Emerging Threat Actor: Interlock Ransomware


Interlock has rapidly grown into a technically capable and highly disruptive ransomware operation since first emerging in late 2024. The group gained notoriety quickly through a series of destructive attacks that combine custom tooling, aggressive data extortion, and operational discipline.
Interlock operates as a closed, non-public affiliate model, requiring trusted referrals and keeping tight control over who receives affiliate access and what they are permitted to target. Within its first year, Interlock was linked to more than 60 confirmed intrusions, reflecting a growing tempo and a calculated expansion strategy.
Although not directly tied to any prior ransomware brand, Interlock's attack structure, tool usage, and emphasis on recovery sabotage closely resemble legacy operations such as BlackCat/ALPHV and LockBit. Shared traits include intermittent (partial-file) encryption, which shortens the time to impact on large data volumes, and deliberate targeting of backup and recovery infrastructure so that victims cannot restore without paying.
Initial access is most often obtained with stolen credentials, either purchased from Initial Access Brokers (IABs) or harvested in the group's own credential-phishing campaigns. Once inside, Interlock deploys its ransomware payload through a mix of custom loaders and obfuscated PowerShell scripts, with payloads for both Windows and Linux hosts so that a hybrid environment can be hit in a single operation while keeping the footprint small enough to avoid early detection.
A recent investigation published by The DFIR Report documented a new version of the Interlock Remote Access Trojan (RAT), also tracked as NodeSnake. This build is written in PHP rather than the JavaScript/Node.js of earlier samples, a rewrite that sidesteps detections and analysis tooling developed for the Node.js variant and therefore makes the RAT harder to spot.
For file encryption Interlock uses AES, with the AES keys wrapped by RSA so that only the holder of the operators' private key can recover them. The toolset includes well-known credential theft utilities such as Mimikatz, alongside custom tools that inject into legitimate processes, disable endpoint protection, and detect and evade debuggers and analysis environments.
The group aggressively disables recovery capabilities by deleting Volume Shadow Copies, stopping backup agents, and tampering with System Restore. Persistence is maintained through scheduled tasks, registry changes, and abuse of built-in Windows features, so that access survives reboots and partial remediation. Together, this modular and evasive framework enables rapid compromise and long-term access within victim networks.
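The recovery sabotage and persistence behaviours described above are loud in process-creation telemetry (Sysmon Event ID 1, Windows Security 4688, or EDR equivalents) because they go through well-known Windows built-ins. The following Python is an added example written for this page, not Interlock's code and not Halcyon's detection content: it runs a small set of rules over constructed sample events (hypothetical hosts WS01 and FS02, a made-up scheduled task name and Run key value) and flags hosts where recovery sabotage and persistence appear together, which is the combination the text describes. The ATT&CK technique IDs are the standard ones for these behaviours; the product keywords in the service-stop rule are an assumption and should be replaced with the backup agents actually deployed.

```python
"""Hunt for recovery-sabotage and persistence commands in process-creation logs.

Added example for this page: illustrative detection logic, not Interlock's tooling
and not any vendor's rule set. The regexes cover common abuses of Windows built-ins
(vssadmin, wmic, wbadmin, bcdedit, schtasks, reg); they are not family-specific signatures.
"""
import re

IMPACT = {"T1490", "T1489"}               # Inhibit System Recovery, Service Stop
PERSISTENCE = {"T1053.005", "T1547.001"}  # Scheduled Task, Registry Run Keys

# (rule name, ATT&CK technique, regex applied to the full command line)
RULES = [
    ("shadow_copy_deletion", "T1490",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("shadow_copy_deletion", "T1490",
     re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("shadow_copy_deletion", "T1490",
     re.compile(r"\bwin32_shadowcopy\b.*\bdelete\b", re.I)),
    ("backup_catalog_deletion", "T1490",
     re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\b.*\b(?:catalog|systemstatebackup)\b", re.I)),
    ("boot_recovery_disabled", "T1490",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("system_restore_disabled", "T1490",
     re.compile(r"\bDisable-ComputerRestore\b|\bSystemRestore\b.*\bDisableSR\b", re.I)),
    # Product keywords are an assumption: tune to the backup agents actually deployed.
    ("backup_service_stopped", "T1489",
     re.compile(r"\b(?:net1?(?:\.exe)?\s+stop|sc(?:\.exe)?\s+stop|taskkill(?:\.exe)?\b.*/im)"
                r"\s+\S*(?:backup|veeam|acronis|sql)", re.I)),
    ("scheduled_task_created", "T1053.005",
     re.compile(r"\bschtasks(?:\.exe)?\b.*/create\b", re.I)),
    ("run_key_persistence", "T1547.001",
     re.compile(r"\breg(?:\.exe)?\s+add\b.*\\CurrentVersion\\Run(?:Once)?\b", re.I)),
]

# Constructed sample events as (host, command line); hypothetical, not from a real case.
SAMPLE_EVENTS = [
    ("WS01", r"vssadmin.exe delete shadows /all /quiet"),
    ("WS01", r"cmd.exe /c wmic shadowcopy delete"),
    ("WS01", r'powershell.exe -nop -w hidden -c "Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete()}"'),
    ("WS01", r"bcdedit.exe /set {default} recoveryenabled no"),
    ("WS01", r"wbadmin delete catalog -quiet"),
    ("WS01", r'powershell.exe -c "Disable-ComputerRestore -Drive C:"'),
    ("WS01", r'schtasks /create /tn "SystemUpdate" /tr "powershell -ep bypass -f C:\Users\Public\update.ps1" /sc onlogon /ru SYSTEM /f'),
    ("WS01", r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /t REG_SZ /d "C:\Users\Public\u.exe" /f'),
    ("FS02", r"net stop VeeamBackupSvc"),
    ("FS02", r"vssadmin list shadows"),                                    # benign: no delete
    ("FS02", r'schtasks /query /tn "\Microsoft\Windows\Defrag\ScheduledDefrag"'),  # benign: no /create
    ("FS02", r"reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"),      # benign: query, not add
]


def hunt(events):
    """Return one finding per event whose command line matches a rule (first rule wins)."""
    findings = []
    for host, cmdline in events:
        for name, technique, rx in RULES:
            if rx.search(cmdline):
                findings.append({"host": host, "rule": name,
                                 "technique": technique, "cmdline": cmdline})
                break
    return findings


def summarize(findings):
    """Per host: distinct techniques seen and a triage verdict.

    Recovery sabotage followed by persistence on the same host is the pattern the
    text describes; seeing both is a much stronger signal than either alone.
    """
    per_host = {}
    for f in findings:
        per_host.setdefault(f["host"], set()).add(f["technique"])
    summary = {}
    for host, techs in per_host.items():
        if techs & IMPACT and techs & PERSISTENCE:
            verdict = "recovery_sabotage_with_persistence"
        elif techs & IMPACT:
            verdict = "recovery_sabotage"
        else:
            verdict = "persistence_only"
        summary[host] = {"techniques": sorted(techs), "verdict": verdict}
    return summary


if __name__ == "__main__":
    found = hunt(SAMPLE_EVENTS)
    for f in found:
        print(f"{f['host']:5} {f['technique']:9} {f['rule']:24} {f['cmdline']}")
    for host, s in summarize(found).items():
        print(f"{host}: {s['verdict']} ({', '.join(s['techniques'])})")
```

On the constructed input, every WS01 command is flagged and the host is rated `recovery_sabotage_with_persistence`, while FS02 produces only the service-stop finding and the three benign administrative commands are ignored. In production the same rules belong in a SIEM or EDR query keyed on the process-creation command line, with a correlation window (minutes, not days) between the impact and persistence events on a host.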
Victims span professional services, education, manufacturing, healthcare, and retail, with operations tracked in North America, Europe, and parts of Asia. The opportunistic targeting points to a focus on organizations that hold sensitive data and are exposed to public disclosure or prolonged operational downtime.
Interlock is reported to maintain a structured RaaS-style arrangement in which affiliates typically retain 70 to 80 percent of ransom proceeds, with the core team taking the remainder. Like other modern ransomware groups, Interlock practices double extortion: it exfiltrates sensitive data before encryption and publishes victim data on its leak site to pressure payment.
Since its debut Interlock has steadily increased its pace and is now linked to more than 80 confirmed ransomware incidents. Its growing reach and refined tactics point to a maturing operation with an expanding footprint. Exact ransom figures are not always disclosed, but available reports indicate that Interlock tailors demands to the victim's profile, with requests ranging from hundreds of thousands to several million dollars.
Through a combination of custom-developed tools, deliberate targeting strategies, and a flexible delivery framework, Interlock has quickly become one of the most capable and dangerous ransomware operations currently active. Check out the most recent advisory on Interlock from the FBI and CISA.
Halcyon eliminates the business impact of ransomware. Modern enterprises rely on Halcyon to prevent ransomware attacks, eradicating cybercriminals’ ability to encrypt systems, steal data, and extort companies – talk to a Halcyon expert today to find out more and check out our quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.