Interlock ransomware first appeared in September 2024. Since then, it has launched over 60 confirmed attacks on businesses and infrastructure. It targets both Windows and Linux virtual machines. Armed with custom loaders and stealthy RAT tools, attackers move quickly across networks after seizing initial access.
Moreover, Interlock uses double extortion: it first steals data, then encrypts it, and threatens victims with public exposure of the stolen files. Unlike typical ransomware notes, Interlock's note directs victims to a Tor-based negotiation site rather than stating terms up front.
Attack Methods and Tactics
Initially, Interlock gains access via drive-by downloads or deceptive prompts. These prompts trick users into running malicious PowerShell scripts themselves through fake clicks. Known as the ClickFix method, this deception makes the launch look like ordinary user activity and lowers the risk of detection.
Once inside, Interlock deploys credential stealers such as Lumma and Berserk, and remote access tools like Cobalt Strike, AnyDesk, PuTTY, and ScreenConnect. It disables defense and backup systems, deletes shadow copies, and encrypts files with AES and RSA, appending the .interlock or .1nt3rlock extension. Its modular design adds stealth and persistence.
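The behaviours described above give a defender three concrete things to look for in telemetry: a PowerShell launch from a user-facing parent with a hidden window or encoded command (the ClickFix pattern), shadow-copy deletion, and files renamed to the .interlock or .1nt3rlock extension. The script below is an added example, not code from the original article or from any vendor; it runs simple detection logic over constructed process-creation and file events. The event field names, the parent-process list and the sample events are assumptions made for illustration.

```python
"""Added example (not from the original article): triage constructed Windows
process-creation and file events for behaviours the article attributes to
Interlock. Event layout and sample data are assumptions for illustration."""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Event:
    kind: str          # "process" or "file"
    parent: str = ""   # parent image path (process events)
    image: str = ""    # process image path (process events)
    cmdline: str = ""  # full command line (process events)
    path: str = ""     # target file path (file events)


# Extensions the article reports Interlock appending to encrypted files.
INTERLOCK_EXTS = (".interlock", ".1nt3rlock")

# PowerShell switches typical of a copy-pasted ClickFix launch: hidden window,
# bypassed execution policy, or an encoded command.
PS_SUSPICIOUS = re.compile(
    r"-(enc|encodedcommand|w(indowstyle)?\s+hidden|ep\s+bypass|executionpolicy\s+bypass)",
    re.I,
)

# Parents from which a user-initiated paste into Run or a browser would launch
# PowerShell (assumed list; extend to match your environment).
USER_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe"}

# Shadow-copy deletion via the two commonly logged built-in tools.
SHADOW_DELETE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I
)


def _basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.lower().rsplit("\\", 1)[-1]


def classify(ev: Event) -> List[str]:
    """Return the list of detection names that match a single event."""
    findings = []
    if ev.kind == "process":
        image, parent = _basename(ev.image), _basename(ev.parent)
        if (image in ("powershell.exe", "pwsh.exe")
                and parent in USER_PARENTS
                and PS_SUSPICIOUS.search(ev.cmdline)):
            findings.append("clickfix_powershell")
        if SHADOW_DELETE.search(ev.cmdline):
            findings.append("shadow_copy_deletion")
    elif ev.kind == "file":
        if ev.path.lower().endswith(INTERLOCK_EXTS):
            findings.append("interlock_extension")
    return findings


def triage(events: List[Event]) -> Dict[str, int]:
    """Count detections across a batch of events."""
    counts: Dict[str, int] = {}
    for ev in events:
        for name in classify(ev):
            counts[name] = counts.get(name, 0) + 1
    return counts


# Constructed sample events; the encoded command is a placeholder, not real data.
SAMPLE_EVENTS = [
    Event("process", parent=r"C:\Windows\explorer.exe",
          image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          cmdline="powershell.exe -w hidden -EncodedCommand <BASE64-PLACEHOLDER>"),
    Event("process", parent=r"C:\Windows\System32\cmd.exe",
          image=r"C:\Windows\System32\vssadmin.exe",
          cmdline="vssadmin.exe delete shadows /all /quiet"),
    Event("process", parent=r"C:\Windows\explorer.exe",
          image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          cmdline="powershell.exe -NoProfile -Command Get-Date"),   # benign
    Event("file", path=r"C:\Users\alice\Documents\report.docx.interlock"),
    Event("file", path=r"C:\Users\alice\Documents\budget.xlsx.1nt3rlock"),
    Event("file", path=r"C:\Users\alice\Documents\notes.txt"),         # benign
]

if __name__ == "__main__":
    for name, count in sorted(triage(SAMPLE_EVENTS).items()):
        print(f"{name}: {count}")
```

The ClickFix rule deliberately requires both a user-facing parent and a suspicious switch, so routine administrative PowerShell from scripts or management agents does not fire it; the extension rule is the last line of defence and indicates encryption has already begun, so it should page immediately.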
According to a joint advisory, U.S. agencies confirm Interlock attacks target healthcare, public services, and manufacturing across North America and Europe. Notable victims include DaVita, Kettering Health, and West Lothian Council.
Eye World’s Cybersecurity Readiness Recommendations
As threat activity increases, Eye World recommends focusing on proactive defence and layered security:
- Apply DNS filtering and web application firewalls to block phishing and drive-by download sources.
- Patch systems regularly, especially on critical infrastructure and virtual environments.
- Segment networks and restrict lateral movement through Zero Trust design.
- Enforce multi‑factor authentication across critical accounts and services.
- Deploy strong EDR and detection tools to monitor for unusual behaviour such as user-launched PowerShell, shadow-copy deletion, and mass file renames.
- Train staff on social engineering and ClickFix techniques to spot manipulation.
These practices align closely with CISA, FBI, HHS, and MS‑ISAC guidance for mitigating Interlock threats.
Why Eye World Readers Must Act Now
Interlock's strategy, combining data exfiltration with file encryption, delivers devastating operational impact. The absence of ransom amounts in its notes and the use of Tor-based negotiation increase pressure on victims. Organizations must enhance their resilience or risk costly incident fallout.
If your organisation supports remote access, virtual environments, or critical services, particularly in the healthcare or industrial sectors, implement these measures without delay.