Interlock is a ransomware variant first observed in late 2024 and actively targeting organisations in North America and Europe. It employs a financially motivated double extortion model, encrypting and exfiltrating data to pressure victims into payment. Uniquely, Interlock actors use uncommon access methods such as drive-by downloads and deceptive CAPTCHA prompts, expanding the threat landscape for both public and private sector entities. In response, federal agencies including the FBI, CISA, HHS and MS-ISAC have issued a joint advisory outlining tactics used by Interlock actors and specific mitigations to limit exposure and impact. 

Unconventional Intrusion and Escalation Techniques 

Interlock actors adopt a range of methods to gain initial access and maintain control over targeted systems. Notably, they exploit compromised legitimate websites to deliver malicious payloads disguised as software updates. One tactic involves prompting users to execute malware through a fake CAPTCHA interface, which launches a malicious PowerShell script. Once access is secured, actors drop remote access trojans into startup folders and use registry keys to establish persistence. 

After compromising a system, attackers use reconnaissance tools to harvest user and system information, aiding in lateral movement and privilege escalation. PowerShell scripts execute commands to enumerate running services, drives, users and network configurations. Tools such as AnyDesk, PuTTY and PSExec are then used to move between systems and maintain long-term access. Credential theft is also central to Interlock’s strategy, employing stealers like Lumma and Berserk and techniques such as Kerberoasting to compromise administrative accounts. 

Encryption, Exfiltration and Double Extortion 

Once data is collected, Interlock actors move to encrypt files using a combination of AES and RSA algorithms. These encryptors target virtual machines across Windows and Linux environments, while leaving physical hosts temporarily untouched. Encrypted files typically bear extensions such as .interlock or .1nt3rlock, and are accompanied by ransom notes that direct victims to a Tor-based contact point. 

Data exfiltration occurs prior to encryption, supporting Interlock’s double extortion method. Tools like Azure Storage Explorer and AzCopy facilitate transfer of stolen files to actor-controlled cloud storage, while alternatives like WinSCP are used for file-based exfiltration. The encryption payload is often self-deleting, with binaries removed after execution to evade forensic analysis. Ransom demands are not immediately disclosed; instead, actors await contact before demanding payment in Bitcoin and threatening public data release. 

Practical Mitigations for Organisational Protection 

To mitigate risks posed by Interlock ransomware, organisations should implement a range of technical, administrative and behavioural controls. Preventing initial access is paramount. DNS filtering and web firewalls should be used to block malicious sites, and staff must be trained to recognise and report social engineering attempts. Keeping all systems patched, especially internet-facing assets, significantly reduces exposure to known vulnerabilities. 

Network segmentation can limit lateral movement following compromise, while identity management practices such as multifactor authentication add another layer of defence. Monitoring tools should be deployed to detect abnormal network activity, including unauthorised lateral movement. Endpoint detection and response capabilities are particularly important for defending virtualised environments targeted by Interlock. 
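As an added example (not code from the advisory or from this article), the small Python rule set below applies the behaviours described above to constructed Sysmon-style events: PowerShell launched from a browser (the fake CAPTCHA lure), drops into the Startup folder and Run-key persistence, AzCopy or WinSCP launches, and files renamed with the .interlock or .1nt3rlock extension. The event shape, event ids, host names and paths are assumptions made for the example.

```python
import re

# Constructed events, simplified Sysmon-like shape (assumed ids: 1 process create, 11 file create, 13 registry set).
SAMPLE_EVENTS = [
    {"id": 1, "host": "ws01", "parent": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    {"id": 11, "host": "ws01", "target": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows"
                                         "\\Start Menu\\Programs\\Startup\\update.exe"},
    {"id": 13, "host": "ws01", "target": "HKU\\S-1-5-21-EXAMPLE\\Software\\Microsoft\\Windows"
                                         "\\CurrentVersion\\Run\\Updater"},
    {"id": 1, "host": "fs01", "parent": "C:\\Windows\\System32\\cmd.exe", "image": "C:\\Tools\\azcopy.exe"},
    {"id": 11, "host": "fs01", "target": "D:\\Finance\\Q3-report.xlsx.interlock"},
    {"id": 11, "host": "ws02", "target": "C:\\Users\\bob\\Documents\\notes.txt"},
]

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}  # fake-CAPTCHA lure runs from a browser
EXFIL_TOOLS = {"azcopy.exe", "winscp.exe"}  # legitimate tools named in the advisory
RANSOM_EXT = re.compile(r"\.(interlock|1nt3rlock)$", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def analyse(events):
    """Return (rule, host) pairs for each event matching an Interlock-style behaviour."""
    findings = []
    for e in events:
        if e["id"] == 1:
            image, parent = basename(e["image"]), basename(e["parent"])
            if image == "powershell.exe" and parent in BROWSERS:
                findings.append(("powershell_from_browser", e["host"]))
            if image in EXFIL_TOOLS:
                findings.append(("bulk_transfer_tool", e["host"]))
        elif e["id"] == 11:
            if STARTUP_DIR.search(e["target"]):
                findings.append(("startup_folder_drop", e["host"]))
            if RANSOM_EXT.search(e["target"]):
                findings.append(("ransom_extension", e["host"]))
        elif e["id"] == 13 and RUN_KEY.search(e["target"]):
            findings.append(("run_key_persistence", e["host"]))
    return findings

def hosts_to_escalate(findings, threshold=2):
    """Hosts hit by >= threshold distinct rules; a lure plus persistence, or transfer tooling plus encryption markers, outweighs any single hit."""
    per_host = {}
    for rule, host in findings:
        per_host.setdefault(host, set()).add(rule)
    return sorted(h for h, rules in per_host.items() if len(rules) >= threshold)
```

AzCopy and WinSCP are ordinary administrative tools, so the bulk_transfer_tool rule is only meaningful when combined with other hits on the same host, which is what hosts_to_escalate does.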

Additional measures include disabling command-line access for non-essential users, enforcing the principle of least privilege and auditing administrative accounts. Offline, encrypted backups should be maintained and regularly tested for restoration. Organisations are also advised to disable hyperlinks in emails and apply banners to external messages to reduce phishing risks. For high-privilege accounts, just-in-time access protocols can limit unnecessary exposure. Collectively, these mitigations align with established cybersecurity frameworks and help build resilience against advanced ransomware operations. 

The Interlock ransomware campaign highlights the evolving nature of cyber threats and the sophisticated methods now employed by financially motivated actors. By leveraging social engineering, legitimate tools and multi-stage intrusion techniques, Interlock actors present a substantial risk to organisations across sectors. However, a well-rounded defence strategy—anchored in robust technical controls, staff awareness and proactive threat detection—can significantly reduce the likelihood and impact of a ransomware incident. The guidance provided by national cybersecurity agencies offers a clear roadmap for organisations to follow in reinforcing their cyber defences. 

Source: Cybersecurity & Infrastructure Security Agency 