Interlock Ransomware With Double Extortion Tactics Attacking Windows and Linux Systems
The Cybersecurity and Infrastructure Security Agency (CISA), FBI, Department of Health and Human Services, and Multi-State Information Sharing and Analysis Center have issued an urgent joint advisory warning of escalating attacks by the Interlock ransomware group, which has been targeting businesses and critical infrastructure sectors since late September 2024.
The newly emerged Interlock variant represents a particularly sophisticated threat, employing unconventional attack methods that set it apart from typical ransomware operations.
Unlike many cybercriminal groups, Interlock actors gain initial access through drive-by downloads from compromised legitimate websites, an uncommon technique in the ransomware landscape that makes detection more challenging.
“Interlock actors are opportunistic and financially motivated, targeting victims based on opportunity rather than specific industry focus,” according to the CISA advisory released today.
The group has successfully infiltrated organizations across North America and Europe, demonstrating their broad operational reach and adaptability.
Double Extortion Amplifies Threat
Central to Interlock’s strategy is the use of double extortion tactics, where attackers both encrypt victim data and exfiltrate sensitive information.
This dual approach significantly increases pressure on organizations to pay ransoms, as victims face not only operational disruption but also the threat of public data exposure through the group’s dark web leak site.
The ransomware has been observed targeting both Windows and Linux operating systems, with particular focus on encrypting virtual machines across both platforms. This cross-platform capability makes Interlock especially dangerous for organizations running hybrid IT environments.
Perhaps most concerning is Interlock’s adoption of the ClickFix social engineering technique, where victims are deceived into executing malicious payloads by clicking fake CAPTCHA prompts that appear to resolve system issues.
This method has previously been associated with other malware campaigns but represents a new evolution in ransomware delivery methods.
“Victims are provided with a unique code and are instructed to contact the ransomware group via a .onion URL through the Tor browser,” the advisory states.
Unlike many ransomware groups, Interlock does not include initial ransom demands in its notes; instead, it establishes direct communication channels for negotiations.
Tools Leveraged by Interlock Ransomware Actors
| Tool Name | Description |
|---|---|
| AnyDesk | A remote monitoring and management (RMM) tool used by threat actors for remote access and persistence. It also facilitates remote file transfers. |
| Cobalt Strike | A penetration testing tool designed for security professionals, which has been co-opted by the actors. |
| PowerShell | A cross-platform task automation and configuration management framework used for scripting malicious activities on Windows, Linux, and macOS. |
| PSExec | A tool for executing programs and commands on remote systems. |
| PuTTY.exe | An open-source application for remote system connections via SSH, also supporting file transfer protocols such as SFTP and SCP. |
| ScreenConnect | Remote support and access software. Interlock actors have been observed using a cracked version of this tool. |
| SystemBC | A tool that enables actors to compromise systems, execute commands, download payloads, and act as a proxy to command and control (C2) servers. |
| Windows Console Host | conhost.exe manages the user interface for command-line applications and has been used in these attacks. |
| WinSCP | A free, open-source client for secure file transfers using SFTP, FTP, WebDAV, and other protocols. |
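Because most of the tooling in this table is legitimate software, the defensive question is where and how it runs. The following is an added example, not from the advisory: it flags executions of the table's remote-access and lateral-movement tools on hosts not sanctioned for them, or launched from a scripting parent such as powershell.exe. The log format, host names, user names and the allow-list are all constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Tool names taken from the advisory's table, keyed by the image name a process log shows.
INTERLOCK_TOOLING = {
    "anydesk.exe": "AnyDesk (RMM, persistence, file transfer)",
    "screenconnect.clientservice.exe": "ScreenConnect (cracked build observed)",
    "psexec.exe": "PSExec (remote execution)",
    "putty.exe": "PuTTY (SSH / SFTP / SCP)",
    "winscp.exe": "WinSCP (SFTP / FTP / WebDAV transfers)",
}

# Assumed allow-list: the org's sanctioned RMM tool and the only host IT may run it from.
SANCTIONED = {"anydesk.exe": {"IT-JUMP01"}}

# Constructed CSV export of process-creation events (not real telemetry).
SAMPLE_LOG = """timestamp,host,user,image,parent_image
2025-07-22T09:01:10Z,IT-JUMP01,CORP\\helpdesk,C:\\Program Files\\AnyDesk\\AnyDesk.exe,explorer.exe
2025-07-22T09:14:32Z,FIN-WS17,CORP\\jdoe,C:\\Users\\jdoe\\AppData\\Local\\Temp\\AnyDesk.exe,powershell.exe
2025-07-22T09:15:05Z,FIN-WS17,CORP\\jdoe,C:\\Windows\\Temp\\PsExec.exe,cmd.exe
2025-07-22T09:20:44Z,ESXI-MGMT,CORP\\svc_backup,C:\\Tools\\WinSCP.exe,explorer.exe
2025-07-22T09:22:01Z,HR-WS03,CORP\\asmith,C:\\Windows\\System32\\notepad.exe,explorer.exe
"""

def flag_events(log_text: str):
    """Return (host, user, tool, reason) for each event running a table tool either on a
    host not sanctioned for it or from a scripting parent, the latter matching the
    user-executed-payload delivery path (ClickFix) the advisory describes."""
    hits = []
    for row in csv.DictReader(io.StringIO(log_text)):
        image = row["image"].rsplit("\\", 1)[-1].lower()
        if image not in INTERLOCK_TOOLING:
            continue
        parent = row["parent_image"].lower()
        reasons = []
        if row["host"] not in SANCTIONED.get(image, set()):
            reasons.append("not a sanctioned host for this tool")
        if parent in ("powershell.exe", "cmd.exe"):
            reasons.append(f"launched by {parent}")
        if reasons:
            hits.append((row["host"], row["user"], INTERLOCK_TOOLING[image], "; ".join(reasons)))
    return hits

def hosts_with_multiple_tools(hits):
    """Hosts where more than one distinct tool fired: a stronger signal than any single hit."""
    per_host = defaultdict(set)
    for host, _, tool, _ in hits:
        per_host[host].add(tool)
    return sorted(h for h, tools in per_host.items() if len(tools) > 1)

if __name__ == "__main__":
    found = flag_events(SAMPLE_LOG)
    for hit in found:
        print(hit)
    print("hosts with multiple flagged tools:", hosts_with_multiple_tools(found))
```

On the constructed log the sanctioned AnyDesk run on IT-JUMP01 is ignored, while FIN-WS17 is reported for both AnyDesk and PSExec launched from scripting parents, which is the pattern worth escalating.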
Critical Infrastructure at Risk
The targeting of critical infrastructure sectors raises particular concerns about potential service disruptions. Federal investigators note that while current attacks have focused primarily on encrypting virtual machines, there is potential for expansion to physical servers and workstations in future campaigns.
To counter these threats, CISA recommends organizations implement robust endpoint detection and response (EDR) capabilities, particularly for virtual machine environments. Additional protective measures include DNS filtering, web access firewalls, network segmentation, and comprehensive user training on social engineering recognition.
FBI investigations, continuing as recently as June 2025, have revealed similarities between Interlock and the previously known Rhysida ransomware variant, suggesting possible connections or shared technical resources between the groups.
The joint advisory represents part of the ongoing #StopRansomware initiative, providing network defenders with detailed technical indicators and mitigation strategies to protect against this emerging threat.