In a joint effort to combat rising cyber threats, the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), Department of Health and Human Services (HHS), and Multi-State Information Sharing and Analysis Center (MS-ISAC) released a #StopRansomware advisory on July 22, 2025, detailing the activities of the Interlock ransomware group. First observed in late September 2024, Interlock has evolved rapidly, with notable updates and new capabilities emerging by early 2025, including enhanced info-stealing features and version changes noted by private analysts. This opportunistic, financially motivated threat actor has targeted organizations worldwide, employing sophisticated tactics to infiltrate networks, exfiltrate data, and encrypt systems. Below, we explore the advisory's key findings, infection vectors, evolving tactics, and practical defenses to help organizations stay protected.
The #StopRansomware Advisory on Interlock
The advisory, part of the ongoing #StopRansomware initiative, provides indicators of compromise (IOCs), tactics, techniques, and procedures (TTPs) based on FBI investigations as recent as June 2025 and third-party reporting. It highlights Interlock's cross-platform capabilities, affecting both Windows and Linux systems, particularly virtual machines (VMs). While similarities to the Rhysida ransomware variant have been noted in open-source reporting (suggesting possible shared developers or operators), Interlock stands out for its unique initial access methods and focus on double extortion.
Interlock actors are described as opportunistic, targeting victims based on vulnerabilities rather than specific industries, though they've shown a preference for critical infrastructure and healthcare sectors. Attacks have been reported across North America and Europe, with at least 50 victims identified since September 2024. The group operates under a Ransomware-as-a-Service (RaaS) model, providing affiliates with custom payloads and infrastructure.
Infection Methods
Interlock employs a mix of unconventional and traditional vectors to gain initial access, making it challenging to detect early:
- Drive-by Downloads: A standout tactic, where actors compromise legitimate websites to deliver malware via unsolicited downloads. This method, rare among ransomware groups, tricks users into executing fake installers (e.g., mimicking Google Chrome or Microsoft Edge updates).
- Phishing and Social Engineering: Lures include fake software updates, IT support impersonation (e.g., ClickFix or FileFix techniques), and phishing emails leading to malicious payloads like PowerShell scripts, keyloggers, or credential stealers.
- RDP Exploits and Remote Access Tools: Post-initial access, actors use RDP for lateral movement, alongside tools like AnyDesk, PuTTY, and remote access trojans (RATs) such as NodeSnake.
- Credential Theft: Tools like LummaStealer and BerserkStealer harvest credentials, enabling escalation and persistence.
Dwell time in victim networks can last up to 17 days before encryption, allowing extensive reconnaissance and data exfiltration.
Observed Tactics and Evolution
Interlock's tactics align with the MITRE ATT&CK framework, emphasizing stealth, exfiltration, and extortion. Key observations include:
- Double Extortion: Actors exfiltrate data before encryption, using tools like Azure Storage Explorer and AZCopy to transfer files to cloud storage (e.g., Azure blobs). Victims face threats of data leaks on the "Worldwide Secrets Blog" site if ransoms aren't paid.
- Encryption Focus: Targets VMs on Windows and Linux (including FreeBSD variants), appending ".interlock" to files and dropping ransom notes like "!README!.txt". Notes provide a unique code for contacting actors via Tor, without initial demands.
- Evasion Techniques: File obfuscation, disguising malware as legitimate tools, clearing system logs, and disabling security tools (e.g., antivirus, EDR).
- Evolution: Since February 2025, private analysts have noted version changes, including integration of new info-stealers (e.g., LummaStealer for credentials and browser data) and RATs like NodeSnake. The group has adapted tactics from Rhysida, evolving under the radar with enhanced cross-platform capabilities and social engineering lures like FileFix. Recent attacks show increased targeting of healthcare and critical infrastructure, with affiliates deploying custom encryptors for specific OSes like FreeBSD servers used in web hosting and storage.
Impacts and Targets
Interlock primarily targets critical infrastructure, including healthcare, technology, government, and manufacturing sectors, leading to operational disruptions, data breaches, and financial losses. Double extortion amplifies pressure, with ransoms ranging from hundreds of thousands to millions of dollars. Worldwide attacks have affected organizations in North America and Europe, with examples including U.S. healthcare providers like Kettering Health and government entities. The focus on VMs and servers can cascade to broader system failures, especially in virtualized environments.
Step-by-Step Guide to Ransomware Prevention
To defend against Interlock and similar threats, follow this structured guide based on the advisory's recommendations:
- Assess and Patch Vulnerabilities: Conduct regular vulnerability scans and apply patches promptly to OSes, software, and firmware. Prioritize internet-facing systems and known exploited vulnerabilities (e.g., via CISA's KEV catalog).
- Implement Network Segmentation: Divide networks into isolated zones to limit lateral movement. Use firewalls and VLANs to separate critical assets like VMs from general user access.
- Deploy Endpoint Detection and Response (EDR): Install and configure EDR tools on all endpoints, especially VMs, to detect anomalous behavior like unauthorized RDP or exfiltration attempts.
- Backup Data Offline: Create regular, immutable backups stored offline or in air-gapped systems. Test restoration processes quarterly to ensure recoverability without paying ransoms.
- Enforce Multi-Factor Authentication (MFA): Require MFA for all accounts, particularly remote access, email, and admin privileges. Use phishing-resistant methods like hardware tokens.
- Train Users on Social Engineering: Educate staff to recognize phishing, fake updates, and suspicious downloads. Simulate attacks to build awareness.
- Monitor and Filter Traffic: Enable DNS filtering, web access firewalls, and intrusion detection systems to block drive-by downloads and known malicious domains.
- Limit Remote Access: Disable unnecessary RDP ports, use VPNs with MFA, and monitor for unauthorized tools like AnyDesk.
- Review Logs and Respond Quickly: Centralize logging and set alerts for indicators like unusual file extensions or data transfers to cloud services.
- Develop an Incident Response Plan: Outline steps for containment, eradication, and recovery. Conduct tabletop exercises focused on ransomware scenarios.
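The "Encryption Focus" and "Double Extortion" observations above name concrete, host-observable indicators (files gaining the ".interlock" extension, a "!README!.txt" ransom note, AzCopy or Azure Storage Explorer moving data out), and the "Review Logs and Respond Quickly" step asks for alerts on exactly those. The following Python script is an added example, not code from the advisory or from CISA, showing how a defender could turn those indicators into detection logic over endpoint log lines. The log format, host names, process image names (for example storageexplorer.exe), time window and file-count threshold are all assumptions constructed for the example; real deployments would map the same rules onto their EDR or SIEM's schema.

```python
"""Detection sketch for Interlock indicators named in the advisory summary.

Scans endpoint log lines (constructed sample data, not a real product's
schema) for:
  * files written/renamed with the ".interlock" extension (encryption)
  * creation of the "!README!.txt" ransom note
  * execution of AzCopy / Azure Storage Explorer (exfiltration tooling)
  * execution of AnyDesk / PuTTY (remote access tools worth reviewing)
and raises a single "mass_encryption" alert when one host touches many
".interlock" files inside a short window (a mass-rename is the moment to
isolate the host, before the ransom note even lands).
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Indicators taken from the advisory summary above.
RANSOM_EXT = ".interlock"
RANSOM_NOTE = "!readme!.txt"          # compared case-insensitively
# Process image names are assumptions for the example; adjust to what your
# telemetry actually records.
EXFIL_TOOLS = {"azcopy.exe", "storageexplorer.exe"}
REMOTE_TOOLS = {"anydesk.exe", "putty.exe"}
# Arbitrary tuning values chosen for the example.
MASS_WINDOW = timedelta(minutes=5)
MASS_THRESHOLD = 20


@dataclass
class Alert:
    ts: datetime
    host: str
    severity: str   # medium | high | critical
    rule: str
    detail: str


def parse_line(line):
    """Parse '<ISO ts> key=value key=value ...' (constructed format)."""
    ts_str, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    fields["ts"] = datetime.fromisoformat(ts_str)
    return fields


def scan(lines):
    """Return the list of alerts raised by the given log lines, in order."""
    alerts = []
    enc_times = defaultdict(list)   # host -> recent ".interlock" write times
    mass_fired = set()              # hosts that already got a mass alert
    for line in lines:
        f = parse_line(line)
        ts, host, event = f["ts"], f["host"], f["event"]
        path = f.get("path", "").lower()
        proc = f.get("proc", "").lower()
        # Strip either directory separator to get the bare file name.
        name = path.rsplit("/", 1)[-1].rsplit("\\", 1)[-1]

        if event in ("file_write", "file_rename") and name.endswith(RANSOM_EXT):
            alerts.append(Alert(ts, host, "high", "interlock_extension", path))
            recent = [t for t in enc_times[host] if ts - t <= MASS_WINDOW] + [ts]
            enc_times[host] = recent
            if len(recent) >= MASS_THRESHOLD and host not in mass_fired:
                mass_fired.add(host)
                alerts.append(Alert(ts, host, "critical", "mass_encryption",
                                    f"{len(recent)} files within {MASS_WINDOW}"))
        elif event == "file_write" and name == RANSOM_NOTE:
            alerts.append(Alert(ts, host, "critical", "ransom_note", path))
        elif event == "proc_start":
            if proc in EXFIL_TOOLS:
                alerts.append(Alert(ts, host, "high", "exfil_tool", proc))
            elif proc in REMOTE_TOOLS:
                alerts.append(Alert(ts, host, "medium", "remote_tool", proc))
    return alerts


def hosts_to_isolate(alerts):
    """Hosts with at least one critical alert: candidates for containment."""
    return {a.host for a in alerts if a.severity == "critical"}


# Constructed sample telemetry: a workstation running a remote access tool and
# AzCopy, then a file server being mass-renamed and receiving the ransom note.
SAMPLE_LOGS = (
    ["2025-07-23T09:55:00 host=ws-17 event=proc_start proc=AnyDesk.exe",
     "2025-07-23T09:58:10 host=ws-17 event=proc_start proc=azcopy.exe",
     "2025-07-23T09:58:30 host=ws-17 event=file_write path=C:\\Users\\alice\\report.docx"]
    + [f"2025-07-23T10:00:{i:02d} host=vm-fs01 event=file_rename "
       f"path=/srv/share/doc{i}.pdf.interlock" for i in range(25)]
    + ["2025-07-23T10:00:40 host=vm-fs01 event=file_write path=/srv/share/!README!.txt"]
)

if __name__ == "__main__":
    found = scan(SAMPLE_LOGS)
    for a in found:
        if a.severity != "high" or a.rule != "interlock_extension":
            print(f"{a.ts.isoformat()} {a.host:8} {a.severity:8} {a.rule}: {a.detail}")
    print("isolate:", sorted(hosts_to_isolate(found)))
```

The per-file "interlock_extension" alerts are kept because they are the raw evidence, but the script prints only the summary-level alerts so the critical ones are not buried; the mass-encryption alert fires once per host rather than on every rename after the threshold.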
Additional Defense Tactics
Beyond the guide, adopt these best practices:
- Use Application Allowlisting: Restrict execution to approved software, preventing malware like fake installers.
- Disable Unused Services: Turn off RDP, SMB, and other high-risk protocols if not needed.
- Employ Threat Intelligence: Monitor for IOCs from the advisory, such as specific encryptor hashes or .onion URLs.
- Secure Cloud Environments: Audit Azure and similar services for misconfigurations that could aid exfiltration.
By implementing these measures, organizations can significantly reduce the risk of Interlock infections. For the full advisory and IOCs, visit CISA's website or stopransomware.gov. Stay vigilant: ransomware threats like Interlock continue to evolve, demanding proactive defenses.