HHS, CISA, FBI, and MS-ISAC Release Joint Cybersecurity Advisory on Interlock Ransomware

The U.S. Department of Health and Human Services (HHS), Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and Multi-State Information Sharing and Analysis Center (MS-ISAC) have jointly issued a cybersecurity advisory detailing the Interlock ransomware variant.

First observed in September 2024, Interlock has been targeting businesses and critical infrastructure in North America and Europe. It gains initial access through an uncommon drive-by download method, often delivered via compromised legitimate websites or through a deceptive technique called “ClickFix.” The ransomware affects both Windows and Linux environments, specifically targeting virtual machines, and uses a double extortion strategy: encrypting files and stealing data to coerce victims into paying. Victims receive a ransom note with instructions to contact the attackers via the Tor network but no initial demand; the threat of data leaks is used to increase pressure. Interlock’s command and control is maintained through tools like Cobalt Strike, SystemBC, and AnyDesk, while credential theft and lateral movement are achieved using stealers and remote access tools.

The advisory also highlights similarities between Interlock and Rhysida ransomware and urges organizations to apply mitigation strategies outlined in the report to reduce the risk and impact of an Interlock attack. For additional resources and technical details, including indicators of compromise, refer to the cybersecurity advisory and stopransomware.gov.