Interlock ransomware gang running amock, targeting North America and Europe, CISA warns

The US Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday is warning businesses in North America and Europe to harden their systems against a new Interlock ransomware variant.

The fledgling but potent hacker group has been stepping up its number of attacks and changing tactics in recent months, according to a new joint #StopRansomware advisory released Tuesday.

First appearing on the ransomware scene in fall 2024, the double extortionists are known to target various critical infrastructure organizations and sectors, including healthcare, education, tech, government, and manufacturing.

“These actors are opportunistic and financially motivated in nature and employ tactics to infiltrate and disrupt the victim’s ability to provide their essential services,” CISA says.

🛡️Interlock ransomware actors continue to target businesses and #CriticalInfrastructure organizations in North America and Europe. Review known TTPs & IOCs in our joint Cybersecurity Advisory. 👉https://t.co/7Opb7u6UPi #StopRansomware pic.twitter.com/PZSpkdDFJ8

undefined Cybersecurity and Infrastructure Security Agency (@CISAgov) July 22, 2025

“Interlock Ransomware serves as a stark example of how dangerous and unpredictable today’s ransomware groups have become,” said Nick Tausek, Lead Security Automation Architect at Swimlane.

“Although they were only first discovered in late 2024, the group has been highly active and launched high-profile attacks on medical organizations like DaVita and Kettering Health,” Tausek said.

In May, Interlock made headlines after claiming responsibility for a weeks-long ransomware attack on the Midwest healthcare conglomerate Kettering Health. The attack forced the cancellation of thousands of procedures across its 14 medical centers and over 120 outpatient clinics.

JavaScript to PHP

Interlock has been observed obtaining initial access to its victims via drive-by download from compromised legitimate websites, disguising the malicious payloads as fake Google Chrome or Microsoft Edge browser updates, an atypical method for ransomware actors, the FBI says.

The group is also known for using the “ClickFix social engineering technique,” for example, by tricking users into executing Interlock remote access trojans (RATs) using fake reCAPTCHAs.

“The CAPTCHA contains instructions for users to open the Windows Run window, paste the clipboard contents, and then execute a malicious Base64-encoded PowerShell process,” the advisory states.

The warning comes less than a week after joint research by The DFIR Report and Proofpoint found the group using “a new and resilient variant” of its previously identified JavaScript-based Interlock RAT.

The new variant, which instead uses PHP, appears to be part of a new widespread Kongtuke FileFix malware campaign first seen in June 2025.

Tausek explains that what sets Interlock apart is its tactical diversity.

“The group has used ClickFix attacks to impersonate IT tools and infiltrate networks, deployed remote access trojans (RATs) to deliver malware, and, most recently, adopted double extortion tactics to maximize pressure on victims.”

The Interlock ransomware variants observed by security researchers have similarities to the variants used by the Rhysdia threat group, suggesting Interlock may be an offshoot of the seasoned Russian-linked Rhysida gang.

World Secrets Blog

The group has been seen using both RATs and CobaltStrike tools to quickly establish a remote Command and Control center (C2) before it will typically download PowerShell to install some type of infostealer, such as LumanStealer, and a keylogger binary to “harvest credentials for lateral movement and privilege escalation.”

Interlock deploys its ransomware encryptors for both Windows and Linux operating systems, while also commonly using AnyDesk for remote file transfers.

After encrypting the victim's files using interlock or .1nt3rlock file extensions, the gang will send a note directing the victim to its "Worldwide Secrets Blog" onion address to make contact and pay a ransom demand in Bitcoin.

“Your network was compromised, and we have secured your most vital files,” Interlock wrote to Kettering Health in May, threatening to publish 1TB of data it claimed to have exfiltrated from Kettering’s networks unless an undisclosed ransom demand is paid.

An October 2024 profile on the ransomware gang by Broadcom states that its “victims are cautioned against altering files, using recovery software, or rebooting systems, as these actions could lead to irreversible damage.” Broadcom also said Interlock victims are often given only 96 hours to negotiate.

According to Cybernews’ Ransomlooker tool, the group has claimed at least 35 ransomware victims since January this year, with about half of those attacks taking place in the last six weeks.

“The range and frequency of these attacks highlight how adaptable modern threat actors have become. Attacks now come from multiple vectors, often at once, and organizations must be ready,“ Tausek tells Cybernews.

CISA advises organizations to harden their systems by implementing robust endpoint detection and response (EDR) tooling and capabilities, including patching exposed systems, employing multi-factor authentication, and segmenting networks.

Tuasek says that besides regular patching, network segmentation, and other proactive defenses, “just as critical is equipping employees with the awareness to recognize social engineering attempts before they lead to compromise.”

For a full list of Interlock tactics techniques and procedures (TTPs), indicators of compromise (IOCs), and mitigation recommendations, you can read the complete CISA advosiry here.