Interlock Ransomware

Description

Interlock is an emerging ransomware group first observed in late September 2024, with initial samples appearing on public malware scanning platforms in early October 2024, suggesting development activity began prior to public detection. The group operates across Windows, Linux, and additional server infrastructure (e.g., BSD/enterprise systems), encrypting files and deploying ransom notes that direct victims to attacker-controlled negotiation channels hosted on anonymity networks.

A defining characteristic is its use of double-extortion tactics: operators exfiltrate sensitive data prior to encryption and threaten public release via leak sites if ransom demands are not met. Iterative improvements to tooling and targeting since its emergence indicate Interlock is an active, maturing threat group rather than a one-off variant.

Aliases

  • Nefarious Mantis
  • Interlock Ransomware Operators
  • Interlock Ransomware Operator
  • Interlock Ransomware Group

Targeted Industries

  • Healthcare
  • Government
  • Manufacturing
  • Technology

Objectives

  • Financial Gain

Known Tools Used

  • AnyDesk
  • AzCopy
  • Azure Storage Explorer
  • Berserk Stealer
  • Cobalt Strike
  • conhost.exe
  • Interlock RAT
  • LummaStealer
  • NodeSnake RAT
  • plink
  • PuTTY
  • rclone
  • WinSCP

Known Infection Vectors

  • Phishing/Social Engineering
  • Valid Account Abuse (Credential Access)
  • Exploitation of Public-Facing Applications
  • Remote Services Exposure (RDP/VPN)
  • Initial Access Brokers (IABs)
  • Living-off-the-Land Lateral Movement Tools

References

  • #StopRansomware: Interlock (Joint Advisory AA25-203A) — CISA/FBI/HHS/MS-ISAC
    https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-203a
  • Interlock Ransomware: New Techniques, Same Old Tricks (Fortinet)
    https://www.fortinet.com/blog/threat-research/interlock-ransomware-new-techniques-same-old-tricks
  • Ransomware Roundup – Interlock (Fortinet)
    https://www.fortinet.com/blog/threat-research/ransomware-roundup-interlock