Interlock ransomware evolving under the radar
NetmanageIT OpenCTI - opencti.netmanageit.com
SUMMARY:
The Interlock ransomware group, active since September 2024, has shown adaptability and innovation in its tactics despite a relatively low victim count. They employ fake browser updates and the ClickFix technique for initial access, followed by a multi-stage attack chain involving PowerShell backdoors, credential stealers, and a custom Remote Access Trojan. The group targets various sectors across North America and Europe, conducting Big Game Hunting and double extortion campaigns. Interlock has been observed improving their tools, including evolving their PowerShell backdoor and modifying their ransom notes to emphasize legal repercussions. The group's focus on maintaining relevance while avoiding large-scale visibility suggests a strategic approach to their operations.
OPENCTI LABELS:
remote access trojan, lumma, powershell backdoor, fake updaters, credential stealer, double extortion, berserkstealer, clickfix, ransomware, interlock ransomware, interlock rat
AI COMMENTARY:
1. The Interlock ransomware group first emerged in September 2024, capturing analysts’ attention with tactics that belie the low number of recorded victims. Brandishing a moniker that evokes complex machinery in motion, Interlock has positioned itself as a stealthy but adaptive threat actor. By operating below the usual noise threshold, this group cultivates an aura of under-the-radar potency, which they leverage to refine and redeploy their tools without drawing the scrutiny typically reserved for high-profile ransomware operations.
2. Initial access is achieved through carefully crafted fake browser updates that deliver a customized PowerShell backdoor under the guise of legitimate software maintenance. This technique, alongside the proprietary ClickFix method, grants Interlock operators a foothold within target networks. Once the backdoor is established, they deploy credential stealers such as BerserkStealer to harvest domain credentials and escalate privileges without triggering widespread alerts.
3. The multi-stage attack chain employed by Interlock weaves together remote access trojan deployments and in-memory payloads to maintain persistence. After exfiltrating critical credentials, the group introduces a bespoke Remote Access Trojan—commonly referred to as the Interlock RAT or Lumma variant—to orchestrate lateral movement and data extraction. Concurrently, they fortify their presence with iterative updates to their PowerShell backdoor, ensuring each callback morphs just enough to evade signature-based detection.
4. Interlock’s targeting profile spans key sectors across North America and Europe, with a strong emphasis on Big Game Hunting. By focusing on high-value organizations—from manufacturing plants to financial institutions—they maximize the impact of their eventual double extortion campaigns. Stolen data is exfiltrated in stealth before ransomware encryption commences, and victims receive ransom notes that have evolved to underline potential legal repercussions for exposing sensitive information.
5. Continuous evolution defines Interlock’s operational mindset. Their credential stealer modules have been refined to bypass modern endpoint protections, and the ratcheting of ransom note language demonstrates a keen psychological acumen. Each iteration of their ransom note now references compliance and liability statutes to sow doubt and pressure negotiation teams into rapid payment. This gradual sophistication speaks to a long-term strategy of relevance rather than headline-grabbing volume.
6. Interlock’s strategic choice to remain comparatively invisible highlights a novel approach to ransomware campaigns. By avoiding widespread victim disclosure, they deny defenders the threat intelligence that fuels community-wide countermeasures. Organizations must therefore prioritize anomaly detection for fake updaters and PowerShell callbacks, while integrating threat hunting for unseen remote access trojan traffic. Only through proactive visibility can security teams disrupt Interlock’s stealthy ascent.
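The recommendation above (anomaly detection for fake updaters and PowerShell callbacks) can be turned into concrete hunting logic. The following is an added example, not code from the report or from OpenCTI: it runs three heuristics over constructed process-creation and network-connection events laid out to resemble Sysmon Event ID 1 and Event ID 3 records. The heuristics assume that a fake browser update manifests as a script host (PowerShell, mshta, wscript) spawned by a browser process, that a backdoor launch combines several evasive PowerShell switches, and that a backdoor callback shows up as the same PowerShell process reaching the same destination at near-constant intervals. Host names, timestamps, file paths and the TEST-NET addresses are all constructed.

```python
"""Hunting heuristics for fake-updater intrusions and PowerShell callbacks.

Added example (not from the report). Event layout is constructed to resemble
Sysmon Event ID 1 (process create) and Event ID 3 (network connect) records.
"""
import statistics
from datetime import datetime

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Switches commonly combined to run a hidden, non-interactive, encoded script.
SUSPICIOUS_FLAGS = ("-enc", "-encodedcommand", "-w hidden", "-windowstyle hidden",
                    "-nop", "-noprofile", "bypass")

# Constructed sample telemetry. 203.0.113.0/24 and 192.0.2.0/24 are documentation ranges.
SAMPLE_EVENTS = [
    {"type": "process", "host": "ws01", "time": "2025-01-10T09:00:01",
     "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "parent": "C:\\Windows\\explorer.exe", "cmdline": "chrome.exe"},
    # Browser spawning hidden, encoded PowerShell: the fake-updater pattern.
    {"type": "process", "host": "ws01", "time": "2025-01-10T09:00:07",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "parent": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"},
    # Benign scheduled script run under svchost: should not be flagged.
    {"type": "process", "host": "ws02", "time": "2025-01-10T09:05:00",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "parent": "C:\\Windows\\System32\\svchost.exe",
     "cmdline": "powershell.exe -File C:\\scripts\\inventory.ps1"},
    # Regular five-minute callbacks from PowerShell on ws01.
    {"type": "network", "host": "ws01", "time": "2025-01-10T09:01:00",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "dest": "203.0.113.10:443"},
    {"type": "network", "host": "ws01", "time": "2025-01-10T09:06:00",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "dest": "203.0.113.10:443"},
    {"type": "network", "host": "ws01", "time": "2025-01-10T09:11:02",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "dest": "203.0.113.10:443"},
    {"type": "network", "host": "ws01", "time": "2025-01-10T09:16:01",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "dest": "203.0.113.10:443"},
    # Irregular, human-paced connections on ws03: should not be flagged.
    {"type": "network", "host": "ws03", "time": "2025-01-10T09:00:00",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "dest": "192.0.2.8:443"},
    {"type": "network", "host": "ws03", "time": "2025-01-10T09:00:30",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "dest": "192.0.2.8:443"},
    {"type": "network", "host": "ws03", "time": "2025-01-10T09:04:00",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "dest": "192.0.2.8:443"},
    {"type": "network", "host": "ws03", "time": "2025-01-10T09:20:00",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "dest": "192.0.2.8:443"},
]


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def browser_spawned_script_host(ev):
    """True when a browser is the direct parent of a script host."""
    return (ev["type"] == "process" and basename(ev["parent"]) in BROWSERS
            and basename(ev["image"]) in SCRIPT_HOSTS)


def obfuscated_powershell(ev):
    """True when a PowerShell launch combines two or more evasive switches."""
    if ev["type"] != "process" or basename(ev["image"]) not in POWERSHELL:
        return False
    cmd = ev["cmdline"].lower()
    return sum(flag in cmd for flag in SUSPICIOUS_FLAGS) >= 2


def regular_callbacks(events, min_connections=4, max_cv=0.1):
    """Return (host, dest) pairs where PowerShell reached one destination at
    near-constant intervals (coefficient of variation of the gaps <= max_cv)."""
    by_key = {}
    for ev in events:
        if ev["type"] == "network" and basename(ev["image"]) in POWERSHELL:
            by_key.setdefault((ev["host"], ev["dest"]), []).append(datetime.fromisoformat(ev["time"]))
    hits = []
    for key, times in by_key.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_cv:
            hits.append(key)
    return hits


def hunt(events):
    """Run all three heuristics and return a list of (rule, host, detail) findings."""
    findings = []
    for ev in events:
        if browser_spawned_script_host(ev):
            findings.append(("browser_spawned_script_host", ev["host"], ev["time"]))
        if obfuscated_powershell(ev):
            findings.append(("obfuscated_powershell", ev["host"], ev["time"]))
    for host, dest in regular_callbacks(events):
        findings.append(("regular_callback", host, dest))
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

The interval check deliberately ignores destination reputation, so it also catches a callback to a domain that no blocklist has seen yet; tune `min_connections` and `max_cv` against your own baseline, since legitimate scheduled scripts can beacon too and will need an allow-list keyed on the parent process or script path.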