In a new joint cybersecurity advisory issued on July 22, 2025, the Cybersecurity and Infrastructure Security Agency (CISA), along with the Federal Bureau of Investigation (FBI), the Department of Health and Human Services (HHS), and the Multi-State Information Sharing and Analysis Center (MS-ISAC), has spotlighted the increasing threat of the Interlock ransomware. This alert is part of the U.S. government’s ongoing #StopRansomware campaign aimed at arming organizations with critical threat intelligence and mitigations to counteract rising ransomware incidents.
According to the advisory, Interlock ransomware actors have been active since September 2024, targeting a wide range of businesses and critical infrastructure sectors across North America and Europe. The threat actors are financially motivated and opportunistic, employing a double extortion model: they steal data first and then encrypt systems, to maximize leverage on victims.
"FBI observed actors obtaining initial access via drive-by download from compromised legitimate websites, which is an uncommon method among ransomware groups," the advisory states. The attackers also deploy deceptive techniques such as ClickFix, a social engineering ploy that tricks victims into running malicious PowerShell scripts by mimicking CAPTCHA prompts.
What sets Interlock apart is its wide array of tools and its platform-agnostic approach. The advisory warns that encryptors have been observed targeting both Windows and Linux virtual machines, and in some instances FreeBSD environments, a rarity in the ransomware ecosystem.
Among the key tools in the Interlock arsenal are:
- Cobalt Strike and SystemBC for command-and-control operations
- Lumma Stealer and Berserk Stealer for credential harvesting
- AnyDesk, PuTTY, and ScreenConnect for lateral movement and persistence
- AzCopy and WinSCP for exfiltrating data to cloud storage and external servers
Notably, the ransomware encryptors use a combination of AES and RSA encryption and leave behind a ransom note titled !__README__!.txt, directing victims to contact the group via a Tor-based .onion URL. Unlike many ransomware groups, Interlock actors do not initially specify ransom amounts or payment instructions, further complicating response efforts.
Victims of Interlock have included organizations in healthcare, education, and other critical sectors. "Encrypted files are appended with either a .interlock or .1nt3rlock extension," and the attackers often follow through on threats to leak data, the advisory warns.
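The two file extensions and the ransom note filename quoted above are the on-disk indicators a responder would sweep for first. The script below is an added example, not code from the advisory or from any of the agencies behind it: it walks a directory tree, flags files carrying either extension or the `!__README__!.txt` note, and returns a structured result that can feed a ticket or a SIEM alert. Only the indicator strings come from the advisory; the walk, the result structure and the `build_sample_tree` helper (which constructs a throwaway directory of sample files for demonstration) are assumptions of this example.

```python
"""Hunt a directory tree for Interlock ransomware indicators.

Added example. Indicator strings (.interlock, .1nt3rlock, !__README__!.txt)
are the ones named in the CISA/FBI advisory; everything else is this
example's own scaffolding.
"""
import os
import tempfile
from collections import Counter
from dataclasses import dataclass, field

# Indicators quoted in the advisory.
ENCRYPTED_EXTENSIONS = (".interlock", ".1nt3rlock")
RANSOM_NOTE_NAME = "!__README__!.txt"


@dataclass
class HuntResult:
    """Paths of matched files plus a per-extension tally for the report."""
    encrypted_files: list = field(default_factory=list)
    ransom_notes: list = field(default_factory=list)
    extension_counts: Counter = field(default_factory=Counter)

    @property
    def suspicious(self) -> bool:
        # A single hit on either indicator is enough to open an incident;
        # do not wait for a volume threshold.
        return bool(self.encrypted_files or self.ransom_notes)


def classify(filename: str):
    """Return 'note', 'encrypted' or None for a bare filename.

    Comparison is case-insensitive because Windows and most SMB shares
    ignore case in filenames.
    """
    lower = filename.lower()
    if lower == RANSOM_NOTE_NAME.lower():
        return "note"
    if lower.endswith(ENCRYPTED_EXTENSIONS):
        return "encrypted"
    return None


def hunt(root: str) -> HuntResult:
    """Walk `root` recursively and collect every indicator match."""
    result = HuntResult()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            kind = classify(name)
            if kind == "encrypted":
                result.encrypted_files.append(path)
                # Interlock appends its extension, so splitext yields it.
                result.extension_counts[os.path.splitext(name)[1].lower()] += 1
            elif kind == "note":
                result.ransom_notes.append(path)
    return result


def build_sample_tree() -> str:
    """Create a constructed sample tree (assumed layout) and return its path.

    Files are empty placeholders; only the names matter for the hunt.
    """
    root = tempfile.mkdtemp(prefix="interlock_hunt_")
    os.makedirs(os.path.join(root, "shares", "finance"))
    os.makedirs(os.path.join(root, "clean"))
    for rel in (
        os.path.join("shares", "finance", "budget.xlsx.interlock"),
        os.path.join("shares", "finance", "forecast.docx.1nt3rlock"),
        os.path.join("shares", "finance", "!__README__!.txt"),
        os.path.join("clean", "readme.txt"),
    ):
        open(os.path.join(root, rel), "w").close()
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    report = hunt(sample)
    print(f"scanned {sample}: suspicious={report.suspicious}")
    print(f"  encrypted files: {len(report.encrypted_files)}")
    print(f"  ransom notes:    {len(report.ransom_notes)}")
    for ext, count in report.extension_counts.items():
        print(f"  {ext}: {count}")
```

Point `hunt()` at a mounted share or a mirrored backup rather than a live, still-encrypting host, and treat the per-extension tally as triage data for scoping the incident, not as a completeness guarantee: an encryptor variant that changes its extension will not be caught by a name-based sweep.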
Adding to the danger, Interlock shares code and behavioral traits with Rhysida ransomware, raising concerns about potential collaborations or code reuse among cybercriminal groups.
The advisory includes a comprehensive mitigation plan aligned with CISA and NIST's Cybersecurity Performance Goals (CPGs). Key recommendations include:
- Implement DNS filtering and web firewalls to prevent access to malicious domains
- Require MFA and strong password practices across all services
- Deploy robust endpoint detection and response (EDR) systems, especially for virtual machines
- Segment networks to hinder lateral movement
- Ensure all systems are patched and up to date, particularly internet-facing applications
CISA also recommends validating security controls against MITRE ATT&CK techniques observed in Interlock incidents, encouraging defenders to simulate attacks and refine their detection and response mechanisms accordingly.