The AhnLab Security Emergency Response Center (ASEC) has published new research on the Interlock ransomware group, which has been conducting continuous attacks against organizations across multiple industries and critical infrastructure sectors in both North America and Europe since late 2024.
According to AhnLab, “Interlock ransomware group first emerged at the end of September 2024, and has been continuously attacking various businesses and critical infrastructures in North America and Europe.”
Like many modern ransomware gangs, Interlock practises double extortion: it encrypts files and exfiltrates sensitive data, then threatens to publish that data if the victim refuses to pay. Its darknet leak site (DLS) actively publishes data stolen from organizations that do not pay.
The ransomware uses a hybrid encryption scheme that makes recovery infeasible without the attacker’s RSA private key. AhnLab explains: “Interlock ransomware uses the AES-256-GCM (Galois/Counter Mode) algorithm to encrypt files. The symmetric key and initial value (IV) are encrypted using RSA-4096 public key and inserted at the end of the file.”
The encryption is implemented with the OpenSSL library. Notably, the ransomware performs no network communication during encryption: the AES key and IV are generated locally, wrapped with the RSA-4096 public key, and appended to the encrypted file. The symmetric key is never sent to a server or written to disk in the clear, so neither network captures nor disk forensics yield anything that could decrypt the files; recovery depends entirely on the attacker’s private key.
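The following Go program is an added illustration of the hybrid model described above: the file body is AES-256-GCM ciphertext, and the symmetric key plus IV are RSA-wrapped and appended as a trailer. It is not Interlock’s code and not AhnLab’s tooling; the OAEP-SHA256 padding, the 12-byte GCM nonce, the key||nonce order inside the wrapped blob, and a trailer that is exactly one RSA modulus long with no extra header are all assumptions made for the example. The point a responder can take from it: `splitTrailer` locates the wrapped key without any key material, but `decryptFile` fails on a wrong private key and on any tampering with the body.

```go
package main

// Added example of the AES-256-GCM + RSA-wrapped-trailer file format.
// Not the malware's code; padding, nonce size, field order and trailer
// layout are assumptions for illustration only.

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

const (
	keyLen   = 32 // AES-256 key
	nonceLen = 12 // standard GCM nonce, the "IV" in the report's wording
	tagLen   = 16 // GCM authentication tag appended by Seal
)

// encryptFile encrypts plaintext under a fresh AES-256-GCM key and nonce,
// wraps key||nonce with the RSA public key (OAEP-SHA256, assumed) and appends
// the wrapped blob. Only the public key is needed, so no network round trip.
func encryptFile(pub *rsa.PublicKey, plaintext []byte) ([]byte, error) {
	key := make([]byte, keyLen)
	nonce := make([]byte, nonceLen)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	body := gcm.Seal(nil, nonce, plaintext, nil) // ciphertext || 16-byte tag
	keyNonce := append(append([]byte{}, key...), nonce...)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, keyNonce, nil)
	if err != nil {
		return nil, err
	}
	return append(body, wrapped...), nil
}

// splitTrailer separates the encrypted body from the RSA-wrapped trailer. The
// trailer is one RSA modulus long (512 bytes for RSA-4096), so it can be found
// with no key at all; it just cannot be opened without the private key.
func splitTrailer(data []byte, modulusBytes int) (body, wrapped []byte, err error) {
	if len(data) < modulusBytes+tagLen {
		return nil, nil, errors.New("too short to hold a GCM tag and a wrapped-key trailer")
	}
	cut := len(data) - modulusBytes
	return data[:cut], data[cut:], nil
}

// decryptFile is the recovery path available only to the private-key holder.
func decryptFile(priv *rsa.PrivateKey, data []byte) ([]byte, error) {
	body, wrapped, err := splitTrailer(data, priv.Size())
	if err != nil {
		return nil, err
	}
	keyNonce, err := rsa.DecryptOAEP(sha256.New(), nil, priv, wrapped, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrap failed (wrong private key?): %w", err)
	}
	if len(keyNonce) != keyLen+nonceLen {
		return nil, errors.New("unexpected wrapped-key length")
	}
	block, err := aes.NewCipher(keyNonce[:keyLen])
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, keyNonce[keyLen:], body, nil) // errors on any tampering
}

func main() {
	priv, err := rsa.GenerateKey(rand.Reader, 4096) // RSA-4096 as in the report
	if err != nil {
		panic(err)
	}
	plaintext := []byte("constructed sample document contents") // constructed input
	enc, err := encryptFile(&priv.PublicKey, plaintext)
	if err != nil {
		panic(err)
	}
	fmt.Printf("encrypted size %d = %d plaintext + %d tag + %d trailer\n",
		len(enc), len(plaintext), tagLen, priv.Size())
	dec, err := decryptFile(priv, enc)
	if err != nil {
		panic(err)
	}
	fmt.Println("round trip ok:", bytes.Equal(dec, plaintext))
}
```

The trailer size follows `priv.Size()`, so the same code works with a 2048-bit key for quick testing; the only fixed quantities are the 16-byte GCM tag and the 44-byte key||nonce blob inside the wrap.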
The malware conceals its main code through obfuscation and runtime patching, so the payload is not exposed until it runs. Once active, its encryption scope depends on the command-line arguments:
- With no arguments, it encrypts all drives and symbolic links.
- With -d (folder path) or -f (file name), it encrypts only the specified folder or file.
- With -r, it also encrypts files that other processes hold open, terminating the processes that hold them so the encryption can proceed.
To avoid system crashes, the ransomware excludes specific folders (e.g., Windows, ProgramData, System Volume Information) and file types (e.g., .exe, .dll, .sys) from encryption. Encrypted files receive the “.!NT3RLOCK” extension, and ransom notes named OPEN_BEFORE_ANYTHING.txt are left behind.
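The two on-disk indicators named above, the “.!NT3RLOCK” extension and the OPEN_BEFORE_ANYTHING.txt note, are the first things a responder sweeps for. The Go program below is an added hunting example, not Interlock’s code or AhnLab’s tooling: it walks a directory tree, collects both indicators, and counts hits per directory so the blast radius is visible at a glance. It assumes the extension is appended to the original file name (e.g. report.xlsx.!NT3RLOCK); the sample tree it builds is constructed for the demonstration and contains no real victim data.

```go
package main

// Added hunting example for the report's on-disk indicators. Not the
// malware's code; the extension being appended to the original name is an
// assumption, and the sample tree is constructed for the demonstration.

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

const (
	encryptedExt = ".!NT3RLOCK"
	ransomNote   = "OPEN_BEFORE_ANYTHING.txt"
)

// SweepResult collects the indicators found under a root.
type SweepResult struct {
	EncryptedFiles []string
	RansomNotes    []string
	HitDirs        map[string]int // directory -> number of encrypted files in it
}

// sweep walks root and records every encrypted file and ransom note.
// Unreadable entries are skipped rather than aborting the whole sweep.
func sweep(root string) (SweepResult, error) {
	res := SweepResult{HitDirs: map[string]int{}}
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, walkErr error) error {
		if walkErr != nil {
			return nil // skip what we cannot read, keep sweeping
		}
		if d.IsDir() {
			return nil
		}
		switch name := d.Name(); {
		case strings.EqualFold(name, ransomNote):
			res.RansomNotes = append(res.RansomNotes, path)
		case strings.HasSuffix(name, encryptedExt):
			res.EncryptedFiles = append(res.EncryptedFiles, path)
			res.HitDirs[filepath.Dir(path)]++
		}
		return nil
	})
	return res, err
}

// buildSampleTree writes a constructed victim-like tree under dir so the sweep
// can run stand-alone: one encrypted file, one note, one untouched file, and a
// Windows system file of a type the report says the malware skips.
func buildSampleTree(dir string) error {
	files := map[string]string{
		"docs/Q3-report.xlsx" + encryptedExt: "constructed ciphertext placeholder",
		"docs/" + ransomNote:                 "constructed ransom note placeholder",
		"docs/untouched.txt":                 "not encrypted",
		"Windows/System32/kernel32.dll":      "excluded by extension and folder",
	}
	for rel, content := range files {
		full := filepath.Join(dir, filepath.FromSlash(rel))
		if err := os.MkdirAll(filepath.Dir(full), 0o755); err != nil {
			return err
		}
		if err := os.WriteFile(full, []byte(content), 0o644); err != nil {
			return err
		}
	}
	return nil
}

func main() {
	dir, err := os.MkdirTemp("", "interlock-sweep")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	if err := buildSampleTree(dir); err != nil {
		panic(err)
	}
	res, err := sweep(dir)
	if err != nil {
		panic(err)
	}
	fmt.Printf("encrypted files: %d, ransom notes: %d\n", len(res.EncryptedFiles), len(res.RansomNotes))
	for d, n := range res.HitDirs {
		fmt.Printf("  %s: %d encrypted\n", d, n)
	}
}
```

Point it at a mounted image or a share root instead of the temp directory to use it on real evidence; the per-directory counts are what tell you whether -d or -f scoping was used versus a full-drive run.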
The ransom note directs victims to a Tor-based negotiation portal and warns of potential violations of GDPR, HIPAA, GLBA, and other compliance regulations if data leaks occur.
AhnLab stresses the importance of strong backup and recovery strategies, noting: “To prepare for ransomware, users must back up important data to an offsite [location] separated from the service network, and perform access control on the backup storage and regular recovery drills.”