Interlock Ransomware Uses Evolving Tactics to Evade Detection

A new report by Sekoia Threat Detection & Research (TDR) details the activities of Interlock, a ransomware intrusion set first observed in September 2024, known for conducting Big Game Hunting and double extortion campaigns. While not classified as a Ransomware-as-a-Service (RaaS) group, Interlock operates a Data Leak Site (DLS) called “Worldwide Secrets Blog” to pressure victims.

Interlock operators employ fake browser or security software updaters hosted on compromised websites to gain access to target systems. These so-called installers are actually PyInstaller executables that launch PowerShell-based backdoors.

“This PowerShell script operates in an infinite loop, continuously executing HTTP requests,” the report explains. “It collects system information and offers functionality for executing arbitrary commands and establishing persistence.”

Later versions of this script—now up to version 11—add registry-based persistence and improved command-and-control (C2) logic using Cloudflare’s trycloudflare.com for dynamic tunneling. The script exfiltrates encrypted system info and downloads payloads via XOR-encrypted data from C2 servers.

In January 2025, Sekoia documented Interlock experimenting with ClickFix, a social engineering technique that prompts users to execute malicious PowerShell commands via spoofed CAPTCHAs or browser alerts. These fake prompts urge users to paste commands into a terminal to “fix” an issue—often leading to silent installation of malware. This tactic bypasses automated defenses by tricking victims into manually executing malicious commands.

Though the infrastructure supporting ClickFix appears dormant since February 2025, its use indicates active innovation in Interlock’s delivery mechanisms.

Interlock campaigns consistently use well-known credential-stealing malware, such as LummaStealer and BerserkStealer, often bundled with keyloggers and protected by custom packers. The group also deploys a proprietary Remote Access Trojan (RAT), packed into a DLL, which supports raw TCP communication and advanced command capabilities.

Each sample contains hardcoded IP addresses from VPS providers like BitLaunch, often chosen for their support of anonymous cryptocurrency payments.

Interlock operators commonly use RDP and stolen credentials for lateral movement within compromised networks. They often target domain controllers to gain widespread control. The group also employs tools like PuTTY, AnyDesk, and possibly LogMeIn for maintaining remote access. For data exfiltration, they have been observed using Azure Storage Explorer and the AZCopy tool.

Interlock ransomware exists in both Windows and Linux variants. The Windows variant encrypts files and drops ransom notes, with the content of these notes evolving over time.

“Interlock continued to improve their tools and methods, which reflects a willingness to maintain relevance while avoiding the large-scale visibility,” Sekoia concludes.

Related Posts:

• New Ransomware Tactics & Tools: An In-Depth Analysis of Emerging Threats
• Beware of Fake Google Meet Invites: ClickFix Campaign Spreading Infostealers
• CVE-2024-42057: Exploited by Helldown Ransomware to Target Linux

About The Author

Ddos

Ddos is a seasoned news reporter, bringing over a decade of expertise to the forefront of cyber security and technology reporting. My work provides timely and insightful analysis of emerging trends and critical developments in these rapidly evolving sectors.

See author's posts