A two-year look at a shared ransomware ecosystem
IBM X-Force has released long-term research into the Interlock and Rhysida ransomware ecosystem. The study spans more than two years of malware tracking and third-party reporting. Together, the findings expose deep links between initial-access brokers, crypters, downloaders, and backdoors.
Interlock, tracked as Hive0163, has run ransomware operations since September 2024. Unlike many rivals, it does not appear to work as a Ransomware-as-a-Service platform. Instead, the group leans on a large custom toolkit. Rhysida, by contrast, has operated as a RaaS since at least May 2023.
According to the report, each group claimed roughly 80 victims in 2025. Moreover, most of those victims sat in the United States. Education led Interlock’s hit list, while manufacturing topped Rhysida’s.
Why researchers see a possible lineage
The connection is not fresh speculation. Earlier, Cisco Talos assessed with low confidence that Interlock is likely “a new diversified group that emerged from Rhysida ransomware operators or developers.” X-Force’s analysis now adds technical weight to that theory.
In its conclusion, the team states the research “indicates a relationship or lineage between Interlock and Rhysida actors.” However, the exact nature of that bond stays unclear. Both groups still run distinct campaigns, yet they overlap in meaningful ways.

Shared malware ties the groups together
The clearest overlap is the Supper backdoor, also called SocksShell or WINDYTWIST. Notably, Supper appears in confirmed incidents for both Interlock and Rhysida. It first surfaced in July 2024, predating Interlock’s other custom tools.
X-Force also found strong code similarities across NodeSnake, InterlockRAT, and the JunkFiction downloader. These families likely share an original codebase or common developers. NodeSnake usually acts as the first-stage downloader. Afterward, InterlockRAT delivers a full backdoor with reverse shell and SOCKS5 proxy features.
Crypters add another layer
Private crypters reveal further relationships. Interlock favors the JunkFiction crypter, while Rhysida actors prefer Tomb, also tracked as TextShell or pkr_mtsi. Because these crypters are shared only privately rather than sold openly, their reuse helps researchers map trusted providers and their clients. As a result, a single crypted sample can quietly expose an entire supply chain.
Access brokers and edge-device exploitation
Initial-access brokers remain the key enabling layer. For instance, X-Force ties Interlock activity to TAG-124, also known as LandUpdate808 and KongTuke. This traffic distribution system has repeatedly delivered payloads through ClickFix lures and trojanized installers.
Interlock has also moved toward exploiting network edge devices. In March 2026, Amazon threat intelligence documented an intrusion that exploited CVE-2026-20131. That flaw is a critical, unauthenticated deserialization bug in Cisco Secure Firewall Management Center. When exploited successfully, it grants remote code execution as root.
Separately, the group used a local privilege-escalation exploit based on CVE-2023-36036, a Windows CLFS flaw. X-Force found a closely matching implementation on an Interlock staging server in early 2026.
Inside Interlock’s staging servers
X-Force analyzed payloads on servers likely run by Hive0163. The arsenal mixed legitimate software, open-source tooling, and custom malware. Consequently, the group looks both broad and highly adaptable.
The servers held utilities such as AZcopy, Advanced Port Scanner, Certify, and several credential stealers. Investigators also recovered a custom Windows Defender Application Control policy. Cleverly, that policy allowed the group’s own malware while blocking Defender, SmartScreen, and Sophos components. In other words, the actors rewired the host’s defenses before deploying ransomware.
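As an added example that is not part of the X-Force report or this article, the following Python audits a WDAC policy in XML source form for the pattern described above: deny rules aimed at security-product binaries, allow rules covering user-writable paths, and the unsigned-policy option that lets such a policy be dropped in without a signature. The sample policy, the component name list and the path list are constructed for illustration, not taken from any recovered policy.

```python
import xml.etree.ElementTree as ET

NS = {"si": "urn:schemas-microsoft-com:sipolicy"}  # WDAC policy XML namespace

# Constructed sample in the WDAC XML source schema; not a policy recovered from any actor.
SAMPLE_POLICY = """<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy">
  <VersionEx>10.0.0.0</VersionEx>
  <Rules>
    <Rule><Option>Enabled:Unsigned System Integrity Policy</Option></Rule>
    <Rule><Option>Enabled:UMCI</Option></Rule>
  </Rules>
  <FileRules>
    <Deny ID="ID_DENY_1" FriendlyName="engine" FileName="MsMpEng.exe" MinimumFileVersion="65535.65535.65535.65535"/>
    <Deny ID="ID_DENY_2" FriendlyName="endpoint" FileName="SophosHealth.exe" MinimumFileVersion="65535.65535.65535.65535"/>
    <Allow ID="ID_ALLOW_1" FriendlyName="staging" FilePath="%OSDRIVE%\\ProgramData\\*"/>
    <Allow ID="ID_ALLOW_2" FriendlyName="windows" FilePath="%WINDIR%\\*"/>
  </FileRules>
</SiPolicy>
"""

# Substrings identifying Defender, SmartScreen and Sophos binaries (constructed list; extend per estate).
SECURITY_COMPONENTS = ("msmpeng", "mpcmdrun", "nissrv", "mssense", "smartscreen", "sophos")
# Directories a standard user can normally write to; an Allow rule here is a red flag (constructed list).
USER_WRITABLE = ("programdata", "\\users\\", "\\temp\\", "appdata")


def audit_wdac_policy(xml_text: str) -> list[tuple[str, str, str]]:
    """Return (finding, rule_id, target) triples for suspicious rules in a WDAC policy."""
    root = ET.fromstring(xml_text)
    findings = []
    # An unsigned policy can be replaced by any local admin, so it offers no tamper protection.
    for opt in root.findall("./si:Rules/si:Rule/si:Option", NS):
        if (opt.text or "").strip() == "Enabled:Unsigned System Integrity Policy":
            findings.append(("unsigned-policy", "-", opt.text.strip()))
    # Deny rules naming security-product binaries disable the host's defenses through the policy itself.
    for deny in root.findall("./si:FileRules/si:Deny", NS):
        target = (deny.get("FileName") or deny.get("FilePath") or deny.get("FriendlyName") or "").lower()
        if any(tok in target for tok in SECURITY_COMPONENTS):
            findings.append(("deny-security-component", deny.get("ID", "-"), target))
    # Allow rules on user-writable paths let arbitrary dropped payloads run under the policy.
    for allow in root.findall("./si:FileRules/si:Allow", NS):
        path = allow.get("FilePath") or ""
        if any(tok in path.lower() for tok in USER_WRITABLE):
            findings.append(("allow-user-writable-path", allow.get("ID", "-"), path))
    return findings


if __name__ == "__main__":
    for finding in audit_wdac_policy(SAMPLE_POLICY):
        print(*finding, sep="\t")
```

Deployed policies are usually compiled to binary .cip files; run this against the XML source kept in configuration management, or against a policy converted back to XML, and compare the result with the set of rules your team actually authored.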
What defenders should take away
The research carries a clear lesson for security teams. Blocking only the final ransomware binary comes far too late in the intrusion. Instead, defenders must watch the full chain of brokers, downloaders, crypters, and staging servers.
Several practical steps help here. Teams should monitor for ClickFix-style browser prompts and suspicious PowerShell execution. Additionally, they should review remote-management tools like ConnectWise ScreenConnect for unauthorized use. Finally, isolating affected systems quickly can stop lateral movement through RDP and SOCKS5 tunnels.
Above all, the Interlock and Rhysida ransomware story shows how modern crime runs on a shared economy. Brokers, loaders, and private crypters now form the backbone of both operations. Therefore, treating either group as a lone actor underestimates the wider threat.