FBI urges users to beware worrying Interlock ransomware attacks


  • FBI, CISA, HHS, and MS-ISAC issue a joint statement on Interlock
  • They described the group's MO and usual tactics
  • The advisory details mitigation techniques, too

The Federal Bureau of Investigation (FBI) is urging organizations to beware of ransomware attacks from the increasingly notorious Interlock ransomware group.

In a new security advisory, jointly published with the Cybersecurity and Infrastructure Security Agency (CISA), the Department of Health and Human Services (HHS), and the Multi-State Information Sharing and Analysis Center (MS-ISAC), Interlock was described as a financially motivated ransomware group first spotted in September 2024.

The group usually targets businesses and critical infrastructure organizations in North America and Europe, engaging in the usual double-extortion tactic - stealing data, then encrypting systems to coerce victims into paying. It adds more pressure by threatening to release the files on the dark web, too.


Rich tech stack

Describing Interlock’s methodology, the agencies said they usually gain initial access through drive-by downloads from compromised websites, fake browser and security updates, or ClickFix tactics.

Once initial access is established, the crooks would drop a myriad of tools that would grant them different abilities: PowerShell-based remote access trojans (RAT) for access, Lumma, Berserk, and other keyloggers for credential theft, various registry key modifications for system info gathering, AnyDesk, PuTTY, or ScreenConnect for lateral movement, and CobaltStrike, SystemBC, and others for command-and-control.

Interlock has developed encryptors for both Windows and Linux, it was further explained, with encrypted files getting either a .interlock or a .1nt3rlock extension. The group makes no upfront demand: its ransom note only contains a Tor link for negotiations, which are usually capped at 96 hours.
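The two file extensions above are the kind of artifact a file-server audit log will surface long before a ransom note is read. As an added example (not code from the advisory or from any vendor), the script below parses constructed rename events and flags any host where a burst of renames to .interlock or .1nt3rlock lands within a short window; the log format, host names and paths are assumptions made up for the sample.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Extensions the advisory attributes to Interlock's Windows and Linux encryptors.
INTERLOCK_EXTENSIONS = (".interlock", ".1nt3rlock")

# Constructed sample of file-rename audit events (timestamp host rename old -> new).
# The format and every value here are made up for this example, not real telemetry.
SAMPLE_EVENTS = r"""
2025-07-22T09:14:01Z fileserver01 rename D:\Shares\Finance\q2.xlsx -> D:\Shares\Finance\q2.xlsx.interlock
2025-07-22T09:14:02Z fileserver01 rename D:\Shares\Finance\q3.xlsx -> D:\Shares\Finance\q3.xlsx.interlock
2025-07-22T09:14:02Z fileserver01 rename D:\Shares\HR\payroll.docx -> D:\Shares\HR\payroll.docx.interlock
2025-07-22T09:14:03Z fileserver01 rename D:\Shares\HR\policy.pdf -> D:\Shares\HR\policy.pdf.interlock
2025-07-22T09:14:03Z fileserver01 rename D:\Shares\HR\handbook.pdf -> D:\Shares\HR\handbook.pdf.interlock
2025-07-22T10:30:15Z esx-backup01 rename /vmfs/volumes/ds1/web01.vmdk -> /vmfs/volumes/ds1/web01.vmdk.1nt3rlock
2025-07-22T11:02:44Z workstation07 rename C:\Users\bob\notes.txt -> C:\Users\bob\notes.txt.bak
"""

LINE_RE = re.compile(r"^(\S+) (\S+) rename (.+?) -> (.+)$")

def parse_events(text):
    """Return a list of (timestamp, host, old_path, new_path); malformed lines are skipped."""
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events

def has_interlock_extension(path):
    return path.lower().endswith(INTERLOCK_EXTENSIONS)

def scan(events, window=timedelta(seconds=60)):
    """Return {host: (total_interlock_renames, peak_renames_in_any_window)} for hosts with hits."""
    per_host = defaultdict(list)
    for ts, host, _old, new in events:
        if has_interlock_extension(new):
            per_host[host].append(ts)
    report = {}
    for host, times in per_host.items():
        times.sort()
        peak, start = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        report[host] = (len(times), peak)
    return report

def burst_hosts(report, threshold=5):
    """Hosts whose peak rename rate reaches the threshold, i.e. likely mid-encryption."""
    return sorted(h for h, (_total, peak) in report.items() if peak >= threshold)

if __name__ == "__main__":
    rep = scan(parse_events(SAMPLE_EVENTS))
    for host in burst_hosts(rep):
        print(f"ALERT {host}: {rep[host][1]} Interlock-extension renames within 60s")
```

A single hit such as the backup host above is still worth a look; the burst threshold only ranks which host to isolate first.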

The FBI also said that it spotted some overlaps with another ransomware group called Rhysida, suggesting either a potential team-up or simply shared infrastructure.

To defend against Interlock, FBI and friends recommend businesses patch their systems and software, use DNS filtering and web firewalls, enforce multi-factor authentication (MFA) and strong access controls wherever possible, segment their networks to limit spread, and deploy robust EDR tools, especially for virtual machines.


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
