Hackers are abusing 'FileFix' technique to drop RATs during ransomware attacks
ClickFix evolved to FileFix, but the results are the same

- FileFix is a new technique to deploy malware, born out of ClickFix
- It works by tricking users into pasting commands into File Explorer
- The resulting compromise leads to Interlock encryptors

The dreaded ClickFix malware deployment technique has evolved, and the new variant - dubbed ‘FileFix’ - is being used in ransomware attacks.
ClickFix is a technique in which victims are presented with a fake problem (for example, a fake CAPTCHA, or a fake virus infection alert), and then provided with a fix. That “fix” usually revolves around pasting into the Windows Run dialog a command that the compromised website’s JavaScript has copied to the clipboard.
The command, in most cases, is to download and run a piece of malware.
Interlock ransomware
Now, FileFix builds on that foundation. Instead of pasting commands into Run, victims are told to paste a copied string into File Explorer's address bar. Thanks to comment syntax, the string looks like a file path but is, in fact, a PowerShell command.
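The check below is an added example for defenders, not code from the original article or the researchers. It splits a pasted string at the first `#` that PowerShell would treat as a comment start and flags an interpreter call followed by a path-looking comment. The interpreter watch-list, the function names and the sample strings are assumptions constructed for illustration.

```python
import re
from typing import NamedTuple, Optional

# Assumed watch-list of interpreters; extend it for your environment.
INTERPRETER = re.compile(r"(?i)\b(powershell|pwsh|cmd|mshta)(\.exe)?\b")
# Drive-letter or UNC prefix, i.e. what a real address-bar path starts with.
PATH_LIKE = re.compile(r"^\s*([A-Za-z]:\\|\\\\)\S")


class Finding(NamedTuple):
    command: str           # text the shell would actually run
    decoy: Optional[str]   # comment text after '#', if any
    flagged: bool          # interpreter call followed by a path-like comment


def split_comment(text: str):
    """Split at the first '#' that starts a PowerShell comment:
    outside quotes and at the beginning of a token."""
    quote = None
    for i, ch in enumerate(text):
        if quote:
            if ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
        elif ch == "#" and (i == 0 or text[i - 1].isspace()):
            return text[:i].rstrip(), text[i + 1:].strip()
    return text.strip(), None


def inspect_pasted(text: str) -> Finding:
    """Classify a string a user was told to paste into the address bar."""
    command, decoy = split_comment(text)
    runs_interpreter = bool(INTERPRETER.search(command))
    decoy_is_path = decoy is not None and bool(PATH_LIKE.match(decoy))
    return Finding(command, decoy, runs_interpreter and decoy_is_path)


# Constructed samples: a real path, a share name containing '#', an inert decoy string.
SAMPLES = [
    r"C:\Users\alice\Documents\report.docx",
    r"\\fileserver\share\Q3 #2 budget.xlsx",
    r'powershell.exe -c "Write-Output inert-test" # C:\Company\Shared\HR-Policy.docx',
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(inspect_pasted(s).flagged, "|", s)
```

The same logic can run over clipboard contents in a browser-isolation layer or over command lines of processes spawned by `explorer.exe` in EDR telemetry.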
In a few attacks which the researchers spotted in the wild, running this command through File Explorer delivers a PHP-based variant of Interlock Remote Access Trojan (RAT).
This RAT executes a number of different commands, including gathering system and network information. It also enumerates Active Directory, checks for backups, navigates local directories, and examines domain controllers. Ultimately, the RAT can deploy the Interlock ransomware encryptor.
Interlock first emerged in late September 2024, with public detection in November 2024. It gained attention for its novel FreeBSD-targeting encryptors alongside Windows variants.
Among its more notable victims are Wayne County, Michigan, Texas Tech University Health Sciences Center, Heritage Bank & McCormick–Priore, and Kettering Health.
It is known for using the standard double-extortion tactic, exfiltrating sensitive company files before encrypting the systems.
As of mid-2025, Interlock has claimed about 14 known attacks, roughly one-third in healthcare. This change in delivery tactics suggests the ransomware is being actively developed, and that it will continue to pose a major threat to organizations around the world.
Via BleepingComputer
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.