The U.S. government has issued a critical cybersecurity advisory warning of increased activity by the Interlock ransomware group, whose attacks are impacting organizations across sectors, including healthcare, defense, education, and local government. The joint alert — issued by the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), Department of Health and Human Services (HHS), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) — highlights a significant escalation in threat activity throughout 2024 and into mid-2025.
A Growing Threat to Critical Infrastructure
First identified in September 2024, the Interlock ransomware group has quickly gained notoriety for its aggressive tactics, sophisticated capabilities, and apparent focus on high-value targets in North America and Europe. Recent campaigns have compromised major entities such as Kettering Health and National Defense Corporation, exfiltrating terabytes of sensitive data and severely disrupting operations.
The group operates under a double extortion model, where data is both encrypted and stolen prior to ransom negotiations. Victims face not only downtime and data loss, but also the threat of public exposure if ransoms are not paid.
Attack Techniques and Tools
Interlock’s operations are distinguished by their technical depth and social engineering sophistication. According to the advisory, attackers have employed a combination of advanced tooling and novel exploitation methods:
- Initial Access:
  - Drive-by downloads from compromised legitimate websites.
  - Social engineering methods branded as ClickFix and FileFix, which mislead users into executing malicious scripts disguised as technical support or identity verification processes.
- Persistence and Lateral Movement:
  - Deployment of Remote Access Trojans (RATs) written in JavaScript and PHP.
  - Extensive use of AnyDesk, PuTTY, and ScreenConnect for persistent remote access.
- Credential Theft & Data Exfiltration:
  - Distribution of commodity infostealers such as Lumma Stealer and Berserk Stealer.
  - Use of tools like AzCopy and WinSCP to exfiltrate gigabytes to terabytes of data to remote infrastructure.
- Encryption:
  - Targeting of both Windows and Linux environments, including virtual machines, with payloads that append file extensions such as .interlock or .1nt3rlock.
  - Delivery of ransom notes named !__README__!.txt, directing victims to contact attackers via Tor-based onion services.
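The encryption-stage indicators listed above (the appended extensions and the ransom note name) are the ones a responder can check for on a file share or disk image without any specialist tooling. The following scanner is an added example written for this summary, not code from the advisory; it takes a plain file listing, counts files by appended extension, records which directories hold ransom notes, and flags the combination. The sample listing is constructed, and the `walk_tree` helper is only there to feed a live directory tree into the same function.

```python
import os
from collections import Counter

# Indicators as described in the advisory summary above.
ENCRYPTED_EXTENSIONS = {".interlock", ".1nt3rlock"}
RANSOM_NOTE_NAME = "!__README__!.txt"


def classify_path(path):
    """Return 'note', 'encrypted' or None for a single file path."""
    name = os.path.basename(path)
    if name == RANSOM_NOTE_NAME:
        return "note"
    # splitext keeps only the last extension, so 'q2.xlsx.interlock' -> '.interlock'
    ext = os.path.splitext(name)[1].lower()
    if ext in ENCRYPTED_EXTENSIONS:
        return "encrypted"
    return None


def scan_listing(paths):
    """Summarise a file listing for Interlock encryption indicators.

    Returns counts per appended extension, the directories containing ransom
    notes, the directories containing renamed files, and an overall flag that
    is set only when both a note and renamed files are present.
    """
    by_ext = Counter()
    note_dirs, encrypted_dirs = set(), set()
    for path in paths:
        kind = classify_path(path)
        parent = os.path.dirname(path)
        if kind == "note":
            note_dirs.add(parent)
        elif kind == "encrypted":
            by_ext[os.path.splitext(path)[1].lower()] += 1
            encrypted_dirs.add(parent)
    return {
        "encrypted_by_ext": dict(by_ext),
        "note_dirs": sorted(note_dirs),
        "encrypted_dirs": sorted(encrypted_dirs),
        "likely_interlock": bool(note_dirs) and sum(by_ext.values()) > 0,
    }


def walk_tree(root):
    """Yield every file path under root, for scanning a mounted share or image."""
    for dirpath, _, names in os.walk(root):
        for n in names:
            yield os.path.join(dirpath, n)


# Constructed sample listing (not real victim data) used to exercise the scanner.
SAMPLE_LISTING = [
    "/srv/share/finance/q2.xlsx.interlock",
    "/srv/share/finance/!__README__!.txt",
    "/srv/share/hr/contracts.pdf.1nt3rlock",
    "/srv/share/hr/!__README__!.txt",
    "/srv/share/public/readme.txt",
]

if __name__ == "__main__":
    print(scan_listing(SAMPLE_LISTING))
```

On a live host, `scan_listing(walk_tree("/srv/share"))` runs the same check over a real tree; a hit on `likely_interlock` is a reason to isolate the host and preserve the listing, not to start cleanup.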
High-Profile Incidents
Interlock’s expanding list of victims includes:
- Kettering Health (Health Sector): Operations severely disrupted, with patient and organizational data leaked.
- DaVita: Approximately 1.5 TB of internal data exfiltrated.
- National Defense Corporation and AMTEC: Over 3.6 million sensitive files stolen, including defense engineering data.
- UK Universities and Government Agencies: Targeted through a customized Node.js RAT known as NodeSnake.
These attacks reflect a coordinated strategy targeting entities with national security implications and the potential to pay large ransoms under pressure.