Interlock ransomware evolving under the radar
April 16, 2025, 2:51 p.m.
Description
The Interlock ransomware group, active since September 2024, has shown adaptability and innovation in its tactics despite a relatively low victim count. The group uses fake browser updates and the ClickFix technique for initial access, followed by a multi-stage attack chain involving PowerShell backdoors, credential stealers, and a custom Remote Access Trojan. It targets various sectors across North America and Europe, conducting Big Game Hunting and double extortion campaigns. Interlock has been observed improving its tools, including evolving its PowerShell backdoor and modifying its ransom notes to emphasize legal repercussions. The group's focus on maintaining relevance while avoiding large-scale visibility suggests a strategic approach to its operations.
Date
- Created: April 16, 2025, 2 p.m.
- Published: April 16, 2025, 2 p.m.
- Modified: April 16, 2025, 2:51 p.m.