Interlock Ransomware: New Techniques, Same Old Tricks
Essential information
- Published: 30/01/2026 08:23
- Modified: 30/01/2026 08:50
- Tags: 2026-01-30 data exfiltration education sector hotta killer interlockrat lateral movement mintloader nodesnakerat persistence ransomware zero-day
- Related entities: 1 vulnerabilities (cve), 8 observables, 1 intrusion sets (apt), 10 techniques (mitre), 4 malware, 25 others
Description
The Interlock ransomware group continues to target organizations worldwide, particularly in the UK and US education sector. Unlike other ransomware groups, Interlock operates independently, developing and using their own malware. This article details a recent intrusion, highlighting the group's ability to adapt techniques and tooling. The attack involved multiple stages, including initial access via MintLoader, use of custom malware like NodeSnakeRAT and InterlockRAT, and deployment of a novel process-killing tool exploiting a zero-day vulnerability. The adversaries used various techniques for persistence, lateral movement, and data exfiltration before ultimately deploying ransomware. The intrusion demonstrates the importance of threat hunting and integrating threat intelligence to identify compromises before significant impact occurs.