Interlock Ransomware Targeting Businesses
Sept. 1, 2025, 8:32 a.m.
Description
The Interlock ransomware group has been actively targeting businesses and critical infrastructure in North America and Europe since September 2024. Its ransomware encrypts files with AES-256-GCM and protects the keys with RSA-4096, using the OpenSSL library for efficient file encryption. The malware uses code obfuscation techniques and accepts specific arguments for various behaviors. It excludes certain folders, file extensions, and files from encryption to avoid system damage. The ransomware changes file extensions to '.!NT3RLOCK' and may terminate processes during encryption. Interlock's operations involve data theft and threats of public disclosure as ransom leverage. The group uses a Tor-based negotiation site and references legal regulations to pressure victims. To counter this threat, offsite data backups and regular recovery drills are recommended.
Date
- Created: Aug. 29, 2025, 8:20 p.m.
- Published: Aug. 29, 2025, 8:20 p.m.
- Modified: Sept. 1, 2025, 8:32 a.m.
Additional Information
- United States of America