Key Findings

  • We revisit Interlock’s 1-year history and identify three phases of operation:
    • Phase 1 – Emergence (September – October 2024)
    • Phase 2 – Capability expansion (November 2024 – January 2025)
    • Phase 3 – Operational maturity (since February 2025)
  • We analyze their current TTPs and detail the most relevant:
    • Initial access includes social engineering (ClickFix/FileFix) and credentials purchased from initial access brokers (IABs).
    • Session hijacking with valid tokens allows attackers to impersonate users without knowing passwords or completing MFA challenges.
    • Abuse of legitimate cloud utilities like AzCopy and Cloudflare tunnel services for command and control (C2) and data exfiltration.
    • Execution and persistence with four variants of a custom remote access trojan (RAT).
    • Encryption of assets beyond Windows, such as BSD servers and virtual machines in ESXi hypervisors, amplifies operational impact.
    • New intelligence includes code excerpts for Interlock’s PowerShell RAT, as well as their Putty and Posh-SSH executions.
  • Further analysis points to a growing cybercriminal enterprise:
    • “Big game hunting” focused on sectors that maximize ransom payment leverage: 85% of victims in healthcare, government, or manufacturing.
    • Potential associations with Rhysida, Vice Society (Vanilla Tempest), and commodity malware operators, including SocGholish.

Mitigation Recommendations

  • For each analyzed TTP we present detection and hunting opportunities; see the sections below for guidance on Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Command and Control, and Exfiltration.
  • Deploy risk-based conditional access policies.
  • Use behavioral analysis to help detect and prevent session hijacking techniques.

In one year, Interlock evolved from an unknown entity developing yet another “infostealing” Remote Access Trojan (RAT) into an emergency-level threat to organizations in healthcare, government, and manufacturing.

We started tracking Interlock in September 2024. We labelled their first intrusions as Chaya_002, which later proved to be a Traffic Distribution System (TDS) – a key component in Interlock’s double-extortion ransomware operations.

One year later, the group has claimed over 60 victims – over 50 in 2025 alone – distributed as follows.

Interlock continues to evolve by diversifying its initial access methods while keeping a consistent post-exploitation playbook that relies on cloud-native data exfiltration and cross-platform encryption.

Here, we revisit their history and analyze their current tactics, techniques, and procedures (TTPs), including a dangerous combination of social engineering, abuse of legitimate or administrative tools, short dwell times of 15-24 days on average, and use of trusted cloud services for exfiltration. Based on this analysis, we provide risk mitigation recommendations, including threat detection and hunting opportunities.

Interlock Evolution and Current TTPs

The earliest confirmed Interlock incidents established several technical signatures that persist throughout their operations, including Cloudflare tunnel services (via trycloudflare.com domains) for command and control (C2) and backup infrastructure hosted on BLNWX and Hetzner autonomous systems.

Using the diamond model and these signatures, we trace Interlock’s first year of existence and divide its operations into three phases:

  • Phase 1 – Emergence (September – October 2024)
    • Adversary: Unknown actor with financial motivation and medium sophistication
    • Capability: Basic PowerShell backdoor focused on credential theft
    • Infrastructure: Cloudflare tunnels with hardcoded backup IPs
    • Victims: Opportunistic targeting with limited scale
  • Phase 2 – Capability Expansion (October 2024 – January 2025)
    • Adversary: “Interlock” name emerges, organized team suspected
    • Capability: Multi-language RAT family with sophisticated reconnaissance
    • Infrastructure: Previous core kept and Azure exfiltration added
    • Victims: Healthcare/government targeting pattern emerges
  • Phase 3 – Operational Maturity (since February 2025)
    • Adversary: Adoption of RaaS model and possible link with other groups
    • Capability: Full attack lifecycle and cross-platform encryption
    • Infrastructure: Mature, redundant, cloud-native
    • Victims: Confirmed big-game hunting pattern

The table below summarizes their current TTPs. In the next section we analyze the most relevant ones in detail to describe their current attack lifecycle.

Tactic | Technique | Procedure examples
--- | --- | ---
TA0001 – Initial Access | T1189 – Drive-by Compromise | Compromise legitimate websites to host and deliver malicious payloads
TA0001 – Initial Access | T1204.004 – User Execution: Malicious Copy and Paste | ClickFix/FileFix to trick users into executing malicious commands
TA0001 – Initial Access | T1078 – Valid Accounts | Leverage previously compromised credentials
TA0002 – Execution | T1059.001 – Command and Scripting Interpreter: PowerShell | PowerShell for backdoor execution, reconnaissance, persistence, and downloading additional payloads
TA0002 – Execution | T1218.011 – System Binary Proxy Execution: Rundll32 | rundll32.exe to execute malicious DLLs, such as the keylogger and cleanup tools
TA0003 – Persistence | T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Create registry Run keys or files/shortcuts in the Startup folder
TA0003 – Persistence | T1053.005 – Scheduled Task/Job: Scheduled Task | Scheduled tasks to execute malware at recurring intervals or on system startup
TA0004 – Privilege Escalation | T1078.002 – Valid Accounts: Domain Accounts | Compromise domain administrator accounts for broad network access
TA0004 – Privilege Escalation | T1558.003 – Steal or Forge Kerberos Tickets: Kerberoasting | Kerberoasting to extract password hashes for offline cracking and privilege escalation
TA0005 – Defense Evasion | T1036.005 – Masquerading: Match Legitimate Name or Location | Malicious files impersonating legitimate system files like conhost.exe
TA0005 – Defense Evasion | T1562.001 – Impair Defenses: Disable or Modify Tools | Disable EDR on compromised systems
TA0005 – Defense Evasion | T1070.004 – Indicator Removal: File Deletion | Delete the ransomware binary and other tools after execution to hinder forensic analysis
TA0005 – Defense Evasion | T1070.001 – Indicator Removal: Clear Windows Event Logs | Clear Windows Event Logs to erase traces of activity
TA0006 – Credential Access | T1003 – OS Credential Dumping | Dump credentials using an injected process via an established C2
TA0006 – Credential Access | T1056.001 – Input Capture: Keylogging | Keylogger (klg.dll) deployed to capture keystrokes, including passwords
TA0006 – Credential Access | T1555.003 – Credentials from Web Browsers | Infostealers like Lumma and Berserk to extract stored credentials
TA0007 – Discovery | T1082 – System Information Discovery | systeminfo to gather details about the host operating system and hardware
TA0007 – Discovery | T1033 – System Owner/User Discovery | whoami to identify the current user and their privilege level
TA0007 – Discovery | T1007 – System Service Discovery | tasklist /svc and Get-Service to enumerate running services, often to identify security tools
TA0007 – Discovery | T1016 – System Network Configuration Discovery | arp -a to discover other hosts on the local network segment
TA0007 – Discovery | T1083 – File and Directory Discovery | Get-PSDrive to map available drives and shares
TA0008 – Lateral Movement | T1021.001 – Remote Services: Remote Desktop Protocol | RDP with stolen credentials
TA0008 – Lateral Movement | T1219 – Remote Access Software | Legitimate tools like AnyDesk and PuTTY to facilitate persistent access and lateral movement
TA0011 – Command and Control | T1105 – Ingress Tool Transfer | Tools like RATs, stealers, and the encryptor downloaded from C2 servers
TA0010 – Exfiltration | T1567.002 – Exfiltration to Cloud Storage | AzCopy to exfiltrate stolen data
TA0040 – Impact | T1486 – Data Encrypted for Impact | Ransomware payload deployed to encrypt files, with a focus on virtual machines

TTP/Attack Lifecycle Analysis

TA0001 – Initial Access

Interlock uses two main initial compromise methods to ensure a continuous flow of new victims: social engineering and credentials acquired via initial access brokers (IABs).

Social Engineering

The threat actor usually delivers a similar PowerShell backdoor – sometimes with hardcoded decryption passwords – via two social engineering techniques:

  • Compromised websites. In Phases 1 and 2, starting in September 2024, they used a TDS targeting websites of local news, small businesses and community forums to serve malicious JavaScript that triggered fake update prompts or application error messages for Chrome, Teams and other business software. By February 2025, at the beginning of Phase 3, they also impersonated remote connectivity software such as FortiClient VPN and Cisco AnyConnect.
  • ClickFix and FileFix. This vector is a recent trend among several threat actors and was added to Interlock’s tradecraft by March, already in Phase 3. In ClickFix attacks, victims encounter fake CAPTCHA prompts or messages asking them to “fix a browser error” by opening the Run dialog, then pasting and executing a provided command. The command launches PowerShell to download and run a backdoor. In the FileFix variant, users are asked to paste the command into the File Explorer address bar, with the same effect.

The delivered backdoor is the custom “Interlock RAT” detailed in the next section. In one Interlock intrusion via ClickFix detailed publicly in May 2025, the commodity loader SocGholish was reportedly installed. We have not observed this first-hand. Details are in the “connections to other cybercriminal groups” section below.

Credentials Acquired via IABs

Credentials acquired via IABs often give Interlock operators immediate privileged access to targets, removing the need for privilege escalation, reducing dwell time, and letting them operate through legitimate access methods. In observed incidents, the time between credential purchase and encryption deployment averages two to three weeks.

Intrusion patterns suggest that Interlock purchases administrative VPN credentials, RDP access to domain-joined systems, Microsoft 365 credentials with global administrator or privileged roles, and privileged service accounts with Kerberos authentication.

Following successful access via this method, the threat actor deploys commodity C2 frameworks such as Cobalt Strike beacons configured with standard malleable C2 profiles, SystemBC proxy malware enabling additional C2 channels, keyloggers, and custom “Interlock RAT” variants.

TA0002 – Execution and TA0003 – Persistence via “Interlock RAT”

Regardless of initial access vector, Interlock operations have consistent execution and persistence via the custom “Interlock RAT” and abuse of Windows native functionality. This suggests centralized post-exploitation even if initial compromise occurs through multiple affiliate or partnership channels.

“Interlock RAT” is a family of functionally similar but technically distinct RATs. There are at least four major variants, each written in a different language, likely to evade signature-based detection and to adapt to different targets:

  • PowerShell. The primary first-stage implant deployed through social engineering. Upon execution, it downloads an additional PowerShell script and profiles the system: systeminfo output, running processes (tasklist), services, installed software, desktop files, drives, ARP cache entries, RDP connection records (event ID 1149), network connections (netstat), login/logout events, and browser history and bookmarks. Each result is stored as JSON in its own .txt file (such as tasklist.txt and arp.txt) inside a timestamped directory, C:\Users\$env:username\AppData\Local\Temp\$dirName, where $dirName = (Get-Date).ToString("dd-MM-yyyy_HH-mm-ss"), ready for automated processing and exfiltration to C2. The C2 implementation abuses the Cloudflare Tunnel service, with hardcoded backup IP addresses in BLNWX and Hetzner ranges. For persistence, it creates both Startup folder shortcuts and registry Run key entries.
  • Java. Not observed firsthand, but it was reported by the industry as active in January. The choice of Java suggests experimentation with language diversification for evasion, cross-platform targeting (though reported deployments focused on Windows) or use by a different team. Functional capabilities are consistent with other variants.
  • Node.js. This full-featured variant – also known as NodeSnake and reported in June – implements a modular architecture with no identified relation to public codebases, indicating completely custom development. It extends capabilities to include file upload and download, process management with injection and hollowing, credential harvesting via custom and commodity stealers, and screenshot capture. This variant is a second-stage persistent access mechanism. Persistence is achieved via reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "ChromeUpdater" /t REG_SZ /d "[path_to_script]" /f
  • PHP. First appeared in July 2025. PHP is an uncommon language for client-side malware because it requires the installation of a PHP runtime. Interlock accomplishes that by deploying portable PHP binaries with the initial backdoor. Despite language differences, the core functionality mirrors other variants including file system access, command execution, and encrypted communication with C2 infrastructure. Apart from the change in runtime executable, all capabilities are similar to NodeSnake.

All RAT variants automatically inspect the system and scan for lateral movement targets using built-in Windows commands and PowerShell, including:

  • systeminfo for operating system version
  • net group "domain admins" to identify privileged accounts
  • quser to enumerate active user sessions
  • sc query sense to check Microsoft Defender ATP sensor status
  • Get-PSDrive to identify available file shares
  • Get-NetNeighbor to discover other network hosts
  • tasklist with service enumeration to identify security software and business applications

This output may be automatically analyzed to identify high-value targets, including: domain controllers through AD role enumeration, backup systems through service and share enumeration, database servers through named instance discovery, and virtualization infrastructure through VMware service detection.

One additional PowerShell script we observed ran as a background job to inventory all local groups and enumerate the members of each one using Active Directory Service Interfaces (ADSI WinNT:// paths). For each group member, it records the user or computer name, the unique SID (Security Identifier), the account source (Local, Active Directory, or Entra ID), and several other properties.
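The profiling behaviour described above (a burst of built-in discovery commands from one parent process, plus the timestamped output directory under Temp) is what a hunter can key on. The Python below is an added illustration written for this article, not code from the report, from the RAT, or from any vendor tool: it runs two of the hunts over constructed process-creation and file-creation events. The five-minute window and the threshold of four distinct commands are assumptions to tune against your own baseline.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Reconnaissance commands the report attributes to the Interlock RAT variants.
RECON_PATTERNS = {
    "systeminfo": re.compile(r"\bsysteminfo\b", re.I),
    "net group domain admins": re.compile(r"\bnet\s+group\s+\"?domain admins\"?", re.I),
    "quser": re.compile(r"\bquser\b", re.I),
    "sc query sense": re.compile(r"\bsc\s+query\s+sense\b", re.I),
    "Get-PSDrive": re.compile(r"\bGet-PSDrive\b", re.I),
    "Get-NetNeighbor": re.compile(r"\bGet-NetNeighbor\b", re.I),
    "tasklist": re.compile(r"\btasklist\b", re.I),
    "arp -a": re.compile(r"\barp\s+-a\b", re.I),
    "netstat": re.compile(r"\bnetstat\b", re.I),
}

# Output layout of the PowerShell variant: ...\AppData\Local\Temp\dd-MM-yyyy_HH-mm-ss\<name>.txt
RAT_OUTPUT_PATH = re.compile(
    r"\\AppData\\Local\\Temp\\\d{2}-\d{2}-\d{4}_\d{2}-\d{2}-\d{2}\\[A-Za-z]+\.txt$", re.I
)

WINDOW = timedelta(minutes=5)   # assumed: the RAT profiles the host in one quick burst
MIN_DISTINCT = 4                # assumed: admins rarely chain this many within the window


def recon_commands_in(cmdline):
    """Return the set of watch-listed reconnaissance commands present in a command line."""
    return {name for name, rx in RECON_PATTERNS.items() if rx.search(cmdline)}


def recon_bursts(process_events, window=WINDOW, min_distinct=MIN_DISTINCT):
    """Flag (host, parent PID) pairs launching >= min_distinct distinct recon commands within window.

    process_events: dicts with ts (ISO 8601), host, parent_pid, cmdline (e.g. Sysmon 1 / Security 4688).
    """
    by_parent = defaultdict(list)
    for ev in process_events:
        hits = recon_commands_in(ev["cmdline"])
        if hits:
            by_parent[(ev["host"], ev["parent_pid"])].append((datetime.fromisoformat(ev["ts"]), hits))

    alerts = []
    for (host, ppid), rows in by_parent.items():
        rows.sort(key=lambda r: r[0])
        for i, (start, _) in enumerate(rows):          # sliding window anchored at each event
            seen = set()
            for ts, hits in rows[i:]:
                if ts - start > window:
                    break
                seen |= hits
            if len(seen) >= min_distinct:
                alerts.append({"host": host, "parent_pid": ppid, "start": start.isoformat(),
                               "commands": sorted(seen)})
                break                                   # one alert per parent process is enough
    return alerts


def rat_output_files(file_events):
    """Return paths of created files that match the RAT's timestamped Temp directory layout."""
    return [ev["path"] for ev in file_events if RAT_OUTPUT_PATH.search(ev["path"])]


# Constructed sample telemetry (not taken from a real intrusion).
SAMPLE_PROCESS_EVENTS = [
    # An administrator running a single command on a jump host: benign.
    {"ts": "2025-03-04T10:05:00", "host": "ADMIN-JUMP", "parent_pid": 4812, "cmdline": "systeminfo"},
    # One PowerShell parent on a workstation chaining the RAT's profiling commands.
    {"ts": "2025-03-04T10:22:41", "host": "WS-0417", "parent_pid": 7320, "cmdline": "systeminfo"},
    {"ts": "2025-03-04T10:22:42", "host": "WS-0417", "parent_pid": 7320, "cmdline": "tasklist /svc"},
    {"ts": "2025-03-04T10:22:43", "host": "WS-0417", "parent_pid": 7320,
     "cmdline": 'net group "domain admins" /domain'},
    {"ts": "2025-03-04T10:22:44", "host": "WS-0417", "parent_pid": 7320, "cmdline": "quser"},
    {"ts": "2025-03-04T10:22:45", "host": "WS-0417", "parent_pid": 7320, "cmdline": "sc query sense"},
    {"ts": "2025-03-04T10:22:46", "host": "WS-0417", "parent_pid": 7320, "cmdline": "arp -a"},
]

SAMPLE_FILE_EVENTS = [
    {"host": "WS-0417", "path": r"C:\Users\alice\AppData\Local\Temp\04-03-2025_10-22-41\tasklist.txt"},
    {"host": "WS-0417", "path": r"C:\Users\alice\AppData\Local\Temp\04-03-2025_10-22-41\arp.txt"},
    {"host": "ADMIN-JUMP", "path": r"C:\Users\bob\AppData\Local\Temp\report.txt"},
]

if __name__ == "__main__":
    for alert in recon_bursts(SAMPLE_PROCESS_EVENTS):
        print("recon burst:", alert)
    for path in rat_output_files(SAMPLE_FILE_EVENTS):
        print("RAT output file:", path)
```

Grouping by parent PID rather than by host is the point: a single administrator session also runs these commands over a day, but the RAT runs them from one PowerShell parent within seconds. Pair the burst alert with the file-path match on the same host to raise confidence before paging anyone.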

TA0006 – Credential Access

After execution, Interlock deploys both commodity and custom infostealers to escalate privileges and enable lateral movement. Observed tools include:

  • Lumma Stealer configured to extract passwords from Chrome, Edge, and Firefox. The actor harvests passwords for cloud services including Microsoft 365 webmail, VPN portals, cloud service provider consoles, and administrative portals.
  • Berserk Stealer targeting cryptocurrency wallet files and browser extension data. This appears opportunistic, potentially supporting separate financial crime operations or providing additional revenue streams beyond ransomware payments.
  • A custom keylogger loaded via rundll32.exe with filenames like klg.dll that records keystrokes and window titles for manual credential extraction.

Two credential access techniques used by the actor deserve special mention:

  • Microsoft 365 session hijacking. Interlock uses infostealers to harvest authentication tokens for Microsoft 365 services from browser memory or stored session files. These tokens for authenticated sessions allow the attacker to impersonate users without knowing passwords or completing MFA challenges (since they were already completed by the user during authentication). The stolen tokens are then validated by enumerating the compromised account’s cloud permissions, including global administrator roles, SharePoint site access, Exchange mailbox delegation, and Teams channel memberships.
  • Active Directory (AD) Credential Theft. Interlock employs AD credential theft techniques focusing on Kerberos exploitation and memory-based credential extraction. Kerberoasting attacks target service principal names associated with domain user accounts, requesting service tickets that contain hashes encrypted with the service account’s password. We also observed the actor reactivating Windows Guest accounts – usually disabled in enterprise environments – for persistence. They enable the Guest account with a new password, add it to the local Administrators group, and persist it via the registry. These Guest accounts enable lateral movement, are rarely monitored, and survive the deletion of the initially compromised domain users.

TA0008 – Lateral Movement

Armed with credentials, Interlock targets high-value systems, including domain controllers providing AD access, group policy deployment capabilities, file servers, backup systems, and VMware ESXi hosts with dozens of virtual machines.

The threat actor moves across the network using Windows-native tools and administrative protocols, as well as abused legitimate tools:

  • Remote Desktop Protocol (RDP) is a primary mechanism for lateral movement and tool deployment on target systems, used via mstsc /v:x.x.x.x
  • Windows Remote Management (WinRM) and PowerShell Remoting (PSRemoting) enable command execution for reconnaissance and automated exploitation
  • PsExec facilitates file transfer and remote service creation alongside RDP
  • Advanced Port Scanner is downloaded from advanced-port-scanner[.]com/es/ into an SMB share accessible to the actor and used for lateral movement
  • Putty and Posh-SSH are downloaded on Windows hosts and used for lateral movement to non-Windows hosts, such as ESXi servers, via puttyportable.exe -ssh [email protected] -pw 'xxx' – where xxx is a unique password used to target ESXi systems and is consistent across intrusions.
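The PuTTY/plink and Posh-SSH pattern above is unusually easy to spot on Windows endpoints because the SSH client path, the -ssh switch and the -pw password switch all land in the process command line. As an added example (written for this article, not the report's or any vendor's code), the Python below parses constructed process-creation events, extracts the [user@]host target, and scores an invocation higher when a password is passed on the command line toward a private-range address, which is the ESXi access pattern the report describes. The list of SSH client names and the Posh-SSH regular expression are assumptions you may need to extend.

```python
import ipaddress
import re

# SSH clients the report says Interlock drops on Windows hosts to reach ESXi.
SSH_CLIENTS = {"plink.exe", "putty.exe", "puttyportable.exe"}
# Posh-SSH installation or use from PowerShell outside normal administrative tooling.
POSH_SSH = re.compile(r"(Install-Module|Import-Module)\s+(-Name\s+)?Posh-SSH|New-SSHSession", re.I)
# PuTTY/plink switches that consume the next token, so that token is never the [user@]host argument.
VALUE_FLAGS = {"-pw", "-l", "-p", "-P", "-i", "-m", "-proxycmd"}


def parse_ssh_invocation(cmdline):
    """Return {image, user, target, password_on_cmdline} for plink/PuTTY command lines, else None."""
    args = cmdline.split()
    if not args:
        return None
    image = args[0].strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if image not in SSH_CLIENTS:
        return None
    info = {"image": image, "user": None, "target": None, "password_on_cmdline": False}
    for i in range(1, len(args)):
        tok = args[i]
        if tok.lower() == "-pw":
            info["password_on_cmdline"] = True
        elif not tok.startswith("-") and args[i - 1] not in VALUE_FLAGS and info["target"] is None:
            user, _, host = tok.rpartition("@")     # first positional argument is [user@]host
            info["user"] = user or None
            info["target"] = host
    return info


def is_internal_address(host):
    """True for RFC 1918 and other private addresses; hostnames are treated as unknown."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return False


def ssh_lateral_movement_findings(process_events):
    """Score process-creation events for SSH-based lateral movement toward internal (ESXi-like) hosts."""
    findings = []
    for ev in process_events:
        cmd = ev["cmdline"]
        info = parse_ssh_invocation(cmd)
        if info and info["target"]:
            high = info["password_on_cmdline"] and is_internal_address(info["target"])
            findings.append({"host": ev["host"], "technique": f"{info['image']} SSH session",
                             "user": info["user"], "target": info["target"],
                             "severity": "high" if high else "medium"})
        elif POSH_SSH.search(cmd):
            findings.append({"host": ev["host"], "technique": "Posh-SSH module use",
                             "user": None, "target": None, "severity": "medium"})
    return findings


# Constructed sample process-creation events (no real hosts or credentials).
SAMPLE_EVENTS = [
    {"host": "WS-0417",
     "cmdline": r"C:\Users\alice\AppData\Local\Temp\puttyportable.exe -ssh root@10.10.5.20 -pw 'REDACTED'"},
    {"host": "WS-0417",
     "cmdline": 'powershell.exe -NoProfile -Command "Install-Module -Name Posh-SSH -Force"'},
    {"host": "ADMIN-JUMP",
     "cmdline": r"C:\Tools\putty.exe -ssh admin@bastion.example.net -P 2222"},
    {"host": "DEV-02", "cmdline": r"C:\Windows\System32\cmd.exe /c dir"},
]

if __name__ == "__main__":
    for finding in ssh_lateral_movement_findings(SAMPLE_EVENTS):
        print(finding)
```

The "medium" finding for the jump host is deliberate: administrators do use PuTTY, so the distinguishing signals are the source (a user's Temp directory, a non-admin workstation), the password on the command line, and the destination being a hypervisor or another internal server that the user has no business reaching.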

TA0010 – Exfiltration

Exfiltration usually occurs between 72 and 96 hours before ransomware deployment to minimize detection opportunities. More recent intrusions use a ‘smash-and-grab’ approach with full-speed exfiltration and no throttling or filtering, which suggests that the operators are either affiliates with lower skills or under time pressure to avoid detection.

Interlock abuses legitimate cloud utilities to exfiltrate data and evade network monitoring, which is usually limited to file transfer protocols:

  • AzCopy – the official Azure Storage data transfer utility – is used to bulk-transfer sensitive files to Azure Storage accounts. This has several advantages for the attacker: a legitimate Microsoft signature that bypasses application whitelisting, encrypted HTTPS transfer that blends with normal cloud service traffic, high-speed parallel transfer, and reliable storage on Azure infrastructure.
  • Azure Storage Explorer provides a GUI alternative to AzCopy for manual data selection and transfer, especially while identifying high-value targets before bulk exfiltration.
  • Cloudflare tunnel domains are used for exfiltration of smaller datasets and real-time reconnaissance output. The same trycloudflare.com infrastructure used for C2 doubles as an exfiltration channel for RAT-collected data including system profiles, credentials, and screenshots.
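Because AzCopy is signed and its traffic is ordinary HTTPS to Microsoft, the useful signal is not the tool but the destination: which storage account the data is going to and how much is leaving. The Python below is an added example for this article (not the report's code or Microsoft's tooling). It parses constructed process-creation events for AzCopy transfers, extracts the destination storage account from the blob URL, compares it with an organization-maintained allow-list, and separately sums outbound bytes per host and blob endpoint from constructed flow records, which is the volume check the hunting section later describes. The allow-list, the 10 GiB threshold and the sample account names are assumptions.

```python
import re
from collections import defaultdict

# azcopy.exe anywhere in the image path; "copy" and "sync" are AzCopy's transfer subcommands.
AZCOPY = re.compile(r"(^|[\\/\"])azcopy(\.exe)?\"?\s+(copy|sync)\b", re.I)
# Azure Blob endpoint; group 1 is the storage account name.
BLOB_URL = re.compile(r"https://([a-z0-9]{3,24})\.blob\.core\.windows\.net[^\s\"']*", re.I)


def azcopy_findings(process_events, approved_accounts):
    """Flag AzCopy transfers whose destination storage account is not on the organization's approved list."""
    approved = {a.lower() for a in approved_accounts}
    findings = []
    for ev in process_events:
        cmd = ev["cmdline"]
        if not AZCOPY.search(cmd):
            continue
        for m in BLOB_URL.finditer(cmd):
            account, url = m.group(1).lower(), m.group(0)
            findings.append({
                "host": ev["host"], "user": ev["user"], "account": account,
                "approved": account in approved,
                "sas_token": "sig=" in url.lower(),        # a SAS token grants access without an org identity
                "recursive": "--recursive" in cmd.lower(),
                "severity": "low" if account in approved else "high",
            })
    return findings


def blob_upload_volumes(flows, threshold_bytes):
    """Sum bytes sent per (host, blob endpoint) and return the pairs at or above threshold_bytes."""
    totals = defaultdict(int)
    for f in flows:
        dst = f["dst"].lower()
        if dst.endswith(".blob.core.windows.net"):
            totals[(f["host"], dst)] += f["bytes_out"]
    return {k: v for k, v in totals.items() if v >= threshold_bytes}


GIB = 1024 ** 3
APPROVED_ACCOUNTS = ["corpbackup01"]     # constructed: the organization's own storage account

# Constructed sample telemetry (no real tenants, accounts or SAS tokens).
SAMPLE_PROCESS_EVENTS = [
    {"host": "BACKUP-01", "user": "svc_backup",
     "cmdline": r'C:\Program Files\azcopy\azcopy.exe sync "D:\Backups" "https://corpbackup01.blob.core.windows.net/nightly" --recursive'},
    {"host": "FS-01", "user": "alice",
     "cmdline": r'C:\Users\alice\AppData\Local\Temp\azcopy.exe copy "E:\Finance" "https://x9k2r1.blob.core.windows.net/data?sv=2022-11-02&sig=CONSTRUCTED" --recursive'},
    {"host": "FS-01", "user": "alice",
     "cmdline": r"C:\Windows\System32\robocopy.exe E:\Finance \\fs-02\share /E"},
]
SAMPLE_FLOWS = [
    {"host": "BACKUP-01", "dst": "corpbackup01.blob.core.windows.net", "bytes_out": 20 * GIB},
    {"host": "FS-01", "dst": "x9k2r1.blob.core.windows.net", "bytes_out": 38 * GIB},
    {"host": "WS-0417", "dst": "x9k2r1.blob.core.windows.net", "bytes_out": 200 * 1024 ** 2},
]

if __name__ == "__main__":
    for finding in azcopy_findings(SAMPLE_PROCESS_EVENTS, APPROVED_ACCOUNTS):
        print(finding)
    for (host, dst), total in blob_upload_volumes(SAMPLE_FLOWS, 10 * GIB).items():
        print(f"{host} -> {dst}: {total / GIB:.0f} GiB")
```

The backup server legitimately moves more data than the compromised file server, so volume alone is noisy; the allow-list on the storage account plus the presence of a SAS token in the URL is what separates the two in this sample. In practice, maintain the allow-list from your Azure subscription inventory rather than by hand.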

TA0005 – Defense Evasion

Prior to ransomware deployment, Interlock operators:

  • Disable EDR solutions using vulnerable drivers (BYOVD)
  • Uninstall or modify other security controls to disable features such as real-time protection, cloud connectivity, and automated remediation

TA0040 – Impact

Interlock typically disrupts business operations while maintaining the victim’s ability to pay the ransom and recover systems. The actor leverages enterprise administrative tools and infrastructure for rapid domain-wide encryption:

  • Create new Group Policy Objects (GPOs) or modify existing ones to deploy scheduled tasks and execute the Interlock encryptor across hundreds or thousands of domain-joined systems simultaneously
  • Use PsExec to encrypt systems without domain-wide GPO creation, since that might trigger security alerts
  • Use Windows Management Instrumentation (WMI) to encrypt systems where PsExec fails or administrators disable remote service creation

Encryptor deployment follows a sequence. First, operators destroy backup systems and volume shadow copies using vssadmin delete shadows. Second, they use putty or plink.exe (PuTTY Link) to connect to ESXi hosts via SSH, authenticate with credentials stolen earlier, and deploy the Linux variant of the encryptor to encrypt virtual machines at the hypervisor level. Third, domain-wide GPO deployment encrypts workstations and servers simultaneously. Fourth, domain controllers are encrypted last, causing operational disruption while leaving enough infrastructure for ransom negotiation and potential delivery of the decryption key.

The Interlock encryptor uses a custom packer with in-memory code patching to evade static analysis and signature-based detection. It also integrates the OpenSSL library to bypass Windows CryptoAPI calls that may be monitored.

Cross-platform compilation produces native executables for Windows, Linux, ESXi, and FreeBSD. The latter is becoming more common among ransomware families. Interlock’s BSD encryptor generates an RSA key pair when it first executes, using the function rsa_make_key_bn_e with CBC mode, and spawns multiple threads for parallel encryption. These threads enumerate files (opendir(/proc)), encrypt all files except those under the directories in checkExceptDir, and create lock files (.interlock).

After encryption, the binary drops a ransom note.

Ransom note

Interlock ransom notes contain standard double-extortion messaging including Tor-based communication channels for anonymity, unique victim identifiers for negotiations, data theft confirmation with sample file listings, and escalation threats including public data release and notification of customers or regulatory bodies. The communication tone is characteristic of business-focused ransomware operations with emphasis on this being a “security alert” rather than a disruption, though messages emphasize consequences of nonpayment including legal liability for customer data exposure and regulatory penalties under GDPR, HIPAA, or other frameworks.

Connections to Other Cybercriminal Groups

Both our first-hand observations and other industry reporting suggest Interlock’s connections with other cybercriminal groups:

  • The use of the commodity loader SocGholish in at least one incident suggests that Interlock’s operators might have partnered with an affiliate who normally uses SocGholish instead of “Interlock RAT”. In that incident, attackers used NetSupportRAT as an intermediate staging platform between SocGholish and Interlock RAT. NetSupportRAT provides several operational advantages: the tool is legitimately signed, it is trusted by many security solutions, it implements automatic startup mechanisms, and it enables a clean handoff between SocGholish operators and Interlock teams.
  • Interlock and Rhysida ransomware variants use nearly identical exclusion lists, including identical ordering of hardcoded directory paths and file extensions. Interlock could represent a direct Rhysida rebrand, a splinter group formed by former Rhysida operators, or acquisition of Rhysida toolsets by new operators.
  • Some reports cluster the Supper RAT with Interlock RAT. Supper is associated with the threat actor Vanilla Tempest (responsible for the Vice Society ransomware). While there is no direct evidence of Interlock using Supper, both Interlock and Vice Society have been associated with Rhysida at different times, suggesting possible overlaps in the broader cybercriminal ecosystem.

Detection and Hunting Recommendations

The analysis above shows that Interlock has become a sophisticated threat that requires targeted organizations to ensure their threat detection and hunting capabilities can prevent and respond to potential attacks.

The table below revisits Interlock’s common TTPs, now highlighting the detection and hunting opportunities that their actions during intrusions create. These detections require a combination of network and endpoint signals, especially PowerShell and Windows event logging to detect malicious scripts. Advanced threat detection and response tools, such as eyeAlert, can correlate this type of information to find true threats and enable response.

Tactic | Technique | Detection/hunting opportunities
--- | --- | ---
TA0001 – Initial Access | T1189 – Drive-by Compromise | Connections to newly registered domains; unexpected child processes spawned from browsers; processes downloading secondary payloads to unusual locations; file creation by browser processes
TA0001 – Initial Access | T1204.004 – User Execution: Malicious Copy and Paste | Windows Run dialog executions with encoded/obfuscated PowerShell, or commands containing certutil.exe and mshta.exe
TA0001 – Initial Access | T1078 – Valid Accounts | Activity inconsistent with login patterns (IP locations, times, user agents), including data and application access
TA0002 – Execution | T1059.001 – Command and Scripting Interpreter: PowerShell | PowerShell processes with recurring outbound connections and suspicious parent processes; PowerShell domain enumeration cmdlets (get-netdomaintrust, get-adgroupmember), system discovery commands (Get-WmiObject Win32_ComputerSystem) and download cradles (IEX (New-Object Net.WebClient).DownloadString(), Invoke-WebRequest); execution from temporary directories
TA0002 – Execution | T1218.011 – System Binary Proxy Execution: Rundll32 | rundll32.exe executing DllRegisterServer functions from temporary locations or deleting files
TA0003 – Persistence | T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Registry Run key modifications creating entries with legitimate software names that do not match actual paths or signatures; new autostart entries pointing to temporary directories or unsigned executables
TA0003 – Persistence | T1053.005 – Scheduled Task/Job: Scheduled Task | Scheduled task creation with triggers for logon or recurring intervals, especially from temporary or user directories
TA0004 – Privilege Escalation | T1078.002 – Valid Accounts: Domain Accounts | Domain accounts (including administrators) accessing systems inconsistent with their typical role; domain accounts accessing multiple systems rapidly
TA0004 – Privilege Escalation | T1558.003 – Steal or Forge Kerberos Tickets: Kerberoasting | Excessive TGS requests (Event ID 4769), especially for services the user does not normally access
TA0005 – Defense Evasion | T1036.005 – Masquerading: Match Legitimate Name or Location | Files named after system binaries (conhost.exe, svchost.exe) in non-system directories; abnormal executions of LOLBINs
TA0005 – Defense Evasion | T1562.001 – Impair Defenses: Disable or Modify Tools | Service stop commands, process terminations, or registry modifications targeting EDR
TA0005 – Defense Evasion | T1070.001 – Indicator Removal: Clear Windows Event Logs | wevtutil.exe or the PowerShell Clear-EventLog cmdlet
TA0006 – Credential Access | T1003 – OS Credential Dumping | Process injection into LSASS followed by network communications to external IPs
TA0006 – Credential Access | T1056.001 – Input Capture: Keylogging | rundll32.exe loading atypical DLL names or DLLs with SetWindowsHookEx API calls
TA0006 – Credential Access | T1555.003 – Credentials from Web Browsers | Access to browser credential stores (Login Data files) by non-browser processes
TA0007 – Discovery | T1082 – System Information Discovery | Executions of systeminfo and other commands gathering system details (hostname, OS version, hardware specs)
TA0007 – Discovery | T1033 – System Owner/User Discovery | Executions of commands identifying current user privilege (whoami /all, net user), especially by processes with network connections
TA0007 – Discovery | T1007 – System Service Discovery | Service enumeration commands (tasklist /svc, Get-Service over multiple services) followed by attempts to disable or modify security tools
TA0007 – Discovery | T1016 – System Network Configuration Discovery | Network configuration commands (ipconfig, netstat, arp -a), especially when executed by non-administrative users
TA0007 – Discovery | T1083 – File and Directory Discovery | Directory, drive and share enumeration with dir, ls, Get-PSDrive or PowerShell cmdlets with recursive flags
TA0008 – Lateral Movement | T1021.001 – Remote Services: Remote Desktop Protocol | Abnormal RDP sessions between internal and external systems
TA0008 – Lateral Movement | T1219 – Remote Access Software | Installation or execution of remote access tools like AnyDesk and PuTTY; any of these tools connecting to external networks from abnormal locations
TA0011 – Command and Control | T1105 – Ingress Tool Transfer | Traffic to Cloudflare from unknown or newly downloaded executables; abnormal executable download and execution
TA0010 – Exfiltration | T1567.002 – Exfiltration to Cloud Storage | AzCopy transferring large volumes of data

One technique we described above that is particularly difficult to detect is Microsoft 365 session hijacking. It requires behavioral analysis rather than authentication failure monitoring. Key indicators include anomalous logins from geographic regions inconsistent with the user’s normal patterns, logins without corresponding MFA events in logs, token refresh patterns whose timing or frequency is inconsistent with human behavior, administrative actions performed from accounts lacking administrative role assignments, and concurrent sessions from impossible travel locations, where the time elapsed between logins rules out physical travel between them.

Due to the difficulty in preventing these hijacking attacks, we recommend that organizations deploy risk-based conditional access policies.
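The Credential Access section above explains why a replayed token never fails authentication, and this paragraph lists the behavioral indicators that remain. As an added example written for this article (not the report's code, and not a Microsoft API), the Python below implements three of those checks over constructed sign-in and audit records: impossible travel between consecutive sign-ins (great-circle distance divided by elapsed time), successful sign-ins without an MFA claim for accounts that must have one, and privileged audit actions by accounts that hold no administrative role. The 900 km/h speed limit, the 100 km noise floor and the sample coordinates are assumptions; the record shapes are simplified stand-ins for what a sign-in log export provides.

```python
import math
from collections import defaultdict
from datetime import datetime

MAX_PLAUSIBLE_KMH = 900   # assumed: faster than an airliner between two sign-ins means impossible travel
MIN_DISTANCE_KM = 100     # assumed: ignore small jumps caused by IP geolocation noise
EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two coordinates."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def session_hijack_findings(signins, actions, admin_users, mfa_required):
    """Behavioral checks over successful sign-ins and audit actions; no failed-authentication signal needed.

    signins: dicts with user, ts (ISO 8601), ip, lat, lon, mfa (bool: an MFA claim was satisfied).
    actions: dicts with user, ts, operation, privileged (bool).
    admin_users: accounts that really hold an admin role; mfa_required: accounts that must show MFA.
    """
    findings = []
    by_user = defaultdict(list)
    for s in signins:
        by_user[s["user"]].append(s)
    for user, rows in by_user.items():
        rows.sort(key=lambda s: s["ts"])
        for prev, cur in zip(rows, rows[1:]):
            hours = (datetime.fromisoformat(cur["ts"]) - datetime.fromisoformat(prev["ts"])).total_seconds() / 3600
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            if km >= MIN_DISTANCE_KM and (hours == 0 or km / hours > MAX_PLAUSIBLE_KMH):
                findings.append({"user": user, "kind": "impossible_travel", "ts": cur["ts"],
                                 "detail": f"{km:.0f} km in {hours * 60:.0f} min ({prev['ip']} -> {cur['ip']})"})
        for s in rows:
            if user in mfa_required and not s["mfa"]:      # a replayed token carries no fresh MFA event
                findings.append({"user": user, "kind": "signin_without_mfa", "ts": s["ts"], "detail": s["ip"]})
    for a in actions:
        if a["privileged"] and a["user"] not in admin_users:
            findings.append({"user": a["user"], "kind": "admin_action_without_role", "ts": a["ts"],
                             "detail": a["operation"]})
    return findings


# Constructed sample records (documentation IP ranges, approximate city coordinates).
SAMPLE_SIGNINS = [
    {"user": "alice", "ts": "2025-03-04T09:00:00", "ip": "198.51.100.23", "lat": 40.42, "lon": -3.70, "mfa": True},
    {"user": "alice", "ts": "2025-03-04T09:30:00", "ip": "203.0.113.77", "lat": -23.55, "lon": -46.63, "mfa": False},
    {"user": "bob", "ts": "2025-03-04T08:00:00", "ip": "198.51.100.40", "lat": 40.42, "lon": -3.70, "mfa": True},
    {"user": "bob", "ts": "2025-03-04T17:00:00", "ip": "198.51.100.40", "lat": 40.42, "lon": -3.70, "mfa": True},
]
SAMPLE_ACTIONS = [
    {"user": "alice", "ts": "2025-03-04T09:45:00", "operation": "Add member to role", "privileged": True},
    {"user": "bob", "ts": "2025-03-04T10:10:00", "operation": "MailItemsAccessed", "privileged": False},
]
ADMIN_USERS = {"carol"}
MFA_REQUIRED = {"alice", "bob", "carol"}

if __name__ == "__main__":
    for finding in session_hijack_findings(SAMPLE_SIGNINS, SAMPLE_ACTIONS, ADMIN_USERS, MFA_REQUIRED):
        print(finding)
```

The three findings for the same account within one hour are what turn a noisy geolocation alert into an incident: a legitimate traveller may trip impossible travel alone, but not together with a sign-in that shows no MFA claim and a role change the account was never entitled to make. Risk-based conditional access policies can act on the same signals at sign-in time rather than after the fact.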

Beyond the individual TTPs shown in the table, we can expand on threat hunting hypotheses for the following composite behaviors:

  • Initial access via social engineering. We expect to see PowerShell logs showing encoded commands with explorer.exe or cmd.exe as parent processes, registry Run key creation for ChromeUpdater or similar names, and immediate outbound connections to trycloudflare.com. Hunt for these in: PowerShell logs, process creation, registry modifications, DNS query logs, and web proxy logs for JavaScript loading patterns from trusted sites.
  • Initial access via VPN/RDP credentials. We expect to see Azure AD sign-in logs showing successful authentications without corresponding MFA events, impossible travel patterns in authentication logs, rapid deployment of remote access tools within 24 hours of successful login, and potential bypass of MFA enforcement through legacy authentication protocols or application passwords that are not covered by conditional access policies. Hunt for these in: Azure AD sign-in logs, VPN authentication logs, RDP logon events, process creation, and Azure AD legacy authentication reports.
  • C2 via Cloudflare tunnel. We anticipate DNS queries to trycloudflare.com, sustained HTTPS connections to these domains from PowerShell, node.exe, or php.exe, and fallback connections to BLNWX or Hetzner IPs if Cloudflare tunnels fail. Hunt for these in: DNS logs, firewall connection logs, network connections, and proxy logs by distinguishing tunnel domains from CDN traffic.
  • Custom RAT deployment. We expect to see node.exe executing with encoded command-line arguments containing systeminfo and reconnaissance scripts, php.exe in AppData\Local\Temp directories, rundll32.exe loading suspicious DLLs with “start” parameter from C:\ or temporary locations, and potential abuse of legitimate environments where Node.js, PHP, and Java executions are common. Hunt for these in: process creation with full command lines, file creation events in Temp/AppData directories, and user context analysis (developer vs. non-developer systems).
  • PowerShell reconnaissance and ADSI enumeration. We anticipate seeing PowerShell logs containing reconnaissance commands: systeminfo, net group "domain admins", quser, sc query sense, ADSI enumeration via the WinNT:// provider to extract local group memberships, and creation of timestamped files in %TEMP% like tasklist.txt and services.txt. Hunt for these in: PowerShell logs, file creation in Temp directories, and process creation logs for net.exe commands, with a focus on execution patterns and correlation with users’ typical behavior baseline.
  • Microsoft 365 session hijacking. We expect to see infostealer process execution or network connections to known infostealer C2 infrastructure, file access to browser credential stores (Login Data, cookies, Local State files) by non-browser processes, followed by Azure AD sign-in logs showing administrative actions from accounts without admin roles, impossible travel scenarios where token usage occurs from geographically distant locations, and token replay attacks. Hunt for these in: file access monitoring, Azure AD sign-in logs for anomalous token patterns, M365 audit logs, and correlation between browser file access and subsequent Azure AD authentications from unusual locations.
  • Data exfiltration. We anticipate seeing AzCopy.exe execution, command-line arguments containing Azure Storage URLs to external tenants, and high-volume data transfers to Azure Blob Storage endpoints over a 24 to 48 hour period. Hunt for these in: Process creation logs for azcopy.exe with full command lines, network flow data for transfers to *.blob.core.windows.net, with analysis of transfer rates and timing compared to legitimate usage windows.
  • ESXi targeting. We expect to see plink.exe or puttyportable.exe execution with SSH parameters targeting internal ESXi IPs, PowerShell installing Posh-SSH modules outside normal usage, authentication logs showing SSH login attempts, potential file transfers of FreeBSD-compiled encryptors to /tmp directories on ESXi hosts, and SSH connections originating from compromised jump hosts. Hunt for these in: Process creation logs for plink.exe with command-line parameters, PowerShell module installation logs, ESXi logs for SSH authentication, and network flow analysis for SSH connections from unexpected Windows endpoints.
  • AD credential theft and lateral movement. We anticipate seeing Kerberos service ticket requests from non-standard accounts, Guest account reactivation via net user guest /active:yes and addition to the Administrators group, and lateral movement via RDP or PsExec service creation with random service names. Hunt for these in: security event logs for Kerberos anomalies, process access logs, account management events, lateral movement authentication patterns, and correlation with service account password age from AD audit data.
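The last hypothesis above, and the Kerberoasting and Guest-account observations in the Credential Access section, both reduce to correlations over Windows Security events that most SIEMs already collect. The Python below is an added example written for this article (not the report's code): it runs over constructed Security events and flags (1) one account requesting service tickets (Event ID 4769) for many distinct SPNs inside a short window, which is the Kerberoasting shape, and (2) per host, the Guest account being enabled (4722), added to Administrators (4732) and the net user guest /active:yes command appearing in process creation (4688). Beyond what the report states, the block also counts requests with RC4 ticket encryption types (0x17/0x18), since those tickets are the cheapest to crack offline. The ten-minute window, the threshold of ten SPNs and the simplified event fields are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

TGS_WINDOW = timedelta(minutes=10)
TGS_MIN_DISTINCT_SPN = 10       # assumed threshold; tune to the environment's baseline
RC4_ETYPES = {"0x17", "0x18"}   # RC4-HMAC ticket encryption types, the cheapest to crack offline


def kerberoast_bursts(events):
    """Flag accounts requesting service tickets (4769) for many distinct SPNs inside TGS_WINDOW."""
    by_account = defaultdict(list)
    for e in events:
        if e["id"] == 4769:
            by_account[e["account"]].append((datetime.fromisoformat(e["ts"]), e["service"], e.get("etype", "")))
    alerts = []
    for account, rows in by_account.items():
        rows.sort()
        for i, (start, _, _) in enumerate(rows):       # sliding window anchored at each request
            spns, rc4 = set(), 0
            for ts, service, etype in rows[i:]:
                if ts - start > TGS_WINDOW:
                    break
                spns.add(service)
                rc4 += etype in RC4_ETYPES
            if len(spns) >= TGS_MIN_DISTINCT_SPN:
                alerts.append({"account": account, "start": start.isoformat(),
                               "distinct_spns": len(spns), "rc4_requests": rc4})
                break                                   # one alert per account is enough
    return alerts


def guest_reactivation(events):
    """Per host, correlate Guest enabled (4722), Guest added to Administrators (4732) and the net user command (4688)."""
    per_host = defaultdict(lambda: {"enabled": False, "added_to_admins": False, "net_user_cmd": False})
    for e in events:
        h = e["host"]
        if e["id"] == 4722 and e.get("target", "").lower() == "guest":
            per_host[h]["enabled"] = True
        elif (e["id"] == 4732 and e.get("group", "").lower() == "administrators"
              and e.get("member", "").lower().endswith("guest")):
            per_host[h]["added_to_admins"] = True
        elif e["id"] == 4688 and "net user guest /active:yes" in e.get("cmdline", "").lower():
            per_host[h]["net_user_cmd"] = True
    return {h: flags for h, flags in per_host.items() if any(flags.values())}


def _sample_events():
    """Constructed Security events (not from a real domain)."""
    base = datetime.fromisoformat("2025-03-05T02:10:00")
    events = []
    # A normal user touching two services overnight with AES tickets: benign.
    for i, svc in enumerate(["cifs/fs-01", "http/intranet"]):
        events.append({"id": 4769, "host": "DC-01", "ts": (base + timedelta(minutes=30 * i)).isoformat(),
                       "account": "alice", "service": svc, "etype": "0x12"})
    # One account requesting RC4 tickets for twelve SPNs in two minutes: roasting pattern.
    for i in range(12):
        events.append({"id": 4769, "host": "DC-01", "ts": (base + timedelta(seconds=10 * i)).isoformat(),
                       "account": "jdoe", "service": f"MSSQLSvc/db-{i:02d}.corp.example:1433", "etype": "0x17"})
    # Guest reactivation sequence on a file server.
    events += [
        {"id": 4688, "host": "FS-01", "ts": "2025-03-05T02:40:00", "cmdline": "net user guest /active:yes"},
        {"id": 4722, "host": "FS-01", "ts": "2025-03-05T02:40:01", "target": "Guest"},
        {"id": 4732, "host": "FS-01", "ts": "2025-03-05T02:40:05", "group": "Administrators", "member": r"FS-01\Guest"},
    ]
    return events


SAMPLE_EVENTS = _sample_events()

if __name__ == "__main__":
    for alert in kerberoast_bursts(SAMPLE_EVENTS):
        print("kerberoast burst:", alert)
    for host, flags in guest_reactivation(SAMPLE_EVENTS).items():
        print("guest reactivation on", host, flags)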

Detection and Hunting Artifacts

The script excerpts below are taken from intrusions we analyzed and can help to detect or hunt for Interlock activities.

  • ESXi access pattern:
  • Interlock RAT PowerShell code to collect running services and installed software:
  • NodeSnake execution:
  • Execution of conhost.dll via legitimate task name abuse (Microsoft\Windows\Defrag\ScheduledDefrag):
