FBI Warns of Interlock Ransomware Surge: Critical Infrastructure at Risk

July 23, 2025
  • The FBI has issued a warning about the Interlock ransomware group, which has been targeting critical infrastructure and businesses across North America and Europe since late September 2024.

  • Since its emergence, Interlock has carried out financially motivated attacks against both Windows and Linux systems, including virtual machines, with a noted increase in attack frequency.

  • The group employs sophisticated initial access techniques such as drive-by downloads from compromised websites, social engineering methods like ClickFix, and malware disguised as fake browser updates.

  • Once inside, Interlock deploys tools like PowerShell-based remote access trojans, keyloggers, and web shells to maintain control and facilitate lateral movement within networks.

  • Organizations are advised to strengthen defenses by monitoring network activity, using antivirus software, disabling unused ports, and enforcing strong identity management policies including multifactor authentication.

  • Recent advisories, developed with agencies like the Department of Health and Human Services, provide indicators of compromise and strategies to defend against these evolving threats.

  • Authorities continue to develop decryption tools and legal actions, providing ongoing guidance to help organizations defend against ransomware threats like Interlock.

  • Interlock uses Remote Access Trojans and PowerShell scripts to maintain persistence, modify system settings, and facilitate lateral movement within networks.

  • Cybersecurity agencies recommend implementing DNS filtering, web firewalls, regular patching, network segmentation, and user training to mitigate the threat of Interlock ransomware.

  • The FBI reports at least three major intrusions attributed to Interlock, including attacks on Texas Tech University and other critical organizations.

  • Interlock has been linked to credential-harvesting tools such as Lumma Stealer and Berserk Stealer, which are used to exfiltrate data and escalate privileges within compromised networks.

  • The group employs a double extortion tactic: it encrypts data and steals it, then threatens to release the sensitive information on the dark web if its demands are not met, with ransom notes directing victims to contact the group via a Tor site.

  • Interlock has claimed responsibility for high-profile breaches, including stealing and leaking 1.5 terabytes of data from DaVita, a healthcare company, and hacking Kettering Health, affecting over 120 outpatient facilities.

Summary based on 7 sources
