What is Interlock ransomware and how does it attack Windows and Linux systems?
Interlock ransomware is a newly identified threat using double extortion tactics and targeting both Windows and Linux systems, particularly virtual machines. Discovered in late 2024, it spreads through drive-by downloads from compromised legitimate websites and utilizes tools like AnyDesk, PSExec, and Cobalt Strike for lateral movement and encryption. A notable feature of Interlock is its deceptive ClickFix technique—tricking users with fake CAPTCHA prompts to trigger malware. CISA, FBI, and HHS have issued urgent mitigation guidelines, urging organizations to deploy EDR, enforce segmentation, and educate employees to combat this growing ransomware threat.

Table of Contents
- What Is Interlock Ransomware?
- Who Is Being Targeted?
- How Double Extortion Works
- Cross-Platform Attacks: Windows and Linux
- Innovative Social Engineering: The ClickFix Tactic
- Tools Used by Interlock Ransomware
- Critical Infrastructure Is At High Risk
- CISA and FBI Recommended Mitigation Strategies
- Connection to Rhysida Ransomware?
- Interlock Ransomware Overview
- Conclusion
- Frequently Asked Questions (FAQs)
The Cybersecurity and Infrastructure Security Agency (CISA), along with the FBI, Department of Health and Human Services (HHS), and MS-ISAC, has issued an urgent joint advisory about the Interlock ransomware group. This new ransomware strain is gaining notoriety for double extortion tactics and cross-platform attacks on Windows and Linux systems.
What Is Interlock Ransomware?
Interlock ransomware is a new cyber threat that emerged in September 2024 and has since been linked to attacks across North America and Europe. Unlike traditional ransomware, Interlock uses drive-by downloads from compromised legitimate websites to gain access — a rare and stealthy technique that bypasses common detection mechanisms.
Who Is Being Targeted?
Interlock doesn't target specific industries. Instead, its operators are opportunistic and financially motivated, choosing victims based on system vulnerabilities and ease of compromise, not sector.
Sectors Impacted:
- Healthcare
- Finance
- Manufacturing
- Education
- Government
- Critical Infrastructure
How Double Extortion Works
Interlock uses double extortion to increase pressure on victims:
- Encryption – Files and systems are locked.
- Exfiltration – Sensitive data is stolen and threatened with public exposure on their dark web leak site.
This tactic puts victims in a difficult position — pay the ransom or face reputational damage, regulatory penalties, and data exposure.
Cross-Platform Attacks: Windows and Linux
A major concern is that Interlock targets both Windows and Linux, especially virtual machines in hybrid environments. This cross-platform encryption capability makes the malware highly adaptable and dangerous for modern IT infrastructures.
Innovative Social Engineering: The ClickFix Tactic
Interlock introduces a new social engineering method called ClickFix, where users are tricked into clicking fake CAPTCHA prompts that appear to resolve system errors. In reality, these clicks trigger the malware payload execution.
This evolution mirrors past techniques but reflects a growing sophistication in user deception.
Tools Used by Interlock Ransomware
| Tool Name | Description |
|---|---|
| AnyDesk | Remote access software used for file transfers and persistence. |
| Cobalt Strike | Penetration testing tool repurposed for post-exploitation control. |
| PowerShell | Scripting tool for automating malicious tasks across platforms. |
| PSExec | Executes commands on remote systems to spread laterally. |
| PuTTY.exe | SSH client used to connect to systems and exfiltrate data. |
| ScreenConnect | Remote access software, often used in cracked form by attackers. |
| SystemBC | Proxy and command & control tool used to hide C2 communication. |
| conhost.exe | Windows Console Host used to run background commands. |
| WinSCP | Secure file transfer client using SFTP and FTP. |
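Most of the tools in the table above are legitimate administration software, so a single sighting proves little. A practical hunt looks for several categories (remote access, lateral movement, file transfer) appearing on one host within a short window. The script below is an added example written for this article, not code from the advisory; the JSON-lines event format, the executable names, and the sample events are all constructed assumptions.

```python
"""Correlate process-creation events for the tool set attributed to
Interlock. Example code written for this article; log format and
executable names are assumptions, not advisory content."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Tool categories taken from the article's table; image names are assumed.
TOOL_CATEGORIES = {
    "remote_access": {"anydesk.exe", "screenconnect.clientservice.exe"},
    "lateral_movement": {"psexec.exe", "psexesvc.exe"},
    "exfil": {"putty.exe", "pscp.exe", "winscp.exe"},
}

def categorize(image_path):
    """Map a Windows image path to a tool category, or None if unlisted."""
    name = image_path.rsplit("\\", 1)[-1].lower()
    for cat, names in TOOL_CATEGORIES.items():
        if name in names:
            return cat
    return None

def hunt(lines, window=timedelta(hours=2)):
    """Return hosts where tools from two or more categories ran within
    `window`; a lone AnyDesk or PuTTY launch is deliberately not flagged."""
    per_host = defaultdict(list)
    for line in lines:
        ev = json.loads(line)
        cat = categorize(ev["image"])
        if cat:
            per_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), cat, ev["image"]))
    hits = {}
    for host, events in per_host.items():
        events.sort()
        for i, (t0, _, _) in enumerate(events):
            cluster = [e for e in events[i:] if e[0] - t0 <= window]
            cats = {c for _, c, _ in cluster}
            if len(cats) >= 2:
                hits[host] = {"categories": sorted(cats),
                              "images": [img for _, _, img in cluster]}
                break
    return hits

SAMPLE_EVENTS = [  # constructed events for demonstration, not real telemetry
    '{"ts":"2025-01-10T09:00:00","host":"ws-14","image":"C:\\\\Users\\\\bob\\\\Downloads\\\\AnyDesk.exe"}',
    '{"ts":"2025-01-10T09:20:00","host":"ws-14","image":"C:\\\\Temp\\\\PsExec.exe"}',
    '{"ts":"2025-01-10T10:05:00","host":"ws-14","image":"C:\\\\Temp\\\\WinSCP.exe"}',
    '{"ts":"2025-01-10T11:00:00","host":"admin-01","image":"C:\\\\Program Files\\\\PuTTY\\\\putty.exe"}',
    '{"ts":"2025-01-10T08:00:00","host":"srv-db","image":"C:\\\\Windows\\\\System32\\\\conhost.exe"}',
]

if __name__ == "__main__":
    for host, hit in hunt(SAMPLE_EVENTS).items():
        print(host, hit)
```

Only ws-14 is reported: it shows all three categories inside two hours, while admin-01 (PuTTY alone) and srv-db (conhost.exe, not in the list) stay quiet.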
Critical Infrastructure Is At High Risk
The ransomware’s focus on encrypting virtual machines has already impacted multiple critical sectors. Future variants may escalate to physical servers and individual workstations, increasing the threat level even further.
CISA and FBI Recommended Mitigation Strategies
To reduce exposure to Interlock ransomware, CISA recommends:
- ✅ Deploying Endpoint Detection and Response (EDR) systems
- ✅ Applying DNS filtering and Web Application Firewalls (WAF)
- ✅ Implementing Network Segmentation
- ✅ Conducting regular employee training on phishing and social engineering
- ✅ Keeping systems updated and patching vulnerabilities promptly
Connection to Rhysida Ransomware?
Ongoing FBI investigations have found similarities between Interlock and Rhysida ransomware, suggesting either shared resources or a possible evolution of an older threat group.
Interlock Ransomware Overview
| Aspect | Details |
|---|---|
| Initial Access | Drive-by download from compromised sites |
| Extortion Tactic | Double extortion (encryption + data leak threat) |
| Target OS | Windows and Linux (focus on virtual machines) |
| Delivery Method | ClickFix – fake CAPTCHA trick |
| Victim Profile | Opportunistic (no specific industry focus) |
| Tools Used | AnyDesk, Cobalt Strike, PSExec, PowerShell, PuTTY, ScreenConnect, etc. |
| Mitigation Advice | EDR, WAF, DNS filtering, segmentation, patching, social engineering training |
Conclusion: Stay Vigilant
The Interlock ransomware campaign highlights the evolving nature of ransomware in 2025 — cross-platform, socially engineered, and financially driven. Organizations must prioritize proactive defense, incident response planning, and employee awareness to stay resilient.
FAQs
What is Interlock ransomware?
Interlock is a ransomware strain that uses double extortion tactics and targets both Windows and Linux systems by encrypting files and threatening data leaks.
How does Interlock ransomware spread?
It typically spreads through drive-by downloads from compromised legitimate websites, using social engineering tricks like fake CAPTCHA prompts.
What is double extortion in ransomware?
Double extortion involves encrypting a victim's data and simultaneously stealing it, threatening to publish or sell the data if the ransom is unpaid.
Which operating systems are affected by Interlock?
Interlock affects both Windows and Linux, especially targeting virtual machines in hybrid IT environments.
What sectors are targeted by Interlock ransomware?
Although it is opportunistic, it has targeted healthcare, finance, education, manufacturing, and critical infrastructure.
What is the ClickFix technique?
ClickFix is a social engineering tactic where users are shown fake CAPTCHAs to trick them into activating ransomware payloads.
What tools does Interlock ransomware use?
It uses AnyDesk, PSExec, PuTTY, WinSCP, PowerShell, and Cobalt Strike to spread laterally and maintain control over infected systems.
Is Interlock related to Rhysida ransomware?
There are similarities between the two, and ongoing investigations suggest a possible connection or shared codebase.
What is a drive-by download?
A drive-by download happens when malware is installed without user consent through a vulnerable or compromised website.
How can organizations defend against Interlock?
Use EDR tools, enforce segmentation, conduct employee training, patch vulnerabilities, and apply DNS filtering and firewalls.
Why is Interlock ransomware dangerous?
Its cross-platform encryption and advanced deception methods make it harder to detect and more destructive than many older strains.
Is Interlock targeting specific industries?
No, Interlock is financially motivated and targets victims based on system vulnerabilities rather than sector.
What is the role of CISA in this advisory?
CISA collaborated with FBI and HHS to issue a joint advisory warning organizations about the threat and offering mitigation steps.
Can Interlock affect cloud environments?
Yes, Interlock can potentially impact cloud-hosted virtual machines, especially if improperly secured.
How does Interlock maintain persistence?
It uses remote access tools like AnyDesk and ScreenConnect to maintain control even after reboot or detection attempts.
What is conhost.exe in the context of Interlock?
Attackers use conhost.exe to run background commands without drawing attention, aiding stealth during infection.
What is lateral movement in ransomware attacks?
It’s the process of spreading from one compromised system to others within a network to maximize damage.
How does PowerShell help ransomware attacks?
PowerShell allows attackers to automate malicious actions like downloading payloads, executing scripts, or creating persistence.
What should you do if infected by Interlock?
Isolate affected machines, inform cybersecurity authorities, avoid paying the ransom, and follow incident response protocols.
What is EDR and how does it help?
Endpoint Detection and Response tools monitor, detect, and respond to malicious activities on endpoints in real time.
What is SystemBC and why is it used?
SystemBC is a proxy malware used to hide communications between the infected system and command-and-control servers.
Is Interlock ransomware publicly available?
No, it appears to be operated by a controlled threat group and not yet available on underground markets.
Are Interlock’s exfiltration methods known?
Yes, tools like WinSCP and PuTTY are used for secure file transfer and data theft before encryption.
Why is virtual machine targeting concerning?
VMs often host critical workloads, and attacking them disrupts entire services across cloud or enterprise networks.
What is MS-ISAC's role in the advisory?
MS-ISAC supports state, local, tribal, and territorial governments and helped co-author the advisory with technical insights.
What happens if you ignore Interlock’s ransom?
Your data may be leaked online or sold, resulting in data breaches, reputation loss, and potential compliance penalties.
How can DNS filtering stop ransomware?
It blocks access to malicious domains that host ransomware payloads or command-and-control servers.
What is WinSCP in ransomware usage?
It is a secure file transfer application misused by attackers to exfiltrate stolen data from compromised systems.
Are Linux systems more vulnerable now?
Yes, attackers are increasingly designing ransomware like Interlock to include Linux targets, widening the attack surface.
How can phishing lead to Interlock infections?
Phishing emails may contain links to compromised websites that deliver Interlock through drive-by downloads.