<tutorialjinni.com/>

Interlock Ransomware

Posted Under: Download Free Malware Samples, Malware, Ransomware, Windows on Apr 27, 2025


Interlock, a ransomware intrusion set first observed in September 2024, has steadily carved a niche for itself within the cybercriminal landscape. Unlike many well-known groups, Interlock does not operate under the typical "Ransomware-as-a-Service" (RaaS) model. As of March 2025, there are no public advertisements or indications of affiliate recruitment linked to this group, distinguishing it from larger, more commercialized ransomware operations.

At the center of Interlock’s operations is their Data Leak Site (DLS) known as the Worldwide Secrets Blog. This platform serves a dual purpose: it publicly exposes the data of their victims and offers a channel for ransom negotiations. Despite their continued presence, Interlock’s published victim list remains modest—just 24 victims since their emergence, with only six additional names added in 2025. Compared to groups like Clop, RansomHub, Akira, and Qilin, each boasting over a hundred victims in early 2025 alone, Interlock’s activity suggests a more selective or opportunistic approach.

Victims of Interlock span a wide range of sectors across North America and Europe, indicating that industry type is not a significant selection criterion. Instead, availability and opportunity seem to drive target acquisition.

Interlock’s attack chain is multi-staged and deceptive. Operators begin by compromising legitimate websites to distribute fake browser updates—typically fraudulent Google Chrome or Microsoft Edge installers. When a victim downloads one of these installers, a PowerShell backdoor is deployed, setting the stage for subsequent tool execution and eventual ransomware payload delivery.

Since its inception, Interlock has shown a clear trend toward evolution. The Sekoia Threat Detection & Research (TDR) team has observed significant developments: notably the adoption of a technique known as ClickFix for improved initial access, and the use of additional credential-stealing malware such as LummaStealer and BerserkStealer. The group’s technical toolkit, while largely consistent, has seen meaningful enhancements. The PowerShell backdoor has evolved into version 11, offering expanded capabilities. Additionally, changes to their ransom notes now include explicit threats of legal consequences for non-payment—an aggressive psychological tactic designed to pressure victims.

Despite a lower overall victim count, Interlock has proven itself to be a serious and adaptive threat. In January and February 2025, the group's experimentation with new intrusion techniques, including ClickFix, highlighted their commitment to innovation. Their continued reliance on credential theft, lateral movement, and privilege escalation tactics signals a strong emphasis on maintaining deep access within compromised environments. Unlike more ostentatious ransomware operations such as FunkSec, which often seek widespread attention, Interlock appears to prioritize stealth and strategic impact. Their slower, more careful operations suggest a group aiming for longevity rather than instant infamy.
