Ransomware Operation: Interlock

Date: December 24, 2025
Source: CISA/FBI Joint Advisory (AA25-203A)
Threat Level: Critical

A new joint advisory from CISA and the FBI has shed light on Interlock, a threat that requires a distinct analytical approach. To understand the risk, we must separate the Human Adversary (Interlock Operators) from the Malware Arsenal (Interlock Ransomware).


1. Threat Actor Profile: The Interlock Group

Attribution: Financially Motivated / Opportunistic
Links: High-confidence overlaps with the Rhysida ransomware group.

The Interlock Group refers to the human operators conducting the intrusions. Unlike many RaaS affiliates who rely solely on phishing, this group has demonstrated a preference for sophisticated social engineering and “drive-by” compromise tactics.

Operational TTPs:

  • Initial Access (The “ClickFix”): The group utilizes a technique known as “ClickFix.” They compromise legitimate websites to display fake errors (e.g., “Google Chrome Update Failed”). These prompts ask the user to solve a CAPTCHA, which actually tricks them into pasting a malicious PowerShell script into the Windows Run prompt (Win + R).
  • Targeting Logic: The group specifically hunts for Virtual Machines (VMs). In observed incidents, they often leave physical workstations unencrypted, prioritizing the encryption of high-value virtualized servers (ESXi, Hyper-V, Linux VMs) to cripple enterprise operations.
  • Exfiltration First: Adhering to the double-extortion model, they exfiltrate data before encryption using Azure Storage Explorer and AzCopy, pushing victim data to actor-controlled Azure Blob storage.
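The ClickFix access path described above leaves a recognisable process-tree shape: PowerShell started by explorer.exe (the Run dialog's parent) with an encoded, hidden-window command line. The following is an added detection example, not code from the advisory or from this summary; it runs over three constructed process-creation events in a Sysmon-like shape (field names assumed), scores the indicators, and decodes the Base64/UTF-16LE payload so an analyst can read what was pasted.

```python
import base64
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ProcessEvent:
    """Minimal process-creation record (Sysmon Event ID 1 style; field names assumed)."""
    parent_image: str
    image: str
    command_line: str


def encode_ps(script: str) -> str:
    """PowerShell's -EncodedCommand takes Base64 of the UTF-16LE script text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample telemetry (not real events). The first mimics a Run-dialog launch:
# explorer.exe is the parent and the payload is hidden and encoded.
SAMPLE_EVENTS: List[ProcessEvent] = [
    ProcessEvent(
        r"C:\Windows\explorer.exe",
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "powershell -w hidden -ep bypass -enc " + encode_ps("Write-Output 'constructed payload'"),
    ),
    ProcessEvent(  # encoded, but started from a console by an admin: lower suspicion
        r"C:\Windows\System32\cmd.exe",
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "powershell -EncodedCommand " + encode_ps("Get-Service"),
    ),
    ProcessEvent(  # interactive shell opened from the Start menu: benign
        r"C:\Windows\explorer.exe",
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "powershell.exe",
    ),
]

# PowerShell accepts unambiguous prefixes of its switches, so match the common short forms.
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})")
HIDDEN_FLAG = re.compile(r"(?i)(?:^|\s)-w(?:indowstyle)?\s+hidden")
BYPASS_FLAG = re.compile(r"(?i)(?:^|\s)-(?:ep|ex|exec|executionpolicy)\s+bypass")


def decode_encoded_command(command_line: str) -> Optional[str]:
    """Return the script behind -EncodedCommand, or None if absent or not valid Base64/UTF-16LE."""
    m = ENCODED_FLAG.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def _basename(image: str) -> str:
    return image.lower().rsplit("\\", 1)[-1]


def clickfix_indicators(ev: ProcessEvent) -> List[str]:
    """Reasons this event looks like a pasted-into-Run PowerShell launch (empty if not PowerShell)."""
    reasons: List[str] = []
    if _basename(ev.image) not in ("powershell.exe", "pwsh.exe"):
        return reasons
    if _basename(ev.parent_image) == "explorer.exe":
        reasons.append("parent is explorer.exe (Run dialog or shell launch)")
    if ENCODED_FLAG.search(ev.command_line):
        reasons.append("encoded command")
    if HIDDEN_FLAG.search(ev.command_line):
        reasons.append("hidden window")
    if BYPASS_FLAG.search(ev.command_line):
        reasons.append("execution policy bypass")
    return reasons


def find_clickfix_candidates(events: List[ProcessEvent]) -> List[dict]:
    """Flag explorer-spawned PowerShell carrying an encoded payload; attach the decoded text."""
    hits = []
    for ev in events:
        reasons = clickfix_indicators(ev)
        if reasons and reasons[0].startswith("parent is explorer.exe") and "encoded command" in reasons:
            hits.append({"command_line": ev.command_line, "reasons": reasons,
                         "decoded": decode_encoded_command(ev.command_line)})
    return hits


if __name__ == "__main__":
    for hit in find_clickfix_candidates(SAMPLE_EVENTS):
        print(", ".join(hit["reasons"]))
        print("  decoded:", hit["decoded"])
```

The explorer.exe-parent condition is what separates a Run-dialog paste from an administrator's encoded script started from a console, so the second sample event is scored but not flagged. On a live host the same pivot is available from the Run dialog's own history in HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, which records what was typed.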

2. Tooling Profile: Interlock Ransomware

Classification: Ransomware / Cryptor
Platforms: Windows, Linux, FreeBSD

Interlock Ransomware is the specific binary payload used to lock victim files. It exhibits unique technical characteristics that differentiate it from generic off-the-shelf lockers.

Technical Specifications:

  • Encryption Scheme: Uses a robust hybrid of AES (for file content) and RSA (for key protection).
  • Cross-Platform Capabilities:
    • Windows: 64-bit executable, often dropped as conhost.exe.
    • Linux: Targeting virtual environments.
    • FreeBSD: A rare ELF encryptor variant has been recovered, indicating the tool is designed to target specialized Unix-like appliances and servers often missed by other strains.
  • Anti-Forensics: Post-encryption, the malware executes a cleanup DLL (tmp41.wasd) via rundll32.exe. This component uses a remove() function to securely delete the ransomware binary from the disk.

3. Indicators of Compromise (IOCs)

Actor-Centric Indicators (TTPs & Infrastructure)

  • Behavior: Users pasting Base64 PowerShell scripts into the “Run” dialog (ClickFix).
  • Network: Outbound traffic to Microsoft Azure Blob Storage URLs (used for exfiltration) that are not linked to the organization’s tenant.
  • Lateral Tools: Presence of unauthorized AnyDesk, PuTTY, or cracked ScreenConnect binaries.
  • C2 Traffic: Connections to known Cobalt Strike or SystemBC infrastructure.
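The network indicator above (Azure Blob Storage traffic to accounts the organisation does not own) is straightforward to hunt for in proxy logs once the tenant's own storage accounts are known. The following is an added example, not code from the advisory or from this summary: it parses a constructed, whitespace-separated proxy log, keeps only uploads to blob.core.windows.net accounts outside an assumed allowlist, aggregates bytes per source and account, and notes whether the user-agent looks like AzCopy or Storage Explorer (the user-agent tokens are assumed, not verified strings from those tools).

```python
import re
from typing import Dict, Iterable, List, Optional, Set
from urllib.parse import urlsplit

# Azure storage account names are 3-24 lowercase alphanumerics; the host form is fixed.
BLOB_HOST = re.compile(r"^(?P<account>[a-z0-9]{3,24})\.blob\.core\.windows\.net$", re.I)
# User-agent tokens for the bulk-copy tools the advisory names (token forms are assumed).
TRANSFER_TOOL_UA = re.compile(r"(?i)azcopy|storage.?explorer")

# Assumed inventory of storage accounts the organisation actually owns.
KNOWN_STORAGE_ACCOUNTS: Set[str] = {"contosobackups", "contosoreports"}

# Constructed proxy log (not real traffic): time src method url user_agent bytes_out
SAMPLE_PROXY_LOG = """\
2025-07-20T10:01:12Z 10.1.4.22 PUT https://contosobackups.blob.core.windows.net/nightly/db.bak AzCopy/10.21.2 734003200
2025-07-20T10:03:44Z 10.1.4.37 GET https://www.example.com/ Mozilla/5.0 1024
2025-07-20T10:05:09Z 10.1.4.22 PUT https://stg4f9x2.blob.core.windows.net/share/finance.zip AzCopy/10.21.2 2147483648
2025-07-20T10:05:10Z 10.1.4.22 PUT https://stg4f9x2.blob.core.windows.net/share/hr.zip AzureStorageExplorer/1.32 1073741824
2025-07-20T10:06:00Z 10.1.4.90 GET https://stg4f9x2.blob.core.windows.net/share/hr.zip Mozilla/5.0 512
"""


def parse_line(line: str) -> dict:
    """Split one constructed log line into its six fields."""
    ts, src, method, url, ua, out = line.split()
    return {"ts": ts, "src": src, "method": method, "url": url, "ua": ua, "bytes_out": int(out)}


def blob_account(url: str) -> Optional[str]:
    """Return the storage account name if the URL points at Azure Blob Storage, else None."""
    m = BLOB_HOST.match(urlsplit(url).hostname or "")
    return m.group("account").lower() if m else None


def unexpected_blob_egress(log_text: str, known_accounts: Iterable[str], min_bytes: int = 0) -> List[dict]:
    """Aggregate uploads to blob accounts outside the allowlist, per (source, account), largest first."""
    known = {a.lower() for a in known_accounts}
    agg: Dict[tuple, dict] = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        acct = blob_account(rec["url"])
        if acct is None or acct in known:
            continue
        if rec["method"].upper() not in ("PUT", "POST", "PATCH"):
            continue  # uploads only; downloads from unknown accounts are a separate question
        key = (rec["src"], acct)
        f = agg.setdefault(key, {"src": rec["src"], "account": acct, "requests": 0,
                                 "bytes_out": 0, "transfer_tool": False, "first_seen": rec["ts"]})
        f["requests"] += 1
        f["bytes_out"] += rec["bytes_out"]
        f["transfer_tool"] = f["transfer_tool"] or bool(TRANSFER_TOOL_UA.search(rec["ua"]))
    return sorted((f for f in agg.values() if f["bytes_out"] >= min_bytes),
                  key=lambda f: -f["bytes_out"])


if __name__ == "__main__":
    for finding in unexpected_blob_egress(SAMPLE_PROXY_LOG, KNOWN_STORAGE_ACCOUNTS):
        print(f"{finding['src']} -> {finding['account']}: {finding['bytes_out']} bytes "
              f"in {finding['requests']} uploads, transfer tool: {finding['transfer_tool']}")
```

The allowlist is the part that needs care in practice: it should come from the tenant's own subscription inventory, because a single unknown account receiving gigabytes of PUTs from one workstation is exactly the shape of the staging the advisory describes, while the same volume to a known backup account is routine.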

Tool-Centric Indicators (Malware Artifacts)

  • File Extensions: .interlock, .1nt3rlock
  • Ransom Note: !__README__!.txt (Often distributed via GPO).
  • Malware Hashes (SHA256): none listed here; specific hashes rotate frequently, so pivot on the filenames below.
  • Filenames:
    • conhost.exe (The Encryptor)
    • cht.exe (Credential Stealer module)
    • klg.dll (Keylogger module)
    • tmp41.wasd (Wiper/Cleanup module)
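The tool-centric indicators above are filesystem artifacts, so a simple tree walk can surface them on a suspect host or a mounted image. The following is an added example, not code from the advisory or from this summary: it checks for the two encrypted-file extensions, the ransom note and the module filenames listed above, and additionally flags conhost.exe found outside the normal Windows system directories (that location heuristic is an assumption, since conhost.exe is a legitimate binary in System32). The sample tree it sweeps is constructed in a temporary directory.

```python
import os
import tempfile
from pathlib import Path, PurePath, PureWindowsPath
from typing import List, Optional, Tuple

# Artifact names from the advisory summary above (compared case-insensitively).
ENCRYPTED_EXTENSIONS = {".interlock", ".1nt3rlock"}
RANSOM_NOTE = "!__readme__!.txt"
MODULE_NAMES = {"cht.exe", "klg.dll", "tmp41.wasd"}
# conhost.exe is a legitimate Windows binary, so only a copy outside the normal system
# directories is interesting. This location check is an assumed heuristic, not from the advisory.
LEGIT_CONHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def classify(path: PurePath) -> Optional[str]:
    """Return the indicator category a path matches, or None."""
    name = path.name.lower()
    if path.suffix.lower() in ENCRYPTED_EXTENSIONS:
        return "encrypted-file-extension"
    if name == RANSOM_NOTE:
        return "ransom-note"
    if name in MODULE_NAMES:
        return "interlock-module-name"
    if name == "conhost.exe" and str(path.parent).lower() not in LEGIT_CONHOST_DIRS:
        return "conhost-outside-system-dir"
    return None


def classify_windows_path(path_str: str) -> Optional[str]:
    """Classify a Windows-style path string without touching the filesystem."""
    return classify(PureWindowsPath(path_str))


def sweep(root: str) -> List[Tuple[str, str]]:
    """Walk a tree and return (category, path) for every matching file, sorted for stable output."""
    hits: List[Tuple[str, str]] = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            p = Path(dirpath) / fn
            kind = classify(p)
            if kind:
                hits.append((kind, str(p)))
    return sorted(hits)


def build_sample_tree(base: str) -> None:
    """Create a constructed directory tree with one file per indicator plus benign files."""
    layout = {
        "docs/report.docx.interlock": b"\x00" * 16,
        "docs/!__README__!.txt": b"constructed ransom note placeholder",
        "docs/notes.txt": b"nothing to see",
        "users/public/cht.exe": b"MZ placeholder",
        "users/public/conhost.exe": b"MZ placeholder",
    }
    for rel, data in layout.items():
        p = Path(base) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)


def run_sample_sweep() -> List[str]:
    """Build the sample tree in a temp dir, sweep it, and return just the matched categories."""
    with tempfile.TemporaryDirectory() as d:
        build_sample_tree(d)
        return [kind for kind, _ in sweep(d)]


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        build_sample_tree(d)
        for kind, p in sweep(d):
            print(f"{kind:28} {p}")
```

Because the page gives no hashes, names are the only tool-centric pivot; the sweep therefore treats a name match as a lead to triage (hash the file, check its signature and parent process), not as confirmation on its own.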