Skip to content
Ransomware group EsxiLinuxWindows

Interlock

Interlock is a financially motivated double-extortion ransomware operation active since at least late 2024.

Profile source: Mallory opens in a new tab

Interlock

Family profile

Interlock is a financially motivated double-extortion ransomware operation active since at least late 2024. The group steals data prior to encryption and operates a Tor-based leak site to pressure victims through public exposure and regulatory consequences. Victimology includes healthcare, education, government, manufacturing, engineering, construction, and other enterprise and critical-infrastructure organizations in North America and Europe.

Interlock has been observed targeting both Windows and FreeBSD/ESXi environments. Its ransomware tooling includes Windows and ELF encryptors, and reporting links the operation to pre-encryption data theft, victim-specific negotiation workflows, and multi-stage intrusions. On Windows, Interlock has been associated with scheduled-task persistence, event-log clearing, and options to encrypt selected files or directories. Across reporting, the operation is consistently characterized as using encryption plus exfiltration for extortion.

The broader Interlock intrusion toolkit includes custom remote-access malware and credential-access tooling. A backdoor family known as NodeSnake has been associated with the operation in JavaScript, Java, and native Windows variants, providing encrypted WebSocket command and control, shell access, command execution, file transfer, SOCKS5 proxying, self-update, and self-delete. Native variants have also been reported with anti-debugging, DLL execution, and thread-hijacking functionality. Interlock activity has additionally included an NTLM credential theft component, use of ConnectWise ScreenConnect for redundant remote access, PowerShell-based host and network reconnaissance, reverse-proxy infrastructure for traffic laundering, and a memory-resident Java backdoor or web shell used for fileless persistence and post-exploitation.

Initial access has been observed through multiple mechanisms. Interlock has been tied to ClickFix social-engineering lures and to exploitation of edge-facing infrastructure, including active exploitation of CVE-2026-20131 in Cisco Secure Firewall Management Center as a zero-day before public disclosure. Post-compromise activity has included extensive system discovery, collection of browser and network artifacts, use of credential- and certificate-abuse tooling, and deployment of ransomware after access is established and maintained.

Interlock has been linked in reporting to the financially motivated cluster Hive0163 and has been discussed alongside Rhysida because of overlapping tradecraft, though any deeper organizational relationship remains unconfirmed. The operation has been publicly associated with significant attacks against healthcare entities and other enterprises, reinforcing its status as an active ransomware threat with mature post-exploitation capability.

Capabilities

  • Credential Theft
  • Defense Evasion
  • Exfiltration
  • Extortion
  • Initial Access
  • Lateral Movement
  • Persistence
  • Post Exploitation
  • Privilege Escalation
  • Process Injection
  • Reconnaissance

Ransomware.live

Operational record

View group record ↗

Defense Evasion

  • ProcessHacker
  • ThreatFire System Monitor driver (BYOVD)

Discovery Enum

  • Advanced Port Scanner
  • Azure Storage Explorer

Exfiltration

  • AZCopy
  • WinSCP

LOLBAS

  • PsExec

Networking

  • PuTTY

Offsec

  • Cobalt Strike

RMM Tools

  • AnyDesk
  • ScreenConnect

Ransomware.live

Published indicators

Full source record ↗

Md5

9 total
  • e11d147dad6e47a1cecb1f2755f95a55
  • f7f679420671b7e18677831d4d276277
  • f76d907ca3817a8b2967790315265469
  • 6c3b2558fc8cfcb2751437b6e5cdeb6f
  • 6d034dca42ffea354a20cd15d3f2ffd5
  • faf9a658f4f9b424be3dab262a8af81c
  • 3104efb23ea174ac5eda9f5fd0e8c077
  • f73005682c1d90f4b3269483b687e891
  • 33d8eabbf428fef8c5cd50b440ee3d07

Url

4 total
  • hxxp://23.95.182.59/31279geuwtoisgdehbiuowaehsgdb/cht
  • hxxp://23.95.182.59/31279geuwtoisgdehbiuowaehsgdb/klg
  • hxxps://apple-online.shop/ChromeSetup.exe
  • hxxps://rvthereyet.com/wp-admin/images/rsggj.php

Sha256

3 total
  • a26f0a2da63a838161a7d335aaa5e4b314a232acc15dcabdb6f6dbec63cda642
  • c9920e995fbc98cd3883ef4c4520300d5e82bab5d2a5c781e9e9fe694a43e82f
  • e86bb8361c436be94b0901e5b39db9b6666134f23cce1e5581421c2981405cb1

Ip

3 total
  • 23.95.182.59
  • 195.201.21.34
  • 159.223.46.184

Ransomware.live

Recent claims

All published claims ↗

Reported operators

Threat actors

3 named in public reporting
KongTuke

The Rhysida and Interlock groups, which are known to attack healthcare and other critical infrastructure, have similar TTPs and encryption binaries, leading to some speculation of a connection between the two groups.

Interlock

Amazon’s threat intelligence teams have uncovered a new cyber campaign linked to the Interlock ransomware group... The recovered malware and artifacts were attributed to the Interlock ransomware family based on several consistent indicators.

Hive0163

The e-crime group is primarily associated with a wide range of malicious tools, including NodeSnake, Interlock RAT, JunkFiction loader, and Interlock ransomware.

Exploited software

Vulnerabilities linked to Interlock

4 CVEs

MITRE ATT&CK

Interlock in ATT&CK

30 distinct techniques

Reporting

Research mentioning Interlock

Jul 14
Gurucul Threat Research

ClickFix: Exploiting Compromised WordPress Sites with a Polygon-Based C2 Infrastructure | Community Portal | Gurucul

Interlock4

Apr 2
Security Affairs

Cisco fixed critical and high-severity flaws

In March, the company fixed a critical RCE zero-day, tracked as CVE-2026-20131 (CVSS score of 10.0), in Secure Firewall FMC, exploited by Interlock ransomware.

Mar 25
Derp Ca

InterLock: full tooling teardown of a ransomware operation | Derp

InterLock is a double-extortion ransomware operation active since at least October 2024. The group exfiltrates data before encrypting, runs a Tor-based leak site, and deploys encryptors across both FreeBSD/ESXi and Windows.

Mar 20
Dark Reading

Interlock Ransomware Targets Cisco Enterprise Firewalls

The ransomware gang, known for double-extortion attacks, had access to a critical Cisco firewall vulnerability weeks before it was publicly disclosed.

Mar 19
Thecyberexpress Com Vulnerabilities

Interlock Exploits FMC CVE-2026-20131 Via Amazon MadPot

Amazon’s threat intelligence teams have uncovered a new cyber campaign linked to the Interlock ransomware group... The recovered malware and artifacts were attributed to the Interlock ransomware family based on several consistent indicators.

Mar 18
The Hacker News

Interlock Ransomware Exploits Cisco FMC Zero-Day CVE-2026-20131 for Root Access

Amazon Threat Intelligence is warning of an active Interlock ransomware campaign that's exploiting a recently disclosed critical security flaw in Cisco Secure Firewall Management Center (FMC) Software.

Mar 18
Aws Security

Amazon threat intelligence teams identify Interlock ransomware campaign targeting enterprise firewalls | AWS Security Blog

Amazon threat intelligence has identified an active Interlock ransomware campaign exploiting CVE-2026-20131... A misconfigured infrastructure server... exposed Interlock’s complete operational toolkit... custom remote access trojans, reconnaissance scripts, and evasion techniques.

Mar 16
Cyber Security News

IBM Uncovers ‘Slopoly,’ Likely AI-Generated Malware Used in Hive0163 Ransomware Attack - Cyber Security News

Hive0163 is a documented cluster of threat actors behind multiple high-profile global ransomware attacks, all involving the Interlock ransomware variant.

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.