Defense Evasion
- ProcessHacker
- ThreatFire System Monitor driver (BYOVD)
Interlock is a financially motivated double-extortion ransomware operation active since at least late 2024.
Profile source: Mallory opens in a new tabInterlock
Interlock is a financially motivated double-extortion ransomware operation active since at least late 2024. The group steals data prior to encryption and operates a Tor-based leak site to pressure victims through public exposure and regulatory consequences. Victimology includes healthcare, education, government, manufacturing, engineering, construction, and other enterprise and critical-infrastructure organizations in North America and Europe.
Interlock has been observed targeting both Windows and FreeBSD/ESXi environments. Its ransomware tooling includes Windows and ELF encryptors, and reporting links the operation to pre-encryption data theft, victim-specific negotiation workflows, and multi-stage intrusions. On Windows, Interlock has been associated with scheduled-task persistence, event-log clearing, and options to encrypt selected files or directories. Across reporting, the operation is consistently characterized as using encryption plus exfiltration for extortion.
The broader Interlock intrusion toolkit includes custom remote-access malware and credential-access tooling. A backdoor family known as NodeSnake has been associated with the operation in JavaScript, Java, and native Windows variants, providing encrypted WebSocket command and control, shell access, command execution, file transfer, SOCKS5 proxying, self-update, and self-delete. Native variants have also been reported with anti-debugging, DLL execution, and thread-hijacking functionality. Interlock activity has additionally included an NTLM credential theft component, use of ConnectWise ScreenConnect for redundant remote access, PowerShell-based host and network reconnaissance, reverse-proxy infrastructure for traffic laundering, and a memory-resident Java backdoor or web shell used for fileless persistence and post-exploitation.
Initial access has been observed through multiple mechanisms. Interlock has been tied to ClickFix social-engineering lures and to exploitation of edge-facing infrastructure, including active exploitation of CVE-2026-20131 in Cisco Secure Firewall Management Center as a zero-day before public disclosure. Post-compromise activity has included extensive system discovery, collection of browser and network artifacts, use of credential- and certificate-abuse tooling, and deployment of ransomware after access is established and maintained.
Interlock has been linked in reporting to the financially motivated cluster Hive0163 and has been discussed alongside Rhysida because of overlapping tradecraft, though any deeper organizational relationship remains unconfirmed. The operation has been publicly associated with significant attacks against healthcare entities and other enterprises, reinforcing its status as an active ransomware threat with mature post-exploitation capability.
Ransomware.live
Ransomware.live
e11d147dad6e47a1cecb1f2755f95a55f7f679420671b7e18677831d4d276277f76d907ca3817a8b29677903152654696c3b2558fc8cfcb2751437b6e5cdeb6f6d034dca42ffea354a20cd15d3f2ffd5faf9a658f4f9b424be3dab262a8af81c3104efb23ea174ac5eda9f5fd0e8c077f73005682c1d90f4b3269483b687e89133d8eabbf428fef8c5cd50b440ee3d07hxxp://23.95.182.59/31279geuwtoisgdehbiuowaehsgdb/chthxxp://23.95.182.59/31279geuwtoisgdehbiuowaehsgdb/klghxxps://apple-online.shop/ChromeSetup.exehxxps://rvthereyet.com/wp-admin/images/rsggj.phpa26f0a2da63a838161a7d335aaa5e4b314a232acc15dcabdb6f6dbec63cda642c9920e995fbc98cd3883ef4c4520300d5e82bab5d2a5c781e9e9fe694a43e82fe86bb8361c436be94b0901e5b39db9b6666134f23cce1e5581421c2981405cb123.95.182.59195.201.21.34159.223.46.184Ransomware.live
Reported operators
The Rhysida and Interlock groups, which are known to attack healthcare and other critical infrastructure, have similar TTPs and encryption binaries, leading to some speculation of a connection between the two groups.
Amazon’s threat intelligence teams have uncovered a new cyber campaign linked to the Interlock ransomware group... The recovered malware and artifacts were attributed to the Interlock ransomware family based on several consistent indicators.
The e-crime group is primarily associated with a wide range of malicious tools, including NodeSnake, Interlock RAT, JunkFiction loader, and Interlock ransomware.
Exploited software
MITRE ATT&CK
Reporting
Interlock4
In March, the company fixed a critical RCE zero-day, tracked as CVE-2026-20131 (CVSS score of 10.0), in Secure Firewall FMC, exploited by Interlock ransomware.
InterLock is a double-extortion ransomware operation active since at least October 2024. The group exfiltrates data before encrypting, runs a Tor-based leak site, and deploys encryptors across both FreeBSD/ESXi and Windows.
The ransomware gang, known for double-extortion attacks, had access to a critical Cisco firewall vulnerability weeks before it was publicly disclosed.
Amazon’s threat intelligence teams have uncovered a new cyber campaign linked to the Interlock ransomware group... The recovered malware and artifacts were attributed to the Interlock ransomware family based on several consistent indicators.
Amazon Threat Intelligence is warning of an active Interlock ransomware campaign that's exploiting a recently disclosed critical security flaw in Cisco Secure Firewall Management Center (FMC) Software.
Amazon threat intelligence has identified an active Interlock ransomware campaign exploiting CVE-2026-20131... A misconfigured infrastructure server... exposed Interlock’s complete operational toolkit... custom remote access trojans, reconnaissance scripts, and evasion techniques.
Hive0163 is a documented cluster of threat actors behind multiple high-profile global ransomware attacks, all involving the Interlock ransomware variant.
Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.