Agencies issue advisory on emerging Interlock group.
CISA and the FBI have issued a joint advisory warning of increased activity by the Interlock ransomware group.
The alert, released in collaboration with the Department of Health and Human Services (HHS) and the Multi-State Information Sharing and Analysis Center (MS-ISAC), highlights the group's use of double extortion tactics and provides indicators of compromise (IOCs) observed in attacks as recent as June 2025.
The FBI has noted that Interlock actors use some unconventional tactics compared to other ransomware groups. This includes gaining access through drive-by downloads from compromised legitimate websites, as well as adopting a new technique called FileFix. This method uses trusted Windows interface elements to trick users into executing malicious scripts, bypassing typical security warnings.
The group’s double extortion approach demands ransom payments not only for decryption keys but also to prevent leaked data from being published.
Gained Notoriety
According to Bleeping Computer, Interlock has rapidly gained notoriety since emerging in September 2024, with a clear focus on healthcare organisations and critical infrastructure.
Interlock's operators have been linked to previous cyber campaigns such as ClickFix, where they impersonated legitimate IT tools to gain initial access, and have also deployed the NodeSnake remote access trojan in attacks on UK universities.
More recently, the gang claimed responsibility for high-profile breaches at healthcare providers DaVita and Kettering Health, exfiltrating large volumes of sensitive data. These incidents underscore the group’s strategy of stealing data before encrypting it to maximise pressure on victims.
In response, authorities are urging organisations to bolster their cyber defences. The advisory aims to equip IT defenders with the tools and strategies needed to counter this rapidly evolving ransomware threat.
Erich Kron, security awareness advocate at KnowBe4, said: "While a fairly new ransomware group, Interlock is working to make a name for themselves.
"Their use of compromised websites for drive-by malware downloads is not very common in the world of ransomware, but their use of social engineering certainly is. Convincing people to install updates or fixes, really just disguised malware, in ClickFix attacks is not a new concept, as fake updates or anti-virus notifications have been around for years."
Written by
Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.
He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show, and served as editor of SC Media UK, Infosecurity Magazine and IT Security Guru. He was also an analyst with 451 Research and a product marketing lead at Tenable.