CyberSecurity news

FlagThis

@gbhackers.com //
The Interlock ransomware group has escalated its operations across North America and Europe, employing sophisticated techniques to evade detection. Cybersecurity firms such as Sekoia Threat Detection & Research (TDR) are closely monitoring Interlock's activities, revealing their evolving tactics and tools. Unlike typical Ransomware-as-a-Service (RaaS) operations, Interlock operates independently, focusing on targeted attacks known as Big Game Hunting and double extortion campaigns. Their tactics include compromising legitimate websites to host deceptive browser update pages, tricking users into downloading malicious PyInstaller files that appear as legitimate Google Chrome or Microsoft Edge installers.

These fake installers launch PowerShell-based backdoors that poll the command-and-control (C2) server in a continuous loop of HTTP requests; the loop itself is what keeps the backdoor alive, and persistence mechanisms are set up from the same script. The script collects system information and can execute arbitrary commands on the host. Over this channel the C2 server can order the backdoor to terminate or deploy additional malware, such as keyloggers or credential stealers like LummaStealer and BerserkStealer. Because the initial execution is performed by the victim, who runs the fake installer by hand, the chain sidesteps automated defenses that would otherwise block an unattended download-and-run sequence.

In early 2025, Interlock began experimenting with ClickFix, a social engineering technique that prompts users to paste and execute a malicious PowerShell command, presented through spoofed CAPTCHAs or browser alerts as the way to "fix" an issue. Interlock also clusters its infrastructure by IP address to stay resilient to takedowns, often drawing IPs from BitLaunch, Hetzner Online GmbH, and other autonomous systems. For lateral movement within compromised networks the group commonly relies on RDP and stolen credentials, frequently targeting domain controllers to gain widespread control. Cybersecurity researchers continue to adapt defenses as Interlock's techniques evolve.



References:
  • gbhackers.com: Interlock leverages a multi-stage attack through seemingly benign websites and malicious browser updates, demonstrating its advanced tactics for evasion.
  • securityonline.info: The group is distinguished by its independent operations, focusing on targeted attacks and double-extortion campaigns, and avoiding a RaaS model.
  • BleepingComputer: Interlock ransomware gang pushes fake IT tools in ClickFix attacks.
Classification:
  • HashTags: #Ransomware #Cyberattack #Interlock
  • Target: Organizations in North America and Europe
  • Attacker: Interlock
  • Product: Various targeted systems
  • Feature: Browser updates
  • Malware: Interlock
  • Type: Ransomware
  • Severity: Major