The U.S. government has officially issued a warning about a dangerous wave of ransomware attacks linked to a cybercriminal group called Interlock. This alert was released by CISA in partnership with the FBI, Department of Health and Human Services (HHS), and MS-ISAC. The threat mainly targets businesses and critical infrastructure, especially in North America and Europe.
Interlock ransomware has been active since around September 2024, but it has picked up serious momentum in recent months. This group uses a double-extortion method to pressure victims. That means they not only encrypt the victim’s files but also steal sensitive data and threaten to leak it online if no ransom is paid.
What makes Interlock stand out is how they get into systems. Most ransomware attacks rely on phishing emails or stolen credentials, but Interlock uses a trick called “ClickFix.” This method tricks users into clicking a fake pop-up that looks like it’s fixing an issue, but it actually installs malware. They also use drive-by downloads, where a user gets infected just by visiting a compromised website.
Once inside a system, the attackers use a range of tools to spread and gain control. These include Cobalt Strike and SystemBC for remote access, along with password stealers like Lumma and Berserk. They even use remote access software like AnyDesk and PuTTY to maintain a connection without being detected.
The ransomware affects multiple operating systems, including Windows, Linux, and FreeBSD. The attackers use customized encryptors for each platform, making them more versatile and dangerous. When they hit a system, the encrypted files usually get renamed with extensions like “.interlock” or “.1nt3rlock.”
There have already been several high-profile victims. One major case was DaVita, a leading kidney care provider, which suffered service disruptions. Another attack hit Kettering Health, a healthcare network in the U.S., disrupting patient care and exposing sensitive records. In each case, Interlock demanded ransom payments through hidden .onion websites on the dark web.
Security researchers have also found signs that Interlock might be linked to another ransomware group called Rhysida. Some of the code and tactics used by both groups are similar. This raises concerns that these gangs might be sharing tools or working together, which would make the threat even harder to control.
The U.S. government has shared a list of urgent recommendations for organizations to protect themselves. One key step is to use DNS filtering and web application firewalls to block malicious websites. Organizations are also encouraged to enforce multi-factor authentication (MFA) and use strong password policies to prevent unauthorized access.
CISA also suggests that businesses install endpoint detection and response (EDR) tools, especially on virtual systems. Network segmentation is another important measure, which helps limit the movement of attackers if they manage to get in. Keeping all systems updated with the latest patches is critical, as outdated software can become an easy target.
Monitoring for suspicious activity is also necessary. This includes looking for unusual downloads, high CPU usage, strange file extensions, or unauthorized remote access connections. Employees should be trained to recognize phishing emails and fake update alerts like ClickFix pop-ups.
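As an added illustration of the monitoring step described above (example code written for this page, not part of the CISA advisory or the article), the Python script below scans constructed sample telemetry for two of the indicators the text names: files renamed with the ".interlock" or ".1nt3rlock" extensions, and remote-access tools such as AnyDesk or PuTTY launched by accounts outside an approved list. The pipe-delimited event format, the `itadmin` allowlist and the sample event lines are assumptions made for the example.

```python
"""Triage helper for two Interlock-style indicators over sample telemetry.

Added example for this page; not from the advisory or the article.
Assumes a hypothetical line format: 'timestamp|event_type|key=value key=value ...'
"""
import re
from dataclasses import dataclass

# Extensions the advisory summary associates with Interlock-encrypted files.
RANSOM_EXTENSIONS = (".interlock", ".1nt3rlock")
# Remote-access tools the summary says the actors abuse to keep a foothold.
REMOTE_TOOLS = {"anydesk.exe", "putty.exe"}
# Constructed allowlist: accounts that may legitimately run remote tools.
APPROVED_REMOTE_USERS = {"itadmin"}

# Constructed sample events, not real data.
SAMPLE_EVENTS = [
    r"2025-07-22T10:01:05|file_rename|src=C:\Finance\q2.xlsx dst=C:\Finance\q2.xlsx.interlock",
    r"2025-07-22T10:01:06|file_rename|src=C:\HR\roster.docx dst=C:\HR\roster.docx.1nt3rlock",
    r"2025-07-22T10:02:00|file_rename|src=C:\tmp\a.txt dst=C:\tmp\a.bak",
    r"2025-07-22T10:03:10|process_start|user=jsmith image=C:\Users\jsmith\AppData\Local\Temp\AnyDesk.exe",
    r"2025-07-22T10:03:11|process_start|user=itadmin image=C:\Program Files\PuTTY\putty.exe",
    r"2025-07-22T10:04:00|process_start|user=jsmith image=C:\Windows\System32\notepad.exe",
]

# Matches key=value pairs where a value may contain spaces (e.g. "Program Files");
# a value runs until the next " key=" token or the end of the line.
_KV = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")


@dataclass
class Finding:
    timestamp: str
    rule: str
    detail: str


def parse(line):
    """Split one event line into (timestamp, event_type, {key: value})."""
    ts, kind, rest = line.split("|", 2)
    fields = {k: v for k, v in _KV.findall(rest)}
    return ts, kind, fields


def _basename(path):
    """Return the lowercase file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def scan(lines):
    """Apply the two detection rules and return the findings in event order."""
    findings = []
    for line in lines:
        ts, kind, f = parse(line)
        if kind == "file_rename":
            # Rule 1: a file renamed to carry a known ransomware extension.
            if f.get("dst", "").lower().endswith(RANSOM_EXTENSIONS):
                findings.append(Finding(ts, "ransom_extension", f["dst"]))
        elif kind == "process_start":
            # Rule 2: a remote-access tool started by an unapproved account.
            image = f.get("image", "")
            user = f.get("user", "").lower()
            if _basename(image) in REMOTE_TOOLS and user not in APPROVED_REMOTE_USERS:
                findings.append(Finding(ts, "unapproved_remote_tool", f"{user} started {image}"))
    return findings


def summarize(findings):
    """Count findings per rule, useful for a quick escalation decision."""
    counts = {}
    for fnd in findings:
        counts[fnd.rule] = counts.get(fnd.rule, 0) + 1
    return counts


if __name__ == "__main__":
    for fnd in scan(SAMPLE_EVENTS):
        print(f"{fnd.timestamp} [{fnd.rule}] {fnd.detail}")
    print(summarize(scan(SAMPLE_EVENTS)))
```

In practice the same two rules would be expressed in an EDR or SIEM query over real file and process telemetry; the point of the script is to show that both indicators are cheap to check and that the remote-tool rule needs an allowlist, since AnyDesk and PuTTY are also legitimate administrative tools.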
The Interlock ransomware campaign is one of the most advanced and dangerous seen in recent months. It uses sophisticated techniques, spreads fast, and hits essential services like healthcare, manufacturing, and energy. Organizations need to take this warning seriously and follow the security steps provided in the official advisory.
In summary, the U.S. government is urging everyone, especially those responsible for critical infrastructure, to act immediately. This isn’t just another ransomware campaign. Interlock has already caused major disruptions, and the threat is growing. If you run a business or manage IT systems, now is the time to review your defenses and make sure your systems are ready.
Stay alert, and keep your security measures updated!
Source: Follow cybersecurity88 on X and LinkedIn for the latest cybersecurity news