Interlock and Rhysida within the Ransomware Ecosystem
Essential information
- Published: 12/06/2026 21:29
- Modified: 15/06/2026 18:32
- Tags: 2026-06-12 CVE-2023-36036 CVE-2026-20131 berserk stealer broomstick clickfix dave endico gootloader icenova inc initial access broker interlock interlockrat junkfiction latrodectus mallard mintloader modelorat nodesnake ntlmthief plus keylogger portstarter ransomware rhysida sliver socgholish supper supper backdoor systembc tomb tomb crypter trojanized installers vidar
- Related entities: 2 vulnerabilities (cve), 102 observables, 1 intrusion sets (apt), 22 techniques (mitre), 24 malware, 107 others
Description
This analysis examines over two years of observations on the ransomware ecosystem surrounding the Interlock and Rhysida threat groups. Hive0163 (Interlock) employs custom malware including NodeSnake, InterlockRAT, the JunkFiction downloader, Supper, and the Interlock ransomware, with identified links to TAG-124. Rhysida actors use the Endico downloader, Broomstick, Supper, and the Tomb crypter, and show relationships with IceNova operators and ITG23. Strong code overlaps between NodeSnake, the JunkFiction downloader, InterlockRAT and Supper indicate shared codebases or common developers. Both groups primarily target U.S. organizations across multiple sectors, using trojanized installers, ClickFix campaigns, and traffic distribution systems for initial access. Analysis of post-exploitation payloads reveals broad, adaptable toolsets, including custom WDAC policies, credential phishing tools, and various privilege escalation exploits, demonstrating sophisticated ransomware operations.