Threat Actor Profile: Interlock Ransomware
Essential information
- Published
- 15/08/2025 19:40
- Modified
- 15/08/2025 20:49
- Tags
- 2025-08-15 clickfix cobalt strike compromised websites double-extortion interlock rat nodesnake rat powershell ransomware remote access trojan social engineering systembc trycloudflare
- Related entities
- 24 observables, 1 intrusion sets (apt), 11 techniques (mitre), 4 malware, 11 others
Description
Interlock, a relatively new ransomware group first observed in September 2024, has gained prominence in 2025 as an opportunistic ransomware operator. Unlike traditional Ransomware-as-a-Service models, Interlock operates without affiliates or public advertisements. The group conducts double extortion campaigns, leveraging compromised websites and multi-stage social engineering techniques to deliver payloads. Interlock's attack chain involves initial access through fake software updaters, execution of PowerShell scripts, and the use of custom remote access trojans. The group has targeted various sectors across North America and Europe, including education, healthcare, technology, and government entities. Notable attacks include the DaVita breach in April 2025 and the ransomware attack on the city of St. Paul, Minnesota in July 2025.