LIVE
LATEST THREAT: Space Bears: The Data Extortion Group With a Corporate Aesthetic and MSSQL Focus THREAT ALERT ACTIVE
Intelligence DB / Group Profile Interlock

Interlock Ransomware: Healthcare and Government Targeting, ClickFix Delivery, and CISA Joint Alert

Interlock ransomware emerged in September 2024 and has claimed over 60 victims in under two years, with a pronounced focus on healthcare, IT, and government sectors. CISA issued a joint alert in mid-2025 documenting the group's ClickFix delivery mechanism, two-to-three week dwell time, and cross-platform encryptors targeting both Windows and Linux VMware ESXi environments.

By Ransomware Tracker ·
InterlockransomwarehealthcareClickFixCISAgovernmentRaaSdouble-extortionESXiLinuxgroup-profile
Threat Level
8/10
Sectors Targeted
healthcare
government
technology
Ransomware Family
Interlock

Overview

Interlock ransomware first appeared in September 2024. The group operates as a financially motivated threat actor claiming a dual purpose: profit and what they describe in communications as “teaching organisations a lesson” about inadequate security practices — a rhetorical framing shared with several other contemporary ransomware operators and not meaningfully distinct from it.

Within twelve months of emergence, Interlock had claimed more than 50 victims. By mid-2026, the total exceeds 60 publicly listed victims, with additional unreported cases expected given typical disclosure rates. CISA, FBI, HHS, and MS-ISAC issued a joint advisory (AA25-203A) in mid-2025 documenting the group’s TTPs — an indicator that the group’s targeting of critical healthcare infrastructure had risen to the level of concern warranting coordinated government attention.

Targeting Profile

Healthcare and Public Health (HPH) sector is Interlock’s primary focus. Hospitals, health systems, healthcare IT vendors, and medical device companies feature prominently in the victim list. The HPH sector’s combination of critical operational dependencies (systems cannot be taken offline for extended periods without patient safety consequences), high sensitivity of exfiltrated data (HIPAA-protected health information carries significant regulatory and reputational consequences), and historically inconsistent security investment makes it a preferred target for double-extortion groups.

Government and critical infrastructure represent a secondary but significant target set. State and local government entities, county services, and government IT contractors have been among documented Interlock victims. These targets carry high data sensitivity and limited ability to absorb operational disruption.

IT and technology companies round out the target profile. IT service providers and managed service providers are attractive targets because compromising a single entity can provide downstream access to the provider’s client base — a force multiplier for initial access.

Initial Access: ClickFix and Fake Update Campaigns

Interlock’s initial access methodology has evolved across two documented phases:

Phase 1 (September 2024 – early 2025): Traffic Direction System (TDS) abuse. The group seeded malicious JavaScript into websites targeting local news outlets, small businesses, and community forums. Visitors to these sites encountered fake browser or application update prompts — for Chrome, Microsoft Teams, and other commonly used software — that triggered download and execution of a malicious installer containing the Interlock backdoor.

Phase 2 (2025 – present): ClickFix social engineering. Victims encounter fake CAPTCHA prompts, browser error messages, or document verification screens instructing them to “fix” an issue by opening the Windows Run dialog and pasting a provided command. The command executes PowerShell that downloads and runs the Interlock backdoor. This technique is effective because it bypasses email security controls (the delivery is web-based, not email-borne), exploits user familiarity with CAPTCHA interfaces, and uses the victim’s own system to execute the malicious payload — circumventing application control solutions that would block direct binary downloads.

Interlock also uses initial access brokers (IABs) to purchase pre-obtained credentials and remote access sessions to target networks, complementing the social engineering approach with opportunistic credential-based access.

Post-Compromise Tradecraft

Once inside a target network, Interlock follows an extended dwell pattern before deploying ransomware:

  • Dwell time: Two to three weeks between initial access (whether credential purchase or social engineering) and encryption. This interval is used for reconnaissance, credential theft, and data exfiltration.
  • Reconnaissance tools: The group uses legitimate remote management tools, Living-off-the-Land binaries (LOLBins), and publicly available tools for network scanning and lateral movement. This reduces the signature surface compared to groups that use distinctive custom tools.
  • Data exfiltration before encryption: Consistent with double-extortion operations, Interlock exfiltrates sensitive data — including patient records, financial data, and internal communications — before deploying the encryptor. The exfiltrated data is hosted on the group’s dedicated leak site (DLS) and used as leverage in ransom negotiations.
  • Credential theft: Active credential harvesting from compromised systems for lateral movement and to ensure re-access if initial ransomware deployment is interrupted.

Encryptor Capabilities

Interlock operates separate encryptors for Windows and Linux environments. The Windows encryptor targets standard enterprise file types and shares. The Linux variant specifically targets VMware ESXi hypervisors — encrypting the VM disk files (VMDK) and related configuration files that define virtual machines, effectively taking entire virtualised server environments offline with a single deployment.

The ESXi targeting reflects a broader trend across modern ransomware operations. Virtualisation platforms concentrate multiple production workloads on a small number of host systems. Encrypting the hypervisor tier is operationally more efficient than encrypting individual endpoints and produces disproportionate impact relative to the files touched.

Leak Site Operations

Interlock maintains a dedicated data leak site where exfiltrated victim data is published when ransom demands are not met. The group lists victim names, affected data types, and partial data samples to demonstrate possession. The threat of public disclosure of healthcare data — with its attendant HIPAA notification requirements, regulatory scrutiny, and reputational consequences — is a significant component of Interlock’s negotiation leverage with healthcare sector victims.

CISA Joint Advisory AA25-203A

CISA’s June 2025 joint advisory with FBI, HHS, and MS-ISAC identified Interlock as a priority threat to the healthcare sector and documented specific indicators of compromise (IOCs) and TTPs derived from confirmed intrusion investigations. The advisory noted:

  • Specific PowerShell cmdlets used in post-exploitation
  • Command-and-control infrastructure patterns
  • Staging directories commonly used for pre-exfiltration data collection
  • Specific file extensions appended to encrypted files (varies by victim but consistent within campaigns)

Organisations in the healthcare sector should review AA25-203A IOCs against historical log data to identify potential compromises that may predate detection.

Defensive Priorities

Initial access hardening:

  • User awareness training specifically covering ClickFix and fake update social engineering — the instruction to open Run and paste a command is unusual enough that users can be trained to recognise and report it
  • Web content filtering to block known TDS redirect domains and malicious JavaScript payloads
  • PowerShell execution policy enforcement and logging (Script Block Logging, Module Logging, and Transcription) to detect and alert on unusual PowerShell download/execution patterns

Dwell time detection: The two-to-three week dwell time before encryption creates a detection window. Focus on:

  • Unusual network scanning from internal hosts (Nmap, internal IP enumeration)
  • Remote management tool installations (ScreenConnect, AnyDesk, TeamViewer) not deployed through standard IT channels
  • Bulk file access patterns consistent with pre-encryption staging or exfiltration to external destinations

ESXi protection:

  • Restrict ESXi management interfaces to dedicated management networks with no general network access
  • Enable ESXi host-based authentication and audit logging
  • Maintain offline or immutable backups of VMDK files and VM configurations to enable recovery without ransom payment

Backup resilience: Healthcare environments should maintain backup copies that are network-isolated (offline or immutable object storage) given that Interlock’s dwell time is sufficient to locate and delete or corrupt online backup repositories.

// Related Intelligence
Group Profile

Space Bears: The Data Extortion Group With a Corporate Aesthetic and MSSQL Focus

Group Profile

Underground Ransomware: Group Profile

Group Profile

Termite Ransomware: Group Profile, Babuk Origins, and High-Impact Supply Chain Targeting