Mallory
5 malware families · Exploits CVEs in the wild

Interlock

Also known as: interlock, interlock_group, interlock_ransomware, interlock_ransomware_group

Interlock is a financially motivated ransomware group that emerged in September 2024 and is known for double-extortion attacks that combine encryption with data theft. The group has targeted organizations across North America and Europe, including critical infrastructure; historical victim sectors include education, healthcare, government/public sector, engineering, architecture, construction, manufacturing, and industrial organizations. Education is repeatedly described as its most concentrated sector: one report put education organizations at 27.3% of its victims, and its leak site has listed multiple K-12 schools.

Interlock has been linked to exploitation of the critical Cisco Secure Firewall Management Center vulnerability CVE-2026-20131 as a zero-day beginning on January 26, 2026, 36 days before Cisco publicly disclosed the flaw on March 4, 2026. Amazon attributed this activity to Interlock based on recovered malware, ransom note branding, TOR negotiation infrastructure, and victim tracking patterns. Reported tradecraft from this campaign included crafted HTTP requests that triggered arbitrary Java code execution as root; delivery of a malicious Linux ELF payload; PowerShell reconnaissance scripts; custom JavaScript and Java remote access trojans; a memory-resident Java backdoor/web shell; Linux reverse-proxy and log-wiping scripts built on HAProxy; and use of legitimate tools including ConnectWise ScreenConnect, Volatility, and Certify. Amazon assessed with 75-80% confidence that the operators likely work in UTC+3.

The group has also been associated in reporting with ClickFix activity, compromise of legitimate websites to infect visitors, and NodeSnake remote access trojan deployments against multiple U.K. universities. Federal agencies have likewise stated that Interlock emerged in September 2024 and have noted potential links to the Rhysida ransomware operation.

Victims and claimed victims named in the underlying reporting include DaVita, Kettering Health, Goodwill Industries International, Lexington-Richland School District Five, West Lothian Council, Peabody, and the city of Saint Paul, Minnesota. The reporting also states that Interlock claimed responsibility for attacks affecting the Texas Tech University System and other schools and healthcare entities.

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

  • Government & Administration
  • Academia & Research

Where they target

Geographies tied to known operations.

  • 🇺🇸 United States

MITRE ATT&CK

Tradecraft

63 distinct techniques observed across reporting, grouped by tactic.

13 of 15 tactics · 83 techniques. ×N = number of intelligence reports citing this technique.
TA0001 Initial Access (3 techniques)
  • T1078 Valid Accounts
  • T1189 Drive-by Compromise
  • T1190 Exploit Public-Facing Application ×2

TA0002 Execution (4 techniques)
  • T1047 Windows Management Instrumentation
  • T1053 Scheduled Task/Job
      • T1053.005 Scheduled Task
  • T1059 Command and Scripting Interpreter ×2
      • T1059.001 PowerShell ×3
      • T1059.003 Windows Command Shell
      • T1059.005 Visual Basic
      • T1059.007 JavaScript
  • T1203 Exploitation for Client Execution ×2

TA0003 Persistence (4 techniques)
  • T1053 Scheduled Task/Job
      • T1053.005 Scheduled Task
  • T1078 Valid Accounts
  • T1112 Modify Registry
  • T1505 Server Software Component
      • T1505.003 Web Shell ×3

TA0004 Privilege Escalation (5 techniques)
  • T1053 Scheduled Task/Job
      • T1053.005 Scheduled Task
  • T1055 Process Injection
      • T1055.003 Thread Execution Hijacking
  • T1068 Exploitation for Privilege Escalation ×3
  • T1078 Valid Accounts
  • T1134 Access Token Manipulation
      • T1134.001 Token Impersonation/Theft

TA0005 Stealth (11 techniques)
  • T1027 Obfuscated Files or Information
      • T1027.011 Fileless Storage
  • T1055 Process Injection
      • T1055.003 Thread Execution Hijacking
  • T1070 Indicator Removal ×2
      • T1070.001 Clear Windows Event Logs
      • T1070.002 Clear Linux or Mac System Logs
      • T1070.003 Clear Command History
      • T1070.004 File Deletion ×2
  • T1078 Valid Accounts
  • T1134 Access Token Manipulation
      • T1134.001 Token Impersonation/Theft
  • T1140 Deobfuscate/Decode Files or Information
  • T1211 Exploitation for Stealth
  • T1218 System Binary Proxy Execution
      • T1218.011 Rundll32
  • T1497 Virtualization/Sandbox Evasion
      • T1497.001 System Checks
  • T1620 Reflective Code Loading
  • T1622 Debugger Evasion

TA0112 Defense Impairment (1 technique)
  • T1112 Modify Registry

TA0006 Credential Access (4 techniques)
  • T1003 OS Credential Dumping ×2
  • T1555 Credentials from Password Stores
  • T1558 Steal or Forge Kerberos Tickets
  • T1649 Steal or Forge Authentication Certificates ×4

TA0007 Discovery (11 techniques)
  • T1033 System Owner/User Discovery
  • T1046 Network Service Discovery
  • T1049 System Network Connections Discovery
  • T1082 System Information Discovery ×5
  • T1083 File and Directory Discovery
  • T1135 Network Share Discovery
  • T1217 Browser Information Discovery
  • T1482 Domain Trust Discovery
  • T1497 Virtualization/Sandbox Evasion
      • T1497.001 System Checks
  • T1518 Software Discovery
  • T1622 Debugger Evasion

TA0008 Lateral Movement (2 techniques)
  • T1021 Remote Services
      • T1021.001 Remote Desktop Protocol
  • T1570 Lateral Tool Transfer

TA0009 Collection (3 techniques)
  • T1005 Data from Local System
  • T1074 Data Staged
  • T1213 Data from Information Repositories

TA0011 Command and Control (6 techniques)
  • T1071 Application Layer Protocol
      • T1071.001 Web Protocols ×3
  • T1090 Proxy ×5
      • T1090.001 Internal Proxy ×2
      • T1090.002 External Proxy
      • T1090.003 Multi-hop Proxy
  • T1095 Non-Application Layer Protocol
  • T1105 Ingress Tool Transfer ×3
  • T1219 Remote Access Tools ×2
  • T1568 Dynamic Resolution

TA0010 Exfiltration (2 techniques)
  • T1041 Exfiltration Over C2 Channel ×3
  • T1537 Transfer Data to Cloud Account ×2

TA0040 Impact (2 techniques)
  • T1486 Data Encrypted for Impact ×6
  • T1657 Financial Theft

IOCs

Observables

51 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.

Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping (63)

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal (5)

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs (2)

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables (51)

Domains, IPs, and hashes tied to this actor, refreshed continuously.