Interlock
Interlock is a double-extortion ransomware operation active since at least October 2024. It exfiltrates data before encryption, operates a Tor-based leak/negotiation site, and has targeted organizations in North America and Europe, including critical infrastructure. Reported victim sectors include healthcare, education, government/public sector, engineering, architecture, construction, manufacturing, industrial, and enterprise environments. Public reporting and advisories also associate Interlock with incidents affecting organizations such as DaVita, Kettering Health, Texas Tech University Health Sciences Center, and defense-related entities including National Defense Corporation and subsidiaries.
Interlock has been observed targeting both Windows and FreeBSD/ESXi environments. Reported ransomware variants append the .interlock extension, and the FreeBSD/ESXi ELF encryptor drops the ransom note !README!.txt. Separate reporting on Windows samples states the ransomware can be deployed with the JunkFiction loader, supports command-line options for encrypting directories or files and self-deletion, skips some critical system paths and file types, can stop processes via the Restart Manager API, and drops a ransom note named FIRST_READ_ME.txt. Another analysis states the Windows ransomware uses scheduled-task persistence under the name TaskSystem and clears Windows event logs via EvtClearLog. Across reporting, Interlock ransomware has been described as using strong symmetric/asymmetric encryption combinations, though exact implementation details vary by sample set in the source material.
Interlock activity is closely associated with a broader tooling ecosystem. Multiple reports link the operation to NodeSnake backdoors, Interlock RAT, the JunkFiction loader, and NtlmThief. NodeSnake/Interlock RAT variants have been described in JavaScript, Java, and native Windows forms, using RC4-encrypted WebSocket communications and supporting shell access, command execution, file transfer, SOCKS5 proxying, self-update, and self-delete. Additional tooling observed with Interlock includes ConnectWise ScreenConnect for persistent remote access, Volatility for memory analysis and credential access, Certify for identifying and exploiting AD CS misconfigurations, PowerShell reconnaissance scripts, Bash-based reverse proxy/log-wiping scripts, and a memory-resident Java backdoor/web shell. One PowerShell reconnaissance script enumerated Windows OS details, hardware, services, installed software, storage, Hyper-V inventory, user files, browser artifacts, network connections, ARP tables, iSCSI sessions, and RDP authentication events, staging results to \JK-DC2\Temp.
Initial access methods reported for Interlock include ClickFix social engineering and exploitation of public-facing applications. Government and industry reporting states the group heavily relies on ClickFix for initial access. In 2026, Amazon threat intelligence reported an active Interlock campaign exploiting CVE-2026-20131, a critical insecure deserialization vulnerability in Cisco Secure Firewall Management Center (FMC) Software that allows unauthenticated remote code execution as root. Amazon observed exploitation beginning on 2026-01-26, 36 days before Cisco publicly disclosed the flaw on 2026-03-04, indicating zero-day use. The campaign targeted enterprise firewalls, and a misconfigured Interlock staging server exposed operational tooling, reconnaissance scripts, custom RATs, proxy infrastructure, and evasion mechanisms. Attribution to Interlock was based on ransom note branding, Tor negotiation infrastructure, and victim tracking patterns.
Interlock is also linked in reporting to the financially motivated threat cluster Hive0163. IBM X-Force associated Hive0163 with NodeSnake, Interlock RAT, JunkFiction loader, and Interlock ransomware, and observed ClickFix-delivered intrusions in which NodeSnake was deployed first, followed by additional payloads including Interlock RAT and the likely AI-assisted PowerShell backdoor Slopoly. Hive0163 has also been described as using malvertising and working with initial access brokers such as TA569/SocGholish and TAG-124/KongTuke/LandUpdate808.
High-confidence infrastructure and indicators directly mentioned in the source material include the Interlock negotiation onion address ebhmkoohccl45qesdbvrjqtyro2hmhkmh6vkyfyjjzfllm3ix72aqaid[.]onion; NodeSnake C2 IPs 172.86.68.64, 23.227.203.123, and 77.42.75.119; ScreenConnect-related domains flowmiceornfidgring[.]cc and partyglacierhip[.]top on port 8041; and Slopoly-related infrastructure plurfestivalgalaxy[.]com and 94.156.181[.]89. Reporting also notes Interlock ransom notes reference multiple data protection regulations to increase extortion pressure and that temporal analysis of one campaign suggested operators likely work in UTC+3.
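The profile above lists several host-observable Interlock traits (event-log clearing via EvtClearLog, the TaskSystem scheduled task, rundll32 ",run" loader invocations, .interlock files and ransom notes, ScreenConnect on port 8041). The following is an added defender-side example, not code from the page or any vendor, that matches those traits against constructed telemetry records; the record schema (type/id/task/cmdline/path/dport) is an assumption for illustration.

```python
# Added example: behaviour matching over constructed host telemetry, keyed to
# Interlock traits reported in the profile. Record fields are assumptions.
import re
from collections import Counter
from typing import Optional

RANSOM_NOTES = {"!README!.txt", "FIRST_READ_ME.txt"}   # note names reported above
TASK_NAME = "TaskSystem"                               # reported persistence task name
SC_PORT = 8041                                         # reported ScreenConnect port
RUNDLL_RUN = re.compile(r"rundll32(\.exe)?\s+\S+,\s*run\b", re.I)  # "%s,run %s" pattern

def classify(rec: dict) -> Optional[str]:
    """Return a finding label for one telemetry record, or None if it is benign."""
    kind = rec.get("type")
    if kind == "event":
        if rec.get("id") in (1102, 104):          # Security/System "log cleared" events
            return "event_log_cleared"
        if rec.get("id") == 4698 and rec.get("task") == TASK_NAME:  # task created
            return "scheduled_task_persistence"
    elif kind == "process":
        if RUNDLL_RUN.search(rec.get("cmdline", "")):
            return "rundll32_run_export"
    elif kind == "file":
        path = rec.get("path", "")
        name = path.rsplit("\\", 1)[-1]
        if path.lower().endswith(".interlock") or name in RANSOM_NOTES:
            return "ransomware_artifact"
    elif kind == "net" and rec.get("dport") == SC_PORT:
        return "screenconnect_port_contact"
    return None

def triage(records: list) -> Counter:
    """Count findings by label; several distinct labels on one host raise confidence."""
    return Counter(lbl for r in records if (lbl := classify(r)))

# Constructed sample telemetry (not real indicators).
SAMPLE = [
    {"type": "event", "id": 4698, "task": "TaskSystem"},
    {"type": "process", "cmdline": "rundll32.exe C:\\Users\\Public\\x.dll,run arg"},
    {"type": "event", "id": 1102},
    {"type": "file", "path": "C:\\Data\\report.docx.interlock"},
    {"type": "file", "path": "C:\\Data\\FIRST_READ_ME.txt"},
    {"type": "net", "dport": 443},
]

if __name__ == "__main__":
    for label, n in sorted(triage(SAMPLE).items()):
        print(f"{label}: {n}")
```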
Vulnerabilities exploited
2 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
Amazon threat intelligence has identified an active Interlock ransomware campaign exploiting CVE-2026-20131... A misconfigured infrastructure server... exposed Interlock’s complete operational toolkit... custom remote access trojans, reconnaissance scripts, and evasion techniques.
Interlock ... concealed ... through the custom Hotta Killer evasion tool, which harnesses a zero-day flaw in the legitimate gaming anti-cheat driver GameDriverx64.sys, tracked as CVE-2025-61155, as part of a Bring Your Own Vulnerable Driver attack. ... kernel termination of security software prior to encryption activities.
Groups observed using it
2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
Amazon’s threat intelligence teams have uncovered a new cyber campaign linked to the Interlock ransomware group... The recovered malware and artifacts were attributed to the Interlock ransomware family based on several consistent indicators.
The e-crime group is primarily associated with a wide range of malicious tools, including NodeSnake, Interlock RAT, JunkFiction loader, and Interlock ransomware.
Techniques & procedures
30 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
2 techniques
The agencies said they are aware of Interlock encryptors designed for Windows and Linux operating systems and have observed cyber actors obtaining access using an uncommon method of drive-by download from compromised legitimate websites, among other tactics.
Amazon threat intelligence has identified an active Interlock ransomware campaign exploiting CVE-2026-20131, a critical vulnerability in Cisco Secure Firewall Management Center (FMC) Software that could allow an unauthenticated, remote attacker to execute arbitrary Java code as root on an affected device
Execution
3 techniques
The Java variant adds two features... The UpdateThread creates a self-deleting scheduled task... Like the Java variant, the PE uses self-deleting scheduled tasks... A daily scheduled task runs the ransomware at 20:00 as SYSTEM.
A PowerShell-based reconnaissance script systematically collects detailed system and network information, including installed software, running services, browser data, and active connections.
The campaign centers around a flaw affecting Cisco Secure Firewall Management Center (FMC) software... It allows an unauthenticated remote attacker to execute arbitrary Java code with root privileges on affected FMC devices... Interlock had already begun exploiting this flaw as early as January 26, 2026.
Persistence
3 techniques
The Java variant adds two features... The UpdateThread creates a self-deleting scheduled task... Like the Java variant, the PE uses self-deleting scheduled tasks... A daily scheduled task runs the ransomware at 20:00 as SYSTEM.
One of the more advanced components observed in the campaign is a memory-resident webshell. Delivered as a Java class, it operates entirely in memory, avoiding disk-based detection.
Privilege Escalation
4 techniques
The Java variant adds two features... The UpdateThread creates a self-deleting scheduled task... Like the Java variant, the PE uses self-deleting scheduled tasks... A daily scheduled task runs the ransomware at 20:00 as SYSTEM.
“Interlock ransomware deploys “Hotta Killer” exploiting ... driver zero-day (CVE-2025-61155) to disable EDR/AV...”
XMRIG Driver Loaded ... T1543.003 ... Windows Suspicious Driver Loaded Path
Other tools found in the attack environment include Volatility... and Certify... These tools enable credential access, privilege escalation, and persistent footholds within compromised environments.
Stealth
4 techniques
The Windows variant imports wevtapi.dll and calls EvtClearLog to wipe Windows event logs. This is the only variant in the toolkit that clears event logs.
DELETE 0x0c fs.rmSync(__filename)... If the counter passes 40, the implant deletes itself... self-deleting scheduled task... --delete (self-delete after encryption)
DLL execution : loads payloads via rundll32.exe ... rundll32.exe %s,run %s
Delivered as a Java class, it operates entirely in memory, avoiding disk-based detection. It intercepts HTTP requests and executes encrypted payloads dynamically within the Java Virtual Machine.
Credential Access
1 technique
Disabled Kerberos Pre-Authentication Discovery With PowerView ... T1558.004
Discovery
3 techniques
A PowerShell-based reconnaissance script systematically collects detailed system and network information... and active connections.
A PowerShell-based reconnaissance script systematically collects detailed system and network information, including installed software, running services, browser data, and active connections.
MITRE ATT&CK Techniques (ID / Technique / Tactic): T1087.002 Domain Account Discovery
Collection
2 techniques
The script organizes this data into per-host directories on a centralized network share, compressing it into ZIP archives for exfiltration.
Command and Control
5 techniques
One variant, written in JavaScript... establish[es] encrypted communication with command-and-control servers via WebSockets.
Interlock employs a Bash script that converts compromised Linux servers into HTTP reverse proxies. These proxies forward traffic to attacker-controlled systems while erasing logs every five minutes.
This triggered the next phase of the attack, where Interlock issued commands to download and execute a malicious Linux binary.
The group deployed ConnectWise ScreenConnect, a commercial remote desktop tool, to maintain access while avoiding detection.
Messages are encrypted using RC4 with unique keys for each transmission.
Exfiltration
2 techniques
“…remain on a compromised server for more than a week and steal data… ‘extortion through large-scale data exfiltration and ransomware.’”
Attackers who infiltrated the District's systems on June 3 were able to pilfer data, including current and former names, birthdates, Social Security numbers, state-issued ID details, and financial account information.
Impact
3 techniques
Such activity is significant as it often indicates ransomware behavior, where files are encrypted and the originals are deleted.
South Carolina's Lexington-Richland School District Five had information from 31,475 individuals compromised following a June data breach claimed by the Interlock ransomware gang.
Interlock is a double-extortion ransomware operation... The group exfiltrates data before encrypting, runs a Tor-based leak site...
Other
1 technique
IOCs tracked for this family
55 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
48 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Ransomware explicitly identified as exploiting the Cisco Secure Firewall FMC zero-day CVE-2026-20131.
Double-extortion ransomware that exfiltrates data before encryption, operates a Tor leak site, and deploys encryptors for FreeBSD/ESXi and Windows. It uses AES-256-CBC for file encryption, wraps per-file keys with RSA-4096 OAEP, appends the .interlock extension, drops !__README__!.txt ransom notes, and the Windows variant also clears event logs and establishes scheduled-task persistence.
Ransomware used in double-extortion attacks, combining file encryption with data theft. In this campaign it exploited a Cisco firewall zero-day for initial access and used a multi-stage toolkit including RATs, backdoors, reconnaissance scripts, and evasion techniques.
Ransomware family tied to exploitation of Cisco Secure Firewall Management Center via CVE-2026-20131. After initial access, it conducts reconnaissance, deploys multiple RATs for persistence, uses reverse proxies and an in-memory webshell for evasion, and prepares victims for large-scale ransomware deployment.