Mallory threat intelligence entry. Tags: Malware, Ransomware. Used by 1 actor.

Volatility

Volatility is an open-source memory forensics framework typically used by incident responders. In the provided reporting, it was recovered or observed in post-compromise toolsets rather than described as a malicious family itself. Amazon threat intelligence reported Interlock ransomware operators deployed Volatility alongside custom implants, reconnaissance scripts, ConnectWise ScreenConnect, and Certify during exploitation of CVE-2026-20131 in Cisco Secure Firewall Management Center, and assessed its presence as consistent with mature multi-stage intrusion operations. Separately, Unit 42 reported that the China-linked intrusion cluster CL-UNK-1068 used DumpIt together with several Volatility modules, including windows.hashdump, lsadump, and cachedump, as part of credential-access and memory-analysis activity during intrusions targeting high-value organizations across South, Southeast, and East Asia, including government, critical infrastructure, technology, and telecommunications. High-confidence capabilities directly mentioned in the content are memory forensics and use of modules such as windows.hashdump, lsadump, and cachedump. No malware-specific infection vector or standalone IOCs for Volatility are provided in the content.
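As an added defender-side example (not part of the Mallory page or of the Amazon or Unit 42 reporting it summarizes), the Python below runs two process-creation detections over constructed Sysmon-style events: execution of DumpIt, and Volatility invocations that name the credential-access plugins the summary lists (hashdump, lsadump, cachedump). A constructed allowlist of forensic workstations suppresses the second detection where incident responders are expected to run those plugins. Host names, user names, file paths, the event layout and the allowlist are all assumptions.

```python
"""Flag DumpIt / Volatility credential-dumping activity in process-creation telemetry."""
import re
from dataclasses import dataclass

# Volatility plugins named in the reporting as used for credential access.
# Volatility 3 spells them windows.hashdump etc.; the suffix is what we match.
CREDENTIAL_PLUGINS = {"hashdump", "lsadump", "cachedump"}

# vol, vol.py, vol.exe, volatility, volatility3 ... as a whole token, whether
# bare or at the end of a Windows/POSIX path.
VOLATILITY_RE = re.compile(
    r'(?:^|[\\/\s"])vol(?:atility)?3?(?:\.py|\.exe)?(?=\s|$|")', re.IGNORECASE)
DUMPIT_RE = re.compile(r"^dumpit(?:\.exe)?$", re.IGNORECASE)


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal process-creation record (assumed field set, Sysmon-like)."""
    host: str
    user: str
    image: str
    command_line: str


@dataclass(frozen=True)
class Finding:
    host: str
    technique: str
    reason: str


def volatility_credential_plugins(command_line):
    """Return the credential-access plugins named on a Volatility command line.

    Returns an empty set when the line is not a Volatility invocation at all,
    so a stray 'hashdump.txt' argument to some other tool does not fire.
    """
    if not VOLATILITY_RE.search(command_line):
        return set()
    found = set()
    for token in command_line.split():
        name = token.lower().split(".")[-1]  # windows.hashdump -> hashdump
        if name in CREDENTIAL_PLUGINS:
            found.add(name)
    return found


def detect(events, ir_hosts=frozenset()):
    """Run both detections; ir_hosts is the allowlist of forensic workstations.

    DumpIt acquisition is flagged on every host: it runs on the machine being
    imaged, so an allowlist of analyst workstations does not apply to it.
    """
    findings = []
    for ev in events:
        image_name = ev.image.replace("\\", "/").rsplit("/", 1)[-1]
        if DUMPIT_RE.search(image_name):
            findings.append(Finding(
                ev.host, "T1003",
                f"DumpIt memory acquisition by {ev.user}: {ev.image}"))
        plugins = volatility_credential_plugins(ev.command_line)
        if plugins and ev.host not in ir_hosts:
            findings.append(Finding(
                ev.host, "T1003",
                f"Volatility credential plugin(s) {sorted(plugins)} run by {ev.user}"))
    return findings


# Constructed sample telemetry (hosts, users and paths are invented).
SAMPLE_EVENTS = [
    ProcessEvent("fs01", "svc_backup", r"C:\Windows\Temp\DumpIt.exe", "DumpIt.exe"),
    ProcessEvent("fs01", "svc_backup", r"C:\Python39\python.exe",
                 r"python C:\Tools\volatility3\vol.py -f C:\Windows\Temp\fs01.raw windows.hashdump"),
    # Expected use on an analyst workstation: suppressed by the allowlist.
    ProcessEvent("ir-ws01", "analyst", r"C:\Python39\python.exe",
                 "python vol.py -f case42.raw windows.cachedump"),
    # Volatility, but a benign plugin: not flagged.
    ProcessEvent("ws17", "jdoe", r"C:\Python39\python.exe",
                 "python vol.py -f ram.img windows.pslist"),
    # Plugin-like word on a non-Volatility command line: not flagged.
    ProcessEvent("ws17", "jdoe", r"C:\Program Files\7-Zip\7z.exe",
                 "7z.exe a archive.7z hashdump.txt"),
]

IR_HOSTS = frozenset({"ir-ws01"})  # constructed allowlist

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS, IR_HOSTS):
        print(f"[{f.technique}] {f.host}: {f.reason}")
```

Only the two events on fs01 produce findings; the analyst host is allowlisted, the pslist run names no credential plugin, and the 7-Zip line never matches the Volatility pattern. In production the allowlist would be replaced by an asset-inventory lookup, and a DumpIt finding followed by a Volatility finding on the same host within a short window is the pairing the Unit 42 reporting describes.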


Threat actors: groups observed using it

1 distinct threat actor attributed by public researchers.

CL-UNK-1068

“DumpIt and Volatility… they used several Volatility modules: windows.hashdump… lsadump… cachedump…”

Source: Palo Alto Networks Unit 42 blog (unit42.paloaltonetworks.com)
MITRE ATT&CK techniques & procedures

9 distinct techniques documented for this family, organized by ATT&CK tactic.

Credential Access (2 techniques)

T1003 OS Credential Dumping (evidence: 4)

Volatility plugin: BitLocker Volatility plugin that retrieves the Full Volume Encryption Key (FVEK) in memory. The FVEK can then be used with Dislocker to decrypt the volume.

T1003.007 Proc Filesystem (evidence: 1)

Given the keychain unlock password, a master key obtained using volafox or volatility, or an unlock file such as SystemKey... Extraction from memory images: volafox can be used to extract Keychain files and master key candidates from memory images.

Discovery (3 techniques)

T1046 Network Service Discovery (evidence: 1)

Additional artifacts can also be recovered from the same memory image... network connections can be reconstructed... vol.py -f ram.img netscan

T1082 System Information Discovery (evidence: 1)

A good starting point for analysis is listing running processes. If the tool can correctly identify processes from the memory image, it is a strong indication that the forensic profile and analysis environment are configured properly.

T1518 Software Discovery (evidence: 1)

That toolkit includes a PowerShell script designed to scoop up information about victims' Windows environments, such as... installed software... In addition to using custom malware, the ransomware slingers also deployed legitimate software... Volatility; and Certify...

Collection (3 techniques)

T1113 Screen Capture (evidence: 1)

Additional artifacts can also be recovered from the same memory image... screenshots of the desktop environment may even be present if graphical buffers remain in memory... vol.py -f ram.img screenshot -D .

T1115 Clipboard Data (evidence: 1)

Additional artifacts can also be recovered from the same memory image... clipboard contents can be recovered... vol.py -f ram.img clipboard

T1213 Data from Information Repositories (evidence: 2)

Dump a memory image (it can be done using FTK Imager for example), and type: python vol.py -f ${DUMP.raw} bitlocker --profile=${Windows_Profile} (this will print the potential found FVEKs).

Command and Control (1 technique)

T1219 Remote Access Tools (evidence: 1)

they found Interlock using an array of legitimate security tools during attacks, including ConnectWise ScreenConnect, incident response tool Volatility, offensive security product Certify, and more.
