    CISA, FBI Issue Interlock Ransomware Warning

    July 22, 2025


    The FBI and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory today warning of the growing threat of Interlock ransomware.

    The Interlock ransomware variant first appeared in late September 2024, and while the FBI-CISA advisory doesn’t say how many victims the group has claimed, Cyble threat intelligence researchers have documented 50 Interlock victims to date. Interlock claimed 13 victims in June, according to Cyble, double its previous monthly high, making the agencies’ advisory particularly timely.

    The advisory looks at Interlock ransomware indicators of compromise (IOCs) and tactics, techniques and procedures (TTPs), based on FBI investigations and other sources. The FBI and CISA were joined in the advisory by the Department of Health and Human Services (HHS) and Multi-State Information Sharing and Analysis Center (MS-ISAC).

    Interlock Ransomware Targets VMs

    Interlock ransomware actors have targeted businesses, critical infrastructure, and other organizations in North America and Europe, based on opportunity and financial motivations, the FBI and CISA said.

    Interlock ransomware encryptors have been observed both for Windows and Linux operating systems, encrypting virtual machines (VMs) across both operating systems. Initial access has come via drive-by download from compromised legitimate websites, “an uncommon method among ransomware groups,” the advisory said. The ransomware group has also used the ClickFix social engineering technique for initial access.

    While Interlock actors have so far focused on encrypting VMs, the agencies note the group could expand its targets to hosts, workstations, and physical servers in the future. They recommend “robust endpoint detection and response (EDR) tooling and capabilities” to counter the VM threat.

    The agencies said they’re aware of reports detailing similarities between the Rhysida and Interlock ransomware variants.

    Interlock Ransomware TTPs

    One Interlock initial access method has been via fake Google Chrome or Microsoft Edge browser updates, although researchers recently noticed a shift to payload filenames “masquerading as updates for common security software,” CISA and the FBI said.

    The fake Google Chrome browser executable functions as a remote access trojan (RAT) that executes a PowerShell script to drop a file into the Windows Startup folder that is designed to run the RAT every time the victim logs in to establish persistence. A PowerShell command that establishes persistence through a Windows Registry key modification has also been observed.
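    The two persistence locations named above, the Windows Startup folder and a Run-type Registry key, are also the first places a responder checks on a suspected host. The following PowerShell audit is an added example written for this article; it is not code from the advisory, from CISA/FBI, or from the reporting sources. The advisory as summarized here does not name the specific Registry key, so the `Run`/`RunOnce` keys and the “suspicious launcher” heuristics (PowerShell invocations, hidden windows, encoded commands, user-writable paths) are this example’s assumptions, not indicators from the advisory.

```powershell
# Added example (not from the CISA/FBI advisory or the article): enumerate the
# per-user and all-users Startup folders plus the Run/RunOnce registry keys
# (assumed key names) and flag launchers that match simple review heuristics.

$startupFolders = @(
    [Environment]::GetFolderPath('Startup'),        # current user's Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
)

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Heuristics (assumptions for this example): a launcher that invokes PowerShell,
# hides its window, passes an encoded command, or runs from a user-writable
# location deserves analyst review. -match is case-insensitive by default.
$suspiciousPattern = 'powershell|pwsh|-enc|-encodedcommand|-w(indowstyle)?\s+hidden|\\AppData\\|\\Temp\\|\\Users\\Public\\'

function Test-SuspiciousLauncher {
    param([string]$Command)
    return [bool]($Command -match $suspiciousPattern)
}

$findings = @()

# 1. Startup folders: resolve .lnk shortcuts to the command they actually launch.
foreach ($folder in $startupFolders) {
    if (-not (Test-Path -LiteralPath $folder)) { continue }
    Get-ChildItem -LiteralPath $folder -File -Force | ForEach-Object {
        $target = $_.FullName
        if ($_.Extension -ieq '.lnk') {
            $shell = New-Object -ComObject WScript.Shell
            $lnk = $shell.CreateShortcut($_.FullName)
            $target = ("{0} {1}" -f $lnk.TargetPath, $lnk.Arguments).Trim()
        }
        $findings += [pscustomobject]@{
            Location   = $folder
            Name       = $_.Name
            Command    = $target
            Suspicious = Test-SuspiciousLauncher $target
        }
    }
}

# 2. Run/RunOnce keys: each value name is an autostart entry; skip the PS* metadata
#    properties that Get-ItemProperty adds to the returned object.
foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $props = Get-ItemProperty -LiteralPath $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }
        $findings += [pscustomobject]@{
            Location   = $key
            Name       = $p.Name
            Command    = [string]$p.Value
            Suspicious = Test-SuspiciousLauncher ([string]$p.Value)
        }
    }
}

# Suspicious entries first; review the Command column by hand before acting.
$findings | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Run it in an elevated session so the HKLM keys and the all-users Startup folder are readable. A match is a review prompt, not a verdict: legitimate software also uses these keys, so compare each flagged entry against the host’s expected baseline and preserve the original value before removing anything.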

    For reconnaissance, a PowerShell script executes a series of commands to gather information on victim machines, and applications like Cobalt Strike and SystemBC have been used for command and control, along with Interlock RAT and NodeSnake RAT.

    Once Interlock actors have established remote control of a compromised system, they download a credential stealer (cht.exe) and keylogger binary (klg.dll), and have also been observed using Lumma Stealer and Berserk Stealer to harvest credentials for lateral movement and privilege escalation.

    The ransomware actors use compromised credentials and Remote Desktop Protocol (RDP) to move between systems. They’ve used AnyDesk for remote connectivity and PuTTY for lateral movement. The ransomware group has also compromised domain administrator accounts, possibly via Kerberoasting attacks.

    Defending Against Interlock Ransomware

    The advisory contained a long list of cybersecurity defenses for preventing Interlock ransomware attacks, including:

    • Implementing domain name system (DNS) filtering to block users from accessing malicious sites and applications
    • Implementing web access firewalls to prevent unknown commands or process injection from malicious domains or websites
    • Keeping multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location
    • Following NIST password standards and requiring multi-factor authentication
    • Keeping operating systems, software, and firmware up to date, prioritizing known exploited vulnerabilities in internet-facing systems
    • Segmenting networks to prevent lateral movement and the spread of ransomware
    • Implementing network monitoring, traffic filtering, and EDR tools
    • Reviewing domain controllers, servers, workstations, and active directories for new or unrecognized accounts, and applying least privilege principles
    • Disabling unused ports, as well as hyperlinks in received emails
    • Disabling command line and scripting activities and permissions
    • Maintaining offline backups of data and ensuring that all backup data is encrypted, immutable, “and covers the entire organization’s data infrastructure.”
