A joint advisory outlines tactics and mitigations for the financially motivated Interlock ransomware, which uses rare methods like drive-by downloads and ClickFix social engineering for initial access.


The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), Department of Health and Human Services, and Multi-State Information Sharing and Analysis Center have issued a joint cybersecurity advisory to disseminate known Interlock ransomware indicators of compromise and tactics, techniques, and procedures identified through FBI investigations and third-party reporting.

Interlock ransomware was first detected in September 2024 and has since targeted a range of businesses and critical infrastructure organizations across North America and Europe. According to the FBI, the group’s activities are financially motivated, and victims appear to be selected opportunistically. The FBI is aware of Interlock ransomware encryptors designed for both Windows and Linux operating systems, and these encryptors have been observed encrypting virtual machines across both operating systems. 

The FBI observed actors obtaining initial access via drive-by download from compromised legitimate websites, which is an uncommon method among ransomware groups. Actors were also observed using the ClickFix social engineering technique for initial access, in which victims are tricked into executing a malicious payload under the guise of fixing an issue on the victim’s system. Actors then use various methods for discovery, credential access, and lateral movement to spread to other systems on the network.
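Both initial-access paths described above end the same way: a user on a workstation launches something that a browser or a pasted "fix" handed them. A defender-side signal for that is a user-facing application (browser, file manager) directly spawning a command or script interpreter. The following is an added example, not code from the advisory or the agencies behind it; the JSON process-creation log format, the sample events, and the lists of parent and interpreter process names are all assumptions chosen for illustration.

```python
"""
Added example: flag process-creation events where a user-facing parent
(browser or file manager) directly launches a command or script interpreter.
Log format, process-name lists and sample events are assumptions, not
indicators from the Interlock advisory.
"""
import json
from dataclasses import dataclass

# Assumed: interactive, user-facing parents that rarely launch interpreters directly.
USER_FACING_PARENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "explorer.exe"}

# Assumed: interpreters a pasted "fix" or a freshly downloaded file would invoke.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                "wscript.exe", "cscript.exe"}


@dataclass
class Finding:
    host: str
    user: str
    parent: str
    child: str
    cmdline: str


def _basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def suspicious_spawn(event: dict) -> bool:
    """True when a user-facing parent spawns an interpreter child."""
    parent = _basename(event.get("parent_image", ""))
    child = _basename(event.get("image", ""))
    return parent in USER_FACING_PARENTS and child in INTERPRETERS


def scan_events(lines) -> list:
    """Parse JSON-lines process events and return Finding objects for hits."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # tolerate malformed records instead of aborting the scan
        if event.get("event") != "process_create":
            continue
        if suspicious_spawn(event):
            findings.append(Finding(
                host=event.get("host", "?"),
                user=event.get("user", "?"),
                parent=_basename(event.get("parent_image", "")),
                child=_basename(event.get("image", "")),
                cmdline=event.get("cmdline", ""),
            ))
    return findings


# Constructed sample log (JSON lines). Two events should be flagged.
SAMPLE_LOG = r"""
{"event":"process_create","host":"ws01","user":"alice","parent_image":"C:\\Windows\\explorer.exe","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmdline":"powershell.exe <pasted clipboard text>"}
{"event":"process_create","host":"ws01","user":"alice","parent_image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","cmdline":"chrome.exe --type=renderer"}
{"event":"process_create","host":"ws02","user":"SYSTEM","parent_image":"C:\\Windows\\System32\\services.exe","image":"C:\\Windows\\System32\\svchost.exe","cmdline":"svchost.exe -k netsvcs"}
{"event":"process_create","host":"ws02","user":"bob","parent_image":"C:\\Windows\\explorer.exe","image":"C:\\Windows\\System32\\notepad.exe","cmdline":"notepad.exe notes.txt"}
this line is not json and is skipped
{"event":"process_create","host":"ws03","user":"carol","parent_image":"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe","image":"C:\\Windows\\System32\\mshta.exe","cmdline":"mshta.exe <url redacted>"}
"""


def scan_sample() -> list:
    """Run the detector over the constructed sample log."""
    return scan_events(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for f in scan_sample():
        print(f"{f.host} {f.user}: {f.parent} -> {f.child} :: {f.cmdline}")
```

Legitimate administrative work also produces explorer.exe to powershell.exe events, so in practice this pairing is tuned per host or user group and correlated with the advisory's other recommendations (DNS filtering and user training) rather than treated as a stand-alone verdict.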

To help mitigate the threat, the advisory recommends several steps organizations can take:

  • Prevent initial access by implementing domain name system filtering and web access firewalls, and training users to spot social engineering attempts.
  • Mitigate known vulnerabilities by ensuring operating systems, software, and firmware are patched and up to date.
  • Segment networks to restrict lateral movement from initially infected devices to other devices in the same organization.
  • Implement identity, credential, and access management policies across the organization and then require multifactor authentication for all services to the extent possible.

The full advisory, including a list of indicators of compromise and detailed mitigation steps, is available on the CISA website.
