Interlock
Interlock is a double-extortion ransomware operation active since at least October 2024. It exfiltrates victim data before encryption, operates a Tor-based leak/negotiation site, and has targeted organizations in North America and Europe, including critical infrastructure. Reported victim sectors include healthcare, education, government/public sector, engineering, architecture, construction, manufacturing, industrial, and other enterprise environments. Public reporting and government advisories tie Interlock to incidents affecting organizations such as DaVita, Kettering Health, Texas Tech University Health Sciences Center, and defense-related entities.
Interlock maintains encryptors for both Windows and FreeBSD/ESXi. Reported variants append the .interlock extension. One analysis describes AES-256-CBC file encryption with per-file keys wrapped by RSA-4096 OAEP and, on the ELF (FreeBSD/ESXi) encryptor, a ransom note named !__README__!.txt; separate reporting on a Windows variant describes per-file AES-GCM with RSA-protected session keys and a ransom note named FIRST_READ_ME.txt. The Windows ransomware has been reported to persist through a scheduled task, clear Windows event logs, terminate processes that hold locks on target files, and accept command-line options for selecting the directories or files to encrypt and for self-deletion after encryption.
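The Windows encryptor traits above (a scheduled task, event-log clearing, .interlock renames and the two ransom note names) translate directly into an endpoint hunt. The script below is an added example written for this page, not Interlock's code and not any vendor's detection content. It assumes Windows Security events 4698 (task created) and 1102 (audit log cleared) plus Sysmon event 11 (file create) delivered as dictionaries, uses constructed sample records, and takes the TaskSystem task name and the daily 20:00 SYSTEM schedule from the indicator and technique evidence elsewhere on this page.

```python
"""Behavioural hunt for the Interlock Windows encryptor traits described on
this page. Added example, not Interlock's code or a vendor rule. All records
below are constructed; field names follow the Windows Security (4698, 1102)
and Sysmon (11) schemas, and TaskContent is the XML that 4698 carries."""
import xml.etree.ElementTree as ET

RANSOM_NOTES = {"!__README__!.txt", "FIRST_READ_ME.txt"}
TASK_NAME = "TaskSystem"   # scheduled task name from public reporting
SYSTEM_SID = "S-1-5-18"


def _task_xml(start, user, command="", args=""):
    """Build a minimal 4698-style TaskContent blob (constructed test data)."""
    return (
        "<Task><Triggers><CalendarTrigger>"
        f"<StartBoundary>{start}</StartBoundary>"
        "<ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>"
        "</CalendarTrigger></Triggers>"
        f"<Principals><Principal><UserId>{user}</UserId></Principal></Principals>"
        f"<Actions><Exec><Command>{command}</Command><Arguments>{args}</Arguments>"
        "</Exec></Actions></Task>"
    )


# Constructed sample telemetry, not real victim data.
EVENTS = [
    {"EventID": 4698, "SubjectUserName": "svc_backup", "TaskName": "\\TaskSystem",
     "TaskContent": _task_xml("2026-02-03T20:00:00", SYSTEM_SID,
                              "C:\\ProgramData\\update.exe", "--delete")},
    {"EventID": 1102, "SubjectUserName": "svc_backup"},
    {"EventID": 11, "Image": "C:\\ProgramData\\update.exe",
     "TargetFilename": "D:\\shares\\finance\\Q4.xlsx.interlock"},
    {"EventID": 11, "Image": "C:\\ProgramData\\update.exe",
     "TargetFilename": "D:\\shares\\finance\\!__README__!.txt"},
    # Benign noise: a 20:00 daily task that runs as a domain service account.
    {"EventID": 4698, "SubjectUserName": "admin", "TaskName": "\\NightlyBackup",
     "TaskContent": _task_xml("2026-02-03T20:00:00", "CORP\\svc_backup",
                              "C:\\Tools\\backup.exe")},
]


def task_facts(xml_text):
    """Extract start time, daily flag, principal and command from TaskContent,
    tolerating the MIT task XML namespace that real 4698 events carry."""
    facts = {"start": "", "daily": False, "user": "", "command": ""}
    for el in ET.fromstring(xml_text).iter():
        tag = el.tag.rsplit("}", 1)[-1]
        text = (el.text or "").strip()
        if tag == "StartBoundary":
            facts["start"] = text
        elif tag == "DaysInterval":
            facts["daily"] = text == "1"
        elif tag == "UserId":
            facts["user"] = text
        elif tag == "Command":
            facts["command"] = text
    return facts


def hunt(events):
    """Return (kind, subject, note) tuples for every matching record."""
    hits = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 4698:
            name = ev.get("TaskName", "").lstrip("\\")
            f = task_facts(ev.get("TaskContent", "<Task/>"))
            if name.casefold() == TASK_NAME.casefold():
                hits.append(("task_name", name, "scheduled task named TaskSystem"))
            # Name-agnostic variant: a daily 20:00 trigger running as SYSTEM.
            if f["daily"] and f["start"].endswith("T20:00:00") and f["user"] == SYSTEM_SID:
                hits.append(("task_pattern", name,
                             f"daily 20:00 task as SYSTEM running {f['command']}"))
        elif eid in (1102, 104):   # Security (1102) or System/Application (104) log cleared
            hits.append(("log_cleared", ev.get("SubjectUserName", "?"),
                         "event log cleared (EvtClearLog)"))
        elif eid == 11:
            path = ev.get("TargetFilename", "")
            base = path.rsplit("\\", 1)[-1]
            if base.lower().endswith(".interlock"):
                hits.append(("encrypted_file", path, ".interlock extension"))
            elif base in RANSOM_NOTES:
                hits.append(("ransom_note", path, "ransom note dropped"))
    return hits


def correlate(hits):
    """Alert only when impact (encrypted file or note) coincides with the
    persistence or anti-forensics behaviour; a lone 1102 is often an admin."""
    kinds = {h[0] for h in hits}
    impact = kinds & {"encrypted_file", "ransom_note"}
    setup = kinds & {"task_name", "task_pattern", "log_cleared"}
    return bool(impact and setup)


if __name__ == "__main__":
    found = hunt(EVENTS)
    for kind, subject, note in found:
        print(f"{kind:15} {subject:45} {note}")
    print("Interlock-like:", correlate(found))
```

The name-agnostic task check matters because a task name is the cheapest thing for an operator to change; the 20:00 daily SYSTEM trigger is harder to vary without changing behaviour. The benign NightlyBackup record shows why the principal must be part of the pattern: same time, same interval, different account, no hit.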
Interlock campaigns have used multiple initial-access and post-exploitation methods. Government and industry reporting states that the group relies heavily on ClickFix social engineering for initial access. In 2026, Amazon threat intelligence reported active exploitation of CVE-2026-20131, a critical unauthenticated remote code execution vulnerability in Cisco Secure Firewall Management Center, with exploitation observed from 2026-01-26, before Cisco's public disclosure. After exploitation, Interlock deployed a multi-stage toolkit including PowerShell reconnaissance, custom remote access trojans, proxy infrastructure, and evasion tooling.
Associated tooling includes the NodeSnake backdoor, which exists in JavaScript, Java, and native PE/C++ variants; these support RC4-encrypted WebSocket C2, shell access, command execution, file transfer, SOCKS5 proxying, self-update, and self-delete. Reporting also links Interlock activity to ConnectWise ScreenConnect for persistent remote access, Volatility for memory analysis and credential access, Certify for AD CS abuse, and NtlmThief for NTLM credential theft. A memory-resident Java backdoor/web shell and Bash scripts for reverse proxying and log wiping were also recovered from exposed Interlock infrastructure.
Infrastructure and indicators reported with high confidence include the Tor negotiation URL ebhmkoohccl45qesdbvrjqtyro2hmhkmh6vkyfyjjzfllm3ix72aqaid[.]onion; the NodeSnake C2 IPs 172.86.68.64, 23.227.203.123, and 77.42.75.119; the ScreenConnect-related domains flowmiceornfidgring[.]cc and partyglacierhip[.]top, contacted on port 8041; the .interlock encrypted-file extension; the ransom note filenames !__README__!.txt and FIRST_READ_ME.txt; and the scheduled task name TaskSystem. Domain and URL values are shown defanged and must be refanged before they are loaded into detection tooling. One analysis also noted that Interlock's AES key generation draws on a weak PRNG (rand() XOR clock()), which may make key recovery feasible for an analyst who can approximate when the encryptor ran.
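The network indicators above are only useful once refanged and matched with the right scope: the C2 addresses as exact IPs, the ScreenConnect domains including any host beneath them, and the .onion name wherever it shows up in DNS. The script below is an added example for this page, not vendor detection content; it assumes Zeek-style conn.log, ssl.log and dns.log records, uses constructed log lines with RFC 5737 documentation addresses for the non-indicator hosts, and rates an off-port hit on a ScreenConnect domain lower rather than discarding it, since the reported port 8041 is evidence, not a hard filter.

```python
"""Match the Interlock network indicators published on this page against
constructed Zeek-style conn.log, ssl.log and dns.log lines. Added example,
not vendor detection content. Indicator values are taken from this page in
their defanged form and refanged here before matching."""
import ipaddress
import re
from collections import namedtuple

C2_IPS_DEFANGED = ["172.86.68.64", "23.227.203.123", "77.42.75.119"]
SC_DOMAINS_DEFANGED = ["flowmiceornfidgring[.]cc", "partyglacierhip[.]top"]
SC_PORT = 8041   # port reported alongside the ScreenConnect domains
ONION_DEFANGED = "ebhmkoohccl45qesdbvrjqtyro2hmhkmh6vkyfyjjzfllm3ix72aqaid[.]onion"


def refang(value):
    """Undo common defanging: [.] (.) {.} become '.', hxxp becomes http."""
    value = re.sub(r"[\[\(\{]\.[\]\)\}]", ".", value)
    return re.sub(r"^hxxp", "http", value, flags=re.IGNORECASE)


C2_IPS = {ipaddress.ip_address(refang(v)) for v in C2_IPS_DEFANGED}
SC_DOMAINS = {refang(v).lower() for v in SC_DOMAINS_DEFANGED}
ONION = refang(ONION_DEFANGED).lower()

Hit = namedtuple("Hit", "log uid src indicator confidence")


def under_domain(host, domain):
    """True for the domain itself or any label beneath it; a plain suffix test
    would wrongly match notpartyglacierhip.top against partyglacierhip.top."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


# Constructed logs (tab separated). Internal hosts sit in 10.0.5.0/24; the
# non-indicator external addresses are RFC 5737 documentation ranges.
CONN_LOG = (  # ts uid orig_h orig_p resp_h resp_p proto
    "1769900000.1\tCb1\t10.0.5.21\t52211\t23.227.203.123\t443\ttcp\n"
    "1769900010.2\tCb2\t10.0.5.21\t52212\t198.51.100.7\t443\ttcp\n"
    "1769900020.3\tCb3\t10.0.5.22\t52213\t203.0.113.40\t8041\ttcp\n"
)
SSL_LOG = (  # ts uid orig_h orig_p resp_h resp_p server_name
    "1769900020.3\tCb3\t10.0.5.22\t52213\t203.0.113.40\t8041\trelay.partyglacierhip.top\n"
    "1769900030.4\tCb4\t10.0.5.23\t52214\t203.0.113.41\t443\tflowmiceornfidgring.cc\n"
    "1769900031.5\tCb5\t10.0.5.23\t52215\t198.51.100.8\t443\tnotpartyglacierhip.top\n"
)
DNS_LOG = (  # ts uid orig_h resp_p query
    f"1769900040.5\tCd1\t10.0.5.24\t53\t{ONION}\n"
    "1769900041.6\tCd2\t10.0.5.24\t53\twww.example.com\n"
)


def scan_conn(text):
    """Exact-IP match on the responder address of each connection."""
    hits = []
    for line in text.splitlines():
        _ts, uid, src, _sp, dst, _dp, _proto = line.split("\t")
        if ipaddress.ip_address(dst) in C2_IPS:
            hits.append(Hit("conn", uid, src, dst, "high"))
    return hits


def scan_ssl(text):
    """Domain match on TLS SNI; port 8041 raises confidence, other ports keep the hit."""
    hits = []
    for line in text.splitlines():
        _ts, uid, src, _sp, _dst, dport, sni = line.split("\t")
        for domain in SC_DOMAINS:
            if under_domain(sni, domain):
                conf = "high" if int(dport) == SC_PORT else "medium"
                hits.append(Hit("ssl", uid, src, sni, conf))
    return hits


def scan_dns(text):
    """A corporate resolver should never see the .onion negotiation host."""
    hits = []
    for line in text.splitlines():
        _ts, uid, src, _rp, query = line.split("\t")
        if under_domain(query, ONION):
            hits.append(Hit("dns", uid, src, query, "high"))
    return hits


def scan_all():
    return scan_conn(CONN_LOG) + scan_ssl(SSL_LOG) + scan_dns(DNS_LOG)


if __name__ == "__main__":
    for h in scan_all():
        print(f"[{h.confidence:6}] {h.log:4} {h.uid} {h.src} -> {h.indicator}")
```

In practice the IP set should be re-validated against current passive DNS and hosting records before it is turned into a block rule; shared hosting turns an exact-IP indicator stale quickly, whereas the domain and .onion matches age more gracefully.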
IBM X-Force reporting associates Interlock with the financially motivated cluster Hive0163, which it links to NodeSnake, the Interlock RAT, the JunkFiction loader, and the Interlock ransomware. Some reporting has also noted similarities in TTPs and encryption binaries between Interlock and Rhysida, but describes any connection between the two groups as speculative.
Vulnerabilities exploited
4 CVEs correlated with this family across public research and vendor advisories.
PrintNightmare exploit (Interlock staging)
CVE-2026-20131: network edge device vulnerability exploited by Interlock for initial access
CVE-2023-36036: local privilege escalation exploit (JunkFiction-crypted) used by Interlock and ModeloRAT operators
CVE-2025-61155: "Interlock ... concealed ... through the custom Hotta Killer evasion tool, which harnesses a zero-day flaw in the legitimate gaming anti-cheat driver GameDriverx64.sys, tracked as CVE-2025-61155, as part of a Bring Your Own Vulnerable Driver attack. ... kernel termination of security software prior to encryption activities."
Groups observed using it
3 distinct threat actors attributed by public researchers.
The Rhysida and Interlock groups, which are known to attack healthcare and other critical infrastructure, have similar TTPs and encryption binaries, leading to some speculation of a connection between the two groups.
Amazon’s threat intelligence teams have uncovered a new cyber campaign linked to the Interlock ransomware group... The recovered malware and artifacts were attributed to the Interlock ransomware family based on several consistent indicators.
The e-crime group is primarily associated with a wide range of malicious tools, including NodeSnake, Interlock RAT, JunkFiction loader, and Interlock ransomware.
Techniques & procedures
30 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
2 techniques
The agencies said they are aware of Interlock encryptors designed for Windows and Linux operating systems and have observed cyber actors obtaining access using an uncommon method of drive-by download from compromised legitimate websites, among other tactics.
Amazon threat intelligence has identified an active Interlock ransomware campaign exploiting CVE-2026-20131, a critical vulnerability in Cisco Secure Firewall Management Center (FMC) Software that could allow an unauthenticated, remote attacker to execute arbitrary Java code as root on an affected device.
Execution
3 techniques
The Java variant adds two features... The UpdateThread creates a self-deleting scheduled task... Like the Java variant, the PE uses self-deleting scheduled tasks... A daily scheduled task runs the ransomware at 20:00 as SYSTEM.
A PowerShell-based reconnaissance script systematically collects detailed system and network information, including installed software, running services, browser data, and active connections.
The campaign centers around a flaw affecting Cisco Secure Firewall Management Center (FMC) software... It allows an unauthenticated remote attacker to execute arbitrary Java code with root privileges on affected FMC devices... Interlock had already begun exploiting this flaw as early as January 26, 2026.
Persistence
3 techniques
The self-deleting scheduled tasks created by the Java and PE variants, and the daily scheduled task that runs the ransomware at 20:00 as SYSTEM (quoted under Execution above), also serve as the persistence mechanism.
Privilege Escalation
4 techniques
The daily scheduled task that runs the ransomware at 20:00 as SYSTEM (quoted under Execution above) also yields SYSTEM-level execution.
Interlock ransomware deploys "Hotta Killer" exploiting ... driver zero-day (CVE-2025-61155) to disable EDR/AV...
Defense Evasion
4 techniques
The Windows variant imports wevtapi.dll and calls EvtClearLog to wipe Windows event logs. This is the only variant in the toolkit that clears event logs.
DELETE (0x0c): fs.rmSync(__filename)... If the counter passes 40, the implant deletes itself... self-deleting scheduled task... --delete (self-delete after encryption)
Credential Access
1 technique
Discovery
3 techniques
A PowerShell-based reconnaissance script systematically collects detailed system and network information... and active connections.
Collection
2 techniques
Command and Control
5 techniques
One variant, written in JavaScript... establish[es] encrypted communication with command-and-control servers via WebSockets.
Interlock employs a Bash script that converts compromised Linux servers into HTTP reverse proxies. These proxies forward traffic to attacker-controlled systems while erasing logs every five minutes.
This triggered the next phase of the attack, where Interlock issued commands to download and execute a malicious Linux binary.
Exfiltration
2 techniques
Impact
3 techniques
Such activity is significant as it often indicates ransomware behavior, where files are encrypted and the originals are deleted.
IOCs tracked for this family
62 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
49 sources tracked across advisories, community write-ups, and news.
Ransomware explicitly identified as exploiting the Cisco Secure Firewall FMC zero-day CVE-2026-20131.
Double-extortion ransomware that exfiltrates data before encryption, operates a Tor leak site, and deploys encryptors for FreeBSD/ESXi and Windows. It uses AES-256-CBC for file encryption, wraps per-file keys with RSA-4096 OAEP, appends the .interlock extension, drops !__README__!.txt ransom notes, and the Windows variant also clears event logs and establishes scheduled-task persistence.
Ransomware used in double-extortion attacks, combining file encryption with data theft. In this campaign it exploited a Cisco firewall zero-day for initial access and used a multi-stage toolkit including RATs, backdoors, reconnaissance scripts, and evasion techniques.
Ransomware family tied to exploitation of Cisco Secure Firewall Management Center via CVE-2026-20131. After initial access, it conducts reconnaissance, deploys multiple RATs for persistence, uses reverse proxies and an in-memory webshell for evasion, and prepares victims for large-scale ransomware deployment.