- Interlock ransomware reached operational maturity, now targeting healthcare, government, and manufacturing sectors
- It supports multi-platform attacks, cloud-based C2, full lifecycle automation
- Forescout urges early detection, behavioral analysis, and access controls to reduce risk
Interlock ransomware is no longer a mid-tier credentials stealer. It is now a highly sophisticated, cloud-enabled, multi-platform ransomware enterprise with its own affiliates, automation, and professionalized operations.
This is according to a new report from security researchers Forescout, who have been tracking Interlock since its inception in mid-2024.
In the report, Forescout says Interlock entered “operational maturity” (phase 3) in February 2025, becoming capable of attacking high-value targets in sectors like healthcare, government, and manufacturing.
Operational maturity stage
In the operational maturity stage, Interlock began performing like a business platform, allowing affiliates or partner groups to conduct attacks under its name. It also integrated a full attack lifecycle, no longer relying on fragmented, or experimental methods. Everything from initial access and lateral movement, to encryption and data exfiltration, can be done through Interlock.
The ransomware was expanded to target not just Windows, but also Linux, BSD, and VMware ESXi servers, and now uses legitimate cloud services for command-and-control (C2) and data exfiltration, including Cloudflare tunnels and Azure’s AzCopy utility.
It shifted from fake update pages to impersonating business software such as FortiClient, or Cisco AnyConnect, and adopted new social-engineering lures like ClickFix and FileFix. The maintainers purchased credentials from initial access brokers, obtaining them immediate privileged access. They then used tools like Cobalt Strike, SystemBC, Putty, PsExec, and Posh-SSH to move laterally and control systems across networks.
The malicious platform has also improved its persistence and stealth, and now exploits cloud for data theft. Its ransom notes have become more professional-sounding, and other communications now more resemble corporate “incident alerts”, Forescout added. Now, the focus is on negotiation efficiency:
“The communication tone is characteristic of business-focused ransomware operations with emphasis on this being a “security alert” rather than a disruption, though messages emphasize consequences of nonpayment including legal liability for customer data exposure and regulatory penalties under GDPR, HIPAA, or other frameworks,” the report stressed.
To defend against Interlock, Forescout recommends focusing on detecting the ransomware’s behavior early, and reducing the attack surface. That includes using risk-based, conditional access policies, implementing behavioral analysis, monitoring PowerShell activity, hunting for anomalies in authentication logs, and watching for signs of lateral movement.
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.
