- Interlock ransomware reached operational maturity and is now targeting the healthcare, government and manufacturing sectors
- It supports multi-platform attacks, cloud-based C2 and full lifecycle automation
- Forescout encourages early detection, behavioral analysis and access control to reduce risk
Interlock ransomware is no longer a mid-tier credential stealer. It is now a highly sophisticated, cloud-enabled, multi-platform ransomware company with its own affiliates, automation and professionalized operations.
This is according to a new report from security researchers at Forescout, who have been following Interlock since its inception in mid-2024.
In the report, Forescout says Interlock entered “operational maturity” (Phase 3) in February 2025 and became capable of attacking high-value targets in sectors such as healthcare, government and manufacturing.
Operational Maturity Phase
In the operational maturity phase, Interlock began to act as a business platform that allowed affiliates or partner groups to carry out attacks under its name. It also integrated a full attack lifecycle that no longer relies on fragmented or experimental methods. Everything from initial access and lateral movement to encryption and data exfiltration can be done through Interlock.
The ransomware expanded to target not only Windows, but also Linux, BSD, and VMware ESXi servers, and now uses legitimate cloud services for command-and-control (C2) and data exfiltration, including Cloudflare tunnels and Azure’s AzCopy tool.
It switched from fake update sites to impersonating business software like FortiClient or Cisco AnyConnect and adopted new social-engineering lures like ClickFix and FileFix. The operators purchased credentials from initial access brokers, which gave them immediate privileged access. They then used tools like Cobalt Strike, SystemBC, PuTTY, PsExec and Posh-SSH to move laterally and manage systems across networks.
The malicious platform has also improved its persistence and stealth and is now leveraging the cloud for data theft. Its ransom notes have become more professional-sounding, and its other communications now more closely resemble corporate “incident alerts,” Forescout added. The focus is now on negotiation efficiency:
“The tone of communication is characteristic of enterprise-focused ransomware operations, emphasizing that this is a ‘security alert’ rather than a disruption, although messages emphasize the consequences of non-payment, including legal liability for exposure of customer data and regulatory sanctions under GDPR, HIPAA or other frameworks,” the report stressed.
To defend against Interlock, Forescout recommends focusing on detecting ransomware behavior early and reducing the attack surface. That includes using risk-based conditional access policies, implementing behavioral analytics, monitoring PowerShell activity, hunting for anomalies in authentication logs, and monitoring for signs of lateral movement.
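To make those recommendations concrete, here is an added example (not code from Forescout's report or from the article) that applies three of them, PowerShell monitoring, authentication-log anomaly hunting and lateral-movement detection, to a handful of constructed log events. The event records, field names, hostnames, the five-minute window and the three-host threshold are all assumptions chosen for illustration, and the rules are deliberately simple heuristics rather than a tuned detection set.

```python
"""
Added example, not from the Forescout report or the article: a small
detector that runs the article's defensive recommendations over
constructed telemetry. Field names, thresholds and all sample values
are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample events (not real data). Each record mimics a flattened
# endpoint process, service-install or authentication event.
SAMPLE_EVENTS = [
    {"ts": "2025-02-10T09:00:05", "kind": "process", "host": "WS-014", "user": "j.doe",
     # "-enc QQBCAEMA" is a placeholder encoded argument, not a real payload
     "cmd": "powershell.exe -nop -w hidden -enc QQBCAEMA"},
    {"ts": "2025-02-10T09:01:10", "kind": "process", "host": "WS-014", "user": "j.doe",
     "cmd": "psexec.exe \\\\FS-02 -s cmd.exe"},
    {"ts": "2025-02-10T09:01:12", "kind": "service", "host": "FS-02", "user": "SYSTEM",
     "service": "PSEXESVC"},
    {"ts": "2025-02-10T09:02:00", "kind": "logon", "host": "FS-02", "user": "svc_backup", "src_ip": "10.0.5.14"},
    {"ts": "2025-02-10T09:02:30", "kind": "logon", "host": "FS-03", "user": "svc_backup", "src_ip": "10.0.5.14"},
    {"ts": "2025-02-10T09:03:00", "kind": "logon", "host": "DC-01", "user": "svc_backup", "src_ip": "10.0.5.14"},
    {"ts": "2025-02-10T09:03:40", "kind": "logon", "host": "ESX-01", "user": "svc_backup", "src_ip": "10.0.5.14"},
    {"ts": "2025-02-10T09:10:00", "kind": "process", "host": "FS-02", "user": "svc_backup",
     # constructed storage-account URL; AzCopy to a blob endpoint is the behaviour of interest
     "cmd": "azcopy.exe copy D:\\Shares\\Finance https://example.blob.core.windows.net/c1 --recursive"},
    {"ts": "2025-02-10T11:00:00", "kind": "logon", "host": "WS-021", "user": "a.smith", "src_ip": "10.0.7.3"},
    {"ts": "2025-02-10T11:05:00", "kind": "process", "host": "WS-021", "user": "a.smith",
     "cmd": "powershell.exe Get-ChildItem C:\\Reports"},  # benign control event
]

# PowerShell launched with encoded, no-profile or hidden-window switches.
PS_FLAGS = re.compile(r"\s-(?:enc(?:odedcommand)?|e|nop|noprofile|w(?:indowstyle)?\s+hidden)\b", re.I)
# PsExec on the command line (the service side shows up as PSEXESVC).
PSEXEC_CMD = re.compile(r"\bpsexec(?:64)?(?:\.exe)?\b", re.I)


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def detect(events, window=timedelta(minutes=5), host_threshold=3):
    """Return (rule, subject, user) findings for the given events."""
    findings = []
    logons = defaultdict(list)  # user -> [(time, host)]
    for e in events:
        cmd = e.get("cmd", "")
        lower = cmd.lower()
        if e["kind"] == "process" and "powershell" in lower and PS_FLAGS.search(cmd):
            findings.append(("suspicious_powershell", e["host"], e["user"]))
        if (e["kind"] == "process" and PSEXEC_CMD.search(cmd)) or \
           (e["kind"] == "service" and e.get("service", "").upper() == "PSEXESVC"):
            findings.append(("remote_exec_tooling", e["host"], e["user"]))
        if e["kind"] == "process" and "azcopy" in lower and "blob.core.windows.net" in lower:
            findings.append(("cloud_exfil_tooling", e["host"], e["user"]))
        if e["kind"] == "logon":
            logons[e["user"]].append((_ts(e), e["host"]))
    # Authentication fan-out: one account reaching many hosts in a short window
    # is a classic sign of credential-driven lateral movement.
    for user, entries in logons.items():
        entries.sort()
        for i, (t0, _) in enumerate(entries):
            hosts = {h for t, h in entries[i:] if t - t0 <= window}
            if len(hosts) >= host_threshold:
                findings.append(("auth_fan_out", ",".join(sorted(hosts)), user))
                break
    return findings


if __name__ == "__main__":
    for rule, subject, user in detect(SAMPLE_EVENTS):
        print(f"{rule:22} {subject:28} {user}")
```

Run stand-alone, the script flags the hidden-window PowerShell launch, the PsExec client and its PSEXESVC service install, the AzCopy upload to a blob endpoint, and the service account that authenticated to four hosts inside five minutes, while the benign PowerShell and single logon from the control user produce nothing. In a real environment the same rules would be expressed in a SIEM query language over Windows 4688/4624 and Sysmon events, with thresholds tuned to the baseline of each account type.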