Interlock Ransomware: How This Deceptive Cyber Threat Works

Key takeaways:
- Interlock ransomware uses social engineering to trick IT professionals into running malicious code themselves.
- The attackers hide their activity behind legitimate system tools and services such as PowerShell and Cloudflare. This “living-off-the-land” approach makes detection extremely difficult.
- The ransomware steals data before encrypting it, creating double leverage.
First emerging in September 2024, Interlock ransomware targets critical infrastructure and employs clever psychological tactics to bypass traditional defenses. Unlike typical ransomware, Interlock operates as a closed group, orchestrating high-impact attacks that have crippled healthcare providers and even forced a state government to mobilize its National Guard.
Interlock is a financially motivated ransomware group known for its double extortion strategy. This two-pronged attack involves first stealing sensitive data (exfiltration) and then encrypting the victim’s files to render them inaccessible. The group operates without external affiliates, suggesting a tight-knit and skilled team.
Interlock shows a preference for critical sectors where disruption causes maximum pressure, including healthcare, government, education, and technology across North America and Europe.
In April 2025, the group attacked the kidney dialysis provider DaVita, resulting in the theft of 1.5 terabytes of data affecting over 200,000 patients.
An even more alarming event occurred in July 2025, when Interlock launched a cyberattack against the City of St. Paul, Minnesota. The attack was so severe that it overwhelmed the city’s internal and commercial response capabilities. This prompted Minnesota Governor Tim Walz to issue Emergency Executive Order 25-08, a drastic measure that authorized the Minnesota National Guard to provide cyber protection support.
Interlock’s success lies in its sophisticated and deceptive tactics, which often turn an organization’s own employees and trusted tools against it.
Understanding the attack vector and encryption methods of Interlock ransomware is the first step in defense. However, effective incident management requires specialized action. When facing a threat like Interlock, it is crucial to know immediately how to isolate ransomware-infected servers to prevent lateral spread and contain the breach.
Interlock’s primary weapon for initial access isn’t a software exploit but a brilliant piece of social engineering called “ClickFix.” The attack often targets IT professionals, the very people tasked with security.
Here’s how it works:
- An attacker creates a fake website that perfectly mimics a legitimate download page for a popular tool, such as “Advanced IP Scanner.”
- The site displays a fake CAPTCHA or error message designed to look like a trusted service like Cloudflare. It instructs the user to “fix” a supposed issue.
- Clicking the “Fix it” button has already silently copied a malicious PowerShell command to the user’s clipboard. The user is then told to press a simple key combination: Win + R to open the Run dialog, Ctrl + V to paste, and Enter to execute.
- By following the instructions, the expert unknowingly pastes and runs the attacker’s code, granting Interlock its initial foothold in the network.
Once inside, Interlock excels at evasion by using legitimate tools, a technique known as “living-off-the-land.” They use PowerShell, a scripting tool built into Windows, to execute commands, making their activity difficult to distinguish from normal administrative tasks.
More insidiously, they abuse Cloudflare’s “TryCloudflare” tunneling tool to hide their command-and-control (C2) communications, effectively wrapping their malicious traffic in a legitimate service to become a ghost in the machine.
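The ClickFix chain above and the living-off-the-land tunnelling described here both leave host telemetry that a defender can check for. The following script is an added example, not code from the original article or from Proven Data: it runs two detection rules over a handful of constructed Sysmon-style log lines (process creation and DNS query events; the pipe-separated key=value format and the sample paths are assumptions made for the example). The first rule flags a script host spawned by explorer.exe, which is what a paste into the Run dialog produces, with arguments typical of a pasted one-liner; the second flags the cloudflared binary running from a user-writable path or a DNS lookup of a TryCloudflare quick-tunnel hostname.

```python
from dataclasses import dataclass

# Constructed sample log (not real telemetry). Each line is one event as
# '|'-separated key=value pairs using Sysmon-style field names: EventID 1 is
# process creation, EventID 22 is a DNS query. Values must not contain '|'.
SAMPLE_LOG = r"""
EventID=1|ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|CommandLine=powershell -w hidden -ep bypass -e Y29uc3RydWN0ZWQ=
EventID=1|ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\notepad.exe|CommandLine=notepad.exe report.txt
EventID=1|ParentImage=C:\Windows\System32\svchost.exe|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|CommandLine=powershell.exe -File C:\Scripts\backup.ps1
EventID=1|ParentImage=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|Image=C:\Users\alice\AppData\Local\Temp\cloudflared.exe|CommandLine=cloudflared.exe tunnel
EventID=22|Image=C:\Users\alice\AppData\Local\Temp\cloudflared.exe|QueryName=words-words-words-words.trycloudflare.com
EventID=22|Image=C:\Program Files\Mozilla Firefox\firefox.exe|QueryName=www.example.com
"""

# Script hosts a Run-dialog paste typically launches.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"}

# Argument fragments that, when launched from the Run dialog, are typical of a
# pasted one-liner (hidden window, policy bypass, encoded or downloaded code).
SUSPICIOUS_ARGS = ("-w hidden", "windowstyle hidden", "-ep bypass", "executionpolicy bypass",
                   "-enc", "-e ", "iex", "invoke-expression", "downloadstring", "http://", "https://")

# Path fragments where a legitimately deployed cloudflared would not normally live.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\public\\")


def basename(path: str) -> str:
    """Return the lower-cased file name component of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_event(line: str) -> dict:
    """Split one 'key=value|key=value' line into a dict; values may contain '='."""
    return dict(kv.split("=", 1) for kv in line.strip().split("|") if "=" in kv)


def clickfix_reasons(ev: dict) -> list:
    """Rule 1: explorer.exe (the Run dialog's parent) spawning a script host
    with arguments that hide the window or fetch/decode code."""
    if ev.get("EventID") != "1":
        return []
    if basename(ev.get("ParentImage", "")) != "explorer.exe":
        return []
    if basename(ev.get("Image", "")) not in SCRIPT_HOSTS:
        return []
    cmd = ev.get("CommandLine", "").lower()
    return [f"explorer.exe spawned {basename(ev['Image'])} with {a!r}"
            for a in SUSPICIOUS_ARGS if a in cmd]


def tunnel_reasons(ev: dict) -> list:
    """Rule 2: cloudflared running from a user-writable directory, or a DNS
    query for a *.trycloudflare.com quick-tunnel name."""
    reasons = []
    image = ev.get("Image", "")
    if basename(image) == "cloudflared.exe" and any(p in image.lower() for p in USER_WRITABLE):
        reasons.append(f"cloudflared.exe running from user-writable path {image}")
    qname = ev.get("QueryName", "").lower().rstrip(".")
    if qname == "trycloudflare.com" or qname.endswith(".trycloudflare.com"):
        reasons.append(f"DNS query for TryCloudflare quick-tunnel host {qname}")
    return reasons


@dataclass
class Finding:
    line_no: int
    rule: str
    reasons: list


def triage(log_text: str) -> list:
    """Apply both rules to every event line and collect the findings in order."""
    findings = []
    for n, line in enumerate(log_text.strip().splitlines(), start=1):
        ev = parse_event(line)
        for rule, fn in (("clickfix", clickfix_reasons), ("tunnel", tunnel_reasons)):
            reasons = fn(ev)
            if reasons:
                findings.append(Finding(n, rule, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.line_no} [{f.rule}]")
        for r in f.reasons:
            print("   ", r)
```

Against the sample, only the first, fourth and fifth lines fire: the scheduled backup script is ignored because its parent is svchost.exe, and the notepad launch from explorer.exe is ignored because it is not a script host. On a real host, explorer.exe is also the parent of anything started from the Start menu, so the argument checks, not the parent alone, carry the rule; the Run dialog additionally records what was pasted under the user's RunMRU registry key (HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU), which is worth pulling during forensic triage of a suspected ClickFix victim.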
The Interlock group attempts to frame its extortion as a form of vigilante justice. In their ransom notes and on their dark web leak site, the “Worldwide Secrets Blog,” they present a strange manifesto:
We don’t just want payment; we want accountability. Our actions send a message to those who hide behind weak defenses… If you don’t take data security seriously, we will on your behalf. Pay attention or pay the price.
As John Riggi, national advisor for cybersecurity for the American Hospital Association (AHA), notes, Interlock has been “directly implicated in high-impact ransomware attacks against hospitals and health systems, resulting in the disruption to care delivery and creating a risk to patient and community safety.”
Even with strong defenses, a determined adversary like Interlock can find a way through. The actions taken in the first few hours after a cyberattack can determine whether you face a contained issue or a catastrophic business disruption.
This is precisely why a professional incident response team is essential. Proven Data’s experts are equipped to immediately contain the threat, conduct deep forensic analysis to understand the full scope of the breach, and methodically eradicate the attacker from your network. We handle the entire process, from initial containment to full recovery, ensuring your business can return to normal operations safely and efficiently.
For organizations committed to the highest level of preparedness, an Incident Response Retainer offers the ultimate peace of mind. This proactive partnership places our elite team on standby for you 24/7/365. With a retainer in place, we are already familiar with your environment, allowing us to slash response times, minimize operational downtime, and significantly reduce the financial and reputational damage of an attack.
If you suspect data loss or network breach, or are looking for ways to compile digital evidence through forensics and eDiscovery services – our team can help.
- Our expert advisor will contact you to schedule your free consultation.
- You’ll receive a customized proposal or quote for approval.
- Our specialized team immediately jumps into action, as time is critical.