The Interlock ransomware gang now uses ClickFix attacks that impersonate IT tools to breach corporate networks and deploy file-encrypting malware on devices. Though this isn't the first time ClickFix has been linked to ransomware infections, confirmation about Interlock shows an increasing trend in these types of threat actors utilizing the tactic. According to Sekoia researchers, the Interlock ransomware gang began utilizing ClickFix attacks in January 2025. ClickFix attacks have now been adopted by a wide range of threat actors, including other ransomware gangs and North Korean hackers. Last month, Sekoia discovered that the infamous Lazarus North Korean hacking group was using ClickFix attacks targeting job seekers in the cryptocurrency industry. Bill Toulas Bill Toulas is a tech writer and infosec news reporter with over a decade of experience working on various online publications, covering open-source, Linux, malware, data breach incidents, and hacks. Sekoia has observed the command and control (C2) responding with various payloads, including LummaStealer, BerserkStealer, keyloggers, and the Interlock RAT. After the initial compromise and RAT deployment, Interlock operators used stolen credentials to move laterally via RDP, while Sekoia also saw PuTTY, AnyDesk, and LogMeIn used in some attacks. Interlock used at least four URLs to host fake CAPTCHA prompts that tell visitors to execute a command on their computer to verify themselves and download a promoted tool. The Windows variant of Interlock is set (via a scheduled task) to run daily at 08:00 PM, but thanks to file extension-based filtering, this doesn't cause multiple layers of encryption but serves as a redundancy measure. ClickFix is a social engineering tactic where victims are tricked into executing dangerous PowerShell commands on their systems to supposedly fix an error or verify themselves, resulting in the installation of malware. Interlock is a ransomware operation launched in late September 2024, targeting FreeBSD servers and Windows systems. Sekoia also reports that the ransom note has evolved, too, with the latest versions focusing more on the legal aspect of the data breach and the regulatory consequences if stolen data is made public. In the past, Interlock utilized fake browser and VPN client updates to install malware and breach networks. The last step before the ransomware execution is data exfiltration, with the stolen files uploaded to attacker-controlled Azure Blobs. This script registers a Run key in Windows Registry for persistence and then collects and exfiltrates system info including OS version, user privilege level, running processes, and available drives. The latter is a simple trojan that can be dynamically configured, supporting file exfiltration, shell command execution, and running malicious DLLs.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Fri, 18 Apr 2025 17:45:13 +0000