Interlock ransomware gang pushes fake IT tools in ClickFix attacks

The Interlock ransomware gang now uses ClickFix attacks that impersonate IT tools to breach corporate networks and deploy file-encrypting malware on devices. Though this isn't the first time ClickFix has been linked to ransomware infections, confirmation about Interlock shows an increasing trend in these types of threat actors utilizing the tactic. According to Sekoia researchers, the Interlock ransomware gang began utilizing ClickFix attacks in January 2025. ClickFix attacks have now been adopted by a wide range of threat actors, including other ransomware gangs and North Korean hackers. Last month, Sekoia discovered that the infamous Lazarus North Korean hacking group was using ClickFix attacks targeting job seekers in the cryptocurrency industry. Bill Toulas Bill Toulas is a tech writer and infosec news reporter with over a decade of experience working on various online publications, covering open-source, Linux, malware, data breach incidents, and hacks. Sekoia has observed the command and control (C2) responding with various payloads, including LummaStealer, BerserkStealer, keyloggers, and the Interlock RAT. After the initial compromise and RAT deployment, Interlock operators used stolen credentials to move laterally via RDP, while Sekoia also saw PuTTY, AnyDesk, and LogMeIn used in some attacks. Interlock used at least four URLs to host fake CAPTCHA prompts that tell visitors to execute a command on their computer to verify themselves and download a promoted tool. The Windows variant of Interlock is set (via a scheduled task) to run daily at 08:00 PM, but thanks to file extension-based filtering, this doesn't cause multiple layers of encryption but serves as a redundancy measure. ClickFix is a social engineering tactic where victims are tricked into executing dangerous PowerShell commands on their systems to supposedly fix an error or verify themselves, resulting in the installation of malware. Interlock is a ransomware operation launched in late September 2024, targeting FreeBSD servers and Windows systems. Sekoia also reports that the ransom note has evolved, too, with the latest versions focusing more on the legal aspect of the data breach and the regulatory consequences if stolen data is made public. In the past, Interlock utilized fake browser and VPN client updates to install malware and breach networks. The last step before the ransomware execution is data exfiltration, with the stolen files uploaded to attacker-controlled Azure Blobs. This script registers a Run key in Windows Registry for persistence and then collects and exfiltrates system info including OS version, user privilege level, running processes, and available drives. The latter is a simple trojan that can be dynamically configured, supporting file exfiltration, shell command execution, and running malicious DLLs.

This Cyber News was published on www.bleepingcomputer.com. Publication date: Fri, 18 Apr 2025 17:45:13 +0000


Cyber News related to Interlock ransomware gang pushes fake IT tools in ClickFix attacks

Interlock ransomware gang pushes fake IT tools in ClickFix attacks - The Interlock ransomware gang now uses ClickFix attacks that impersonate IT tools to breach corporate networks and deploy file-encrypting malware on devices. Though this isn't the first time ClickFix has been linked to ransomware infections, ...
1 month ago Bleepingcomputer.com
10 Best Ransomware Protection Tools - 2025 - It protects devices from ransomware and other cyber threats using advanced threat intelligence, behavioral analysis, and cloud-based technology. It monitors and prevents ransomware assaults on personal files and automatically restores encrypted ...
3 months ago Cybersecuritynews.com
10 Best Ransomware File Decryptor Tools in 2025 - Kaspersky Rakhni Decryptor contains different decryption tools based on various versions of Rakhni ransomware and helps you decrypt encrypted files on your system. PyLocky Ransomware Decryption Tool is a free and open source developed and released by ...
1 month ago Cybersecuritynews.com
Interlock Ransomware Employs Multi-Stage Attack Via Legitimate Websites to Deliver Malicious Browser Updates - In early 2025, the operators expanded their tactics by switching from browser update lures to security software updaters, masquerading as FortiClient, Ivanti Secure Access Client, GlobalProtect, and other security products. These fake updaters are ...
1 month ago Cybersecuritynews.com
Interlock ransomware claims DaVita attack, leaks stolen data - The Interlock ransomware gang has claimed the cyberattack on DaVita kidney dialysis firm and leaked data allegedly stolen from the organization. The healthcare company disclosed to the U.S. Securities and Exchange Commission (SEC) that on April ...
1 month ago Bleepingcomputer.com
Hive Ransomware: A Detailed Analysis - This past week, on January 26th, to be exact, the FBI successfully shut down the Hive ransomware group and saved victims over a hundred million dollars in ransom payments and remediation costs. As ransomware continues to be a national security threat ...
2 years ago Heimdalsecurity.com LockBit
The Top 10 Ransomware Groups of 2023 - This article takes an in-depth look at the rise in ransomware attacks over the past year and the criminal groups driving the surge in cyber extortion. LockBit has established itself as one of the most notorious ransomware operations since emerging on ...
1 year ago Securityboulevard.com TA505 8base LockBit BianLian Medusa Noescape Black Basta
State Sponsored Hackers Now Widely Using ClickFix Attack Technique in Espionage Campaigns - While currently limited to experimental usage by these state-sponsored groups, the increasing popularity of ClickFix in both cybercrime and espionage campaigns suggests the technique will likely become more widely adopted as threat actors continue to ...
1 month ago Cybersecuritynews.com Kimsuky MuddyWater
Ransomware's Impact May Include Heart Attacks, Strokes & PTSD - First-order harms: Direct targets of ransomware attacks. The increasing convergence of IT and OT leave physical infrastructures more vulnerable to ransomware, even though most ransomware operators lack the capability to directly compromise OT or ...
1 year ago Techrepublic.com
Hackers Employ New ClickFix Captcha Technique to Deliver Ransomware - The integration of Qakbot with the ClickFix technique allows attackers to bypass traditional security measures by leveraging user interaction to execute malicious commands. A sophisticated social engineering technique known as ClickFix has emerged, ...
2 months ago Cybersecuritynews.com
The Week in Ransomware - Earlier this month, the BlackCat/ALPHV ransomware operation suffered a five-day disruption to their Tor data leak and negotiation sites, rumored to be caused by a law enforcement action. The FBI revealed this week that they hacked the BlackCat/ALPHV ...
1 year ago Bleepingcomputer.com LockBit Akira Noescape
Ransomware in 2023 recap: 5 key takeaways - This provides the best overall picture of ransomware activity, but the true number of attacks is far higher. While some ransomware trends hardly changed over the last year, such as LockBit's continued dominance, ransomware criminals also challenged ...
1 year ago Malwarebytes.com Scattered Spider LockBit
Medusa Ransomware Turning Your Files into Stone - Unit 42 Threat Intelligence analysts have noticed an escalation in Medusa ransomware activities and a shift in tactics toward extortion, characterized by the introduction in early 2023 of their dedicated leak site called the Medusa Blog. The Unit 42 ...
1 year ago Unit42.paloaltonetworks.com Medusa
State-sponsored hackers embrace ClickFix social engineering tactic - Proofpoint reports that APT28, a GRU unit, also used ClickFix as early as October 2024, using phishing emails mimicking a Google Spreadsheet, a reCAPTCHA step, and PowerShell execution instructions conveyed via a pop-up. ClickFix attacks are gaining ...
1 month ago Bleepingcomputer.com APT28 Kimsuky MuddyWater
The year of Mega Ransomware attacks with unprecedented impact on global organizations - A Staggering 1 in every 10 organizations worldwide hit by attempted Ransomware attacks in 2023, surging 33% from previous year, when 1 in every 13 organisations received ransomware attacks Throughout 2023, organizations around the world have each ...
1 year ago Blog.checkpoint.com
Ransomware trends and recovery strategies companies should know - Ransomware attacks can have severe consequences, causing financial losses, reputational damage, and operational disruptions. The methods used to deliver ransomware vary, including phishing emails, malicious websites, and exploiting vulnerabilities in ...
1 year ago Helpnetsecurity.com
8 Tips on Leveraging AI Tools Without Compromising Security - Forecasts like the Nielsen Norman Group estimating that AI tools may improve an employee's productivity by 66% have companies everywhere wanting to leverage these tools immediately. How can companies employ these powerful AI/ML tools without ...
1 year ago Darkreading.com
Waiting for the BlackCat rebrand - We saw another ransomware operation shut down this week after first getting breached by law enforcement and then targeting critical infrastructure, putting them further in the spotlight of the US government. While the Tor onion domain seizure was a ...
1 year ago Bleepingcomputer.com Medusa Cuba STORMOUS
iClicker hack targeted students with malware via fake CAPTCHA - The website of iClicker, a popular student engagement platform, was compromised in a ClickFix attack that used a fake CAPTCHA prompt to trick students and instructors into installing malware on their devices. According to a security alert from the ...
2 weeks ago Bleepingcomputer.com
New ClickFix attack deploys Havoc C2 via Microsoft Sharepoint - A newly uncovered ClickFix phishing campaign is tricking victims into executing malicious PowerShell commands that deploy the Havok post-exploitation framework for remote access to compromised devices. Threat actors have also begun to evolve the ...
2 months ago Bleepingcomputer.com
Ransomware Roundup - The Ransomware Roundup report aims to provide readers with brief insights into the evolving ransomware landscape and the Fortinet solutions that protect against those variants. This edition of the Ransomware Roundup covers the 8base ransomware. 8base ...
1 year ago Feeds.fortinet.com 8base
Researchers link 3AM ransomware to Conti, Royal cybercrime gangs - Security researchers analyzing the activity of the recently emerged 3AM ransomware operation uncovered close connections with infamous groups, such as the Conti syndicate and the Royal ransomware gang. The 3AM ransomware gang's activity was first ...
1 year ago Bleepingcomputer.com Blacksuit LockBit Threeam
ClickFix attack delivers infostealers, RATs in fake Booking.com emails - Microsoft is warning that an ongoing phishing campaign impersonating Booking.com is using ClickFix social engineering attacks to infect hospitality workers with various malware, including infostealers and RATs. In the phishing campaign discovered by ...
2 months ago Bleepingcomputer.com
The Week in Ransomware - Governments struck back this week against members of ransomware operations, imposing sanctions on one threat actor and sentencing another to prison. On Tuesday, the Australian, US, and UK governments announced sanctions against Aleksandr Gennadievich ...
1 year ago Bleepingcomputer.com LockBit BianLian Akira Cactus
Best Ransomware Protection Practices for Midsize Organizations - Ransomware Protection has emerged as a crucial step in cybersecurity since ransomware attacks have become a major threat to businesses of all sizes, including midsize organizations. Ransomware attacks can be delivered via email attachments or links, ...
1 year ago Securityboulevard.com