Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now
Webinar
February 26
Better SOC with Interactive Sandbox Practical Use Cases
Register now

Interlock

160
Global rank
148 infographic chevron month
Month rank
166 infographic chevron week
Week rank
0
IOCs

Interlock is a relatively recent entrant into the ransomware landscape. First identified in 2023, it's a multi-functional malware strain used in ransomware-as-a-service (RaaS) operations.

Ransomware
Type
Unknown
Origin
1 October, 2023
First seen
19 June, 2026
Last seen

How to analyze Interlock with ANY.RUN

Type
Unknown
Origin
1 October, 2023
First seen
19 June, 2026
Last seen

IOCs

IP addresses
167.235.234.45
23.227.203.12
165.245.130.101
178.32.224.221
149.56.95.167
213.232.236.139
144.202.41.73
23.227.202.6
91.99.97.247
23.227.202.246
192.169.6.74
185.28.119.10
213.139.77.167
23.227.202.84
51.222.96.58
95.169.180.113
185.233.166.26
69.169.109.132
151.241.99.169
38.132.122.155
Domains
allegrolokalne.conformation-317.shop
allegro.conformation-318.shop
olx.conformation-316.shop
conformation-318.shop
venturepointnet88.sbs
conformation-319.shop
allegro.conformation-314.shop
allegro.pl-smart91275332.cfd
vinted.conformation-319.shop
xn--albilet-b9a.conformation-318.shop
conformation-314.shop
vinted.conformation-314.shop
aiebilet.dostw-126.shop
allegro.conformation-319.shop
alebilet.dostw-133.shop
vinted.dostw-123.shop
allegrolokainie.dostw-126.shop
dostw-103.shop
vinted.conformation-316.shop
allebilet.conformation-316.shop
Last Seen at

Recent blog posts

post image
Hidden Infrastructure Exposed: ANY.RUN Reveal...
watchers 4232
comments 0
post image
​​Kratos PhaaS Targets US and EU: How to Redu...
watchers 8849
comments 0
post image
US Threat Landscape Alert: 30 Active Malware...
watchers 7132
comments 0

What is Interlock malware?

Interlock is a modular ransomware tool that enables hackers to lock and encrypt files, exfiltrate data, and demand ransoms in double extortion schemes. It targets both Windows and Linux systems, with 64-bit executables (Windows PE and Linux ELF formats).

Interlock gained attention for its stealth and customizability, starting from targeting small and midsize enterprises with limited cybersecurity maturity and proceeding to industry leaders for really big ransoms. Healthcare organizations are another common victim of Interlock.

Discover detailed investigation into Interlock attacks on U.S. hospitals and healthcare providers.

Like many modern malware strains, Interlock leverages common but effective attack vectors. Adversaries send malicious attachments or links in well-crafted spear phishing messages, sometimes including QR codes or cloud-sharing links to bypass email filters. They exploit vulnerabilities, purchase credentials from initial access brokers and employ malvertising — drive-by downloads from fake ads or compromised legitimate websites.

Upon a successful infiltration, Interlock exploits active directory misconfigurations and uses PowerShell, WMI, and RDP for lateral movement within the network. Having established itself in the system, it dumps credentials from memory, exfiltrates data before encryption (double extortion), encrypts data with strong algorithms (often AES or ChaCha20) and greets the victim with a customized ransom note. Optionally, Interlock can recruit keyloggers, browser data collectors, and screenshot capturing.

The malware affects both Windows and Linux environments, with binaries tailored for each, indicating broad compatibility and intent to hit diverse infrastructures. It may use scheduled tasks or registry modifications to maintain access, ensuring it can resume operations after a reboot.

Get started today for free

Analyze malware and phishing in a fully-interactive sandbox

Create free account

Interlock Ransomware’s Prominent Features

Interlock poses significant risks due to its:

  • Sector Impact: Healthcare and government sectors are particularly vulnerable due to their reliance on uptime and data confidentiality. Disruptions can lead to life-threatening delays or exposure of classified information.
  • Big-Game Hunting: Interlock targets high-value organizations, demanding large ransoms, but can also cripple smaller entities or those with limited cybersecurity budgets.
  • Broad Targeting: Its ability to hit both Windows and Linux systems makes it a threat to diverse environments, from enterprise servers to critical infrastructure.
  • Double-Extortion Strategy: The threat of data leaks amplifies financial and reputational damage, especially for organizations handling sensitive data.
  • Persistence: Its ability to maintain access increases the risk of repeated attacks or secondary payloads.

Interlock is notable for deploying a rare FreeBSD encryptor, aiming at critical infrastructure servers (e.g., web hosting, mail servers). While specific FreeBSD attacks are not yet detailed, this capability suggests potential for broader disruption in future incidents.

Interlock’s Execution Process and Technical Details

To watch Interlock enforce its varying attack scenarios, search for this malware via ANY.RUN’s Threat Intelligence Lookup and explore the analyses of its samples publicly submitted in the Interactive Sandbox.

threatName:"interlock"

Interlock ransomware samples in ANY.RUN Sandbox Interlock ransomware analyses in ANY.RUN's Interactive Sandbox

Let’s watch one of the analysis sessions closer

The execution chain of Interlock ransomware unfolds in several stages, employing both deception and sophisticated tools to compromise and extort victims. It typically begins with a drive-by compromise, where users are tricked into visiting phishing websites that appear legitimate. These sites offer fake updates or tools, which, once downloaded, infect the user’s device with malware. For example, malicious software might be disguised as a legitimate update for a popular application such as Chrome or Microsoft Edge. In one observed instance, the executable file was named upd_9488679.exe, where upd is short for “update,” although it can also appear under names like Update or ChromeSetup.

Once inside the system, attackers may deploy malicious payloads or execute harmful commands to take full control of the victim’s network. Prior to encryption, they often exfiltrate sensitive data as part of a double extortion strategy, threatening not only to encrypt the data but also to release the stolen information publicly if the ransom is not paid.

Next, the Interlock ransomware encryptor is deployed, appending the .interlock extension to files and dropping a ransom note titled !README!.txt in affected directories. This note typically provides instructions on how to contact the attackers and pay the ransom. The reliance on double extortion further pressures victims, who risk losing both access to their data and control over the disclosure of sensitive information.

Following its main functions, the ransomware may erase Windows event logs to conceal evidence of its activities. It can also delete its own binary after encryption, further complicating forensic analysis and recovery efforts.

Interlock ransomware analysis in ANY.RUN A sample of Interlock detonated inside ANY.RUN's Interactive Sandbox

What are the examples of the best-known Interlock attacks?

  • Wayne County, a government entity in Michigan, was hit by Interlock in early October 2024. The breach disrupted local government operations, potentially affecting public services. Interlock demanded a ransom, reportedly ranging from hundreds of thousands to millions of dollars, though it’s unclear if the ransom was paid.
  • Brockton Neighborhood Health Center was breached by Interlock, with the attack going undetected until December 17, 2024. Attackers used a fake Google Chrome updater to gain initial access, deploying a remote access tool (RAT) to exfiltrate sensitive patient data and encrypt files. The delayed detection allowed Interlock to maintain persistence for nearly two months.
  • Interlock claimed responsibility for attacking Andretti Indoor Karting & Games — a U.S. entertainment chain — in March 2025, alleging they stole 1.2 TB of data, including W-9 forms, financial records, and passports. The attack led to a temporary closure of multiple locations. This attack showed Interlock’s willingness to target non-critical sectors like entertainment, broadening their victim pool.

Gathering Threat Intelligence on Interlock malware

Integrating threat intelligence into security operations is much more efficient than paying huge ransoms to Interlock operators or dealing with devastating aftermath of data loss and leaks. Focus on TTPs (tactics, techniques, procedures) shared by TI reports, such as phishing, scheduled tasks to anticipate attack vectors.

Leverage ANY.RUN’s Threat Intelligence Lookup to hunt for IOCs specific to Interlock, like domains, IPs, or file hashes.

Each analysis session in the Sandbox contains a number of IOCs. Use them as search requests to TI Lookup for further exploring the threat and gathering data for monitoring and detection.

Interlock malicious files Files found in an Interlock sample during Sandbox analysis

Integrate ANY.RUN’s threat intelligence solutions in your company

Contact us

Conclusion

Interlock is a young ransomware market player yet already notorious for its big ransom appetites, opportunistic targeting across various sectors, and sophisticated tactics to infiltrate systems, exfiltrate data, and disrupt operations. The group's activities have had significant impacts on the affected organizations, leading to operational downtime, data breaches, and potential financial losses.

To avoid becoming the next victim, reinforce your proactive cybersecurity efforts with actionable data brough to you by threat intelligence.

Start with 50 requests in TI Lookup to collect IOCs on Interlock and be ready to detect and respond

HAVE A LOOK AT

FatalRAT screenshot
FatalRAT
fatalrat
FatalRAT is a malware that gives hackers remote access and control of the system and lets them steal sensitive information like login credentials and financial data. FatalRAT has been associated with cyber espionage campaigns, particularly targeting organizations in the Asia-Pacific (APAC) region.
Read More
Salty 2FA screenshot
Salty 2FA
salty2fa
Salty 2FA is a sophisticated Phishing-as-a-Service (PhaaS) framework tailored to hijack user sessions, steal credentials, and gain unauthorized access to corporate systems. Delivered primarily via targeted emails, this kit employs multi-stage evasion tactics, making it a stealthy tool for cybercriminals aiming at high-value enterprise accounts.
Read More
Tycoon 2FA screenshot
Tycoon 2FA
tycoon
Tycoon 2FA is a phishing-as-a-service (PhaaS) platform designed to bypass multi-factor authentication (MFA) protections, particularly targeting Microsoft 365 and Gmail accounts. Its advanced evasion techniques and modular architecture make it a significant threat to organizations relying on MFA for security.
Read More
Phobos screenshot
Phobos
phobos ransomware
Phobos is a ransomware that locks or encrypts files to demand a ransom. It uses AES encryption with different extensions, which leaves no chance to recover the infected files.
Read More
DarkGate screenshot
DarkGate
darkgate
DarkGate is a loader, which possesses extensive functionality, ranging from keylogging to crypto mining. Written in Delphi, this malware is known for the use of AutoIT scripts in its infection process. Thanks to this malicious software’s versatile architecture, it is widely used by established threat actors.
Read More
ValleyRAT screenshot
ValleyRAT
valleyrat
ValleyRAT is a classic remote access trojan first documented in 2023, targeting mainly Windows systems. It is used by threat actors to gain persistent access to infected devices, steal data, and control compromised machines. ValleyRAT is notable for its relatively advanced evasion techniques and its connections to a prominent Chinese APT group.
Read More