The Interlock ransomware gang now makes use of ClickFix assaults that impersonate IT instruments to breach company networks and deploy file-encrypting malware on gadgets.
ClickFix is a social engineering tactic the place victims are tricked into executing harmful PowerShell instructions on their programs to supposedly repair an error or confirm themselves, ensuing within the set up of malware.
Although this is not the primary time ClickFix has been linked to ransomware infections, affirmation about Interlock reveals an rising development in these kinds of menace actors using the tactic.
Interlock is a ransomware operation launched in late September 2024, concentrating on FreeBSD servers and Home windows programs.
Interlock isn’t believed to function as a ransomware-as-a-service mannequin. Nonetheless, it maintains an information leak portal on the darkish net to extend stress on victims, demanding funds starting from tons of of hundreds of {dollars} to tens of millions.
From ClickFix to ransomware
Previously, Interlock utilized faux browser and VPN shopper updates to put in malware and breach networks.
Based on Sekoia Researcherthe Interlock ransomware gang started using ClickFix assaults in January 2025.
Interlock used not less than 4 URLs to host faux CAPTCHA prompts that inform guests to execute a command on their laptop to confirm themselves and obtain a promoted software.
The researchers say they detected the malicious captcha on 4 totally different websites, mimicking Microsoft or Superior IP Scanner portals:
microsoft-msteams(.)com/additional-check.html
microstteams(.)com/additional-check.html
ecologilives(.)com/additional-check.html
advanceipscaner(.)com/additional-check.html
Nevertheless, solely the location impersonating Superior IP Scanner, a preferred IP scanning software generally utilized by IT employees, led to downloading a malicious installer.
Web page internet hosting Interlock’s ClickFix bait
Supply: Sekoia
Clicking the ‘Repair it’ button copies the malicious PowerShell command to the sufferer’s clipboard. If executed in a command immediate or Home windows Run dialog, it is going to obtain a 36MB PyInstaller payload.
On the identical time, the respectable AdvanceIPScanner web site opens in a browser window to scale back suspicion.
The malicious payload installs a respectable copy of the software program it pretends to be and concurrently executes an embedded PowerShell script that runs in a hidden window.
This script registers a Run key in Home windows Registry for persistence after which collects and exfiltrates system data together with OS model, consumer privilege degree, operating processes, and out there drives.
Sekoia has noticed the command and management (C2) responding with varied payloads, together with LummaStealer, BerserkStealer, keyloggers, and the Interlock RAT.
The latter is an easy trojan that may be dynamically configured, supporting file exfiltration, shell command execution, and operating malicious DLLs.
Instructions Interlock RAT helps
Supply: Sekoia
After the preliminary compromise and RAT deployment, Interlock operators used stolen credentials to maneuver laterally through RDP, whereas Sekoia additionally noticed PuTTY, AnyDesk, and LogMeIn utilized in some assaults.
The final step earlier than the ransomware execution is information exfiltration, with the stolen information uploaded to attacker-controlled Azure Blobs.
The Home windows variant of Interlock is about (through a scheduled activity) to run each day at 08:00 PM, however because of file extension-based filtering, this does not trigger a number of layers of encryption however serves as a redundancy measure.
Sekoia additionally stories that the ransom be aware has advanced, too, with the most recent variations focusing extra on the authorized side of the info breach and the regulatory penalties if stolen information is made public.
Interlock’s newest ransom be aware
Supply: BleepingComputer
ClickFix assaults have now been adopted by a variety of menace actors, together with different ransomware gangs and North Korean hackers.
Final month, Sekoia found that the notorious Lazarus North Korean hacking group was utilizing ClickFix assaults concentrating on job seekers within the cryptocurrency trade.
