- FileFix is a new technique for deploying malware, born out of ClickFix
- It works by tricking users into pasting commands into File Explorer
- The resulting compromise leads to Interlock encryptors
The dreaded ClickFix malware deployment technique has evolved, and the new variant, dubbed “FileFix”, is used in ransomware attacks.
ClickFix is a technique in which victims are presented with a fake problem (for example, a fake CAPTCHA or a fake virus infection alert) and then offered a fix. This “fix” generally involves pasting a command into the Windows Run program, a command that was copied to the clipboard via JavaScript from the compromised website.
The command, in most cases, downloads and executes a piece of malware.
Interlock ransomware
Now FileFix builds on this foundation. Instead of pasting commands into Run, victims are asked to paste a copied string into the address bar of File Explorer. Thanks to comment syntax, the string looks like a file path but is, in fact, a PowerShell command.
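For defenders, the trick described above leaves a recognizable shape in process-creation telemetry. The following Python check is an added example, not part of the original article: it flags events where File Explorer starts PowerShell with a command line that ends in a comment shaped like a file path. The Sysmon-style field names, the assumption that the pasted command runs as a child of explorer.exe, and the sample events are constructed for illustration.

```python
import re
from ntpath import basename  # parses Windows paths on any OS

# Child processes of interest; the article names PowerShell.
INTERPRETERS = {"powershell.exe", "pwsh.exe"}

# A "#" comment marker followed by text shaped like a Windows path (drive
# letter or UNC prefix) that runs to the end of the command line.
DECOY_PATH = re.compile(r"#\s*(?:[A-Za-z]:\\|\\\\)[^#]*$")


def is_filefix_like(event):
    """True when Explorer launched PowerShell with a path-shaped trailing comment."""
    parent = basename(event.get("ParentImage", "")).lower()
    child = basename(event.get("Image", "")).lower()
    if parent != "explorer.exe" or child not in INTERPRETERS:
        return False
    return DECOY_PATH.search(event.get("CommandLine", "")) is not None


def scan(events):
    """Return the events that match the heuristic, in input order."""
    return [e for e in events if is_filefix_like(e)]


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EXPLORER = r"C:\Windows\explorer.exe"

# Constructed sample events (Sysmon Event ID 1 style fields), harmless commands.
SAMPLE_EVENTS = [
    # Command followed by a comment that reads like a document path: flagged.
    {"ParentImage": EXPLORER, "Image": PS,
     "CommandLine": r"powershell.exe -c Write-Output test # C:\Users\Public\Documents\report.docx"},
    # "#" is part of a real folder name, not a comment marker: not flagged.
    {"ParentImage": EXPLORER, "Image": PS,
     "CommandLine": r'powershell.exe -File "C:\data\#archive\run.ps1"'},
    # Same shape as the first event but launched by a service host: not flagged.
    {"ParentImage": r"C:\Windows\System32\svchost.exe", "Image": PS,
     "CommandLine": r"powershell.exe -c Get-Date # C:\Temp\job.log"},
    # Explorer opening a document in Notepad: not flagged.
    {"ParentImage": EXPLORER, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\Public\notes.txt"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print("suspicious:", hit["CommandLine"])
```

The heuristic is deliberately narrow: it treats the parent process and the trailing path-shaped comment together as the signal, so ordinary PowerShell use and paths containing "#" do not match.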
In some attacks that researchers have identified in the wild, executing this command via File Explorer delivers a PHP-based variant of a remote access trojan (RAT).
This RAT runs a number of different commands, including the collection of system and network information. It also enumerates Active Directory, checks for backups, browses local directories and examines domain controllers. Ultimately, the RAT can deploy the Interlock ransomware.
Interlock appeared for the first time at the end of September 2024, with public detection in November 2024. It drew attention for its new FreeBSD-targeting encryptors alongside Windows variants.
Among its most notable victims are Wayne County, Michigan, Texas Tech University Health Sciences Center, Heritage Bank & McCormick – Priore and Kettering Health.
It is known to use the standard double extortion tactic, exfiltrating sensitive business files before encrypting systems.
In mid-2025, Interlock claimed around 14 known attacks, around a third of them in health care. This change in delivery tactics suggests that the ransomware is under active development and that it will continue to pose a major threat to organizations around the world.
Via BleepingComputer