Note: This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware.
Summary: The FBI, CISA, the Department of Health and Human Services (HHS), and MS-ISAC are releasing this joint advisory to disseminate known Interlock ransomware IOCs and TTPs identified through FBI investigations (as recently as June 2025) and trusted third-party reporting. The Interlock ransomware variant was first observed in late September 2024, targeting various businesses, critical infrastructure, and other organizations in North America and Europe. The FBI has observed Interlock actors obtaining initial access via drive-by download from compromised legitimate websites (an uncommon method among ransomware groups) and using ClickFix social engineering techniques. Interlock actors employ double extortion tactics, encrypting systems after exfiltrating data.
Analyst Note: Recent research by Coveware, a cybersecurity company specializing in ransomware and data recovery, shows that social engineering is growing in popularity as an intrusion vector among ransomware actors. Coveware notes that just a few years ago, Scattered Spider was arguably the only extortion group using such tactics successfully and at scale. Today, as this joint CSA also indicates, many ransomware groups use social engineering as a premier tactic to obtain initial access.
This joint CSA includes downloadable IOCs and mitigation recommendations to aid in defending against Interlock ransomware actors and similar groups. Network defenders are encouraged to implement the recommendations in the mitigations section of the advisory to reduce the likelihood and impact of ransomware incidents.
Original Source: https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-203a
Additional Reading:
Related WaterISAC PIRs: 6, 7, 7.1, 10, 12