{
	"id": "a3d24be3-6f67-4d6a-bd88-4e406b7502b1",
	"created_at": "2026-04-06T00:16:31.430106Z",
	"updated_at": "2026-04-10T03:21:20.499759Z",
	"deleted_at": null,
	"sha1_hash": "264114d6bf49f0f653117adcd34fd0c89ccf42be",
	"title": "Ransomware Roundup - Interlock | FortiGuard Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 62812,
	"plain_text": "Ransomware Roundup - Interlock | FortiGuard Labs\r\nPublished: 2024-11-29 · Archived: 2026-04-05 12:53:29 UTC\r\nFortiGuard Labs gathers data on ransomware variants of interest that have been gaining traction within our\r\ndatasets and the OSINT community. The Ransomware Roundup report aims to provide readers with brief insights\r\ninto the evolving ransomware landscape and the Fortinet solutions that protect against those variants.\r\nThis edition of the Ransomware Roundup covers the Interlock ransomware.\r\nAffected platforms: Microsoft Windows, FreeBSD\r\nImpacted parties: Microsoft Windows and FreeBSD users\r\nImpact: Encrypts victims' files and demands ransom for file decryption\r\nSeverity level: High\r\nInterlock Ransomware Overview\r\nInterlock is a new ransomware variant that was first submitted to a publicly available file-scanning site in early\r\nOctober 2024. This could indicate that the ransomware emerged as early as September or even earlier.\r\nThe Interlock ransomware comes in Windows and FreeBSD versions. It encrypts files on victims' machines and\r\ndemands a ransom to decrypt them via dropped ransom notes.\r\nInfection Vector\r\nWhile the initial infection vector of the Interlock ransomware has not been identified, researcher Sina Kheirkhah\r\n(@SinSinology) reported that a previously unknown backdoor was found on a victim’s machine. It is possible that\r\nthe ransomware was deployed through this backdoor.\r\nAttack Method\r\nWindows Version of Interlock Ransomware\r\nThe Windows version of the ransomware claims to support the following versions of Windows:\r\nWindows Vista\r\nWindows 7\r\nWindows 8\r\nWindows 8.1\r\nWindows 10\r\nThe Interlock ransomware takes the following parameters on execution:\r\n-d, --directory\r\n-f, --file\r\nhttps://www.fortinet.com/blog/threat-research/ransomware-roundup-interlock\r\nPage 1 of 6\n\n-del, --delete\r\n-s, --system\r\nOnce executed, the Interlock ransomware encrypts files on victims’ machines and drops a ransom note labeled\r\n“!__README__!.txt”.\r\nFiles encrypted by the Interlock ransomware will have a “.interlock” file extension.\r\nThe ransomware is designed to exclude the following files and filetypes from file encryption:\r\n.bat .bin .cab .cmd .com .cur\r\n.diagcab .diagcfg .diagpkg .drv  .hlp .hta\r\n.ico .msi .ocx .psm1 .scr .sys\r\n.ini Thumbs.db .url .dll .exe .ps1\r\nIt also excludes the following folders from file encryption:\r\n$Recycle.Bin Boot Documents and Settings PerfLogs\r\nProgramData Recovery System Volume Information Windows\r\nIt also creates a scheduled task named \"TaskSystem\":\r\n \r\nschtasks /create /sc DAILY /tn \"TaskSystem\" /tr \"cmd /C cd %s \u0026\u0026 %s\" /st 20:00 /ru system \u003e nul\r\nThe above script creates a new scheduled task, TaskSystem, that runs every day at 20:00 using the System\r\naccount.\r\nFreeBSD Version of the Interlock Ransomware\r\nThe FreeBSD version of the ransomware takes parameters on execution:\r\n-d, --directory\r\n-f, --file\r\n-del, --delete\r\nhttps://www.fortinet.com/blog/threat-research/ransomware-roundup-interlock\r\nPage 2 of 6\n\n-s, --system\r\nOnce the ransomware is executed, it encrypts files on victims' machines using the AES-CBC encryption algorithm\r\nand adds an \".interlock\" extension to the encrypted files.\r\nThe ransomware then leaves a text file containing the same ransom note as the Windows version.\r\nThe FreeBSD version of the Interlock ransomware skips files with an “.interlock”  extension from file encryption.\r\nIt also excludes the following directories from file encryption:\r\n/bin /boot /cdrom /dev /etc /home\r\n/lib /lib32 /lib64 /libx32 /lost+found /media\r\n/mnt /opt /proc /run /root /sbin\r\n/snap /srv /sys /tmp /usr /var\r\nIt also avoids encrypting the following file:\r\nboot.cfg\r\nVictimology\r\nAt the time of our investigation, the Interlock ransomware data leak site listed six victims. Five of those were in\r\nthe United States, and the other was in Italy. However, submission data to the publicly available scanning service\r\npotentially shows even broader victim locations. Interlock ransomware samples have been submitted from India,\r\nItaly, Japan, Germany, Peru, South Korea, Turkey, and the United States.\r\nThe victims are in the education, finance, government, healthcare, and manufacturing sectors, indicating that the\r\nInterlock ransomware does not have a policy to avoid targeting essential businesses and organizations, as some\r\nother ransomware groups have.\r\nEach victim has its own page describing the victim’s organization and lists stolen and leaked files.\r\nData Leak Site\r\nThe Interlock ransomware runs its data leak site on TOR, which is divided into the following four sections:\r\nHome\r\nAbout – contains an FAQ\r\nDATA LEAK – includes a list of victims\r\nhttps://www.fortinet.com/blog/threat-research/ransomware-roundup-interlock\r\nPage 3 of 6\n\nHelp – includes contact information\r\nFortinet Protections\r\nThe Interlock ransomware described in this report is detected and blocked by FortiGuard Antivirus as:\r\nW32/Kryptik.HXUY!tr.ransom\r\nLinux/Filecoder_InterLock.A!tr\r\nW64/GenKryptik.HCFC!tr\r\nW64/Filecoder_Rhysida.D!tr\r\nW32/PossibleThreat\r\nFortiGate, FortiMail, FortiClient, and FortiEDR support the FortiGuard AntiVirus service. The FortiGuard\r\nAntiVirus engine is part of each solution, so customers with these products have up-to-date protection.\r\nIOCs\r\nInterlock Ransomware File IOCs\r\n SHA2 Note\r\na26f0a2da63a838161a7d335aaa5e4b314a232acc15dcabdb6f6dbec63cda642\r\nInterlock ransomware\r\n(Windows version)\r\n28c3c50d115d2b8ffc7ba0a8de9572fbe307907aaae3a486aabd8c0266e9426f\r\nInterlock ransomware\r\n(FreeBSD version)\r\ne86bb8361c436be94b0901e5b39db9b6666134f23cce1e5581421c2981405cb1\r\nf00a7652ad70ddb6871eeef5ece097e2cf68f3d9a6b7acfbffd33f82558ab50e\r\nIOCs of the backdoor malware reported by Sina Kheirkhah (@SinSinology)\r\nSHA2 Note\r\ne9ff4d40aeec2ff9d2886c7e7aea7634d8997a14ca3740645fd3101808cc187b Backdoor malware allegedly\r\nfound on the Interock\r\nransomware victim’s machine\r\nhttps://www.fortinet.com/blog/threat-research/ransomware-roundup-interlock\r\nPage 4 of 6\n\n7d750012afc9f680615fe3a23505f13ab738beef50cd92ebc864755af0775193\r\n6933141fbdcdcaa9e92d6586dd549ac1cb21583ba9a27aa23cf133ecfdf36ddf\r\nFortiGuard Labs Guidance\r\nIt is vital to keep all AV and IPS signatures up to date due to the ease of disruption, damage to daily operations,\r\npotential impact on an organization’s reputation, and unwanted destruction or release of personally identifiable\r\ninformation (PII).\r\nSince the majority of ransomware is delivered via phishing, organizations should consider leveraging Fortinet\r\nsolutions designed to train users to understand and detect phishing threats:\r\nThe FortiPhish Phishing Simulation Service uses real-world simulations to help organizations test user awareness\r\nand vigilance against phishing threats and to train and reinforce proper practices when users encounter targeted\r\nphishing attacks.\r\nOur FREE Fortinet Certified Fundamentals (FCF) in Cybersecurity training. The training is designed to help end\r\nusers learn about today's threat landscape and will introduce basic cybersecurity concepts and technology.\r\nOrganizations will need to make foundational changes to the frequency, location, and security of their data\r\nbackups to effectively deal with the evolving and rapidly expanding risk of ransomware. When coupled with\r\ndigital supply chain compromise and a workforce telecommuting into the network, there is a real risk that attacks\r\ncan come from anywhere. Cloud-based security solutions, such as SASE, to protect off-network devices;\r\nadvanced endpoint security, such as EDR (endpoint detection and response) solutions that can disrupt malware\r\nmid-attack; and Zero Trust Access and network segmentation strategies that restrict access to applications and\r\nresources based on policy and context, should all be investigated to minimize risk and to reduce the impact of a\r\nsuccessful ransomware attack.\r\nAs part of the industry's leading fully integrated Security Fabric, Fortinet delivers native synergy and automation\r\nacross your security ecosystem. It also provides an extensive portfolio of technology- and human-based as-a-service offerings powered by our global FortiGuard team of seasoned cybersecurity experts.\r\nFortiRecon is a SaaS-based Digital Risk Prevention Service backed by cybersecurity experts. It provides unrivaled\r\nthreat intelligence on the latest threat actor activity across the dark web, enabling a rich understanding of threat\r\nactors’ motivations and TTPs. The service can detect evidence of attacks in progress, allowing customers to\r\nrespond rapidly to and shut down active threats.\r\nBest Practices Include Not Paying a Ransom\r\nOrganizations such as CISA, NCSC, the FBI, and HHS caution ransomware victims against paying a ransom\r\npartly because the payment does not guarantee that files will be recovered. According to a US Department of\r\nTreasury's Office of Foreign Assets Control (OFAC) advisory, ransom payments may also embolden adversaries to\r\nhttps://www.fortinet.com/blog/threat-research/ransomware-roundup-interlock\r\nPage 5 of 6\n\ntarget additional organizations, encourage other criminal actors to distribute ransomware, and/or fund illicit\r\nactivities that could potentially be illegal. For organizations and individuals affected by ransomware, the FBI has a\r\nRansomware Complaint page where victims can submit samples of ransomware activity via their Internet Crimes\r\nComplaint Center (IC3).\r\nHow Fortinet Can Help\r\nFortiGuard Labs’ Emergency Incident Response Service provides rapid and effective response when an incident is\r\ndetected. Our Incident Readiness Subscription Service provides tools and guidance to help you better prepare for a\r\ncyber incident through readiness assessments, IR playbook development, and IR playbook testing (tabletop\r\nexercises).\r\nAdditionally, FortiRecon Digital Risk Protection (DRP) is a SaaS-based service that provides a view of what\r\nadversaries are seeing, doing, and planning to help you counter attacks at the reconnaissance phase and\r\nsignificantly reduce the risk, time, and cost of later-stage threat mitigation.\r\nSource: https://www.fortinet.com/blog/threat-research/ransomware-roundup-interlock\r\nhttps://www.fortinet.com/blog/threat-research/ransomware-roundup-interlock\r\nPage 6 of 6",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/ransomware-roundup-interlock"
	],
	"report_names": [
		"ransomware-roundup-interlock"
	],
	"threat_actors": [],
	"ts_created_at": 1775434591,
	"ts_updated_at": 1775791280,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/264114d6bf49f0f653117adcd34fd0c89ccf42be.pdf",
		"text": "https://archive.orkl.eu/264114d6bf49f0f653117adcd34fd0c89ccf42be.txt",
		"img": "https://archive.orkl.eu/264114d6bf49f0f653117adcd34fd0c89ccf42be.jpg"
	}
}