The FBI has warned US businesses to look out for “drive-by download” tactics deployed by the Interlock ransomware attackers in a joint advisory issued Tuesday, as the group increases its attacks in the healthcare industry.
Alongside the Cybersecurity and Infrastructure Security Agency (CISA) and US Health Department, the FBI said Interlock had been seen using drive-by and ClickFix social engineering tactics to gain access to the systems as recently as this June.
It revealed the initial access methods “have previously disguised malicious payloads as fake Google Chrome or Microsoft Edge browser updates, though a cybersecurity company recently reported a shift to payload filenames masquerading as updates for common security software.”
What is Interlock?
Interlock first appeared in September 2024. It has largely targeted healthcare companies, such as Kettering Health and DaVita, but went after the US military supplier National Defence Corporation in May, claiming to have exfiltrated 4.2 terabytes of data.
The FBI's advisory said the financially motivated Interlock group was notable for its use of a “double extortion method”, where the victim's data is both encrypted and exfiltrated, so the group can hold systems hostage while also threatening to leak the data.
Interlock has also gained attention for its use of the increasingly popular ClickFix tactic, where users unknowingly execute a malicious payload by clicking a fake CAPTCHA pop-up that instructs them to copy PowerShell code into the Windows Run dialog.
The advisory warned that after gaining access, Interlock actors are known to run remote access trojans (RATs) every time a user logs in, deploying command and control applications such as Cobalt Strike and SystemBC.
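Detection logic for the two behaviours just described (a ClickFix payload pasted into the Run dialog, and a payload re-launched at every logon), as an added example that is not part of the article or the advisory. It scans constructed Sysmon-style process-creation and registry events; the field names, the indicator strings and the sample events are assumptions chosen for this demonstration rather than rules taken from the advisory.

```python
"""Added example (not from the advisory or the article): triage constructed
Sysmon-style events for two Interlock-related patterns:

1. ClickFix execution: PowerShell launched by explorer.exe (the parent of
   anything typed into the Windows Run dialog) with hidden-window, encoded,
   or download-cradle arguments.
2. Logon persistence: a process writing a value under a per-user Run key so
   a payload starts at every sign-in.

Event shape, indicator lists and sample data are assumptions for this demo."""
import re
from dataclasses import dataclass
from typing import Optional

# Command-line indicators typical of copy-and-paste lures (assumed list).
SUSPICIOUS_ARGS = [
    r"-(enc|encodedcommand)\b",
    r"-w(indowstyle)?\s+hidden",
    r"-nop\b|-noprofile\b",
    r"\b(iwr|invoke-webrequest|invoke-expression|iex|downloadstring|mshta)\b",
]
ARG_RE = re.compile("|".join(SUSPICIOUS_ARGS), re.IGNORECASE)
# Per-user and per-machine autostart keys (assumed pattern).
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)


@dataclass
class Finding:
    rule: str
    host: str
    user: str
    detail: str


def check_process_create(event: dict) -> Optional[Finding]:
    """Sysmon EventID 1: flag explorer.exe -> powershell.exe with lure-like arguments."""
    image = event.get("Image", "").lower()
    parent = event.get("ParentImage", "").lower()
    cmd = event.get("CommandLine", "")
    if not image.endswith(("powershell.exe", "pwsh.exe")):
        return None
    if not parent.endswith("explorer.exe"):  # Run dialog launches have explorer as parent
        return None
    if ARG_RE.search(cmd):
        return Finding("clickfix_run_dialog", event["Computer"], event["User"], cmd)
    return None


def check_registry_set(event: dict) -> Optional[Finding]:
    """Sysmon EventID 13: flag Run/RunOnce values written by anything but an installer."""
    target = event.get("TargetObject", "")
    if not RUN_KEY_RE.search(target):
        return None
    image = event.get("Image", "").lower()
    # Installers legitimately touch Run keys; anything else deserves a look.
    if image.endswith(("msiexec.exe", "setup.exe")):
        return None
    detail = f"{target} = {event.get('Details', '')}"
    return Finding("logon_persistence_run_key", event["Computer"], event["User"], detail)


def triage(events) -> list:
    """Dispatch each event to the matching rule and collect findings in order."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 1:
            f = check_process_create(ev)
        elif eid == 13:
            f = check_registry_set(ev)
        else:
            f = None
        if f:
            findings.append(f)
    return findings


# Constructed sample events (not real telemetry). The encoded payload is a placeholder.
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "WS01", "User": "CORP\\alice",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "powershell.exe"},
    {"EventID": 1, "Computer": "WS01", "User": "CORP\\alice",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell -w hidden -nop -enc PLACEHOLDER_BASE64"},
    {"EventID": 1, "Computer": "WS02", "User": "CORP\\bob",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Microsoft VS Code\Code.exe",
     "CommandLine": "powershell -NoProfile -Command Get-Process"},
    {"EventID": 13, "Computer": "WS01", "User": "CORP\\alice",
     "Image": r"C:\Users\alice\AppData\Local\Temp\updater.exe",
     "TargetObject": r"HKU\S-1-5-21-1234\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\alice\AppData\Local\Temp\updater.exe"},
    {"EventID": 13, "Computer": "WS03", "User": "NT AUTHORITY\\SYSTEM",
     "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
     "Details": r"C:\Program Files\Vendor\agent.exe"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.host} {f.user}: {f.detail}")
```

Run as-is and the script reports two findings: the hidden, encoded PowerShell launched from the Run dialog on WS01, and the Temp-folder executable registering itself under alice's Run key. The developer-launched PowerShell on WS02 and the installer-written Run value are deliberately left alone; in production the parent-process and installer allow-lists would be tuned to the estate rather than hard-coded.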
It advised: “Interlock actors do not leave an initial ransom demand or payment instructions on compromised networks, and do not relay this information until contacted by the victim. The actors instruct victims to make ransom payments in Bitcoin.”
Protecting against Interlock
Cybersecurity company BlackFog's CEO Darren Williams said the advisory was a reminder of the “living-off-the-land techniques” used by ransomware groups to bypass security defences as they shift away from “smash-and-grab encryption” to stealthy exfiltration.
He advised: “To stay ahead, organizations must focus on outbound data monitoring, maintain visibility across remote access pathways, and enforce least-privilege access.”
The federal agencies added that security teams should implement domain name system filtering and web access firewalls to limit dodgy downloads, and segment networks to prevent lateral movement by Interlock actors.
The advisory also reiterated the importance of standard cybersecurity measures, including strong identity and access management policies, multifactor authentication, and the mitigation of vulnerabilities through patches and regular software updates.