Ransomware Interlock Infects: Latest Updates and Analysis

How Interlock Ransomware Infects Healthcare Organizations

Ransomware attacks have reached an unprecedented scale in the healthcare sector, exposing vulnerabilities that put millions at risk. in recent times, UnitedHealth revealed that 190 million Americans had their personal and healthcare data stolen during the Change Healthcare ransomware attack, a figure that nearly doubles the previously disclosed total.

This breach demonstrates just how deeply ransomware can infiltrate critical systems, leaving patient trust and care hanging in the balance.

One of the groups that targets this already fragile sector is the Interlock ransomware group. Known for their calculated and sophisticated attacks, they focus on hospitals, clinics, and other medical service providers.

Interlock Ransomware Group: An Active Threat to Healthcare.

The Interlock ransomware group is a relatively recent but dangerous player in the world of cybercrime, known for employing double-extortion tactics.

This method involves encrypting a victim's data to disrupt operations and threatens to leak sensitive information if ransom demands are not met. Their primary motivation is financial gain, and their methods are tailored to maximize pressure on their targets.

Sophistication: The group uses advanced techniques like phishing, fake software updates, and malicious websites to gain initial access. Persistence: Their ability to remain undetected for long periods amplifies the damage they can cause. Rapid deployment: Once inside a network, they quickly move laterally, stealing sensitive data and preparing systems for encryption. Tailored ransom demands: The group carefully assesses the value of the stolen data to set ransom amounts that victims are likely to pay.

Recent Targets by Interlock Ransomware Group.

In late 2024, Interlock targeted multiple healthcare organizations in the United States, exposing sensitive patient information and severely disrupting operations. Victims included:

Brockton Neighborhood Health Center : Breached in October 2024, with the attack remaining undetected for nearly two months.

: Breached in October 2024, with the attack remaining undetected for nearly two months. Legacy Treatment Services : Detected in late October 2024.

: Detected in late October 2024. Drug and Alcohol Treatment Service: Compromised data uncovered in the same period.

The Interlock ransomware group begins its attack with a strategic and highly deceptive method known as a Drive-by Compromise. This technique allows the group to gain initial access to targeted systems by exploiting unsuspecting consumers, often through carefully designed phishing websites.

The attack starts when the Interlock group either compromises an existing legitimate website or registers a new phishing domain. These sites are carefully crafted to appear trustworthy, mimicking credible platforms like news portals or software download pages. The sites often contain links to download fake updates or tools, which, when executed, infect the user's device with malicious software.

Example: [website]'s interactive sandbox detected a domain flagged as part of Interlock's activity, [website] The latter was designed to trick individuals into downloading malware disguised as legitimate software.

This tactic effectively bypasses the initial layer of user suspicion, but with early detection and analysis, SOC teams can quickly identify malicious domains, block access, and respond faster to emerging threats, reducing the potential impact on business operations.

[website] flagged as part of Interlock's activity inside [website] sandbox.

Equip your team with the tools to combat cyber threats. Get a 14-day free trial and analyze unlimited threats with [website].

Once the Interlock ransomware group breaches initial defenses, the Execution phase begins. At this stage, attackers deploy malicious payloads or execute harmful commands on compromised devices, setting the stage for full control over the victim's network.

Interlock ransomware often disguises its malicious tools as legitimate software updates to deceive consumers. Victims unknowingly launch fake updaters, such as those mimicking Chrome, MSTeams, or Microsoft Edge installers, thinking they are performing routine maintenance. Instead, these downloads activate Remote Access Tools (RATs), which grant attackers full access to the infected system.

Inside [website]'s sandbox session, one of the updaters, [website], is clearly identified within the process tree on the right-hand side, showing its malicious behavior and execution flow.

Fake updater analyzed inside [website] sandbox.

Analysts receive detailed data in a clear and user-friendly format, helping companies improve their threat response workflows, reduce analysis time, and achieve faster and more effective results when fighting against cyber threats.

Decrypted malicious URL inside [website] sandbox.

The next step of the attack is to steal access credentials. These credentials grant attackers the ability to move laterally within the network and further exploit the victim's infrastructure.

The Interlock ransomware group used a custom Stealer tool to harvest sensitive data, including usernames, passwords, and other authentication credentials. , this stolen information was stored in a file named "[website]", which served as a collection point before exfiltration.

Using [website]'s TI Lookup tool, we uncovered that this Stealer was detected on the platform as early as August 2024.

Lateral Movement: Expanding the Foothold.

During the Lateral Movement phase, attackers spread across the network to access additional systems and resources. The Interlock ransomware group relied on legitimate remote administration tools such as Putty, Anydesk, and RDP, often used by IT teams but repurposed for malicious activities.

Data Exfiltration: Extracting Stolen Information.

In this final stage, attackers exfiltrate stolen data out of the victim's network, often using cloud storage services. The Interlock ransomware group, for instance, leveraged Azure cloud storage to transfer data outside the organization.

Inside the [website] Sandbox we can see how the data is being sent to attacker-controlled servers.

For example, here logs revealed information being transmitted to IP 217[.][website] over port 443 during an Interlock attack.

Data sent by the RAT to attacker-controlled servers revealed by [website].

Proactive Protection Against Ransomware in Healthcare.

The healthcare sector is a prime target for ransomware groups like Interlock, with attacks that jeopardize sensitive patient data, disrupt critical services, and put lives at risk. Healthcare organizations must stay cautious and prioritize cybersecurity measures to protect their systems and data.

Early detection is the key to minimizing damage. Tools like [website] Sandbox allow healthcare teams to identify threats like Interlock early in the attack chain, providing actionable insights to prevent data breaches before they occur.

With the ability to safely analyze suspicious files, uncover hidden Indicators of Compromise (IOCs), and monitor network activity, [website] gives organizations the power to fight back against advanced threats.

Start your free 14-day [website] trial today and give your team the tools to help them stop ransomware threats before they escalate.

Microsoft has released a PowerShell script to help Windows clients and admins modification bootable media so it utilizes the new.

​AMD has released mitigation and firmware updates to address a high-severity vulnerability that can be exploited to load malicious CPU microcode on un......

As the cybersecurity landscape continues to evolve, proactive vulnerability management has become a critical priority for managed service providers (M......

Top 3 Ransomware Threats Active in 2025

You arrive at the office, power up your system, and panic sets in. Every file is locked, and every system is frozen. A ransom demand flashes on your screen: "Pay $2 million in Bitcoin within 48 hours or lose everything."

And the worst part is that even after paying, there's no guarantee you'll get your data back. Many victims hand over the money, only to receive nothing in return, or worse, get hit again.

This isn't a rare case. Ransomware attacks are crippling businesses worldwide, from hospitals and banks to small companies. The only way to stop the damage is by proactively analyzing suspicious files and links before they can be executed.

Below, we break down the top three ransomware families active in 2025: LockBit, Lynx, and Virlock, and find out how interactive analysis helps businesses detect and stop them before it's too late.

LockBit is one of the most notorious ransomware groups, known for its highly efficient encryption, double extortion tactics, and ability to evade traditional security measures. Operating under a Ransomware-as-a-Service (RaaS)model, it enables affiliates to distribute the malware, leading to widespread attacks across various industries.

London Drugs (May 2024): LockBit targeted Canadian retailer London Drugs, forcing the closure of all its locations across Canada. Hackers demanded $25 million, leaking some employee data after the corporation refused to pay.

LockBit targeted Canadian retailer London Drugs, forcing the closure of all its locations across Canada. Hackers demanded $25 million, leaking some employee data after the corporation refused to pay. University Hospital Center, Zagreb (June 2024): Disrupted Croatia's largest hospital, forcing staff to revert to manual operations while attackers claimed to have exfiltrated medical records.

Disrupted Croatia's largest hospital, forcing staff to revert to manual operations while attackers claimed to have exfiltrated medical records. Evolve Bank & Trust (June 2024): Breached sensitive financial data, with hackers falsely claiming to have Federal Reserve information. The attack raised concerns due to Evolve's ties with major fintech firms.

Let's take a closer look at a LockBit ransomware sample inside [website]'s secure sandbox to discover its key behaviors.

File icons changed inside [website] sandbox.

Inside the Interactive Sandbox, we notice the first thing that stands out: file icons changing to the LockBit logo. This is an immediate sign of ransomware infection.

Uncover ransomware tactics in real-time and prevent costly breaches before they happen. Try [website] free for 14 days.

This is followed by a ransom note inside the sandbox, stating that your files have been stolen and encrypted. The message is clear: Pay the ransom, or the data will be .

Ransom note displayed inside secure environment.

On the right side of the screen, we see a detailed breakdown of every process LockBit executes to attack the system.

Process tree demonstrates the behaviors of LockBit.

Detailed breakdown of processes inside Interactive Sandbox.

This type of analysis is essential for businesses as it allows them to understand how ransomware spreads, identify weak points in their security, and take proactive steps to block similar threats before they cause financial and operational damage.

MITRE ATT&CK tactics and techniques detected by [website].

In this case, we see LockBit using several dangerous techniques:

Gaining higher privileges by bypassing security controls.

Extracting stored credentials from files and web browsers.

Scanning the system to gather information before encrypting files.

Encrypting data to lock down critical business operations.

Despite law enforcement actions, LockBit continues to pose a significant threat for 2025. The group's alleged leader, known as LockBitSupp, has warned of new ransomware attacks launching this February. This means businesses cannot afford to let their guard down.

Lynx: The Rising Threat to Small and Mid-Sized Businesses.

Lynx is a relatively new ransomware group that surfaced in mid-2024 and quickly built a reputation for its highly aggressive approach. Unlike larger ransomware gangs that focus on corporate giants, Lynx deliberately goes after small and mid-sized businesses across North America and Europe, taking advantage of weaker security measures.

Their strategy relies on double extortion. They don't just encrypt files but also threaten to leak stolen data on both public websites and dark web forums if victims refuse to pay. This forces businesses into an impossible choice: pay the ransom or risk having confidential data, financial details, and customer records exposed online.

In mid-January 2025, Lynx targeted Lowe Engineers, a prominent civil engineering firm based in Atlanta, Georgia. The attack led to the exfiltration of sensitive data, including confidential project information and client details. Given the firm's involvement in critical infrastructure projects, this breach raised significant concerns about potential impacts on federal and municipal contracts.

Thanks to [website]'s Interactive Sandbox, we can analyze the full attack chain of Lynx ransomware in a controlled virtual environment, without risking real systems.

The moment we upload and launch the malicious executable file in [website]'s cloud-based sandbox, the ransomware immediately starts encrypting files and changes their extensions to .LYNX.

The Files Modification tab provides the changes of file system activity.

Shortly after, a ransom note appears, and the desktop wallpaper is replaced with an extortion message directing victims to a TOR site, where attackers demand payment.

Lynx ransomware changing the wallpaper inside [website] sandbox.

Inside the [website] sandbox, we can manually open the [website] dropped by Lynx to view the ransom message exactly as a victim would.

The ransom note includes .onion links that direct victims to the attackers' communication portal.

In the MITRE ATT&CK section, we get a clear breakdown of Lynx's tactics and techniques, revealing how it operates:

MITRE ATT&CK tactics and techniques used by Lynx ransomware.

Encrypting files to lock critical business data.

Renaming files to mimic other ransomware strains.

Querying the registry to scan for system details and security software.

Reading CPU information to assess the target environment.

Checking software policies to determine security settings before proceeding.

Virlock: A Self-Replicating Ransomware That Won't Die.

Virlock is a unique ransomware strain that first emerged in 2014. Unlike typical ransomware, Virlock not only encrypts files but also infects them, turning each into a polymorphic file infector. This dual capability allows it to spread rapidly, especially through cloud storage and collaboration platforms.

In recent analyses, Virlock has been observed spreading stealthily via cloud storage and collaboration apps. When a user's system is infected, Virlock encrypts and infects files, which are then synced to shared cloud environments.

Collaborators who access these shared files inadvertently execute the infected files, leading to further spread within the organization.

Let's analyze Virlock's behavior using a real-time sample inside [website]'s sandbox.

Just like LockBit and Lynx, Virlock drops a ransom note upon execution. However, this time, it demands payment in Bitcoin, a common tactic among ransomware operators.

In this specific sample, Virlock asks for the equivalent of $250 in Bitcoin, threatening to permanently delete files if the ransom isn't paid.

Interestingly, the ransom note doesn't just demand payment. It also includes a guide on Bitcoin, explaining what it is and how victims can acquire it for payment.

Ransom note demanding BitCoin left by Virlock.

During execution, [website] detects several malicious activities, revealing how Virlock operates:

Behavior of Virlock ransomware analyzed by Interactive Sandbox.

A Virlock-specific mutex is identified, helping the malware ensure only one instance runs at a time to avoid interference.

Virlock executes commands through batch (.bat) files, launching [website] to perform malicious actions.

The ransomware modifies the Windows registry using REG/[website], likely to establish persistence or disable security functions.

Each sandbox session in [website] automatically generates a detailed study that can be easily shared within a business. These reports are formatted for further analysis, helping security teams collaborate and develop effective strategies to combat ransomware threats in 2025.

Ransomware in 2025: A Growing Threat You Can Stop.

Ransomware is more aggressive than ever, disrupting businesses, stealing data, and demanding millions in ransom. The cost of an attack includes lost operations, damaged reputation, and stolen customer trust.

You can stop ransomware before it locks you out. By analyzing suspicious files in [website]'s Interactive Sandbox, you get real-time insights into malware behavior, without risking your systems.

Try [website] free for 14 days to proactively identify cyber threats to your business before it's too late!

​CISA has ordered federal agencies to secure their systems within three weeks against a high-severity Linux kernel flaw actively exploited in attacks.......

Ransomware attacks have reached an unprecedented scale in the healthcare sector, exposing vulnerabilities that put millions at risk. in recent times, UnitedH......

The US Cybersecurity & Infrastructure Security Agency (CISA) has added four vulnerabilities to its Known Exploited Vulnerabilities catalog, urging fed......

Ransomware payments fell by 35% in 2024, totalling $813,550,000

Payments to ransomware actors decreased 35% year-over-year in 2024, totaling $[website] million, down from $[website] billion recorded in 2023.

Additionally, only about 30% of victims engaged in negotiations with ransomware actors ended up paying any ransom to them.

These figures are , underlining a significant decline in an otherwise record-breaking year for ransomware.

Specifically, 2024 saw a Fortune 50 firm paying a record $75,000,000 amount to the Dark Angels ransomware group. Moreover, , 2024 was the year with the highest volume of ransomware breaches, counting 5,263 successful attacks.

This is further corroborated by Chainalysis reporting that disclosures on data leak sites increased, suggesting that attackers are struggling to extort payments and increasing their activity to compensate for it.

Comparison between extortion attempts and payments.

The decline in ransomware payments despite increased attacks in 2024 is explained by several key factors, primarily higher victim resistance.

With awareness of risks underpinning ransomware breaches having increased across all industries, entities invest more in cybersecurity, adopt enhanced practices, and implement stronger protection measures.

Additionally, a realization of threat actors' promises to delete stolen data can't be trusted, and due to legal pressure, more organizations are refusing to negotiate. Instead, they would rather absorb the reputational impact and recover their data/systems from backups.

Another dimension that played a key role in the decline is the law enforcement operations targeting ransomware gangs that took place last year. Most notably, the 'Operation Cronos' action that disrupted the most notorious and prolific ransomware group at the time, LockBit.

This, combined with the exit scam of ALPHV/BlackCat, left the space fragmented, with smaller operations failing to fill the void despite RansomHub's relative success.

Ultimately, Chainalysis data reveals that the median payment amounts dropped in 2024 despite the Dark Angels' record, indicating that even when payments were made, they were often negotiated down.

Ransom amounts range for each threat group.

Even for the money that gets into ransomware actors' pockets, things have gotten much more complicated than in past years when cybercriminals had multiple laundering options.

Law enforcement crackdowns on cryptocurrency mixers and exchanges that didn't abide by know-you-customer (KYC) laws have also pressed ransomware actors to look elsewhere.

Chainalysis says mixing services are now being abandoned in favor of cross-chain bridges to obfuscate transactions and evade tracking.

Centralized exchanges remained the primary cash-out method in 2024, with 39% of all ransomware proceeds being passed through them.

Finally, Chainalysis says an increasing number of affiliates opt to hold ransomware proceeds in personal wallets and hesitate to cash out due to fear of getting tracked down and arrested.

The US Cybersecurity & Infrastructure Security Agency (CISA) has added four vulnerabilities to its Known Exploited Vulnerabilities catalog, urging fed......

Privileged Access Management (PAM) has emerged as a cornerstone of modern cybersecurity strategies, shifting from a technical necessity to a critical ......

British-based engineering firm IMI plc has disclosed a security breach after unknown attackers hacked into the corporation's systems.