
Interlock Ransomware Threat: Joint CISA-FBI Advisory + SCYTHE Emulation

Written by SCYTHE | Aug 26, 2025 1:05:47 PM

On July 22, 2025, the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), Department of Health and Human Services (HHS), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) issued a joint cybersecurity advisory addressing a rapidly evolving ransomware threat: Interlock Ransomware.

This advisory is part of a broader push to bolster critical infrastructure resilience in the face of increasingly targeted and financially motivated ransomware campaigns that leverage a blend of sophisticated delivery mechanisms, extortion tactics, and novel infrastructure.

Who is Interlock Ransomware?

Interlock is a ransomware adversary focused on financial gain through double extortion — not only encrypting victim data but also threatening to leak it if ransom demands aren’t met.

According to the threat model (see below), Interlock exhibits these key tactics and capabilities:

  • Ransomware deployment for financial extortion
  • Double extortion schemes, leveraging public shaming or leak threats
  • ClickFix, a technique to exploit vulnerable browser sessions via malicious redirects
  • Drive-by compromise using decoy infrastructure or laced content

Primary targets include:

  • Critical infrastructure
  • Healthcare organizations
  • Educational institutions
  • Manufacturing and industrial operations

Geographically, victims are primarily located in the United States and Europe, with observed activity aligning with sectors that have limited downtime tolerance and often weak segmentation or legacy systems.

Infrastructure & Indicators of Compromise (IOCs)

Recent FBI investigations have uncovered active Interlock infrastructure, including:

Domains leveraging Cloudflare's temporary tunneling service:

  • existed-bunch-balance-council[.]trycloudflare[.]com
  • ferrari-rolling-facilities-lounge[.]trycloudflare[.]com
  • ranked-accordingly-ab-hired[.]trycloudflare[.]com
  ...and others

Suspicious IPs and subnets:

  • 64[.]95[.]12[.]71
  • 184[.]95[.]51[.]165

Malware Hashes:

  • 8afd6c0636c5d70ac0622396268786190a428635e9cf28ab23add939377727b0 (config.cfg)
  • 28a9982cf2b4fc53a154b6ed0d0c1788ca9369a847750f5652ffa0ca7f7b7d3 (config.cfg)

These IOCs are tied to initial access payloads and configuration files that facilitate further lateral movement, credential harvesting, and data staging.
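As an added illustration, not code from the SCYTHE post or its emulation plan, the Python script below refangs the indicators listed above and matches them against a few constructed DNS, proxy and EDR log lines. It also generalises the domain check: because the advisory lists more tunnel hostnames than this page reproduces, any other *.trycloudflare.com lookup is raised as a lower-confidence finding rather than ignored. The log line format and the hostname calm-ocean-example.trycloudflare.com are assumptions made for the example; the second hash is used exactly as printed on the page.

```python
import re

# Indicators as printed in the advisory summary above, defanged with "[.]".
DEFANGED_DOMAINS = [
    "existed-bunch-balance-council[.]trycloudflare[.]com",
    "ferrari-rolling-facilities-lounge[.]trycloudflare[.]com",
    "ranked-accordingly-ab-hired[.]trycloudflare[.]com",
]
DEFANGED_IPS = ["64[.]95[.]12[.]71", "184[.]95[.]51[.]165"]
# SHA-256 values copied verbatim as printed on the page (the second one is
# 63 characters long as printed; it is matched only as that exact string).
FILE_HASHES = [
    "8afd6c0636c5d70ac0622396268786190a428635e9cf28ab23add939377727b0",
    "28a9982cf2b4fc53a154b6ed0d0c1788ca9369a847750f5652ffa0ca7f7b7d3",
]
# The advisory lists more tunnel hostnames than this page reproduces, so any
# other *.trycloudflare.com lookup is raised as a lower-confidence finding.
TUNNEL_SUFFIX = ".trycloudflare.com"


def refang(ioc: str) -> str:
    """Turn a defanged indicator such as 'example[.]com' back into a matchable form."""
    return ioc.replace("[.]", ".").strip().lower()


DOMAIN_SET = {refang(d) for d in DEFANGED_DOMAINS}
IP_SET = {refang(i) for i in DEFANGED_IPS}
HASH_SET = {h.lower() for h in FILE_HASHES}

# Token extractors for free-form log lines: hostnames, dotted IPv4, long hex runs.
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HEX_RE = re.compile(r"\b[0-9a-f]{32,}\b")


def scan_line(line: str) -> list[tuple[str, str, str]]:
    """Return (kind, indicator, confidence) for every IOC hit in one log line."""
    hits = []
    low = line.lower()  # indicators are compared case-insensitively
    for host in HOST_RE.findall(low):
        if host in DOMAIN_SET:
            hits.append(("domain", host, "high"))    # hostname listed in the advisory
        elif host.endswith(TUNNEL_SUFFIX):
            hits.append(("domain", host, "medium"))  # unlisted trycloudflare tunnel host
    for ip in IPV4_RE.findall(low):
        if ip in IP_SET:
            hits.append(("ip", ip, "high"))
    for tok in HEX_RE.findall(low):
        if tok in HASH_SET:
            hits.append(("hash", tok, "high"))
    return hits


def scan_logs(lines) -> list[tuple[int, str, str, str]]:
    """Scan an iterable of log lines; each hit is prefixed with its 1-based line number."""
    return [(n, *hit) for n, line in enumerate(lines, 1) for hit in scan_line(line)]


# Constructed sample telemetry (DNS, proxy and EDR events); not real log data.
SAMPLE_LOGS = [
    "2025-08-26T10:01:02Z dns host=workstation-12 qname=existed-bunch-balance-council.trycloudflare.com type=A",
    "2025-08-26T10:01:05Z proxy src=10.0.0.5 dst=64.95.12.71:443 action=allow",
    "2025-08-26T10:02:11Z dns host=workstation-12 qname=calm-ocean-example.trycloudflare.com type=A",
    "2025-08-26T10:03:30Z edr file_write path=C:\\Users\\Public\\config.cfg "
    "sha256=8AFD6C0636C5D70AC0622396268786190A428635E9CF28AB23ADD939377727B0",
    "2025-08-26T10:04:00Z proxy src=10.0.0.7 dst=142.250.72.14:443 action=allow",
]

if __name__ == "__main__":
    for n, kind, ioc, conf in scan_logs(SAMPLE_LOGS):
        print(f"line {n}: {kind} {ioc} [{conf}]")
```

Run against the constructed sample, the script reports the listed domain, the listed IP and the listed hash at high confidence and the unlisted tunnel hostname at medium confidence; the fifth line, an unrelated HTTPS connection, produces nothing. Keeping the defanged indicators as the source of truth and refanging at load time avoids accidental copy-paste "live" links in tickets and wikis, and the suffix rule gives analysts a place to review tunnel traffic that was not on the published list.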

Recommendations from the Advisory

The advisory emphasizes a multi-layered defense strategy. Key recommended actions include:

  1. Block initial access vectors
  2. Patch and harden systems
  3. Implement strong identity controls
  4. Segment networks


Emulate Interlock Ransomware in SCYTHE

Want to see how your blue team stacks up against Interlock’s real-world tactics, techniques, and procedures (TTPs)?

We've modeled Interlock Ransomware behaviors in SCYTHE, including:

  • Simulated ransomware deployment
  • C2 beaconing to .trycloudflare infrastructure
  • Credential access and lateral movement
  • Indicators of compromise based on the latest FBI and CISA data

This emulation gives defenders the opportunity to:

  • Validate detections in your SIEM/XDR
  • Test endpoint controls and network segmentation
  • Train your team against a live, mapped adversary
  • Measure effectiveness across MITRE ATT&CK techniques


Perfect for purple team exercises, tabletop simulations, or SOC readiness testing.

Interlock is just one example of how ransomware continues to evolve, combining stealthy initial access, evasive infrastructure, and aggressive extortion tactics. Joint advisories like this help the community stay ahead, but emulating the threat in your own environment is what brings defense to life.

If you’re serious about resilience, detection, and readiness, now is the time to test your defenses against Interlock.