MOXFIVE assisted in responding to some of the earliest known INTERLOCK ransomware incidents, providing key insight into the tactics and operations observed in these attacks. Over time, multiple shifts in tactics, techniques, and procedures (TTPs) have been identified in INTERLOCK-related activity. In a recent case, a Java-based backdoor was deployed, marking a notable evolution in the tools used.

While Java-based tools have appeared in previous incidents, this finding suggests a broader strategic shift—expanding beyond ransomware deployment to include alternative access mechanisms. Alongside the backdoor, analysis confirmed the presence of a PowerShell-based RAT, reinforcing a pattern of remote access tools being used to establish and maintain control over victim environments before the INTERLOCK ransomware execution.

Before diving into these latest developments, let’s revisit MOXFIVE’s initial research into the early operations behind INTERLOCK ransomware.
‍
Early Insights into INTERLOCK Ransomware
MOXFIVE first observed INTERLOCK ransomware attacks in September 2024, with initial activity primarily impacting the Healthcare sector. Since then, these operations have expanded to target organizations in Financial Services, Government, Technology, and Education industries.

Initial Observations: MOXFIVE Threat Actor Alert – INTERLOCK Ransomware

Key Changes in INTERLOCK's Tactics
Since our initial research, INTERLOCK ransomware operations have evolved, incorporating the following TTPs:

• Initial Access Expansion: Added fake software updates as a malware delivery method alongside phishing.
• Increased Persistence Mechanisms: Leveraged scheduled tasks, startup folder modifications, and registry edits to maintain access.
• Data Exfiltration via AzCopy:  Used legitimate Microsoft tools that enable data transfers to and from cloud storage. This use of AZCopy is less likely to trigger alerts.
• Use of Remote Access Tools:  Leveraged PowerShell-based RATs, along with legitimate remote administration tools like PuTTY and AnyDesk, to establish and maintain access within victim environments.

Expanding Remote Access & ESXi Targeting
In a recent case, MOXFIVE observed INTERLOCK ransomware operators deploying a Java-based backdoor, marking a shift in their remote access and persistence tactics. This incident also involved a PowerShell-based RAT, reinforcing the group’s usage of multiple access mechanisms to maintain control over compromised environments.

As the attack progressed, Active Directory credentials were stolen, scheduled tasks and registry modifications were used for persistence, and data was exfiltrated via AzCopy. In the later stages, plink.exe was leveraged to access ESXi servers, leading to ransomware execution across virtualized infrastructure.

The incident unfolded over the course of a week, progressing through the following stages:

Breakdown of the Attack
‍
Stage 1: Initial Access & Reconnaissance‍

• A Remote Desktop Protocol (RDP) session was observed on a compromised system.
• A PowerShell-based RAT was executed, enabling network reconnaissance, credential theft, and lateral movement.

Stage 2: Credential Theft & Privilege Escalation

• Active Directory credentials were stolen, granting attackers privileged access to the environment.

Stage 3: Establishing Persistence

• A Java-based backdoor was deployed, providing an additional access mechanism.
• New backdoors, scheduled tasks, and registry modifications were introduced to maintain long-term access.

Stage 4: Data Theft & Ransomware Execution

• Data Exfiltration: Attackers used AzCopy to transfer stolen files to external infrastructure.
• Ransomware Deployment & ESXi Targeting: Encryption was launched across multiple systems, including ESXi servers, using plink.exe for remote execution.

‍
MOXFIVE is continuing to monitor INTERLOCK and will continue to update this page if new information emerges. If you need assistance with a current incident, please contact us at 833-568-6695 or email our team at incident@moxfive.com.