Ethical Hacking News
Interlock ransomware has shifted its tactics towards a stealthier method called "FileFix," which relies on tricking users into executing malicious code without displaying security warnings. This shift is likely to gain popularity as threat actors explore new attack methods, and cybersecurity professionals must stay vigilant to recognize this tactic and protect themselves from potential attacks.
Interlock ransomware has adopted the "FileFix" technique, a social engineering attack method that tricks users into executing malicious code without displaying security warnings. The FileFix variation of ClickFix allows attackers to weaponize trusted Windows UI elements, bypassing traditional security measures. Targets are tricked into executing malicious PowerShell or JavaScript code by pasting a copied string into File Explorer's address bar. Interlock ransomware is capable of gathering sensitive information and adapting its tactics to evade detection. The shift towards FileFix indicates that Interlock ransomware is quick to adapt to stealthier attack methods, making it essential for defenders to stay informed and up-to-date on the latest threat intelligence.
Interlock ransomware, a notorious actor in the world of cybercrime, has been making headlines lately due to its strategic shift towards an even stealthier method of delivery. Researchers at The DFIR Report and Proofpoint have observed that Interlock has adopted the "FileFix" technique, a social engineering attack method that relies on tricking users into executing malicious code without displaying any security warnings.
FileFix is an evolution of ClickFix, a social engineering tactic that gained popularity over the past year. This new approach allows attackers to weaponize trusted Windows UI elements, such as File Explorer and HTML Applications (.HTA), to bypass traditional security measures. Users are tricked into executing malicious PowerShell or JavaScript code by pasting into File Explorer's address bar a copied string that is disguised to look like a file path using comment syntax.
In the recent Interlock attacks, targets are asked to paste a command disguised with a fake file path into File Explorer, which downloads a PHP RAT from 'trycloudflare.com' and executes it on the system. Post-infection, the RAT executes a series of PowerShell commands to gather system and network information and exfiltrates this data as structured JSON to the attacker.
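As a defender-side illustration of the comment-disguised path described above (an added example, not code from The DFIR Report, Proofpoint or this article), the following Python flags process-creation events whose PowerShell command line ends in a comment shaped like a Windows path, and notes any reference to trycloudflare.com. The event field names, the interpreter list and the sample events are constructed assumptions.

```python
import re

# Assumption: the page names PowerShell; these image names are this example's choice.
INTERPRETERS = {"powershell.exe", "pwsh.exe"}

# A '#' comment that runs to the end of the line and is shaped like a Windows
# path (drive letter or UNC prefix): the "fake file path" the victim sees.
TRAILING_PATH_COMMENT = re.compile(r"#\s*(?P<decoy>(?:[A-Za-z]:\\|\\\\)[^#]*)$")
# Delivery host named in the article.
TUNNEL_HOST = re.compile(r"trycloudflare\.com", re.IGNORECASE)


def analyze(event):
    """Return the reasons a process-creation event resembles a FileFix paste."""
    image = event["image"].rsplit("\\", 1)[-1].lower()
    if image not in INTERPRETERS:
        return []
    cmd = event["command_line"]
    reasons = []
    match = TRAILING_PATH_COMMENT.search(cmd)
    # Require real arguments before the comment, not just the interpreter name.
    if match and len(cmd[:match.start()].split()) > 1:
        reasons.append("path-shaped trailing comment: " + match.group("decoy").strip())
    if TUNNEL_HOST.search(cmd):
        reasons.append("references trycloudflare.com")
    return reasons


def scan(events):
    """Map pid -> reasons for every event that produced at least one reason."""
    return {e["pid"]: r for e in events if (r := analyze(e))}


# Constructed sample events (field names are hypothetical, payloads are inert).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"pid": 101, "image": PS,
     "command_line": r"powershell.exe -c Write-Output constructed # C:\Users\Public\Q3-report.docx"},
    {"pid": 102, "image": PS,
     "command_line": r"powershell.exe -File C:\scripts\backup.ps1"},
    {"pid": 103, "image": PS,
     "command_line": r"powershell.exe -c Write-Output https://constructed.trycloudflare.com # \\fs01\share\invoice.pdf"},
    {"pid": 104, "image": r"C:\Windows\System32\notepad.exe",
     "command_line": r"notepad.exe C:\notes\#todo.txt"},
]

if __name__ == "__main__":
    for pid, reasons in scan(SAMPLE_EVENTS).items():
        print(pid, reasons)
```

The check does not parse quoting or other comment syntaxes, so a '#' inside a quoted argument can produce a false hit; treat matches as triage leads.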
The DFIR Report also mentions evidence of interactive activity, including Active Directory enumeration, checking for backups, navigating local directories, and examining domain controllers. This level of interaction suggests that Interlock ransomware is capable not only of gathering sensitive information but also of adapting its tactics to evade detection.
Interlock ransomware launched in September 2024, claiming notable victims like Texas Tech University, DaVita, and Kettering Health. The ransomware operation leveraged ClickFix to infect targets, but its pivot to FileFix indicates that the attacker is quick to adapt to stealthier attack methods.
This shift towards FileFix is likely to gain more popularity as threat actors explore ways to incorporate it into their attack chains. As a result, cybersecurity professionals and individuals must be vigilant in recognizing this new tactic and taking steps to protect themselves from potential Interlock ransomware attacks.
The rise of FileFix highlights the ongoing cat-and-mouse game between cyber attackers and security researchers. As new tactics emerge, it is essential for defenders to stay informed and up-to-date on the latest threat intelligence to mitigate these risks.
In light of this evolving threat landscape, it is crucial that individuals and organizations prioritize cybersecurity measures, such as regular software updates, robust antivirus solutions, and secure data backup practices. By doing so, they can significantly reduce their exposure to FileFix-based attacks and protect themselves from potential Interlock ransomware infections.
Related Information:
https://www.ethicalhackingnews.com/articles/Interlock-Ransomwares-Stealthy-Shift-to-FileFix-A-Growing-Concern-for-Cybersecurity-ehn.shtml
https://www.bleepingcomputer.com/news/security/interlock-ransomware-adopts-filefix-method-to-deliver-malware/
Published: Mon Jul 14 14:04:15 2025 by llama3.2 3B Q4_K_M