They Enter as Friends — Attack as Foes: New Ransomware Disguised as Windows Tools

In just one year, the group has hit dozens of major companies — including hospitals.

A surge of cyberattacks has been recorded in the U.S., involving a group known as Interlock, which uses double extortion tactics to target companies and critical infrastructure. This was reported in a joint alert issued by the Cybersecurity and Infrastructure Security Agency (CISA), FBI, Department of Health and Human Services (HHS), and the Multi-State Information Sharing and Analysis Center (MS-ISAC).
The report includes updated indicators of compromise (IOCs) from incidents investigated as recently as June 2025. In addition to technical details, it outlines the attackers’ latest methods and provides actionable defense recommendations.
Interlock is a relatively new threat actor — its first known attacks occurred in September 2024. Since then, it has expanded globally and hit organizations across multiple industries. The healthcare sector has been particularly affected, likely due to its heavy reliance on continuous digital operations.
Previously, Interlock was linked to ClickFix attacks, where hackers disguised malware as legitimate IT tools to gain initial access to corporate networks. They have also been associated with the deployment of NodeSnake malware in the IT systems of UK universities.
Recent victims include major U.S. healthcare providers. Notably, DaVita — a Fortune 500 company specializing in kidney care — was attacked, with hackers claiming the theft and publication of 1.5 terabytes of internal data. Another target was Kettering Health, a large medical network with over 120 outpatient facilities and a staff of more than 15,000.
The FBI highlighted unusual tactics used by Interlock. In some cases, malware was delivered through drive-by downloads — via infected but seemingly legitimate websites. This method is rare among ransomware groups and makes detection more difficult.
Interlock typically uses a double extortion model: first, it exfiltrates sensitive data, and then encrypts local files. Victims are pressured to pay ransom not only for decryption but also to prevent public exposure of their data.
In July, researchers observed a new tactic dubbed "FileFix", based on social engineering. It leverages trusted Windows interfaces like File Explorer and HTA files (HTML Applications) to convince victims to run malicious PowerShell or JavaScript scripts — with no security warnings. This allows remote access to the system and further spread of malware.
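The FileFix chain described above leaves a recognisable footprint in process-creation telemetry: an HTA executed through mshta.exe, or a script host such as PowerShell spawned directly by File Explorer. The following is an added example (not code from the advisory or from any vendor) of a triage heuristic over constructed Sysmon-style events; the field names, hosts, users and paths are invented, and the parent/child and flag rules are my own assumptions, not indicators from the report.

```python
import ntpath

# Constructed process-creation events in a Sysmon Event ID 1 style, reduced to the
# fields the heuristic needs. Hosts, users, paths and timestamps are invented.
SAMPLE_EVENTS = [
    {"ts": "2025-07-22T09:14:03Z", "host": "ws-0417", "user": "CORP\\jdoe",
     "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmd": "powershell.exe -w hidden -ep bypass -c <redacted>"},
    {"ts": "2025-07-22T09:15:40Z", "host": "ws-0417", "user": "CORP\\jdoe",
     "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\mshta.exe",
     "cmd": "mshta.exe C:\\Users\\jdoe\\Downloads\\invoice.hta"},
    {"ts": "2025-07-22T09:16:12Z", "host": "ws-0417", "user": "CORP\\jdoe",
     "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\notepad.exe",
     "cmd": "notepad.exe C:\\Users\\jdoe\\Documents\\notes.txt"},
    {"ts": "2025-07-22T09:20:00Z", "host": "srv-build-02", "user": "NT AUTHORITY\\SYSTEM",
     "parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmd": "powershell.exe -File C:\\ops\\nightly-backup.ps1"},
]

HTA_HOST = "mshta.exe"
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
# Flags that make a pasted one-liner run quietly or skip execution policy (assumed list).
SUSPICIOUS_FLAGS = ("-w hidden", "-windowstyle hidden", "-ep bypass", "-nop", "-enc")

def basename(path):
    """Lower-cased file name of a Windows path (handles both slash styles)."""
    return ntpath.basename(path.replace("/", "\\")).lower()

def classify(ev):
    """Return (severity, reason) for one event, or None if it looks benign."""
    image, parent, cmd = basename(ev["image"]), basename(ev["parent"]), ev["cmd"].lower()
    if image == HTA_HOST:
        return "high", "HTA launched via mshta.exe"
    if image in SCRIPT_HOSTS and parent == "explorer.exe":
        if any(flag in cmd for flag in SUSPICIOUS_FLAGS):
            return "high", "script host spawned by File Explorer with suspicious flags"
        return "medium", "script host spawned by File Explorer"
    return None

def triage(events):
    """Return alert records for events matching the FileFix heuristic."""
    alerts = []
    for ev in events:
        verdict = classify(ev)
        if verdict:
            alerts.append({"ts": ev["ts"], "host": ev["host"], "user": ev["user"],
                           "image": basename(ev["image"]), "severity": verdict[0],
                           "reason": verdict[1]})
    return alerts

if __name__ == "__main__":
    for a in triage(SAMPLE_EVENTS):
        print(f'{a["ts"]} {a["host"]} {a["user"]} [{a["severity"]}] {a["image"]}: {a["reason"]}')
```

Run against the constructed events, only the first two records alert; the scheduled backup script started from cmd.exe by SYSTEM and the notepad launch are left alone, which is the distinction a FileFix-focused rule needs to make to stay usable.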
To mitigate infection and extortion risks, organizations are advised to:
- Implement DNS filtering and web firewalls;
- Train staff to recognize phishing and social engineering;
- Regularly update all IT components, including OS and firmware;
- Segment networks to limit lateral movement after a breach;
- Enforce identity, credential, and access management (ICAM) policies, especially mandatory multi-factor authentication for all internal and external services.
This campaign is a stark reminder that even legitimate-looking tools can serve as entry points for highly coordinated ransomware operations.