The ransomware-as-a-service (RaaS) model has changed the game. Interlock is one of the groups making the heaviest use of this model in 2025, affecting businesses and institutions worldwide.
What makes it so dangerous? How does it operate? And what can we do to protect ourselves?

Immediate Ransomware Help
Don’t let ransomware hold your business hostage. Our experts are ready to recover your data and secure your systems.
🦠 What is ransomware as a service (RaaS)?
Ransomware-as-a-Service (RaaS) is a criminal model that allows inexperienced attackers to launch ransomware campaigns using platforms already set up by more advanced groups. It’s the cyber equivalent of renting attack tools: developers maintain the malware and infrastructure, while affiliates execute the attacks for a fee.
This has made ransomware more accessible and, therefore, more prevalent. As we explain in our guide to double ransomware extortion, cybercriminals not only encrypt data, but also publicly leak it to pressure their victims. With models like RaaS, these practices are multiplied by hundreds of coordinated attacks.

By 2025, groups like Interlock have embraced this model and are distributing tools to affiliates around the world, achieving massive impact with limited resources.
🔓 How does Interlock work?
The Interlock group has been the subject of an official alert published by CISA, detailing its most recent tactics, techniques, and procedures. This group is characterized by:
- Using social engineering and phishing to gain initial access.
- Distributing malware by impersonating legitimate tools such as AnyDesk or Atera.
- Compromising both Windows and Linux networks.
- Using techniques to circumvent antivirus and EDR software.
Once inside the network, Interlock performs lateral movement, exfiltrates data, and encrypts critical files. It then drops a ransom note and threatens to release the data if payment is not made.

This model affects even companies with basic security measures. Therefore, it is essential to implement business data protection that includes network segmentation, access control, and continuous auditing.
🛑 Why is Interlock a bigger threat?
The main difference between Interlock and other groups lies in its industrialized approach. This isn’t a standalone attack, but rather a digital assembly line: affiliates operate in parallel, infecting multiple victims and increasing the parent group’s chances of success.
In addition, they use methods that are increasingly difficult to detect, such as:
- Remote control software disguised to avoid raising suspicion.
- Fileless attacks using PowerShell.
- Fast, automated movement once inside the network.
If a company doesn’t have offline backups and a contingency plan, the impact can be devastating. That’s why it’s crucial to have services that allow you to recover encrypted files without paying a ransom, safely and quickly, without fueling the criminal ecosystem.

🧩 Official recommendations: how to protect yourself today
CISA’s alert on Interlock not only exposes the danger of the group, but includes immediate actions to mitigate the risk:
- Remove unauthorized remote access tools.
- Enable multi-factor authentication (MFA) for all logins.
- Monitor logs and detect lateral movement.
- Segment the network to limit access between departments.
- Periodically test the ability to recover data after a ransomware attack.
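
As an added example (not taken from the CISA alert or from HelpRansomware tooling), the sketch below shows how the first and third recommendations can be turned into a log check: it flags remote access tools that are unapproved or running from an unexpected folder, and PowerShell launched with arguments typical of fileless execution. The approved-tool policy, the event field names and the sample events are assumptions constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Assumed policy (hypothetical): the only remote access tool this organisation
# approves, and the single directory it may run from.
APPROVED_DIRS = {"anydesk.exe": r"c:\program files (x86)\anydesk"}
# Binary names to watch: the two tools named in the article.
WATCHED_TOOLS = {"anydesk.exe", "ateraagent.exe"}
# PowerShell arguments typical of in-memory execution (encoded, hidden, download-and-run).
PS_FLAGS = re.compile(
    r"(?i)\s-(?:e|ec|enc\w*)\s|\s-w(?:indowstyle)?\s+hidden\b"
    r"|downloadstring|invoke-expression|\biex\b"
)
# Constructed process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "ws-01", "image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe",
     "command_line": "AnyDesk.exe"},
    {"host": "ws-02", "image": r"C:\Users\j.doe\Downloads\AnyDesk.exe",
     "command_line": "AnyDesk.exe"},
    {"host": "ws-03", "image": r"C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe",
     "command_line": "AteraAgent.exe"},
    {"host": "ws-02", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -nop -w hidden -enc <constructed-base64>"},
    {"host": "ws-04", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -ExecutionPolicy RemoteSigned -File C:\Scripts\backup.ps1"},
]

def check_event(ev):
    """Return the list of findings for one process-creation event."""
    findings = []
    image = PureWindowsPath(ev["image"].lower())
    name, folder = image.name, str(image.parent)
    if name in WATCHED_TOOLS:
        approved = APPROVED_DIRS.get(name)
        if approved is None:
            findings.append("remote access tool not on the approved list")
        elif folder != approved:
            # A trusted file name outside its install folder suggests impersonation.
            findings.append("approved tool name running from unexpected path")
    if name in ("powershell.exe", "pwsh.exe") and PS_FLAGS.search(ev["command_line"]):
        findings.append("powershell with in-memory execution arguments")
    return findings

def triage(events):
    """Return (host, binary, finding) for every flagged event."""
    return [(ev["host"], PureWindowsPath(ev["image"]).name.lower(), finding)
            for ev in events for finding in check_event(ev)]

if __name__ == "__main__":
    print(*triage(SAMPLE_EVENTS), sep="\n")
```

Matching on file name and path alone is a first filter; in production the same check would normally also compare the binary's signer or hash against the approved inventory.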

Additionally, we recommend reviewing our ransomware recovery success stories to understand how to respond in a real-life situation and minimize losses, as many companies have been affected.
🧠 Conclusion: Ransomware is no longer an isolated crime, it’s a global business.
Interlock is just one of many groups exploiting the RaaS model. Its efficiency, reach, and replication capabilities make ransomware one of the most critical threats in today’s digital environment.
At HelpRansomware, we help companies anticipate these attacks with active defense solutions, recovery protocols, and strategic advice.
Because today, the best attack is a good defense.