Ransomware Trends & Data Insights: May 2025

Interlock

The Interlock ransomware group emerged in September 2024 and has targeted both Windows and Linux systems. Interlock exfiltrates data in addition to encrypting victim environments and operates a data leak site (DLS) where they claim, “We don’t just want payment; we want accountability.” The group appears to be opportunistic in nature, targeting organizations across various sectors, including healthcare, technology, and manufacturing.
 

Notable TTPs

  • Interlock employs several notable tools and malware in its attack chain, including the SystemBC remote access trojan (RAT), PowerShell scripts, credential stealers, and keyloggers, before ultimately deploying and activating the ransomware encryptor binary.
  • Interlock ransomware has employed Remote Desktop Protocol (RDP) for lateral movement within victim networks, along with tools like AnyDesk and PuTTY. Interlock has also been observed leveraging other tools that various threat groups commonly use, including MegaSync and Advanced Port Scanner.

 

Arete Analyst Notes

Interlock has been a consistent threat since the group emerged in September 2024, but the uptick in May represented the highest volume of activity Arete has observed from the group in a single month. However, it is too early to assess whether this indicates a future trend or whether the uptick is a one-off.