EXECUTIVE SUMMARY
The Interlock and Rhysida groups are active ransomware operators that have been observed delivering tailored malware families such as NodeSnake, InterlockRAT, and Supper. Their campaigns focus primarily on organizations in the United States, with notable hits in the healthcare, financial services, and manufacturing sectors. Both groups appear to act independently—Interlock as a boutique operator and Rhysida as a ransomware-as-a-service provider—yet they share overlapping tools and infrastructure. Their primary objective is financial gain through encryption of critical data, often accompanied by data theft to increase pressure on victims.
Initial access is typically achieved through compromised advertising networks or fake update pages that deliver a lightweight downloader such as NodeSnake or the JunkFiction loader. Once executed, the downloader contacts a remote server, retrieves a multi-stage backdoor (often InterlockRAT or the Supper client) and establishes a persistent reverse shell over an encrypted channel. The backdoor then performs lateral movement using legitimate credentials, deploys the ransomware encryptor on both Windows and Linux endpoints, and exfiltrates selected files before encryption. Command-and-control traffic is disguised as ordinary web traffic, allowing the actors to retain control while the encryption process runs.
The threat is significant because the malware chain blends custom crypters with legitimate runtimes, which makes behavioral detection difficult and complicates forensic recovery. Victims often discover the encryption only after data has already been exfiltrated, so backups alone do not remove the extortion leverage. Organizations should harden endpoint defenses, enforce multi-factor authentication, and apply security patches promptly to reduce the exploitable surface. Continuous monitoring for anomalous outbound connections and for unknown downloader binaries can reveal compromise early. Maintaining offline, immutable backups and rehearsing a rapid restore plan remain essential to limit downtime and ransom exposure.
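As an added illustration of the outbound-connection monitoring recommended above (example code written for this page, not tooling from either group or from the cited reports), the following Python script runs a beaconing check over a constructed proxy-log sample. It flags (source, destination) pairs whose connection intervals are nearly constant and whose destination is contacted by only one host on the network, which is the timing-and-rarity signature of an implant polling its C2 even when every individual request looks like ordinary HTTPS. Hostnames, timestamps and thresholds are all assumed for the example.

```python
"""Beaconing triage over proxy-log lines (added example, constructed data)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log for this example; not from any real incident.
# Fields: timestamp,src_host,dst_host,dst_port,bytes_out
# ws-17 polls updates-cdn.example roughly every 60 s; the other
# traffic is irregular, human-shaped browsing and mail.
SAMPLE_LOG = """\
2024-05-01T09:00:00,ws-17,updates-cdn.example,443,412
2024-05-01T09:00:15,ws-17,www.example.org,443,1830
2024-05-01T09:00:20,ws-17,www.example.org,443,960
2024-05-01T09:00:41,ws-22,www.example.org,443,2210
2024-05-01T09:01:02,ws-17,updates-cdn.example,443,408
2024-05-01T09:02:01,ws-17,updates-cdn.example,443,415
2024-05-01T09:02:59,ws-17,updates-cdn.example,443,410
2024-05-01T09:03:40,ws-17,www.example.org,443,1405
2024-05-01T09:03:41,ws-17,www.example.org,443,77
2024-05-01T09:04:00,ws-17,updates-cdn.example,443,411
2024-05-01T09:05:01,ws-17,updates-cdn.example,443,409
2024-05-01T09:05:30,ws-22,mail.example.net,443,5120
2024-05-01T09:06:00,ws-17,updates-cdn.example,443,413
2024-05-01T09:07:02,ws-17,updates-cdn.example,443,410
2024-05-01T09:10:05,ws-17,www.example.org,443,3300
2024-05-01T09:12:10,ws-22,www.example.org,443,640
2024-05-01T09:25:30,ws-17,www.example.org,443,880
2024-05-01T09:40:12,ws-22,mail.example.net,443,4880
"""


def parse(text):
    """Turn CSV log lines into (datetime, src, dst, port, bytes_out) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, size = line.split(",")
        records.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
                        src, dst, int(port), int(size)))
    return records


def beacon_candidates(records, min_events=6, max_cv=0.2):
    """Return {(src, dst): mean_gap_seconds} for pairs whose inter-connection
    gaps have a coefficient of variation (stdev/mean) at or below max_cv.
    Low jitter over many events is typical of an implant's poll loop and
    atypical of a person clicking around. Thresholds are assumed values."""
    by_pair = defaultdict(list)
    for ts, src, dst, _port, _size in records:
        by_pair[(src, dst)].append(ts)
    found = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg == 0:            # duplicate timestamps; nothing to measure
            continue
        if pstdev(gaps) / avg <= max_cv:
            found[pair] = round(avg, 1)
    return found


def rare_destinations(records, max_hosts=1):
    """Destinations contacted by at most max_hosts distinct sources.
    A C2 host is usually reached by one or a few machines, unlike a
    CDN or a corporate SaaS domain that the whole fleet talks to."""
    hosts_per_dst = defaultdict(set)
    for _ts, src, dst, _port, _size in records:
        hosts_per_dst[dst].add(src)
    return {dst for dst, hosts in hosts_per_dst.items() if len(hosts) <= max_hosts}


def suspicious_pairs(records):
    """Pairs that both beacon and talk to a rare destination, sorted."""
    rare = rare_destinations(records)
    return sorted(pair for pair in beacon_candidates(records) if pair[1] in rare)


if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    for src, dst in suspicious_pairs(recs):
        print(f"beaconing: {src} -> {dst} every ~{beacon_candidates(recs)[(src, dst)]} s")
```

Against the constructed sample the script singles out ws-17 talking to updates-cdn.example every ~60 s; the six browsing requests from ws-17 to www.example.org have far too much jitter, and mail.example.net is rare but not periodic, so neither is reported. In practice you would feed proxy or NetFlow exports covering hours rather than minutes, tune min_events and max_cv to your fleet, and treat a hit as a triage lead, since real implants add deliberate jitter and a rarity check alone will also catch legitimate one-off services.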
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
|---|---|---|---|
| Initial Access | T1190 | Exploit Public-Facing Application | — |
| Initial Access | T1189 | Drive-by Compromise | — |
| Initial Access | T1566.001 | Phishing | Spearphishing Attachment |
| Execution | T1059.001 | Command and Scripting Interpreter | PowerShell |
| Defense Evasion | T1027 | Obfuscated Files or Information | — |
| Defense Evasion | T1562.001 | Impair Defenses | Disable or Modify Tools |
| Defense Evasion | T1070.004 | Indicator Removal | File Deletion |
| Credential Access | T1552.001 | Unsecured Credentials | Credentials In Files |
| Command and Control | T1105 | Ingress Tool Transfer | — |
| Command and Control | T1090.003 | Proxy | Multi-hop Proxy |
| Lateral Movement | T1021 | Remote Services | — |
| Exfiltration | T1048.003 | Exfiltration Over Alternative Protocol | Exfiltration Over Unencrypted Non-C2 Protocol |
| Impact | T1486 | Data Encrypted for Impact | — |
REFERENCES:
The following reports contain further technical details:
https://cybersecuritynews.com/interlock-and-rhysida-ransomware-operations/
https://www.ibm.com/think/x-force/interlock-and-rhysida-within-the-ransonware-ecosystem