Interlock Ransomware: How to Defend in 2026
Interlock uses fake CAPTCHAs and stolen firewall access to double-extort victims. Here is how the group operates and how to keep them out.

Interlock does not phish you with a dodgy attachment. It gets in through a fake "verify you are human" box on a compromised website, then quietly maps your network for days before encrypting it. Understanding that entry point is most of the defense.
Quick answer
Interlock is a double-extortion ransomware group that steals your data before encrypting it, then threatens to leak it. It breaks in mainly through ClickFix fake-CAPTCHA lures and unpatched edge devices such as firewalls. To defend, block the paste-a-command trick with user training, patch internet-facing appliances fast, deploy behavior-based endpoint detection, enforce phishing-resistant MFA, and keep offline immutable backups.
Key takeaways
- Interlock uses double extortion: it exfiltrates data first, then encrypts, so backups alone do not save you from a leak.
- Its top entry points are the ClickFix fake-CAPTCHA lure and unpatched edge devices.
- It abused Cisco firewall bug CVE-2026-20131 (CVSS 10.0) for root access before public disclosure.
- Behavior-based EDR and MFA are the controls that most reliably stop it spreading.
- Immutable offline backups are your recovery floor when everything else fails.
Who Interlock is
Interlock first appeared in September 2024 and, unusually, runs without affiliates rather than as a ransomware-as-a-service operation. CISA and the FBI issued a joint advisory (AA25-203A) after the group hit businesses and critical infrastructure across North America and Europe.
The double-extortion model is the core threat. Interlock both encrypts your files and steals a copy first. Even if you restore from backup, they threaten to publish the stolen data on a Tor leak site unless you pay. Their ransom notes are deliberately vague: no dollar figure, just a unique code and a .onion address to open negotiations.
How Interlock breaks in
The group favors two entry points, and both are things you can defend directly.
Fake CAPTCHA (ClickFix). Interlock compromises legitimate websites and shows visitors a fake human-verification prompt. The prompt instructs the user to copy a command and run it, which drops a PowerShell payload. This is the same con detailed in our ClickFix fake-CAPTCHA guide, and it works because users trust the "I am not a robot" pattern.
Unpatched edge devices. In 2026, an Interlock campaign exploited CVE-2026-20131, a maximum-severity flaw in Cisco Secure Firewall Management Center, for unauthenticated remote code execution as root. They were in networks for over a month before the bug was public. Internet-facing appliances are prime targets precisely because they are hard to patch and often forgotten.

What they do once inside
After gaining a foothold, Interlock behaves like most modern ransomware crews: slow, patient, and living off legitimate tools.
| Stage | What Interlock does |
|---|---|
| Initial access | ClickFix payload or edge-device exploit |
| Reconnaissance | Maps the network and identifies backups and domain controllers |
| Persistence and control | Deploys Cobalt Strike, AnyDesk, and PuTTY |
| Credential theft | Runs Lumma Stealer, Berserk Stealer, and custom stealers |
| Exfiltration | Uses AzCopy to push stolen files to Azure blob storage |
| Impact | Encrypts systems and drops the ransom note |
Because they use real remote-access tools like AnyDesk and living-off-the-land binaries, signature-based antivirus often misses them. Detection has to focus on behavior: a workstation suddenly running Cobalt Strike, mass file access, or AzCopy uploading gigabytes at 3 a.m.
How to defend against Interlock
Map your defenses to their kill chain and you remove the paths they depend on.
- Kill the ClickFix vector with training. Teach everyone the flat rule: never paste a command from a website into the Run box, File Explorer, or a terminal.
- Patch edge devices on a tight schedule. Firewalls, VPNs, and management consoles must be patched within days of a critical advisory, and their admin interfaces should never be exposed to the open internet.
- Deploy behavior-based EDR. It watches for the actions Interlock takes rather than known malware hashes, catching Cobalt Strike and unusual data movement.
- Enforce phishing-resistant MFA. Even if credentials leak, security-key MFA blocks the reuse that enables lateral movement.
- Segment the network so a single compromised host cannot reach backups and domain controllers.
Keep a recovery floor
Because Interlock exfiltrates data, backups do not prevent a leak, but they do prevent extortion over decryption and let you recover without paying. Follow the 3-2-1-1-0 backup rule so at least one copy is offline and immutable, out of reach of an attacker who has domain admin. If the worst happens, our first-hour ransomware response guide covers containment.
What to do right now
- Brief your team today on the "never paste a website's command" rule.
- List every internet-facing appliance and confirm each is fully patched.
- Remove admin interfaces of firewalls and VPNs from public internet exposure.
- Verify your EDR is behavior-based and actually alerting, not just installed.
- Test that at least one backup copy is offline, immutable, and restorable.
Frequently asked questions
Does paying Interlock get my data back?
Even if they provide a decryptor, paying does not guarantee the stolen copy is deleted, and it funds future attacks. Law enforcement advises against paying. Recovery from clean offline backups is the goal, which is why immutable backups matter so much.
Why does antivirus miss Interlock?
Interlock relies on legitimate tools like AnyDesk, PuTTY, and Cobalt Strike, plus living-off-the-land techniques, so there is often no malicious file to flag. Behavior-based endpoint detection that watches for suspicious activity is far more effective than signature scanning.
Are home users at risk?
Interlock primarily targets businesses and critical infrastructure, but the ClickFix lure that delivers it hits everyone. Home users should still learn to never paste website-provided commands, since the same infostealers can land on personal machines.
What is the single most important control?
Patching internet-facing edge devices quickly and removing their admin panels from the public internet. Interlock's most damaging campaigns started with an unpatched appliance, and that is a gap you can close before an attack ever begins.


