# Interlock Ransomware Gang Pushes Fake IT Tools in ClickFix Attacks
The Interlock ransomware gang has taken its malicious tactics to the next level by utilizing fake IT tools in a series of ClickFix attacks, aimed at breaching corporate networks and deploying file-encrypting malware on devices.
## The Rise of ClickFix Attacks
ClickFix is a social engineering tactic where victims are tricked into executing dangerous PowerShell commands on their systems under the guise of fixing an error or verifying themselves. This tactic has been linked to ransomware infections in the past, but confirmation about Interlock marks an increasing trend among threat actors adopting this tactic.
## The Interlock Ransomware Operation
Launched in late September 2024, Interlock targets FreeBSD servers and Windows systems, with a data leak portal on the dark web used to increase pressure on victims. Demands range from hundreds of thousands of dollars to millions. Unlike other ransomware-as-a-service operations, Interlock maintains its own infrastructure, using fake browser and VPN client updates to install malware and breach networks.
## The ClickFix Variant
In January 2025, Sekoia researchers detected the Interlock ransomware gang's use of ClickFix attacks for the first time. Four different URLs were used to host fake CAPTCHA prompts that told visitors to execute a command on their computer to verify themselves and download a promoted tool. Only the site impersonating Advanced IP Scanner, a popular IP scanning tool commonly used by IT staff, led to downloading a malicious installer.
## How ClickFix Attacks Work
When a victim clicks the 'Fix it' button, it copies the malicious PowerShell command to the clipboard. If executed in a command prompt or Windows Run dialog, it downloads a 36MB PyInstaller payload. At the same time, the legitimate AdvancedIPScanner website opens in a browser window to reduce suspicion.
## Payload and Exfiltration
The malicious payload installs a legitimate copy of the software it pretends to be and simultaneously executes an embedded PowerShell script that runs in a hidden window. This script registers a Run key in Windows Registry for persistence and then collects and exfiltrates system information, including OS version, user privilege level, running processes, and available drives.
## Sekoia's Observations
Sekoia has observed the command and control (C2) responding with various payloads, including LummaStealer, BerserkStealer, keyloggers, and the Interlock RAT. The latter is a simple trojan that can be dynamically configured, supporting file exfiltration, shell command execution, and running malicious DLLs.
## Lateral Movement and Data Exfiltration
After the initial compromise and RAT deployment, Interlock operators used stolen credentials to move laterally via RDP, while Sekoia also saw PuTTY, AnyDesk, and LogMeIn used in some attacks. The last step before ransomware execution is data exfiltration, with stolen files uploaded to attacker-controlled Azure Blobs.
## Windows Variant
The Windows variant of Interlock is set (via a scheduled task) to run daily at 08:00 PM, but thanks to file extension-based filtering, this doesn't cause multiple layers of encryption. Instead, it serves as a redundancy measure.
## Evolving Ransom Notes
Sekoia also reports that the ransom note has evolved, with the latest versions focusing more on the legal aspect of the data breach and the regulatory consequences if stolen data is made public.
## ClickFix Attacks: A Growing Concern
ClickFix attacks have now been adopted by a wide range of threat actors, including other ransomware gangs and North Korean hackers. Last month, Sekoia discovered that the infamous Lazarus North Korean hacking group was using ClickFix attacks targeting job seekers in the cryptocurrency industry.