Interlock Ransomware Switches to FileFix for Stealthy RAT Delivery
The Interlock ransomware operation has adopted a new delivery mechanism known as FileFix, using it to deploy remote access trojans (RATs) on victim systems through deceptive Windows UI interactions. The shift marks an evolution in the group’s tactics and reflects growing use of stealthier social engineering methods across ransomware campaigns.
Researchers from The DFIR Report and Proofpoint began observing the new behavior in recent campaigns. The technique uses trusted system interfaces—like File Explorer—to execute commands without triggering standard security warnings.
From ClickFix to FileFix: A Stealthier Exploitation Chain
Interlock ransomware had previously relied on the ClickFix method, often prompting users to complete fake CAPTCHA verifications on compromised websites and paste clipboard content into the Windows Run dialog. This trick silently ran PowerShell scripts that downloaded and launched RAT payloads, including Node.js- and PHP-based variants of Interlock’s malware.
Since early July, however, the group has transitioned to FileFix, a technique created by security researcher mr.d0x. This variation leverages the File Explorer address bar, where victims are lured into pasting what appears to be a file path but is actually a disguised PowerShell command.
The pasted string looks like a file path because the PowerShell command is followed by comment syntax containing a plausible-looking path; in reality it downloads and executes the Interlock PHP RAT from trycloudflare.com.
The attack path is both simple and deceptive, exploiting user trust in standard Windows features while bypassing visible warnings or prompts.
Post-Infection Behavior and Capabilities
Once deployed, the Interlock RAT executes a range of actions to establish control and gather intelligence:
- Runs PowerShell commands to collect system and network data
- Exfiltrates information in structured JSON format
- Performs Active Directory enumeration
- Checks for backups and lateral movement options
- Establishes persistence via the Windows Registry
- Connects to a C2 server for further instructions or payload delivery
Researchers also reported signs of interactive exploration within victim environments, suggesting manual operator involvement during post-compromise stages.
Interlock’s Growing Activity and Notable Targets
First seen in September 2024, the Interlock ransomware group has claimed attacks on high-profile organizations including Texas Tech University, DaVita, and Kettering Health. Its transition from ClickFix to FileFix reflects a broader trend among threat actors embracing social engineering and native OS tools to reduce detection.
The use of FileFix in active cyberattacks has now been publicly confirmed for the first time, and security researchers believe more threat groups may adopt the method due to its effectiveness and low technical barriers.
Rising Risk for Enterprise Environments
The current wave of FileFix-enabled attacks raises concerns about user interface exploitation in enterprise settings. The combination of trusted system elements and user-driven execution allows attackers to sidestep traditional security tools, especially in environments that rely heavily on user interaction with Windows Explorer.
For organizations, the emergence of this method underlines the need for:
- Security awareness around UI-based attacks
- Blocking or monitoring PowerShell activity
- Restricting clipboard-based execution paths
- Disabling Windows Script Host or HTA files where possible
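One way to act on the "monitoring PowerShell activity" recommendation against the FileFix chain described above is to hunt process-creation telemetry for PowerShell started by explorer.exe whose command line ends in a comment that looks like a file path. The following is an added illustration, not code from the researchers or from the article; the Sysmon-style event fields (ParentImage / Image / CommandLine), the sample events and the trycloudflare.com subdomain are constructed assumptions.

```python
import re

# Constructed process-creation events (not real telemetry), shaped like the
# Sysmon Event ID 1 fields ParentImage / Image / CommandLine.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    # 0: FileFix-like: command pasted into the Explorer address bar, trailing comment shows a path
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": r'powershell.exe -c "<constructed payload placeholder: constructed.trycloudflare.com>" # C:\Company\HR\Policy.pdf'},
    # 1: benign: user opened a text file from Explorer
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r'"C:\Windows\System32\notepad.exe" C:\Users\alice\notes.txt'},
    # 2: benign: PowerShell from an IDE terminal
    {"ParentImage": r"C:\Program Files\VSCode\Code.exe", "Image": PS,
     "CommandLine": r'powershell.exe -NoProfile -Command "Get-Date"'},
    # 3: common and noisy: a script launched from Explorer, no disguise
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": r'powershell.exe -File C:\Scripts\backup.ps1'},
]

POWERSHELL_HOSTS = ("powershell.exe", "pwsh.exe")
# A trailing PowerShell comment whose body is a drive or UNC path: this is the
# disguise FileFix relies on to make a command read like a file path.
PATH_COMMENT = re.compile(r"#\s*(?:[A-Za-z]:\\|\\\\)[^#]*$")

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return the FileFix indicators present in one process-creation event."""
    reasons = []
    if basename(event["Image"]) not in POWERSHELL_HOSTS:
        return reasons
    cmd = event["CommandLine"]
    if basename(event["ParentImage"]) == "explorer.exe":
        reasons.append("powershell spawned by explorer.exe")
    if PATH_COMMENT.search(cmd):
        reasons.append("trailing comment disguised as file path")
    if "trycloudflare.com" in cmd.lower():
        reasons.append("trycloudflare.com in command line")
    return reasons

def is_filefix_like(event):
    # Alert only when Explorer is the parent AND a disguise or delivery indicator
    # is present; Explorer-launched PowerShell on its own is too common to alert on.
    reasons = classify(event)
    return "powershell spawned by explorer.exe" in reasons and len(reasons) >= 2

def scan(events):
    """Return (index, indicators) for every event that crosses the alert threshold."""
    return [(i, classify(e)) for i, e in enumerate(events) if is_filefix_like(e)]
```

Feed the same fields from real Sysmon or Security 4688 events into `scan` to run the heuristic over live data; the trycloudflare.com check is a campaign-specific indicator and should be treated as such.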
As the Interlock group continues refining its techniques, FileFix is likely to become another staple in ransomware operators’ toolkits—one that leverages human error as effectively as code.