The Interlock ransomware group has become a serious threat, particularly to the education sector in the US and UK. Unlike many modern ransomware operations that run a Ransomware-as-a-Service (RaaS) model, Interlock operates as a small, specialized team. It develops and maintains its own proprietary malware and controls most of its attack chain itself, which gives it a high degree of sophistication and room to adapt.

Their attacks frequently begin with a MintLoader infection, most likely delivered through "ClickFix" social engineering, in which the victim is tricked into pasting and running a command themselves. Once inside, the attackers deploy a JavaScript implant called NodeSnakeRAT and move laterally across the network, relying on living-off-the-land binaries and valid accounts to establish persistence and carry out thorough system discovery.

The consequences of an Interlock intrusion are serious: data theft as well as encryption. Before deploying the ransomware, the group has been observed exfiltrating large volumes of data to cloud storage with tools such as AzCopy. This double-extortion strategy gives them leverage over victims even when backups are available.

[Image: a sample of code that uses dynamic strings (Source: Fortinet)]

According to Fortinet analysts, once the group has a foothold it uses a custom set of tools to disable security controls, so that its ransomware payloads can run unhindered on both Windows endpoints and Nutanix hypervisor environments. Its ability to change tactics and exploit new weaknesses makes the group a persistent threat to organizations worldwide, and one that calls for heightened vigilance and effective defenses.

A key part of Interlock's toolkit is a purpose-built evasion tool called "Hotta Killer", designed to disable antivirus (AV) and Endpoint Detection and Response (EDR) software. The tool uses a "Bring Your Own Vulnerable Driver" (BYOVD) technique: rather than exploiting the target's own kernel, it brings along a legitimate, signed driver that Windows will load, and abuses a flaw in it. Here that driver is GameDriverx64.sys, a genuine gaming anti-cheat driver, and the flaw is a zero-day vulnerability tracked as CVE-2025-61155.

By dropping a renamed copy of this vulnerable driver, UpdateCheckerX64.sys, and loading it, the malware gains the ability to perform privileged operations in kernel space. Hotta Killer itself is implemented as a DLL named polers.dll, which is injected into system processes to hide its activity. Once running, it opens a handle to the malicious driver's device through its symbolic link and uses that handle to send requests to the driver.

[Image: the EDR bypass tool "Hotta Killer" being executed via PowerShell commands (Source: Fortinet)]
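One practical check a defender can run on a suspect host follows. It is an added example written for this article, not code from Fortinet's report or from Interlock's tooling, and it uses only built-in PowerShell cmdlets. The idea: a vulnerable driver dropped under a new name (GameDriverx64.sys on disk as UpdateCheckerX64.sys) still carries the vendor's OriginalFilename in its version resource, so comparing that field with the on-disk name, together with the load path and the signature state, surfaces candidates for triage. The name-mismatch rule and the "expected location" rule are heuristics of this example, not indicators published by Fortinet, and the function names are this example's own.

```powershell
# Added example (not Fortinet's or Interlock's code): audit every kernel driver service
# on this host for signs of a renamed BYOVD driver. Built-in cmdlets only.

function Resolve-DriverPath {
    # Win32_SystemDriver.PathName comes in several forms; normalize to a real file path.
    param([string]$PathName)
    if (-not $PathName) { return $null }
    $p = $PathName.Trim('"')
    $p = $p -replace '^\\\?\?\\', ''                          # \??\C:\...        -> C:\...
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot           # \SystemRoot\...   -> C:\Windows\...
    $p = $p -replace '^System32', "$env:SystemRoot\System32"    # system32\drivers\x.sys (relative)
    return $p
}

function Get-SuspiciousDriver {
    # Emits one object per driver that trips at least one heuristic. Empty output means
    # "nothing obvious", not "clean": a BYOVD driver is, by design, validly signed.
    [CmdletBinding()]
    param()
    Get-CimInstance -ClassName Win32_SystemDriver | ForEach-Object {
        $path = Resolve-DriverPath $_.PathName
        if (-not $path -or -not (Test-Path -LiteralPath $path)) { return }
        $file = Get-Item -LiteralPath $path
        $vi   = $file.VersionInfo
        $sig  = Get-AuthenticodeSignature -LiteralPath $path
        $reasons = @()

        # Heuristic 1: a driver renamed on disk usually keeps the vendor's OriginalFilename.
        # (String comparison in PowerShell is case-insensitive, so vid.sys vs Vid.sys is fine.)
        if ($vi.OriginalFilename -and ($vi.OriginalFilename -ne $file.Name)) {
            $reasons += "OriginalFilename '$($vi.OriginalFilename)' differs from on-disk name '$($file.Name)'"
        }
        # Heuristic 2: kernel drivers normally live under System32\drivers or the DriverStore.
        if ($file.DirectoryName -notlike "$env:SystemRoot\System32\drivers*" -and
            $file.DirectoryName -notlike "$env:SystemRoot\System32\DriverStore*") {
            $reasons += "unusual location $($file.DirectoryName)"
        }
        # Heuristic 3: anything without a valid signature should not be loading at all.
        if ($sig.Status -ne 'Valid') {
            $reasons += "signature status $($sig.Status)"
        }

        if ($reasons.Count -gt 0) {
            [PSCustomObject]@{
                Service  = $_.Name
                State    = $_.State
                Path     = $path
                Original = $vi.OriginalFilename
                Company  = $vi.CompanyName
                Signer   = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                # Hash to compare against your driver blocklist or a public list such as loldrivers.io.
                SHA256   = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
                Reasons  = ($reasons -join '; ')
            }
        }
    }
}

Get-SuspiciousDriver | Format-List
```

Run it elevated on a known-good build first: some legitimate vendor drivers ship with an OriginalFilename that differs from their installed name, so the mismatch rule is a prompt for triage (check the signer, the company name, and the hash) rather than a verdict. A "Valid" signature does not clear a driver, which is the whole point of BYOVD; the hash is what you check against a blocklist.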

Hotta Killer primarily targets processes belonging to security software, such as those matching the pattern "Forti*.exe". It passes the process IDs of these processes to the driver, which terminates them from kernel mode, effectively blinding the organization's defenses before encryption begins. To reduce the risk, organizations should strictly prohibit unauthorized remote access software and restrict workstation-to-workstation SMB and RDP connections.

Blocking outbound network connections from PowerShell can also prevent malicious payloads from being downloaded in the first place.
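The two network controls above, plus a check for the one Windows setting aimed specifically at BYOVD, as PowerShell that applies them on a single host. This is an added example, not a configuration from Fortinet or from the original article; the $WorkstationSubnets value, the rule display names and the Test-VulnerableDriverBlocklist helper are this example's own assumptions.

```powershell
# Added example (not from the Fortinet report): apply two mitigations from the article with
# built-in cmdlets and report on the vulnerable-driver blocklist. Run elevated; test on a
# pilot group before rolling out, because these rules persist and block real traffic.

$WorkstationSubnets = @('10.10.0.0/16')   # ASSUMPTION: the ranges where your workstations live

# 1. Stop PowerShell hosts from reaching the network at all. A ClickFix one-liner that
#    tries to fetch a loader from powershell.exe then fails at the socket.
$psHosts = @(
    "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe",
    "$env:SystemRoot\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
    "$env:ProgramFiles\PowerShell\7\pwsh.exe"
)
foreach ($exe in $psHosts) {
    if (Test-Path -LiteralPath $exe) {
        New-NetFirewallRule -DisplayName "Block outbound - $(Split-Path $exe -Leaf) ($exe)" `
            -Direction Outbound -Program $exe -Action Block -Profile Any | Out-Null
    }
}

# 2. Refuse SMB and RDP connections that originate from other workstations. Servers and
#    admin jump hosts stay reachable simply by not being inside $WorkstationSubnets.
New-NetFirewallRule -DisplayName 'Block workstation-to-workstation SMB' `
    -Direction Inbound -Protocol TCP -LocalPort 445 -RemoteAddress $WorkstationSubnets -Action Block | Out-Null
New-NetFirewallRule -DisplayName 'Block workstation-to-workstation RDP' `
    -Direction Inbound -Protocol TCP -LocalPort 3389 -RemoteAddress $WorkstationSubnets -Action Block | Out-Null

# 3. Report whether Microsoft's vulnerable driver blocklist is enforced. BYOVD depends on
#    loading a signed-but-flawed driver, so this is the control aimed directly at it.
function Test-VulnerableDriverBlocklist {
    # Helper name is this example's own. The registry value is the one the Windows Security
    # "Microsoft Vulnerable Driver Blocklist" toggle sets.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    $v = (Get-ItemProperty -Path $key -Name VulnerableDriverBlocklistEnable -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable
    return ($v -eq 1)
}
if (-not (Test-VulnerableDriverBlocklist)) {
    Write-Warning 'Microsoft vulnerable driver blocklist is not enabled; turn it on (or enable HVCI) rather than relying on EDR alone.'
}
```

Three caveats. Windows Firewall evaluates block rules ahead of allow rules, so the SMB/RDP rules win over any existing allow rule for those ports; help-desk staff who RDP from ordinary workstations will need an explicit exception. The outbound PowerShell rules also break legitimate scripts that need the network from those hosts, and an attacker can fall back to other built-in downloaders (curl.exe, certutil.exe, bitsadmin.exe), so treat this as one layer. Finally, the blocklist only covers drivers Microsoft has already listed: a driver that was a zero-day at the time of use, as the article describes for GameDriverx64.sys, would not have been on it, which is why the renamed-driver hunt and EDR tamper alerts still matter.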