Interlock is one of the more active ransomware operations in 2026, responsible for high-impact attacks including the Kettering Health breach that shut down thousands of procedures. What distinguishes Interlock in the current landscape is its delivery mechanism: ClickFix, a social engineering technique that bypasses email gateway controls entirely by tricking victims into self-executing malicious commands via fake CAPTCHA or browser error prompts.

This playbook maps the Interlock kill chain stage by stage and provides detection logic at each point.

Stage 1: ClickFix Initial Access

What happens: The victim encounters a fake CAPTCHA or browser update prompt, either through a malvertising redirect or a compromised website. The page instructs the victim to open the Run dialog (Win+R) and paste a PowerShell command. The command downloads and executes the initial payload — typically a Remcos RAT or DanaBot loader.

Why it bypasses controls: No malicious email, no attachment, no link to a known-bad domain. The PowerShell command is typed by the victim from the clipboard.

Detection: RunMRU registry key modified after clipboard paste

title: Suspicious RunMRU PowerShell Execution via Run Dialog
id: 8b3a1c44-e921-4f62-9d21-b71a4e29c113
status: experimental
description: Detects PowerShell execution via the Run dialog (RunMRU), consistent with ClickFix clipboard injection
logsource:
  category: registry_event
  product: windows
detection:
  selection:
    EventType: SetValue
    TargetObject|contains: '\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
    Details|contains:
      - 'powershell'
      - 'cmd.exe'
      - 'mshta'
      - 'wscript'
  condition: selection
falsepositives:
  - Legitimate IT admin use of the Run dialog
level: medium
tags:
  - attack.initial_access
  - attack.t1059.001

KQL (Microsoft Defender / Sentinel)

DeviceProcessEvents
| where InitiatingProcessFileName == "explorer.exe"
| where FileName in ("powershell.exe", "cmd.exe", "mshta.exe", "wscript.exe")
| where ProcessCommandLine has_any ("IEX", "Invoke-Expression", "DownloadString", "Net.WebClient", "FromBase64String")
| where ProcessCommandLine has_any ("-enc", "-EncodedCommand", "bypass", "hidden")
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName

Stage 2: Remcos RAT or DanaBot Loader Execution

What happens: The downloaded payload establishes C2 connectivity. Remcos variants used by Interlock communicate over TCP with certificate pinning. DanaBot drops additional modules and begins credential harvesting.

Detection: Suspicious outbound connection from PowerShell child process

title: Suspicious Network Connection from PowerShell Child Process
id: 3f7c9a28-4d11-41a2-85bf-73ae9b4d3221
status: experimental
logsource:
  category: network_connection
  product: windows
detection:
  selection:
    Initiated: 'true'
    Image|endswith: '\powershell.exe'
    DestinationPort|gt: 1024
  filter_known:
    DestinationIp|startswith:
      - '10.'
      - '192.168.'
      - '172.'
  condition: selection and not filter_known
falsepositives:
  - PowerShell-based management tools with legitimate external connectivity
level: high

Stage 3: Credential Theft and LSASS Access

What happens: Interlock operators dump LSASS using custom tooling or commodity tools (Mimikatz, HandleKatz). Domain credentials are harvested to enable lateral movement.

Detection: LSASS memory access by unusual process

title: Suspicious LSASS Process Access
id: c9ab3d21-89f2-4e11-a314-59b21a4c8dfe
status: experimental
logsource:
  category: process_access
  product: windows
detection:
  selection:
    TargetImage|endswith: '\lsass.exe'
    GrantedAccess|contains:
      - '0x1010'
      - '0x1410'
      - '0x147a'
      - '0x1f1fff'
  filter_legit:
    SourceImage|startswith:
      - 'C:\Windows\System32\'
      - 'C:\Windows\SysWOW64\'
      - 'C:\Program Files\'
  condition: selection and not filter_legit
falsepositives:
  - AV/EDR products accessing LSASS for monitoring
level: critical
tags:
  - attack.credential_access
  - attack.t1003.001

Stage 4: Lateral Movement via RDP and PsExec

What happens: With valid credentials, Interlock affiliates move laterally via RDP and PsExec. They target domain controllers, backup servers (specifically Veeam instances), and file servers.

KQL: RDP lateral movement from unusual source

DeviceLogonEvents
| where LogonType == "RemoteInteractive"
| where ActionType == "LogonSuccess"
| join kind=leftouter (
    DeviceNetworkEvents
    | where RemotePort == 3389
    | project DeviceName, RemoteIP
) on DeviceName
| where AccountDomain != ""
| summarize RDPTargets = dcount(DeviceName) by AccountName, bin(Timestamp, 1h)
| where RDPTargets > 3
| order by RDPTargets desc

Detection: PsExec execution with domain admin account

title: PsExec Lateral Movement with Elevated Account
id: 7a2c4b18-d31f-4a99-87ae-21b47c9d5f82
status: experimental
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - '\psexec.exe'
      - '\psexec64.exe'
      - '\PsExec.exe'
    CommandLine|contains:
      - '-accepteula'
      - '\\\\*'
  condition: selection
level: high
tags:
  - attack.lateral_movement
  - attack.t1021.002

Stage 5: Data Exfiltration via Rclone or MEGA

What happens: Before encryption, Interlock exfiltrates data to cloud storage (MEGA, rclone with remote configuration pointing to attacker-controlled storage). This enables double extortion.

Detection: Rclone execution with suspicious arguments

title: Rclone Data Exfiltration Activity
id: 1e8a7f34-92c5-4d88-b3fa-67e91d2c5a99
status: experimental
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\rclone.exe'
    CommandLine|contains:
      - 'copy'
      - 'sync'
      - 'move'
  remote:
    CommandLine|contains:
      - ':/'
      - 'mega'
      - 'onedrive'
      - 'dropbox'
      - 'ftp'
  condition: selection and remote
falsepositives:
  - Legitimate IT backup operations using Rclone
level: high
tags:
  - attack.exfiltration
  - attack.t1567.002

KQL: Large outbound transfer to cloud storage

DeviceNetworkEvents
| where RemotePort in (443, 80)
| where RemoteUrl has_any ("mega.nz", "mega.co.nz", "api.mega.co.nz")
   or RemoteUrl has_any ("rclone", "onedrive.live.com")
| where InitiatingProcessFileName !in ("browser.exe", "chrome.exe", "firefox.exe", "msedge.exe")
| summarize TotalBytes = sum(SentBytes) by DeviceName, AccountName, RemoteUrl, bin(Timestamp, 1h)
| where TotalBytes > 100000000
| order by TotalBytes desc

Stage 6: ESXi and Backup Targeting

What happens: Interlock specifically targets VMware ESXi hypervisors and Veeam backup infrastructure to maximise impact and eliminate recovery options. The Linux ESXi encryptor is deployed via SSH after credentials are obtained.

Detection: Veeam configuration file access from unexpected process

title: Veeam Backup Database or Config Access by Suspicious Process
id: 4b9e2c71-8f43-4a27-93d1-7ae52b3d9c01
status: experimental
logsource:
  category: file_event
  product: windows
detection:
  selection:
    TargetFilename|contains:
      - '\VeeamBackup'
      - '\Veeam\Backup'
      - 'VeeamBackup.config'
    Image|not|startswith:
      - 'C:\Program Files\Veeam'
  condition: selection
level: critical
tags:
  - attack.impact
  - attack.t1490

Stage 7: Encryptor Deployment

What happens: The Interlock Windows encryptor appends .interlock to encrypted files and drops a ransom note !README!.txt. The Linux encryptor targets ESXi flat VMDK files.

Detection: Mass file rename event (encryption indicator)

DeviceFileEvents
| where ActionType == "FileRenamed"
| where FileName endswith ".interlock"
    or FileName endswith ".locked"
    or FileName endswith ".enc"
| summarize RenameCount = count() by DeviceName, AccountName, bin(Timestamp, 1m)
| where RenameCount > 100
| order by RenameCount desc

Hunting Summary: Key IOCs for Interlock (as of July 2026)

IndicatorTypeStage
.interlock file extensionFileEncryption
!README!.txt ransom noteFileEncryption
RunMRU registry write from explorer.exe with PowerShell contentRegistryInitial Access
LSASS access with 0x1010/0x1410 grant by non-system processProcess AccessCredential Theft
Outbound connection to mega.nz from non-browser processNetworkExfiltration
ESXi SSH authentication from Windows system accountNetworkLateral Movement

If you identify Stage 1 or 2 activity: isolate the affected endpoint immediately and block outbound PowerShell network connections. Check clipboard paste history and browser history for the source of the ClickFix prompt.

If you identify Stage 4 or 5 activity: the operator already has valid credentials. Treat any recently accessed or newly-created accounts as compromised. Disable all accounts touched on affected systems and initiate a broader AD investigation before re-enabling.

If you identify Stage 7: move to incident response. Check whether Veeam backups are intact — Interlock specifically targets these. If offline backups exist, they are likely your fastest recovery path.