Interlock is one of the more active ransomware operations in 2026, responsible for high-impact attacks including the Kettering Health breach that shut down thousands of procedures. What distinguishes Interlock in the current landscape is its delivery mechanism: ClickFix, a social engineering technique that bypasses email gateway controls entirely by tricking victims into self-executing malicious commands via fake CAPTCHA or browser error prompts.
This playbook maps the Interlock kill chain stage by stage and provides detection logic at each point.
Stage 1: ClickFix Initial Access
What happens: The victim encounters a fake CAPTCHA or browser update prompt, either through a malvertising redirect or a compromised website. The page instructs the victim to open the Run dialog (Win+R) and paste a PowerShell command. The command downloads and executes the initial payload — typically a Remcos RAT or DanaBot loader.
Why it bypasses controls: No malicious email, no attachment, no link to a known-bad domain. The PowerShell command is typed by the victim from the clipboard.
Detection: RunMRU registry key modified after clipboard paste
title: Suspicious RunMRU PowerShell Execution via Run Dialog
id: 8b3a1c44-e921-4f62-9d21-b71a4e29c113
status: experimental
description: Detects PowerShell execution via the Run dialog (RunMRU), consistent with ClickFix clipboard injection
logsource:
category: registry_event
product: windows
detection:
selection:
EventType: SetValue
TargetObject|contains: '\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
Details|contains:
- 'powershell'
- 'cmd.exe'
- 'mshta'
- 'wscript'
condition: selection
falsepositives:
- Legitimate IT admin use of the Run dialog
level: medium
tags:
- attack.initial_access
- attack.t1059.001
KQL (Microsoft Defender / Sentinel)
DeviceProcessEvents
| where InitiatingProcessFileName == "explorer.exe"
| where FileName in ("powershell.exe", "cmd.exe", "mshta.exe", "wscript.exe")
| where ProcessCommandLine has_any ("IEX", "Invoke-Expression", "DownloadString", "Net.WebClient", "FromBase64String")
| where ProcessCommandLine has_any ("-enc", "-EncodedCommand", "bypass", "hidden")
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName
Stage 2: Remcos RAT or DanaBot Loader Execution
What happens: The downloaded payload establishes C2 connectivity. Remcos variants used by Interlock communicate over TCP with certificate pinning. DanaBot drops additional modules and begins credential harvesting.
Detection: Suspicious outbound connection from PowerShell child process
title: Suspicious Network Connection from PowerShell Child Process
id: 3f7c9a28-4d11-41a2-85bf-73ae9b4d3221
status: experimental
logsource:
category: network_connection
product: windows
detection:
selection:
Initiated: 'true'
Image|endswith: '\powershell.exe'
DestinationPort|gt: 1024
filter_known:
DestinationIp|startswith:
- '10.'
- '192.168.'
- '172.'
condition: selection and not filter_known
falsepositives:
- PowerShell-based management tools with legitimate external connectivity
level: high
Stage 3: Credential Theft and LSASS Access
What happens: Interlock operators dump LSASS using custom tooling or commodity tools (Mimikatz, HandleKatz). Domain credentials are harvested to enable lateral movement.
Detection: LSASS memory access by unusual process
title: Suspicious LSASS Process Access
id: c9ab3d21-89f2-4e11-a314-59b21a4c8dfe
status: experimental
logsource:
category: process_access
product: windows
detection:
selection:
TargetImage|endswith: '\lsass.exe'
GrantedAccess|contains:
- '0x1010'
- '0x1410'
- '0x147a'
- '0x1f1fff'
filter_legit:
SourceImage|startswith:
- 'C:\Windows\System32\'
- 'C:\Windows\SysWOW64\'
- 'C:\Program Files\'
condition: selection and not filter_legit
falsepositives:
- AV/EDR products accessing LSASS for monitoring
level: critical
tags:
- attack.credential_access
- attack.t1003.001
Stage 4: Lateral Movement via RDP and PsExec
What happens: With valid credentials, Interlock affiliates move laterally via RDP and PsExec. They target domain controllers, backup servers (specifically Veeam instances), and file servers.
KQL: RDP lateral movement from unusual source
DeviceLogonEvents
| where LogonType == "RemoteInteractive"
| where ActionType == "LogonSuccess"
| join kind=leftouter (
DeviceNetworkEvents
| where RemotePort == 3389
| project DeviceName, RemoteIP
) on DeviceName
| where AccountDomain != ""
| summarize RDPTargets = dcount(DeviceName) by AccountName, bin(Timestamp, 1h)
| where RDPTargets > 3
| order by RDPTargets desc
Detection: PsExec execution with domain admin account
title: PsExec Lateral Movement with Elevated Account
id: 7a2c4b18-d31f-4a99-87ae-21b47c9d5f82
status: experimental
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\psexec.exe'
- '\psexec64.exe'
- '\PsExec.exe'
CommandLine|contains:
- '-accepteula'
- '\\\\*'
condition: selection
level: high
tags:
- attack.lateral_movement
- attack.t1021.002
Stage 5: Data Exfiltration via Rclone or MEGA
What happens: Before encryption, Interlock exfiltrates data to cloud storage (MEGA, rclone with remote configuration pointing to attacker-controlled storage). This enables double extortion.
Detection: Rclone execution with suspicious arguments
title: Rclone Data Exfiltration Activity
id: 1e8a7f34-92c5-4d88-b3fa-67e91d2c5a99
status: experimental
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\rclone.exe'
CommandLine|contains:
- 'copy'
- 'sync'
- 'move'
remote:
CommandLine|contains:
- ':/'
- 'mega'
- 'onedrive'
- 'dropbox'
- 'ftp'
condition: selection and remote
falsepositives:
- Legitimate IT backup operations using Rclone
level: high
tags:
- attack.exfiltration
- attack.t1567.002
KQL: Large outbound transfer to cloud storage
DeviceNetworkEvents
| where RemotePort in (443, 80)
| where RemoteUrl has_any ("mega.nz", "mega.co.nz", "api.mega.co.nz")
or RemoteUrl has_any ("rclone", "onedrive.live.com")
| where InitiatingProcessFileName !in ("browser.exe", "chrome.exe", "firefox.exe", "msedge.exe")
| summarize TotalBytes = sum(SentBytes) by DeviceName, AccountName, RemoteUrl, bin(Timestamp, 1h)
| where TotalBytes > 100000000
| order by TotalBytes desc
Stage 6: ESXi and Backup Targeting
What happens: Interlock specifically targets VMware ESXi hypervisors and Veeam backup infrastructure to maximise impact and eliminate recovery options. The Linux ESXi encryptor is deployed via SSH after credentials are obtained.
Detection: Veeam configuration file access from unexpected process
title: Veeam Backup Database or Config Access by Suspicious Process
id: 4b9e2c71-8f43-4a27-93d1-7ae52b3d9c01
status: experimental
logsource:
category: file_event
product: windows
detection:
selection:
TargetFilename|contains:
- '\VeeamBackup'
- '\Veeam\Backup'
- 'VeeamBackup.config'
Image|not|startswith:
- 'C:\Program Files\Veeam'
condition: selection
level: critical
tags:
- attack.impact
- attack.t1490
Stage 7: Encryptor Deployment
What happens: The Interlock Windows encryptor appends .interlock to encrypted files and drops a ransom note !README!.txt. The Linux encryptor targets ESXi flat VMDK files.
Detection: Mass file rename event (encryption indicator)
DeviceFileEvents
| where ActionType == "FileRenamed"
| where FileName endswith ".interlock"
or FileName endswith ".locked"
or FileName endswith ".enc"
| summarize RenameCount = count() by DeviceName, AccountName, bin(Timestamp, 1m)
| where RenameCount > 100
| order by RenameCount desc
Hunting Summary: Key IOCs for Interlock (as of July 2026)
| Indicator | Type | Stage |
|---|---|---|
.interlock file extension | File | Encryption |
!README!.txt ransom note | File | Encryption |
RunMRU registry write from explorer.exe with PowerShell content | Registry | Initial Access |
LSASS access with 0x1010/0x1410 grant by non-system process | Process Access | Credential Theft |
Outbound connection to mega.nz from non-browser process | Network | Exfiltration |
| ESXi SSH authentication from Windows system account | Network | Lateral Movement |
Recommended Response Actions
If you identify Stage 1 or 2 activity: isolate the affected endpoint immediately and block outbound PowerShell network connections. Check clipboard paste history and browser history for the source of the ClickFix prompt.
If you identify Stage 4 or 5 activity: the operator already has valid credentials. Treat any recently accessed or newly-created accounts as compromised. Disable all accounts touched on affected systems and initiate a broader AD investigation before re-enabling.
If you identify Stage 7: move to incident response. Check whether Veeam backups are intact — Interlock specifically targets these. If offline backups exist, they are likely your fastest recovery path.