A routine browser verification prompt appears on an employee's screen. A few clicks later, an attacker has established persistence inside the environment. Days later, sensitive data has been exfiltrated, security controls have been bypassed, and ransomware is deployed across critical systems.
This is the reality of modern ransomware operations.
Interlock, a ransomware group first identified in 2024, demonstrates how threat actors are leveraging artificial intelligence (AI) beyond phishing and social engineering. Researchers have linked Interlock-affiliated activity to malware that exhibits characteristics commonly associated with AI-assisted development, highlighting how attackers can accelerate malware creation, generate variants faster, and scale operations more efficiently.
For defenders, the lesson is clear: ransomware is no longer just an encryption problem. It is a cyber resilience challenge that spans identity, infrastructure, data protection, and recovery.
Why Interlock Matters
Interlock operates as a double-extortion ransomware group, stealing data before encrypting systems. Victims face both operational disruption and the threat of public data exposure.
The group has been observed targeting:
- Windows servers and endpoints
- VMware and virtualized environments
- File shares and enterprise storage
- Identity infrastructure and Active Directory
- Business-critical applications and operational workloads
Like many modern ransomware operators, Interlock does not rely on a single exploit. Instead, it combines social engineering, credential theft, persistence mechanisms, data exfiltration, and encryption into a coordinated attack chain.
What makes Interlock noteworthy is its apparent use of AI-assisted malware development, allowing operators to produce and modify tooling more rapidly than traditional development cycles.
AI is not replacing ransomware operators. It is making them faster, more scalable, and harder to defend against.
Understanding the Interlock Attack Chain
Interlock runs deliberate, multi-stage intrusions. The encryption event is the final act of a much longer play. Understanding each phase gives defenders critical windows for detection and disruption.
| Phase | Activity | Description | Severity |
|---|---|---|---|
| 01 | Initial Access | ClickFix, fake CAPTCHAs, fake browser updates, compromised sites | CRITICAL |
| 02 | PowerShell Execution | Lightweight downloader retrieves secondary payloads via C2 | ELEVATED |
| 03 | Persistence via AI-Assisted Malware | Interlock RAT → backdoor established for long-term access | CRITICAL |
| 04 | Reconnaissance | Active Directory mapping, user/group enumeration, backup discovery | ELEVATED |
| 05 | Credential Theft & Privilege Escalation | LSASS dumping, service abuse, administrative account takeover | CRITICAL |
| 06 | Data Exfiltration | Financial records, IP, customer data staged and exfiltrated | ELEVATED |
| 07 | Defense Evasion | EDR, AV, backup agents, and monitoring tools suppressed | CRITICAL |
| 08 | Ransomware + Double Extortion | .interlock extension applied; ransom note dropped; data leak threatened | CRITICAL |
AI Changes the Economics of Attacks
According to IBM, researchers linked an Interlock-affiliated threat actor, Hive0163, to a backdoor called Slopoly, a persistence and command-and-control (C2) tool that shows signs of AI-assisted development. Characteristics such as consistent coding patterns, modular design, and rapid variant creation suggest attackers may be using AI to accelerate malware development.
The significance is not the malware itself, but what it represents. AI enables threat actors to create and modify tooling faster, lowering development barriers while adapting more quickly to defensive controls.
Slopoly: Persistence Before Ransomware
Slopoly is not the ransomware payload. It acts as a backdoor that helps attackers maintain access after the initial compromise.
A typical attack sequence involves:
- ClickFix social engineering triggering PowerShell execution
- PowerShell retrieving the Interlock RAT
- The RAT deploying the Slopoly backdoor
- Slopoly providing persistent access for reconnaissance, credential theft, and data exfiltration
For defenders, this highlights an important shift: ransomware is often the final stage of an attack. Detecting persistence and post-compromise activity provides a critical opportunity to stop attackers before encryption begins.
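The first three phases of the attack chain table and the sequence above (lure → PowerShell → persistence) leave process-creation telemetry that can be matched before any encryption occurs. The following is an added detection example written for this article; it is not Druva's or IBM's code. The event lines are constructed to approximate Sysmon/EDR process-creation records, and the field names (host, parent, image, cmdline) and detection names are assumptions of the example rather than any vendor's schema.

```python
"""
Detection logic for the early Interlock phases: a ClickFix lure launching
PowerShell with lure-style flags (T1204, T1059.001), then a script host
registering a scheduled task for persistence (T1053).

Added example, not Druva's or IBM's code. Event format is constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# ClickFix lures have the victim paste a command into the Run dialog or a
# browser-launched prompt, so the shell's parent is explorer.exe or a browser.
LURE_PARENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "explorer.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}

# Flags an administrator rarely types interactively but one-line lures carry:
# hidden window, bypassed execution policy, base64-encoded command.
SUSPICIOUS_FLAGS = re.compile(
    r"(?i)(?:-w(?:indowstyle)?\s+hidden|-e(?:nc|ncodedcommand)?\s|-e(?:p|xecutionpolicy)\s+bypass)"
)


@dataclass
class ProcEvent:
    ts: str
    host: str
    parent: str
    image: str
    cmdline: str


def parse_event(line: str) -> ProcEvent:
    """Parse one constructed event: '<timestamp> key="value" key="value" ...'."""
    ts = line.split(maxsplit=1)[0]
    f = dict(re.findall(r'(\w+)="([^"]*)"', line))
    return ProcEvent(ts, f["host"], f["parent"].lower(), f["image"].lower(), f["cmdline"])


def classify(ev: ProcEvent) -> List[str]:
    """Return the names of the detections that fire for a single event."""
    hits = []
    # Phase 01/02: PowerShell spawned by a lure parent with lure-style flags.
    if ev.parent in LURE_PARENTS and ev.image in SHELLS and SUSPICIOUS_FLAGS.search(ev.cmdline):
        hits.append("clickfix_powershell")
    # Phase 03: a script host creating a scheduled task (persistence, T1053).
    if ev.parent in SHELLS and ev.image == "schtasks.exe" and "/create" in ev.cmdline.lower():
        hits.append("script_host_schtasks_create")
    return hits


def detect(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Run every rule over the log and return (timestamp, host, detection) triples."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        for name in classify(ev):
            findings.append((ev.ts, ev.host, name))
    return findings


# Constructed sample log. The base64 blob and task action are placeholders.
SAMPLE_LOG = [
    '2025-01-10T09:14:02Z host="WS-017" parent="explorer.exe" image="powershell.exe" '
    'cmdline="powershell -ExecutionPolicy Bypass -w hidden -enc <BASE64_PLACEHOLDER>"',
    '2025-01-10T09:14:09Z host="WS-017" parent="powershell.exe" image="schtasks.exe" '
    'cmdline="schtasks /create /tn Updater /sc minute /mo 15 /tr <COMMAND_PLACEHOLDER>"',
    # Benign: an administrator opening a console by hand, no lure flags.
    '2025-01-10T09:20:41Z host="WS-003" parent="explorer.exe" image="powershell.exe" '
    'cmdline="powershell.exe"',
    # Benign: an installer registering its own task; the parent is not a script host.
    '2025-01-10T09:21:00Z host="WS-003" parent="msiexec.exe" image="schtasks.exe" '
    'cmdline="schtasks /create /tn VendorUpdate /sc daily /tr C:\\Vendor\\update.exe"',
]

if __name__ == "__main__":
    for ts, host, name in detect(SAMPLE_LOG):
        print(f"{ts} {host} {name}")
```

Both rules key on the parent/child relationship rather than on the payload itself, which is the point of detecting this chain: the downloader and the RAT may change with every AI-generated variant, but a shell spawned from a Run dialog with a hidden window, or a script host registering a task, looks the same regardless of what it downloads.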
Traditional Ransomware vs. Interlock-Style Operations
Ransomware groups have evolved beyond using AI solely for crafting phishing emails. Interlock exemplifies this shift, integrating and applying AI throughout the attack lifecycle.
| Traditional Ransomware | Interlock-Style Operations |
|---|---|
| Human-developed malware, long cycles | AI-assisted malware development |
| Slow variant creation | Rapid variant generation |
| Higher skill requirements | Lower barrier to entry |
| Limited customization | Dynamic payload evolution |
| AI used only for phishing content | AI applied across the full attack lifecycle |
Indicators of Attack (IOAs)
Interlock activity often generates detectable signals well before ransomware deployment.
Indicator categories: ClickFix & Initial Access; Reconnaissance; Credential Access; Pre-Ransomware Signals.
Known Interlock Ransomware Artifacts
Artifact categories: Common Ransom Notes; Common File Extensions.
The presence of these ransom notes or file extensions is a strong indicator that Interlock ransomware has reached the encryption stage of the attack.
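The encryption-stage signal described above (the .interlock extension from the attack-chain table, plus a ransom note appearing in affected directories) can be checked against file-activity telemetry. The following is an added example written for this article, not Druva's code. The file-event format is constructed, and the ransom-note filename is a placeholder because this page does not list the actual note names.

```python
"""
Encryption-stage indicators: a burst of renames to the .interlock extension on
one host, and a ransom note created in the affected directories (T1486).

Added example, not Druva's code. Event lines are constructed; the ransom-note
name is a placeholder to be replaced with the names from your threat intel.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

INTERLOCK_EXT = ".interlock"                          # from the attack-chain table
RANSOM_NOTE_NAMES = {"RANSOM_NOTE_PLACEHOLDER.txt"}   # placeholder, not a real note name


def parse_file_event(line: str) -> Tuple[str, str, str, str]:
    """Constructed format: '<timestamp> <host> <action> <path>', action in {CREATE, RENAME}."""
    ts, host, action, path = line.split(maxsplit=3)
    return ts, host, action, path


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def max_burst(times: List[datetime], window: timedelta) -> int:
    """Largest number of events that fall inside any window of the given length."""
    times = sorted(times)
    best, start = 0, 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def encryption_indicators(lines: List[str], burst_threshold: int = 10,
                          window: timedelta = timedelta(seconds=60)) -> Dict[str, dict]:
    """Per host: .interlock rename count, densest rename burst, note locations,
    and an overall verdict. Hosts with neither signal are omitted."""
    renames: Dict[str, List[datetime]] = defaultdict(list)
    note_dirs: Dict[str, set] = defaultdict(set)
    for line in lines:
        if not line.strip():
            continue
        ts, host, action, path = parse_file_event(line)
        directory, name = path.rsplit("\\", 1)
        if action == "RENAME" and name.lower().endswith(INTERLOCK_EXT):
            renames[host].append(parse_ts(ts))
        elif action == "CREATE" and name in RANSOM_NOTE_NAMES:
            note_dirs[host].add(directory)
    summary = {}
    for host in set(renames) | set(note_dirs):
        burst = max_burst(renames[host], window)
        summary[host] = {
            "interlock_renames": len(renames[host]),
            "max_burst": burst,
            "note_dirs": sorted(note_dirs[host]),
            # A rename burst is the earlier signal; a note alone is also decisive.
            "encryption_suspected": burst >= burst_threshold or bool(note_dirs[host]),
        }
    return summary


# Constructed sample: twelve renames in eleven seconds on a file server, then a
# note; a workstation renaming files to .bak is ordinary activity and is ignored.
SAMPLE_EVENTS = [
    f"2025-01-12T10:00:{i:02d}Z FS-01 RENAME \\\\FS-01\\finance\\report-{i}.xlsx{INTERLOCK_EXT}"
    for i in range(12)
] + [
    "2025-01-12T10:00:13Z FS-01 CREATE \\\\FS-01\\finance\\RANSOM_NOTE_PLACEHOLDER.txt",
    "2025-01-12T11:30:00Z WS-003 RENAME C:\\Users\\jdoe\\Documents\\budget.xlsx.bak",
    "2025-01-12T11:31:00Z WS-003 RENAME C:\\Users\\jdoe\\Documents\\notes.txt.bak",
]

if __name__ == "__main__":
    for host, state in encryption_indicators(SAMPLE_EVENTS).items():
        print(host, state)
```

The burst measurement matters more than the raw count: a handful of .interlock files spread over a day is worth a look, but dozens of renames per minute on a file share is the encryption run itself, and that is the moment to isolate the host and the share rather than wait for the note.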
MITRE ATT&CK Mapping
The following table maps observed Interlock behaviors to MITRE ATT&CK techniques.
| Phase | Technique | ATT&CK ID |
|---|---|---|
| Initial Access | Phishing, User Execution | T1566, T1204 |
| Execution | Command and Scripting Interpreter (PowerShell) | T1059.001 |
| Persistence | Scheduled Task/Job | T1053 |
| Discovery | Account, System, and Network Discovery | T1087, T1082, T1046 |
| Credential Access | OS Credential Dumping | T1003 |
| Exfiltration | Exfiltration Over C2 Channel | T1041 |
| Defense Evasion | Impair Defenses | T1562 |
| Impact | Data Encrypted for Impact | T1486 |
Bottom Line for Security Leaders
AI is fundamentally altering the scale and cost of cybercrime, as recent Interlock activity shows:
- Attackers can develop malware faster and create variants more frequently
- Operations scale more efficiently with lower technical barriers
- The ransomware payload may be conventional, but the surrounding ecosystem is not
The future of ransomware is not fully autonomous AI. It is human-operated ransomware that’s accelerated by AI. The defenders that recognize this shift today will be better positioned to withstand the threats of tomorrow.
Organizations that focus solely on ransomware detection are already too late in the attack chain. The organizations most likely to withstand Interlock-style attacks are those that detect activity during the reconnaissance, persistence, and credential theft phases before encryption ever begins.
Ready to Strengthen Cyber Resilience?
See how Druva can help your organization stay resilient and recover against the ransomware attacks of tomorrow. Learn more.