{"id":28862,"date":"2025-05-16T21:45:14","date_gmt":"2025-05-16T16:15:14","guid":{"rendered":"https:\/\/www.kaspersky.co.in\/blog\/interlock-ransomware-clickfix-attack\/28862\/"},"modified":"2025-05-16T21:45:39","modified_gmt":"2025-05-16T16:15:39","slug":"interlock-ransomware-clickfix-attack","status":"publish","type":"post","link":"https:\/\/www.kaspersky.co.in\/blog\/interlock-ransomware-clickfix-attack\/28862\/","title":{"rendered":"How Interlock attacks IT specialists with fake CAPTCHAs and ClickFix"},"content":{"rendered":"

The ransomware group Interlock has started using the ClickFix technique<\/a> to gain access to its victims\u2019 infrastructure. In a recent post, we discussed the general concept of ClickFix<\/a>. Today we\u2019ll look at a specific case where a ransomware group has put this tactic into action. Cybersecurity researchers have discovered that Interlock is using a fake CAPTCHA imitating a Cloudflare-protected site on a page posing as the website of Advanced IP Scanner \u2014 a popular free network scanning tool. This suggests the attack is aimed at IT professionals working in organizations of potential interest to the group.<\/p>\n

How Interlock is using ClickFix to spread malware<\/h2>\n

\nThe Interlock attackers lure victims to a webpage with an URL mimicking that of the official Advanced IP Scanner site. The researchers found multiple instances of this same page hosted at different addresses across the web.<\/p>\n

When the user clicks the link, they see a message asking them to complete a CAPTCHA, seemingly provided by Cloudflare. The message states that Cloudflare helps companies \u201cregain control of their technology\u201d. This legitimate-looking marketing text is in fact copied from Cloudflare\u2019s own What is Cloudflare?<\/a> webpage. It\u2019s followed by instructions to press Win + R<\/em>, then Ctrl + V<\/em>, and finally Enter<\/em>. Next come two buttons: Fix it<\/em> and Retry<\/em>.<\/p>\n

Finally, a message claims that the resource the victim is trying to access needs to verify the connection\u2019s security.<\/p>\n

In reality, when the victim clicks Fix it<\/em>, a malicious PowerShell command is copied to the clipboard. The user then unknowingly opens the command console with Win + R<\/em> and pastes the command with Ctrl + V<\/em>. Pressing Enter<\/em> then executes the malicious command.<\/p>\n

Executing the command downloads and launches a 36-megabyte fake PyInstaller installer file. And to distract the victim, a browser window with the real Advanced IP Scanner website opens.<\/p>\n

From data collection to extortion: the stages of an Interlock attack<\/h2>\n

\nOnce the fake installer is launched, a PowerShell script is activated that collects system information and sends it to a C2 server. In response, the server can either send the ooff<\/em> command to terminate the script, or deliver additional malware. In this case the attackers used Interlock RAT (remote access Trojan) as the payload. The malware is saved in the %AppData%<\/em> folder and runs automatically, allowing the attackers to access confidential data and establish persistence in the system.<\/p>\n

After initial access, the Interlock operators try to use previously stolen or leaked credentials and the Remote Desktop Protocol (RDP)<\/a> for lateral movement. Their primary target is the domain controller (DC)<\/a> \u2014 gaining access to it allows the attackers to spread malware across the infrastructure.<\/p>\n

The final step before launching the ransomware is to steal the victim organization\u2019s valuable data. These files are uploaded to Azure Blob Storage controlled by the attackers. After exfiltrating the sensitive data, the Interlock group publishes it on a new Tor domain. A link to this domain is then provided in a new post on the group\u2019s .onion<\/em> site.<\/p>\n

\"Ransom<\/a>

Example of a ransom note sent by the Interlock ransomware group. Source<\/a><\/p><\/div>\n

How to protect against ClickFix attacks<\/h2>\n

\nClickFix and other similar techniques rely heavily on social engineering, so the best protection is a systematic approach focused primarily on raising employee awareness. To help with this, we recommend our Kaspersky Automated Security Awareness Platform<\/a>, which automates training programs for staff.<\/p>\n

In addition, to protect against ransomware attacks, we recommend the following:\n<\/p>\n