New FBI Warning — Windows And Linux Users Must Apply 2FA Now

Posted by Davey Winder, Senior Contributor | 7 hours ago


Update, July 28, 2025: This story, originally published on July 27, has been updated with further comments and mitigation advice following the FBI warning for Windows and Linux users to enable 2FA protections in response to the Interlock ransomware threat.

There are some weeks that I almost feel like I have joined the Federal Bureau of Investigation, given the number of alerts that I am exposed to. Within just the last few days, I have shared a warning to 10 million Android users to disconnect their devices, another for all smartphone users as phantom hacker attacks continue, and now comes the FBI recommendation for Windows and Linux users to urgently enable two-factor authentication to complete the cyber-trilogy. Here’s everything you need to know when it comes to mitigating the Interlock ransomware threat.


FBI And CISA Issue Joint Interlock Ransomware Warning

A relatively new ransomware threat is, according to the Cybersecurity and Infrastructure Security Agency, on the rise and targeting both businesses and critical infrastructure providers with double-extortion attacks. A July 22 joint cybersecurity advisory, issued alongside the FBI under alert code aa25-203a, was prompted by ongoing FBI investigations that have identified both indicators of compromise and the tactics, techniques and procedures used by the attackers. “The FBI is aware of Interlock ransomware encryptors designed for both Windows and Linux operating systems,” the alert confirmed.

Although I would heartily recommend reading the full alert for all the technical details, the attacks can be summed up as employing drive-by downloads and ClickFix social engineering to gain initial access. Once the system has been breached, the attackers deploy credential stealers and keyloggers to obtain account credentials, then move laterally and escalate privileges in order to deploy the ransomware and exfiltrate data.


Cybersecurity Experts Throw Their Weight Behind The Latest FBI Ransomware Warning

It’s not just the FBI and CISA that have raised the red flag as far as the Interlock ransomware threat is concerned; the cybersecurity industry has also made it clear how dangerous this particular campaign actually is.

“Interlock initially leveraged ClickFix as their primary method of gaining access, but recent reports suggest a transition towards the use of FileFix,” Steven Thomson, a senior security operations center analyst at Barrier Networks, explained, adding that both tools have been observed being used to download and deploy a remote access trojan, which is then moved laterally to key devices in order to establish a foothold within the target environment. Using “throwaway IP addresses” to communicate, the RAT also, according to a Barrier Networks investigation, uses “PowerShell commands to conduct reconnaissance within the victim’s network.” Exfiltrated data is moved into an Azure blob storage container, Thomson said, enabling the attackers to evade detection “by blending in with normal cloud activity.”

Erich Kron, a security awareness advocate at KnowBe4, meanwhile, told me that the use of compromised websites for drive-by malware downloads is “not very common in the world of ransomware,” but that Interlock is working hard to make a name for themselves, so some tactics, such as using social engineering, are most certainly common. “Convincing people to install updates or fixes, really just disguised malware, in ClickFix attacks is not a new concept as fake updates or antivirus notifications have been around for years,” Kron pointed out, and to counter those, organizations should “ensure their employees are aware of the campaigns and are taught to spot them, and that they are aware of the real and legitimate process the organization’s IT department uses to install patches or updates so they are not tricked into executing malware.”


Mitigating The Interlock Ransomware Threat — The FBI Recommendations

Prevention is always better than cure, and that is no truer than when applied to the world of cybersecurity. Mitigating a threat is the priority for every security team; nobody wants to be dealing with the fallout of failing to do so. The FBI is aware of this, which is why the cybersecurity alert features a large, red bullet point mitigation table at the top of the advisory. It’s also why it’s the focus of this article.

While the “actions for organizations to take today” list is, of course, extremely valuable, it is not the complete mitigation picture. For that you need to dig deeper into the alert itself. Personally, I would move number four up to number one as well – especially the advice to employ 2FA across accounts, as this is crucial in preventing the lateral movement and privilege escalation that enables a successful ransomware attack.

But anyhoo, let’s explore the full FBI mitigation advice in our own bullet point list, shall we?

  • Require multi-factor authentication, or 2FA as many still refer to it, across all services and accounts where possible, but particularly “webmail, virtual private networks, and accounts that access critical systems.”
  • Employ web access firewalls to prevent process injection from malicious domains, along with domain name system filtering to block access in the first place.
  • Ensure all accounts comply with NIST password standards.
  • Keep all operating systems, firmware and software up to date through a managed and prioritized patching system.
  • Employ network segmentation to prevent lateral movement by adversaries.
  • Review domain controllers, servers, workstations, and active directories for new or unrecognized accounts.
  • Disable unused ports.
  • Disable utilities that run from the command line, so as to make it harder for adversaries to escalate privileges and move laterally through the network.

And, as the FBI notes, implement a recovery plan!
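One way to turn the “review for new or unrecognized accounts” item into a repeatable check, as an added example that comes from neither the advisory nor the article: a small Python script that flags account-creation and group-membership events in a Windows Security log export and new or uid-0 accounts in a Linux /etc/passwd snapshot. The export row format, host names, account names and the baseline snapshot are all constructed assumptions.

```python
# Added example (not from the advisory): the FBI/CISA bullet "review domain controllers,
# servers, workstations and Active Directory for new or unrecognized accounts" as a
# repeatable check. The export row format and all sample data below are constructed.
# Windows Security log event IDs (documented by Microsoft) that an intruder carving out
# a foothold would trigger: account creation and security-group membership additions.
ACCOUNT_EVENTS = {"4720": "user account created", "4728": "added to global security group"}

def review_windows_events(lines, approved):
    """Rows: 'host|timestamp|event_id|target_account|subject_account'. Returns
    (host, account, reason) for every non-approved account touched by ACCOUNT_EVENTS."""
    findings = []
    for line in lines:
        parts = line.strip().split("|")
        if len(parts) != 5:
            continue  # malformed row: skip it rather than abort the whole review
        host, _ts, event_id, target, subject = parts
        if event_id in ACCOUNT_EVENTS and target.lower() not in approved:
            findings.append((host, target, f"{ACCOUNT_EVENTS[event_id]} by {subject}"))
    return findings

def parse_passwd(text):
    """Map login name -> (uid, shell) for each well-formed /etc/passwd line."""
    users = {}
    for line in text.splitlines():
        f = line.split(":")
        if len(f) == 7 and f[2].isdigit():
            users[f[0]] = (int(f[2]), f[6])
    return users

def review_passwd(host, baseline, current, min_uid=1000):
    """Accounts absent from the baseline snapshot: new login accounts (uid >= min_uid)
    and any additional uid-0 account, which is root-equivalent and never benign."""
    base, cur = parse_passwd(baseline), parse_passwd(current)
    findings = []
    for name, (uid, shell) in cur.items():
        if name in base:
            continue
        if uid == 0:
            findings.append((host, name, "new uid 0 (root-equivalent) account"))
        elif uid >= min_uid:
            findings.append((host, name, f"new login account with shell {shell}"))
    return findings

# Constructed sample input: one approved new hire, one unexplained service account,
# an unrelated logon (4624, ignored) and a Linux host whose passwd file has grown.
WIN_EVENTS = ["DC01|2025-07-23T02:14:07Z|4720|svc_backup2|Administrator",
              "DC01|2025-07-23T02:15:30Z|4728|svc_backup2|Administrator",
              "WS17|2025-07-23T09:01:12Z|4624|jsmith|-",
              "DC01|2025-07-23T10:00:00Z|4720|newhire.alice|hr.admin"]
APPROVED = {"newhire.alice"}
PASSWD_BASE = "root:x:0:0:root:/root:/bin/bash\nops:x:1000:1000::/home/ops:/bin/bash\n"
PASSWD_NOW = PASSWD_BASE + "sync2:x:0:0::/:/bin/sh\nbkp:x:1001:1001::/home/bkp:/bin/bash\n"
```

The baseline snapshot and the approved list are the part that needs care: both must come from the normal provisioning process, otherwise an account the intruder created before the snapshot was taken is silently treated as known.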
