Joint advisory flags Interlock ransomware as an active cross-sector threat
CISA and partner agencies say Interlock ransomware activity is affecting businesses and critical infrastructure, with current guidance focused on access control, segmentation, patching, and phishing defense.
What happened
In July 2025, CISA, the FBI, the US Department of Health and Human Services, and the Multi-State Information Sharing and Analysis Center issued a joint advisory on Interlock ransomware. The advisory says the guidance is intended to help businesses and critical infrastructure organisations in North America and Europe defend against Interlock activity, using indicators of compromise and tactics identified through recent FBI investigations.
Who is affected
- businesses with internet-facing infrastructure and uneven patch discipline
- healthcare and public-sector operators watching HHS-linked guidance closely
- security teams responsible for access control, segmentation, and phishing resistance
Why it matters
This is another example of ransomware defense guidance moving beyond isolated victim reporting and into a standing defensive posture. The mitigation guidance is familiar but still important: patch exposed systems, reduce initial access opportunities, segment networks, and tighten identity controls. When agencies keep publishing this style of cross-sector advisory, the message is that ransomware resilience is still being lost through basic weaknesses rather than exotic failure modes.
Assessment
Key follow-on points to watch include:
- whether Interlock appears more often in public incident attribution
- whether follow-on reporting links the group to particular sectors or recurring access paths
- whether organisations operationalise the guidance instead of treating it as another alert to file away
Recommended actions
- review whether the issue is relevant to your environment, suppliers, or exposed systems
- patch, harden, or validate logging and monitoring coverage where applicable
- monitor follow-on developments, especially whether Interlock appears more often in public incident attribution, whether follow-on reporting links the group to particular sectors or recurring access paths, and whether organisations operationalise the guidance instead of treating it as another alert to file away