Interlock is a double-extortion ransomware family grabbing headlines. CISA’s fresh #StopRansomware advisory links the group to drive-by downloads, fake browser updates and abused remote-management tools that let attackers slip inside networks, encrypt data and threaten public leaks. My years at Cisco Talos gave me an early view of these tradecraft shifts, and Talos’ own research largely appears to be the basis for CISA’s warning.

DNS protection stops the first beacon

CISA’s first mitigation is simple: filter malicious domains at the DNS layer. ThreatSTOP delivers exactly that through our Protective DNS services:

  • DNS Defense Cloud lets you point resolvers to our cloud service and block known-bad queries automatically.

  • DNS Defense places the same intelligence on your own resolvers, keeping traffic local while staying protected.

When Interlock tries to phone home for instructions or payloads, the query never leaves your resolver.

From resolver to router: complete coverage

Interlock pivots fast, moving from HTTP to RDP to raw IP traffic. IP Defense pushes identical threat intelligence to routers, firewalls, IPS sensors and AWS WAF. Malicious packets hit a deny rule before touching your hosts, giving you uniform protection no matter the protocol.

One-click control of risky tools

The advisory highlights attacker reliance on AnyDesk, Cobalt Strike and ScreenConnect for command-and-control and lateral movement. ThreatSTOP’s Application Controls make mitigation immediate. Add these tools to your policy with a single click and every protected resolver, router and firewall enforces the decision within minutes.

Intelligence authored by practitioners

Our Security, Intelligence and Research team curates thousands of proprietary and third-party feeds covering command and control, invalid traffic, peer-to-peer tunnelling, data exfiltration, phishing, spam, Distributed Denial of Service activity and more. Updates flow to your enforcement points continually, so you stay ahead of emerging threats like Interlock.

Turning research into rapid protection

Cisco Talos measured Interlock’s dwell time, Azure-based data exfiltration and FreeBSD encryptor variants. That insight now informs the indicators and rules our team ships daily, so ThreatSTOP customers convert leading research into real-time blocks without lifting a finger.

MITRE ATT&CK alignment

| Tactic | Technique | How ThreatSTOP disrupts it |
| --- | --- | --- |
| Initial Access | T1189 Drive-By Compromise | Protective DNS blocks malicious update domains |
| Execution | T1059.001 PowerShell | IP Defense denies known script-hosting IPs |
| Persistence | T1547.001 Startup Items | Application Controls disable AnyDesk autostart |
| Credential Access | T1555.003 Browser Credential Theft | DNS sinkholes stealer C2 endpoints |
| Lateral Movement | T1021.001 RDP | IP Defense blocks attacker jump servers |
| Command & Control | TA0011 Remote Tooling | One-click blocks for Cobalt Strike, AnyDesk, ScreenConnect |
| Exfiltration | T1567.002 Azure Blob | Resolver policy denies Storage Explorer hostnames |
| Impact | T1486 Data Encryption | Early DNS and IP blocks prevent payload retrieval |

For those interested in joining the ThreatSTOP family, or to learn more about our proactive protections for all environments, we invite you to visit our product page. Discover how our solutions can make a significant difference in your digital security landscape. We have pricing for all sizes of customers. Get started with a demo today!

Connect with Customers, Disconnect from Risks