Threat Actor Profile — INTERLOCK
Aliases & Affiliation: Currently tracking as INTERLOCK. Threat intelligence suggests a RaaS (Ransomware-as-a-Service) model or a closed group utilizing sophisticated access brokers.
Ransom Model: Employing a double-extortion strategy. INTERLOCK exfiltrates sensitive data prior to encryption and threatens public release on their dark web leak site to pressure victims into payment.
Initial Access Vectors: INTERLOCK demonstrates a high technical capability in exploiting enterprise perimeter defenses. Current intelligence confirms active exploitation of:
- VPN/Perimeter Appliances: Targeting CVE-2026-50751 (Check Point Security Gateway) and CVE-2026-20131 (Cisco Secure Firewall FMC).
- Remote Management Tools: Leveraging CVE-2024-1708 (ConnectWise ScreenConnect) for authenticated remote code execution.
- Legacy Services: Exploiting Microsoft Exchange deserialization flaws (CVE-2023-21529).
Operational Tempo: The group maintains a low volume of postings (1 victim in the last 100 posts), suggesting a "big game hunting" or highly targeted approach rather than automated mass exploitation. Average dwell time is estimated at 3–5 days, allowing time for extensive lateral movement and data staging.
Current Campaign Analysis
Sector Focus: The latest data indicates a sharp pivot or continued focus on the Education sector, specifically K-12 institutions (e.g., Borger ISD).
Geographic Concentration: United States.
Victim Profile: The targeting of Independent School Districts (ISDs) suggests a focus on mid-sized entities with mature networks but potentially stretched IT security teams, likely holding sensitive PII/PHI data but lacking robust segmentation.
Observed Patterns:
- Escalation: The group is actively weaponizing CVEs added to the CISA KEV catalog in early-to-mid 2026.
- CVE Connection: The compromise of Borger ISD likely involves the exploitation of CVE-2026-50751 (Check Point) to bypass the perimeter, followed by CVE-2024-1708 (ScreenConnect) for lateral movement and command-and-control (C2) establishment. The use of the Nx Console vulnerability (CVE-2026-48027) suggests potential supply chain or developer-environment compromise in wider operations.
Detection Engineering
SIGMA Rules
---
title: Potential ScreenConnect Authentication Bypass (CVE-2024-1708)
id: 6a5b91c0-9a2e-4c5f-8b1d-3e4f5a6b7c8d
description: Detects suspicious command execution spawned by ConnectWise ScreenConnect processes, often indicative of exploitation of CVE-2024-1708 or web shell activity.
status: experimental
date: 2026/07/11
author: Security Arsenal Research
references:
- https://cisa.gov/known-exploited-vulnerabilities-catalog
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|contains:
- 'ConnectWiseControl.Client.exe'
- 'ScreenConnect.Service.exe'
Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
- '\pwsh.exe'
condition: selection
falsepositives:
- Legitimate administrative use via ScreenConnect
level: high
tags:
- cve.2024.1708
- ransomware.interlock
- initial.access
- execution
---
title: Check Point Security Gateway IKEv1 Anomaly Detection
id: 7b6c02d1-0b3f-5d6g-9c2e-4f5g6a7b8c9d
description: Detects indicators of exploitation attempts against CVE-2026-50751 involving improper authentication in IKEv1 key exchange, observed in INTERLOCK campaigns.
status: experimental
date: 2026/07/11
author: Security Arsenal Research
logsource:
product: checkpoint
service: vpn
detection:
selection:
protocol: 'ikev1'
message|contains:
- 'authentication failed'
- 'ike failure'
src_ip|cidr:
- '0.0.0.0/0' # Filter based on known bad IPs or geolocation if possible
filter:
dst_port: 500
condition: selection | count() > 10
falsepositives:
- Misconfigured VPN clients
- Legacy VPN scanner noise
level: high
tags:
- cve.2026.50751
- ransomware.interlock
- perimeter.breach
---
title: Suspicious Volume Shadow Copy Deletion via VssAdmin
id: 8c7d13e2-1c4g-6e7h-0d3f-5g6h7a8b9c0e
description: Detects commands used to delete Volume Shadow Copies, a common step in ransomware playbooks to prevent recovery, associated with INTERLOCK pre-encryption activity.
status: experimental
date: 2026/07/11
author: Security Arsenal Research
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\vssadmin.exe'
CommandLine|contains: 'delete shadows'
condition: selection
falsepositives:
- System administration scripts
level: critical
tags:
- ransomware.interlock
- impact
- defense.evasion
KQL (Microsoft Sentinel)
Hunt for lateral movement patterns consistent with INTERLOCK using PsExec or WMI, often seen after perimeter bypass.
let TimeFrame = 1d;
Process
| where Timestamp >= ago(TimeFrame)
| where Image in~ ("C:\\Windows\\System32\\cmd.exe", "C:\\Windows\\System32\\powershell.exe", "C:\\Windows\\System32\tm\regsvr32.exe")
| where ParentProcessName contains "PsExec" or ParentProcessName contains "wmiprvse" or CommandLine contains "-enc"
| project Timestamp, Computer, Account, Image, CommandLine, ParentProcessName
| order by Timestamp desc
PowerShell Rapid Response Script
Script to enumerate scheduled tasks created recently (often used for persistence) and check for active RDP sessions.
# INTERLOCK Response Check: Scheduled Tasks & RDP Sessions
Write-Host "Checking for Scheduled Tasks created in the last 7 days..." -ForegroundColor Yellow
$schTasks = Get-ScheduledTask | Where-Object { $_.Date -gt (Get-Date).AddDays(-7) }
if ($schTasks) {
Write-Host "[ALERT] Found recently created/modified scheduled tasks:" -ForegroundColor Red
$schTasks | Select-Object TaskName, Date, Author, Actions | Format-Table -AutoSize
} else {
Write-Host "[OK] No suspicious recent scheduled tasks found." -ForegroundColor Green
}
Write-Host "\nChecking for active RDP sessions..." -ForegroundColor Yellow
$queryResults = query user
if ($queryResults) {
Write-Host "Active sessions found:" -ForegroundColor Cyan
$queryResults
} else {
Write-Host "No active RDP sessions." -ForegroundColor Green
}
---
Incident Response Priorities
T-minus Detection Checklist:
- VPN Logs: Review Check Point and Cisco FMC logs for spikes in IKEv1 failures or authentication anomalies (CVE-2026-50751, CVE-2026-20131).
- Remote Access: Audit ConnectWise ScreenConnect logs for web login anomalies or unauthorized file transfers.
- Process Audit: Hunt for
PsExecorWMIexecution chains originating from non-admin workstations.
Critical Assets for Exfiltration: INTERLOCK prioritizes data that disrupts operations. In Education sectors, focus containment on:
- Student Information Systems (SIS).
- Finance and Payroll databases.
- HR records containing sensitive PII.
Containment Actions:
- Isolate: Immediately disconnect the internet-facing management interfaces (ScreenConnect, VPN appliances) from the internal network.
- Revoke: Force-reset credentials for all local and domain admin accounts used on the compromised VPN device.
- Segment: Isolate the affected VLAN (e.g., Admin/Servers) from student/educator networks to stop lateral spread.
Hardening Recommendations
Immediate (24h):
- Patch: Apply patches for CVE-2026-50751 (Check Point) and CVE-2024-1708 (ConnectWise ScreenConnect) immediately. If patching is delayed, disable the specific services (IKEv1 or ScreenConnect web interface) temporarily.
- MFA Enforcement: Ensure multi-factor authentication (MFA) is enforced strictly on all VPN and remote access portals; INTERLOCK is exploiting authentication bypasses, so robust MFA acts as a critical layer of defense.
Short-term (2 weeks):
- Network Segmentation: Move administrative interfaces (VPN, Firewall Management, ScreenConnect) to a dedicated, isolated management VLAN, inaccessible from the general internal network.
- Audit Exposed Services: Conduct an external scan to identify and remove any unnecessary remote management tools exposed to the internet.
Related Resources
Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.