kcheung
Staff
April 3, 2026

FortiGuard Outbreak Alert: Interlock Ransomware Attacks

Description

FortiGuard Labs has observed an active Interlock ransomware campaign that exploits a vulnerability (CVE-2026-20131) in Cisco Secure Firewall Management Center (FMC) as its initial access vector.
Successful exploitation allows an unauthenticated attacker to execute arbitrary code with root privileges.


After gaining initial access, the attackers ran a multi-stage attack chain that included fileless implants, custom-built malware, and remote access tools.


For detailed information about the campaign, refer to the following articles:

CVE ID

CVE-2026-20131

FortiNDR Cloud Coverage

FortiNDR Cloud v26.1b+

  • PowerShell
    • Legitimate Windows tool used in the campaign to download malicious files.
    • Detection rule: PowerShell HTTP Traffic to External Destination
      Category: Attack: Installation
      Primary MITRE ID: T1059.001 - PowerShell
  • Interlock RAT
    • Malicious remote access tool (RAT) used by the Interlock ransomware campaign to maintain persistent access.
    • Detection rule: Interlock RAT Command and Control Custom Message
      Category: Attack: Command and Control
      Primary MITRE ID: T1071.001 - Web Protocols
  • ConnectWise ScreenConnect
    • Legitimate remote desktop software used by the Interlock ransomware campaign to maintain persistent access.
    • Detection rule: Potentially Unauthorized ScreenConnect Remote Administration Tool SSL Certificate
      Category: Posture: Potentially Unauthorized Software or Device
      Primary MITRE ID: T1071 - Application Layer Protocol
  • AzCopy
    • Legitimate Azure Storage copy tool used by the Interlock ransomware campaign to exfiltrate more than 250 GB of data from the victim's file server to Azure storage.
    • The FortiNDR Cloud Behavioral Observation "Large Outbound Data Transfer to Cloud or New Domain" detects suspiciously large data transfers to Azure storage made with AzCopy.
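Two of the observations listed above, PowerShell HTTP traffic to an external destination and a large outbound transfer to cloud storage, reduce to simple checks over proxy or flow telemetry. The script below is an added example and is not FortiNDR Cloud's own detection logic: the record layout, the field names, the internal address ranges, the 50 GiB threshold and the sample records are all constructed for illustration.

```python
"""Re-create two behavioral checks over constructed proxy/flow records.
Added example; field names, thresholds and records are assumptions."""
import ipaddress
from collections import defaultdict

# Constructed sample records, one per HTTP session seen at a proxy or sensor
# (bytes_out = bytes sent by the internal host). Not telemetry from the campaign.
SAMPLE_EVENTS = [
    # Workstation fetching a file with PowerShell from an Internet host.
    {"src": "10.0.5.21", "dst": "203.0.113.10", "host": "203.0.113.10",
     "ua": "Mozilla/5.0 (Windows NT 10.0; Microsoft Windows 10.0.19045; en-US) "
           "WindowsPowerShell/5.1.19041.4291",
     "bytes_out": 1_200},
    # Same workstation talking to the internal update server: benign.
    {"src": "10.0.5.21", "dst": "10.0.9.8", "host": "wsus.corp.example",
     "ua": "Mozilla/5.0 (Windows NT 10.0; Microsoft Windows 10.0.19045; en-US) "
           "WindowsPowerShell/5.1.19041.4291",
     "bytes_out": 900},
    # File server pushing 120 GB to an Azure Blob endpoint across three sessions.
    {"src": "10.0.7.40", "dst": "20.60.1.5", "host": "stg7f3a.blob.core.windows.net",
     "ua": "AzCopy/10.21.2", "bytes_out": 40_000_000_000},
    {"src": "10.0.7.40", "dst": "20.60.1.5", "host": "stg7f3a.blob.core.windows.net",
     "ua": "AzCopy/10.21.2", "bytes_out": 40_000_000_000},
    {"src": "10.0.7.40", "dst": "20.60.1.5", "host": "stg7f3a.blob.core.windows.net",
     "ua": "AzCopy/10.21.2", "bytes_out": 40_000_000_000},
    # Laptop syncing a few MB to SharePoint: not a storage-account hostname.
    {"src": "10.0.5.77", "dst": "13.107.42.12", "host": "corp-my.sharepoint.com",
     "ua": "Microsoft SkyDriveSync 24.0", "bytes_out": 5_000_000},
]

# Assumed internal ranges; extend with the organisation's own public space if needed.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

# Hostname suffixes of the major public object/file storage services.
CLOUD_STORAGE_SUFFIXES = (".blob.core.windows.net", ".file.core.windows.net",
                          ".s3.amazonaws.com", ".storage.googleapis.com")


def is_external(ip: str) -> bool:
    """True when the address is outside every range in INTERNAL_NETS."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def detect_powershell_external(events):
    """(src, host) pairs where a PowerShell User-Agent reached an external address.

    Both Windows PowerShell 5.1 and PowerShell 7 advertise 'PowerShell/<ver>'
    in the default User-Agent of Invoke-WebRequest / Invoke-RestMethod.
    """
    return [(e["src"], e["host"]) for e in events
            if "PowerShell/" in e["ua"] and is_external(e["dst"])]


def detect_large_cloud_transfer(events, threshold_bytes=50 * 1024 ** 3):
    """Sum bytes_out per (src, host) for cloud-storage hostnames; keep totals
    at or above the threshold. Aggregation matters: AzCopy splits a large
    upload into many sessions, none of which is large on its own."""
    totals = defaultdict(int)
    for e in events:
        if e["host"].endswith(CLOUD_STORAGE_SUFFIXES):
            totals[(e["src"], e["host"])] += e["bytes_out"]
    return {k: v for k, v in totals.items() if v >= threshold_bytes}


if __name__ == "__main__":
    for src, host in detect_powershell_external(SAMPLE_EVENTS):
        print(f"PowerShell to external destination: {src} -> {host}")
    for (src, host), total in detect_large_cloud_transfer(SAMPLE_EVENTS).items():
        print(f"Large transfer to cloud storage: {src} -> {host} ({total / 1e9:.1f} GB)")
```

Two caveats apply when running something like this on real data. The User-Agent check only catches downloads made through the web cmdlets; a download via Net.WebClient may carry no User-Agent at all, and an attacker can set any value, so treat the rule as a lead rather than proof. The transfer check must be baselined per host, since backup agents and sync clients legitimately push large volumes to the same storage services; what made the campaign's traffic stand out was a file server uploading to a storage account it had never spoken to before.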

Playbook

N/A

Threat Hunting

FortiNDR Cloud users can use the following IOCs from Fortinet to hunt for "Interlock Ransomware Attacks" related activities.
IOC source: Interlock Ransomware Attack | Indicators of Compromise
All IOCs relating to "Interlock Ransomware Attacks" have been added to FortiNDR Cloud Threat Intelligence Intel Feed.

Suricata/DPI Coverage

Customers can build custom investigations and detections on the following Suricata and DPI signatures:

  • Suricata (sig_id):
    • 2062408 -> ET MALWARE Interlock RAT CnC Checkin
    • 2061804 -> ET MALWARE Interlock RAT CnC Checkin
    • 2050021 -> ET INFO Observed DNS Query to Known ScreenConnect/ConnectWise Remote Desktop Service Domain
  • DPI (dpi_vuln_id):
    • 58492 -> Interlock.RAT.Botnet
    • 38570 -> ScreenConnect

Other Fortinet Products

For details on mitigating this vulnerability with other Fortinet products, refer to the Interlock Ransomware Attacks page.