Saint-Gobain

Saint-Gobain Vendor Cyber Rating & Cyber Score

saint-gobain.com

Saint-Gobain designs, manufactures and distributes materials and solutions for the construction, mobility and industrial markets. Developed through a continuous innovation process, our integrated solutions provide sustainability and performance in daily life, addressing the renovation of public and


Saint-Gobain A.I CyberSecurity Scoring

Company Information
Website: https://www.saint-gobain.com/fr
Employees number: 36,161
Number of followers: 1,125,428
NAICS: 4233
Industry Type: Wholesale Building Materials
Homepage: saint-gobain.com
Saint-Gobain Risk Score (AI oriented)
Between 650 and 699
Saint-Gobain, Wholesale Building Materials
Updated: 02/04/2026
Score: 694/1000
Rating: Weak
Grade: B
Powered by our proprietary A.I cyber incident model
Insurance prefers TPRM score to calculate premium

Saint-Gobain: Weak
Current Score
694 B (WEAK)
3 incidents
-44 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JUNE 2026
706 Before Incident
MAY 2026
702 Before Incident
APRIL 2026
700 Before Incident
MARCH 2026
693 Before Incident
FEBRUARY 2026
692 Before Incident
JANUARY 2026
693 Before Incident
Vulnerability
26 Jan 2026, Saint-Gobain
Cisco, City of Saint Paul and Minnesota: Ransomware crims abused Cisco 0-day weeks before disclosure

Interlock Ransomware Exploited Zero-Day in Cisco Firewall Before Patch

690 After Incident
CRITICAL-3
CISSAI1773859283
Ransomware group Interlock exploited a maximum-severity zero-day vulnerability (CVE-2026-20131) in Cisco Secure Firewall Management Center more than a month before the vendor released a patch. The flaw, allowing unauthenticated remote attackers to execute arbitrary Java code as root, was actively abused starting January 26, while Cisco issued fixes on March 4.

Amazon’s CJ Moses, CISO of Amazon Integrated Security, revealed the timeline, stating that the company’s MadPot honeypot network detected exploit traffic tied to Interlock’s infrastructure. A misconfigured server also exposed the group’s attack toolkit, providing defenders with critical intelligence.

### Interlock’s Tactics and Toolkit

Interlock, a ransomware crew active since 2025, has targeted hospitals, medical facilities, and government entities, disrupting critical services, including chemotherapy sessions and pre-surgery appointments, and leaking sensitive data. Victims include DaVita (kidney dialysis), Kettering Health, and the city of Saint Paul, Minnesota, where a 43 GB data breach forced a state of emergency.

The group’s post-exploitation toolkit includes:

- A PowerShell script harvesting system details (OS, hardware, services, software, storage, VM inventory, user files, RDP logs, and browser data).
- Custom remote access trojans (RATs) in JavaScript and Java, providing persistent access, command execution, file transfer, and SOCKS5 proxy capabilities.
- A Bash script configuring Linux servers as reverse proxies, wiping logs, and ensuring persistence.
- Memory-resident backdoors and lightweight network beacons to evade detection.
- Legitimate tools like ConnectWise ScreenConnect, Volatility, and Certify to blend malicious activity with authorized remote access.

### Redundant Access and Extortion Tactics

Interlock deploys multiple backdoors, including dual-language implants (JavaScript and Java), to maintain access even if one is detected. Their ransom notes threaten regulatory exposure, leveraging compliance violations alongside data encryption and leaks to pressure victims.

Cisco has updated its security advisory, urging customers to apply patches immediately. The incident underscores the growing sophistication of ransomware groups in exploiting zero-days before public disclosure.
INCIDENT DETAILS -
TYPE
Ransomware
MOTIVATION
Financial gain, data extortion, regulatory pressure
IMPACT
Data Compromised: 43 GB (Saint Paul, Minnesota incident)
Systems Affected: Cisco Secure Firewall Management Center, hospital systems, government entities
Operational Impact: Disrupted chemotherapy sessions, pre-surgery appointments, and critical services
Brand Reputation Impact: High (data leaks, service disruptions)
Legal Liabilities: Potential regulatory violations
Identity Theft Risk: High (sensitive data leaked)
DATA BREACH
Type Of Data Compromised: Sensitive personal data, medical records, government data
Sensitivity Of Data: High (PII, medical data)
Data Exfiltration: Yes (43 GB leaked in Saint Paul incident)
Data Encryption: Yes (ransomware encryption)
Personally Identifiable Information: Yes
DECEMBER 2025
691 Before Incident
NOVEMBER 2025
768 Before Incident
OCTOBER 2025
768 Before Incident
Ransomware
20 Oct 2025, Saint-Gobain
Kettering Health

ClickFix (Fake CAPTCHA) Social Engineering Attacks

683 After Incident
CRITICAL-85
KET5232452102025
Kettering Health, a major healthcare provider, fell victim to a ClickFix attack linked to the Interlock ransomware group, resulting in a significant data breach. The attack exploited social engineering tactics, tricking employees into executing malicious scripts via browser-based lures (e.g., fake CAPTCHAs or error-fixing prompts). The malicious payload was copied to the clipboard via obfuscated JavaScript and executed locally, bypassing traditional email security and endpoint detection. The breach compromised sensitive patient and employee data, including medical records, financial details, and personally identifiable information (PII). The attack leveraged SEO poisoning and malvertising via Google Search, evading conventional phishing defenses. Despite EDR (Endpoint Detection and Response) being the last line of defense, the obfuscated, user-initiated commands delayed detection, allowing the ransomware to encrypt critical systems. The incident disrupted healthcare operations, risked patient safety due to delayed treatments, and exposed Kettering Health to reputational damage, financial penalties, and potential legal liabilities. The breach underscored vulnerabilities in both technical controls and user awareness, particularly against browser-based, fileless attacks.
INCIDENT DETAILS -
TYPE
- Social Engineering
- Malvertising
- SEO Poisoning
- Clipboard Hijacking
- Fake CAPTCHA
- Watering Hole Attack
MOTIVATION
- Financial Gain (Ransomware, Data Theft)
- Credential Harvesting
- Lateral Movement for Targeted Attacks
- Espionage (APT-Linked)
- Session Hijacking
IMPACT
- Credentials (Stored in Browsers)
- Cookies (Session Tokens)
- Potentially PII (Depending on Follow-on Exploitation)
- Endpoints (User Devices)
- Browsers (Chrome, Edge, Firefox, etc.)
- Potential Network Lateral Movement
- Disruption from Ransomware (Linked Cases)
- Incident Response Overhead
- Productivity Loss (User Remediation)
- Erosion of Trust (Phishing/Social Engineering)
- Associated with High-Profile Breaches (e.g., Healthcare, Education)
- High (If Credentials/Cookies Stolen)
- Potential (If Browser-Stored Payment Data Accessed)
DATA BREACH
- Credentials
- Session Cookies
- Potentially PII (Context-Dependent)
- High (If Credentials/Cookies Lead to Further Compromise)
- Likely (For Ransomware/APT Groups)
- Possible (If Follow-on Attacks Occur)
SEPTEMBER 2025
766 Before Incident
AUGUST 2025
765 Before Incident
JULY 2025
764 Before Incident
JANUARY 2024
803 Before Incident
Ransomware
01 Jan 2024, Saint-Gobain
City of Saint Paul, Minnesota and Texas Tech University System: AI-built Slopoly malware used in ransomware attacks

New AI-Assisted Malware 'Slopoly' Linked to Hive0163 Ransomware Campaigns

745 After Incident
CRITICAL-58
SAITEX1773412315
A recently identified malware strain, Slopoly, is being deployed in ransomware attacks tied to the financially motivated threat group Hive0163. Security researchers at IBM X-Force report that the backdoor shows signs of generative AI-assisted development, marking an emerging trend in cybercriminal tooling.

The malware was used in an Interlock ransomware attack where attackers lingered on a compromised server for over a week, exfiltrating sensitive data. The intrusion began with a ClickFix social-engineering tactic, followed by the installation of Slopoly as a PowerShell script communicating with a command-and-control (C2) server.

While Slopoly’s code includes unusually polished features, such as detailed comments, structured logging, and robust error handling, researchers could not confirm which large language model (LLM) was used in its creation. Despite its self-described "polymorphic" label, the malware lacks true polymorphic capabilities, instead relying on a builder tool to randomize configuration values like beaconing intervals and C2 addresses.

Once deployed in C:\ProgramData\Microsoft\Windows\Runtime\, Slopoly performs several functions:

- Collects system information
- Sends heartbeat signals to the C2 server every 30 seconds
- Polls for commands every 50 seconds
- Executes commands via cmd.exe and relays results
- Maintains persistence via a scheduled task named "Runtime Broker"

The malware supports commands for downloading and executing payloads (EXE, DLL, JavaScript), running shell commands, adjusting beaconing intervals, updating itself, or terminating its process. In the same campaign, attackers also deployed NodeSnake and InterlockRAT backdoors before delivering the Interlock ransomware via the JunkFiction loader.

First observed in 2024, the Interlock ransomware operation is known for ClickFix and FileFix social-engineering techniques and has previously targeted organizations like Texas Tech University System, DaVita, Kettering Health, and the city of Saint Paul, Minnesota. IBM researchers also noted possible connections between Hive0163 and developers linked to other malware families, including Broomstick, SocksShell, PortStarter, SystemBC, and Rhysida ransomware, suggesting overlapping tools or collaboration within the cybercrime ecosystem.
INCIDENT DETAILS -
TYPE
ransomware, malware
MOTIVATION
financial
IMPACT
Data Compromised: sensitive data exfiltrated
DATA BREACH
Type Of Data Compromised: sensitive data
