Interlock, a sophisticated ransomware threat, has been expanding since its first appearance in September 2024. The malware uses a multi-stage attack chain in which legitimate websites are compromised to deliver fake browser updates to unsuspecting users. The group operates across various sectors in North America and Europe and selects its targets opportunistically.

Interlock cannot be classified as a Ransomware-as-a-Service (RaaS) operation, as no advertisements for recruiting affiliates have been discovered. The group maintains a data leak site called “Worldwide Secrets Blog”, where it exposes victim data and provides negotiation channels. Although it continues to operate, Interlock has claimed fewer victims than more prolific ransomware groups, which claimed over one hundred victims in Q1 2025 alone.

Analysts from the Sekoia Threat Detection & Research (TDR) team have identified significant evolution in Interlock’s tactics since its emergence. The initial infection vector relies on social engineering: users are tricked into downloading and executing fake browser updates. The attackers have since switched their lures from browser updates to security software updaters, masquerading as security products.