The Interlock ransomware group has been observed using a new technique to disable security software: exploiting a zero-day vulnerability in a legitimate gaming anti-cheat driver to bypass Endpoint Detection and Response (EDR) and antivirus (AV) products. Interlock, which mainly targets the education sector in the US and UK, operates as a closed team rather than a Ransomware-as-a-Service (RaaS) operation, and controls its entire attack chain with a high level of technical proficiency.
Researchers have described how the Interlock actors use a technique known as “Bring Your Own Vulnerable Driver” (BYOVD) to evade defenses. By exploiting a previously unknown flaw in a gaming anti-cheat driver, tracked as CVE-2025-61155, the attackers can inject malicious code into the kernel. From there they execute privileged commands, disabling the very security controls meant to protect organizations from such attacks.
Interlock Ransomware’s Sophisticated Evasion Method
A key element of Interlock’s toolkit is a custom tool referred to as “Hotta Killer.” Packaged as a DLL named `polers.dll`, it is built to systematically neutralize security software. The group brings along a modified version of a legitimate gaming driver, renamed to `UpdateCheckerX64.sys`; this driver carries the zero-day vulnerability and gives the attackers kernel-level control over the operating system.
The process begins by dropping the malicious driver. The `polers.dll` component is then injected into system processes to hide its presence and activity. The malware creates a symbolic link through which it communicates with the vulnerable kernel driver, and uses that channel to target processes belonging to security software, identified by name patterns such as “Forti*.exe.” By passing the Process IDs (PIDs) of these legitimate security tools to the driver, the attackers have the kernel forcibly terminate them, leaving the organization’s defenses inert.
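The kill chain above leaves two correlatable traces on a host running Sysmon: a driver-load event (Event ID 6) for a third-party driver from an unusual path, followed shortly by process-termination events (Event ID 5) for security agents. The script below is an added example, not code from the article or the researchers it cites; it implements that correlation over constructed sample events, and every path, signer name, hash and process name in the sample is a placeholder rather than a real indicator.

```powershell
# Added example (not from the article or the cited research): correlate Sysmon
# driver-load events (Event ID 6) with process-termination events (Event ID 5)
# to surface the BYOVD kill pattern. All events, paths, signer names and hashes
# below are constructed placeholders, not real indicators.

function Find-ByovdKillPattern {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        # Name patterns of the security processes to watch; extend for your EDR/AV.
        [string[]] $SecurityProcessPatterns = @('Forti*.exe'),
        # SHA-256 values of known vulnerable drivers (e.g. from a public driver blocklist).
        [string[]] $KnownBadDriverHashes = @(),
        [int] $WindowMinutes = 10,
        [int] $MinKills = 2
    )

    # Locations Windows normally loads drivers from; a third-party driver loaded
    # from anywhere else (a user profile, a temp directory) deserves a look.
    $trustedDriverPaths = @('C:\Windows\System32\drivers\*', 'C:\Windows\System32\DriverStore\*')

    $suspiciousLoads = foreach ($e in ($Events | Where-Object { $_.Id -eq 6 })) {
        $hashHit    = $KnownBadDriverHashes -contains $e.Sha256
        $thirdParty = $e.Signature -notlike 'Microsoft*'
        $oddPath    = $true
        foreach ($p in $trustedDriverPaths) { if ($e.Image -like $p) { $oddPath = $false } }
        if ($hashHit -or ($thirdParty -and $oddPath)) { $e }
    }

    foreach ($load in $suspiciousLoads) {
        $until = $load.Time.AddMinutes($WindowMinutes)
        # Security-process terminations that follow the driver load within the window.
        $kills = foreach ($e in ($Events | Where-Object { $_.Id -eq 5 -and $_.Time -ge $load.Time -and $_.Time -le $until })) {
            $name = Split-Path -Leaf $e.Image
            foreach ($pat in $SecurityProcessPatterns) {
                if ($name -like $pat) { $e; break }
            }
        }
        if (@($kills).Count -ge $MinKills) {
            [pscustomobject]@{
                DriverImage     = $load.Image
                DriverSigner    = $load.Signature
                DriverSha256    = $load.Sha256
                LoadedAt        = $load.Time
                KilledProcesses = @($kills | ForEach-Object { "$(Split-Path -Leaf $_.Image) (PID $($_.ProcessId))" })
            }
        }
    }
}

# Constructed sample timeline: a benign Microsoft driver load, then a renamed
# third-party driver loaded from a user-writable path, followed within seconds
# by two Forti*.exe terminations and one unrelated termination.
$sample = @(
    [pscustomobject]@{ Time = Get-Date '2025-11-03T09:12:04'; Id = 6; Image = 'C:\Windows\System32\drivers\disk.sys'; Signature = 'Microsoft Windows'; Sha256 = 'PLACEHOLDER-SHA256-A' }
    [pscustomobject]@{ Time = Get-Date '2025-11-03T09:40:17'; Id = 6; Image = 'C:\Users\Public\UpdateCheckerX64.sys'; Signature = 'Example Game Studio (placeholder)'; Sha256 = 'PLACEHOLDER-SHA256-B' }
    [pscustomobject]@{ Time = Get-Date '2025-11-03T09:40:19'; Id = 5; Image = 'C:\Program Files\Fortinet\FortiExampleAgent.exe'; ProcessId = 2140 }
    [pscustomobject]@{ Time = Get-Date '2025-11-03T09:40:19'; Id = 5; Image = 'C:\Program Files\Fortinet\FortiExampleScanner.exe'; ProcessId = 3312 }
    [pscustomobject]@{ Time = Get-Date '2025-11-03T09:41:02'; Id = 5; Image = 'C:\Windows\System32\notepad.exe'; ProcessId = 5120 }
)

# Expected: one alert for UpdateCheckerX64.sys listing the two Forti*.exe kills.
Find-ByovdKillPattern -Events $sample | Format-List

# Live use: read the Microsoft-Windows-Sysmon/Operational log with Get-WinEvent and
# map the XML fields to the object shape above. For Event ID 6 the fields are
# ImageLoaded, Signature and Hashes (a string such as "SHA256=..." that needs
# splitting); for Event ID 5 they are Image and ProcessId.
```

Sysmon Event ID 5 does not record which process requested the termination, and when the kill is issued from kernel mode there is no user-mode ProcessAccess (Event ID 10) to point at, so the driver load is the anchor: several security-agent terminations shortly after a non-Microsoft driver appears outside the driver store is the signal, and a hash blocklist is only a supplement because a freshly renamed, previously unknown driver will not be on one.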
Attack Chain and Impact
The Interlock group’s initial access frequently begins with a MintLoader infection, often delivered through social engineering that uses “ClickFix” lures. Once inside a network, the attackers use a JavaScript implant known as NodeSnakeRAT for lateral movement. They are proficient at “living off the land,” using legitimate system tools and valid user accounts to establish persistence and carry out thorough reconnaissance of the compromised environment.
The impact of an Interlock intrusion is multifaceted and severe. The group engages in both data theft and encryption, using double-extortion tactics to maximize leverage over its victims. Tools like AzCopy are reportedly used to exfiltrate large volumes of sensitive data to cloud storage before the ransomware payload is deployed, so that even an organization with robust backups still faces the threat of public data exposure as an incentive to pay the ransom.
The group’s adaptability is further demonstrated by their ability to deploy ransomware not only on Windows endpoints but also within Nutanix hypervisor environments. This capability highlights their technical reach and the broad scope of potential targets.
Mitigation Strategies Against Interlock
To counter Interlock’s evolving tactics, organizations are advised to implement stringent controls. Blocking the unauthorized execution of remote access software is paramount. Restricting workstation-to-workstation communication over SMB and RDP significantly hinders lateral movement within a network. Blocking outbound network connections from PowerShell, which is often used to download malicious payloads, is a further proactive measure.
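The three host-level mitigations above can be expressed as Windows Defender Firewall rules. The script below is an added example, not from the article; the workstation subnets and the remote-access tool path are placeholders for your own environment, and it assumes a domain-joined Windows host where the rules would normally be pushed by Group Policy or Intune after testing.

```powershell
# Added example, not from the article: Windows Defender Firewall rules that
# implement the three host-level mitigations. Subnets and tool paths are
# placeholders; test with logging enabled before rolling out by GPO/Intune.

# Placeholder: the address ranges your workstations live in. Keep jump hosts,
# file servers and management systems OUT of these ranges, because block rules
# in Windows Firewall take precedence over allow rules and cannot be excepted.
$workstationSubnets = @('10.10.0.0/16', '10.11.0.0/16')

# 1. Workstation-to-workstation SMB (445) and RDP (3389): block inbound from peers.
foreach ($port in 445, 3389) {
    New-NetFirewallRule -DisplayName "Block inbound TCP $port from workstation subnets" `
        -Direction Inbound -Protocol TCP -LocalPort $port `
        -RemoteAddress $workstationSubnets -Action Block -Profile Domain, Private
}

# 2. Outbound network connections from PowerShell hosts. Any management script
#    that must reach the network from this host is blocked too; run those from
#    a dedicated management host instead.
$psHosts = @(
    "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe",
    "$env:SystemRoot\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
    "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell_ise.exe",
    "$env:ProgramFiles\PowerShell\7\pwsh.exe"   # present only if PowerShell 7 is installed
) | Where-Object { Test-Path $_ }
foreach ($exe in $psHosts) {
    New-NetFirewallRule -DisplayName "Block outbound network from $exe" `
        -Direction Outbound -Program $exe -Action Block -Profile Any
}

# 3. Unapproved remote-access software: a firewall block stops it talking out,
#    which is a stop-gap; preventing execution itself belongs in an AppLocker
#    or WDAC application-control policy. Placeholder path below.
$unapprovedRemoteAccess = @('C:\Placeholder\UnapprovedRemoteTool.exe')
foreach ($exe in $unapprovedRemoteAccess) {
    New-NetFirewallRule -DisplayName "Block outbound network from unapproved remote-access tool $exe" `
        -Direction Outbound -Program $exe -Action Block -Profile Any
}

# Log dropped connections so the rules can be validated before wider rollout,
# then list what was created.
Set-NetFirewallProfile -Profile Domain, Private, Public -LogBlocked True
Get-NetFirewallRule -DisplayName 'Block *' | Select-Object DisplayName, Direction, Action, Enabled
```

The inbound SMB/RDP rules deliberately key on source address rather than on the local profile alone: servers and administrators' jump hosts keep working as long as they sit outside the workstation ranges. The PowerShell rules block the interpreter as a whole, not individual cmdlets, so remoting initiated from the workstation and any script that downloads content will fail; the dropped-packet log (by default `%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log`) shows what broke during a pilot.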
The continuous discovery and exploitation of vulnerabilities like the one found in the gaming anti-cheat driver underscore the dynamic nature of cyber threats. Security researchers anticipate that attackers will continue to exploit legitimate software and drivers to bypass security controls. Organizations must remain vigilant, regularly update their security software, and adopt defense-in-depth strategies to protect against sophisticated ransomware operations.