- FileFix is a new technique to deploy malware, born out of ClickFix
- It works by tricking users into pasting commands into File Explorer
- The resulting compromise leads to Interlock encryptors
The dreaded ClickFix malware deployment technique has evolved, and the new variant – dubbed ‘FileFix’ – is being used in ransomware attacks.
ClickFix is a technique in which victims are presented with a fake problem (for example, a fake CAPTCHA, or a fake virus infection alert), and then provided with a fix. That “fix” usually revolves around pasting a command into the Windows Run program that was copied to the clipboard through the compromised website’s JavaScript.
The command, in most cases, is to download and run a piece of malware.
Interlock ransomware
Now, FileFix builds on that foundation. Instead of pasting commands into Run, victims are told to paste a copied string into File Explorer’s address bar. Thanks to comment syntax, the string looks like a file path but is, in fact, a PowerShell command.
In a few attacks which the researchers spotted in the wild, running this command through File Explorer delivers a PHP-based variant of Interlock Remote Access Trojan (RAT).
This RAT executes a number of different commands, including gathering system and network information. It also enumerates Active Directory, checks for backups, navigates local directories, and examines domain controllers. Ultimately, the RAT can deploy the Interlock ransomware encryptor.
Interlock first emerged in late September 2024, with public detection in November 2024. It gained attention for its novel FreeBSD-targeting encryptors alongside Windows variants.
Among its more notable victims are Wayne County, Michigan, Texas Tech University Health Sciences Center, Heritage Bank & McCormick–Priore, and Kettering Health.
It is known for using the standard double-extortion tactic, exfiltrating sensitive company files before encrypting the systems.
As of mid-2025, Interlock has claimed about 14 known attacks, roughly one-third in healthcare. This change in delivery tactics suggests the ransomware is being actively developed, and that it will continue to pose a major threat to organizations around the world.
Via BleepingComputer
You might also like
