Interlock Ransomware Group Exploits Critical Cisco Firepower Zero-Day Vulnerability in Sophisticated 2026 Campaign

By Ashish S

Evolution of the Interlock Ransomware Operation

Interlock emerged in mid-2024 as a successor-style group following the decline of several legacy ransomware families. Early activity showed modest ransom demands and limited technical sophistication. By late 2025 the operation had matured significantly, adopting a full ransomware-as-a-service structure with dedicated initial-access brokers, exploit developers, negotiators, and leak-site maintainers.

The group now maintains multiple affiliate tiers. Tier-1 affiliates receive higher profit shares in exchange for providing high-quality access into large enterprises, government contractors, and critical infrastructure operators. Tier-2 affiliates handle smaller targets or secondary compromises within already breached networks.

Interlock differentiates itself through aggressive data exfiltration prior to encryption. Operators routinely extract several terabytes of internal documentation, financial records, employee PII, source code repositories, and customer databases. This material is staged on high-bandwidth offshore servers before any ransom note appears.

Leak sites associated with Interlock update frequently, sometimes multiple times per day during active campaigns. Posted samples typically include internal emails, scanned passports of executives, audited financial statements, and proprietary CAD drawings. The group has demonstrated willingness to sell stolen data on underground forums when victims refuse to pay.

Discovery and Timeline of CVE-2026-20131 Exploitation

The vulnerability CVE-2026-20131 affects the web-based administrative interface of Cisco Firepower Management Center versions 7.4.0 through 7.6.1. The flaw stems from improper handling of user-supplied input during session token validation, leading to a classic stack-based buffer overflow condition.

Proof-of-concept exploit code surfaced in private Russian-language Telegram channels on January 28, 2026. Within 72 hours, Interlock-affiliated actors began automated mass scanning using custom tooling that fingerprints vulnerable FMC instances via banner grabbing and certificate analysis.

The first confirmed compromise linked to this zero-day occurred on February 2, 2026 against a mid-sized U.S. regional bank. The attacker maintained persistence for 19 days, exfiltrating over 4.2 TB of data before triggering encryption on February 21. Cisco became aware of active in-the-wild exploitation through incident response partners on March 10, 2026 and issued an out-of-cycle security advisory with patches on March 17, 2026.

Detailed Exploitation Mechanics

Exploitation begins with a single unauthenticated POST request to the /api/system/login endpoint. The payload contains an oversized session token field that overflows a fixed-size buffer in the authentication handler running as root. Successful exploitation grants a root shell within the FMC operating environment.

Once inside, attackers disable syslog forwarding, stop the FMC health monitoring service, and patch the vulnerable code path in memory to prevent re-exploitation by competing actors. A lightweight implant is then installed that maintains persistence via modified crontab entries and masquerades as legitimate Cisco diagnostic processes.

From the compromised FMC, operators issue API commands to connected Firepower Threat Defense devices. These commands create permissive access rules, disable intrusion prevention signatures related to known ransomware indicators, and export internal configuration backups containing hashed credentials and VPN profiles.

Lateral movement proceeds using harvested credentials combined with legitimate remote management tools such as SSH, WinRM, and PowerShell remoting. Attackers frequently abuse the FMC’s own internal trust relationships to pivot into segmented internal zones without triggering perimeter alerts.

Data Exfiltration and Staging Infrastructure

Interlock prefers multi-hop exfiltration chains to obscure the traffic's origin. Initial staging servers are typically compromised cloud instances in Southeast Asia or Eastern Europe. Data is then relayed through residential proxies before reaching final C2 infrastructure hosted behind Cloudflare or similar CDN services.

Exfiltration occurs in compressed, encrypted chunks using the group’s custom protocol over HTTPS. Each chunk is AES-256 encrypted with per-file keys derived from a master RSA-4096 keypair. The master private key remains exclusively on operator-controlled infrastructure.

Operators have been observed using legitimate file-sharing services for smaller datasets when speed is prioritized over stealth. In several cases Dropbox Business, OneDrive for Business, and Mega.nz accounts belonging to compromised employees were abused for outbound data transfer.

Ransomware Payload Characteristics

The Interlock encryptor uses a hybrid encryption scheme combining ChaCha20 for file content and RSA-OAEP for per-file keys. Encrypted files receive the .interlock extension along with an additional 32-byte marker appended to the end for verification during decryption.

Encryption skips files smaller than 4 KB, files with .dll, .exe, .sys, or .inf extensions in system directories, and known backup file types to maximize recoverable damage. Shadow copy deletion is performed via vssadmin and wmic commands executed with SYSTEM privileges.

Ransom notes are dropped as HTML, TXT, and PNG files in every directory containing encrypted content. The note contains a unique victim ID, Tor onion address, and clear instructions to avoid third-party negotiators. Demands are presented in U.S. dollars with tiered discounts offered for rapid payment within 72 hours.

Victimology and Observed Targets

Confirmed victims include three U.S. regional hospitals, two Canadian provincial government departments, four European manufacturing conglomerates in automotive and aerospace sectors, one Australian energy utility, and several mid-tier financial services firms in the United Kingdom and Germany.

Particular focus has been placed on organizations that rely heavily on Cisco perimeter security stacks and maintain internet-facing FMC instances for distributed branch management. Entities with large remote workforces and extensive VPN deployments appear especially attractive due to the volume of sensitive traffic traversing Firepower devices.

In at least two incidents, attackers enumerated Active Directory trusts and moved laterally into partner organizations, resulting in supply-chain-style secondary infections. This tactic has significantly expanded the blast radius beyond the initial victim.

Defensive Gaps and Hardening Recommendations

Many compromised organizations had not enabled administrative session restrictions on their FMC instances, leaving the management interface exposed to the entire internet. Cisco best practices recommend placing FMC behind a VPN concentrator or dedicated bastion host with strong multi-factor authentication.

Network segmentation remains critically under-implemented. Flat internal networks allow rapid lateral movement once the FMC is breached. Micro-segmentation using software-defined firewalls or identity-based policies can contain compromise to smaller zones.

Continuous monitoring of outbound traffic from security appliances is rare. Anomalous HTTPS connections originating from FMC management IPs should trigger immediate investigation. Deployment of network detection and response sensors focused on east-west traffic is strongly advised.

Immutable backups stored offline or in write-once-read-many storage remain the single most effective recovery mechanism. Regular testing of restoration procedures under simulated ransomware conditions is essential to validate recoverability.

Indicators of Compromise Summary

Key IOCs include outbound connections to known Interlock C2 domains, creation of scheduled tasks named “CiscoDiagUpdate” or “FMCHealthCheck”, unexpected root-level processes matching hash patterns of the group’s persistence implant, and large volumes of outbound HTTPS traffic to cloud storage providers during non-business hours.
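The outbound-traffic checks recommended in the hardening section and repeated in the IOC summary (HTTPS from FMC management IPs to unexpected or cloud-storage destinations, large uploads, non-business hours) can be expressed as a small flow triage script. The following is an added example, not tooling from the article or from Cisco; the FMC management addresses, internal ranges, destination allow-list, business-hours window, size threshold and flow records are all constructed assumptions, and the destination IPs are drawn from documentation ranges.

```python
"""Flag outbound HTTPS flows from FMC management IPs that resemble staging or exfiltration.

Added example, not tooling from the article. Everything here is constructed for
illustration: the FMC management IPs, the internal ranges, the expected-destination
allow-list, the business-hours window, the size threshold and the flow records.
"""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

FMC_MGMT_IPS = {"10.20.0.5", "10.20.0.6"}                        # assumed
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]                    # assumed
EXPECTED_SNI_SUFFIXES = (".cisco.com", ".sourcefire.com")         # assumed allow-list
# Providers the article names as abused exfiltration channels (OneDrive for
# Business content is served from sharepoint.com).
CLOUD_STORAGE_SUFFIXES = ("dropbox.com", "onedrive.com", "sharepoint.com", "mega.nz")
BUSINESS_HOURS = range(8, 18)                                     # assumed, local time
LARGE_FLOW_BYTES = 50 * 1024 * 1024                               # assumed threshold


@dataclass
class Flow:
    ts: datetime
    src: str
    dst: str
    dport: int
    bytes_out: int
    sni: str


def parse_flow(line):
    """Parse one constructed pipe-separated record: ts|src|dst|dport|bytes|sni."""
    ts, src, dst, dport, nbytes, sni = line.strip().split("|")
    return Flow(datetime.fromisoformat(ts), src, dst, int(dport), int(nbytes), sni)


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def assess_flow(flow):
    """Return the reasons a flow is suspicious; an empty list means benign."""
    reasons = []
    # Only outbound HTTPS from an FMC management address is in scope.
    if flow.src not in FMC_MGMT_IPS or flow.dport != 443 or is_internal(flow.dst):
        return reasons
    if not flow.sni.endswith(EXPECTED_SNI_SUFFIXES):
        reasons.append("unexpected-destination")
    if flow.sni.endswith(CLOUD_STORAGE_SUFFIXES):
        reasons.append("cloud-storage")
    if flow.ts.hour not in BUSINESS_HOURS:
        reasons.append("off-hours")
    if flow.bytes_out >= LARGE_FLOW_BYTES:
        reasons.append("large-upload")
    return reasons


def scan_flows(lines):
    """Return [(flow, reasons)] for every record that trips at least one check."""
    alerts = []
    for line in lines:
        flow = parse_flow(line)
        reasons = assess_flow(flow)
        if reasons:
            alerts.append((flow, reasons))
    return alerts


SAMPLE_FLOWS = [  # constructed; dst addresses are from documentation ranges
    "2026-03-05T10:15:00|10.20.0.5|192.0.2.10|443|12000|updates.cisco.com",
    "2026-03-06T02:40:00|10.20.0.5|198.51.100.7|443|734003200|content.dropbox.com",
    "2026-03-06T03:05:00|10.20.0.6|203.0.113.20|443|80000000|cdn-edge.example.net",
    "2026-03-06T11:00:00|10.50.1.9|198.51.100.7|443|734003200|content.dropbox.com",
]

if __name__ == "__main__":
    for flow, reasons in scan_flows(SAMPLE_FLOWS):
        print(f"{flow.ts.isoformat()} {flow.src} -> {flow.sni}: {', '.join(reasons)}")
```

Only the two FMC-sourced flows to non-allow-listed destinations are reported; the benign update check during business hours and the identical upload from a non-FMC workstation are left alone. In production the same four checks would be applied to NetFlow or firewall logs, with the allow-list populated from the appliance's documented update and licensing endpoints rather than the guessed suffixes above.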

Log analysis should focus on authentication failures followed by sudden successful logins from new IP ranges, changes to FMC system time zones, and modifications to /etc/crontab or systemd timers. File system artifacts typically appear in /var/tmp with randomly generated eight-character filenames ending in .tmp or .dat.
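The host-side indicators above (authentication failures followed by a success from an unfamiliar range, crontab entries using the implant's cover names, and eight-character .tmp/.dat files in /var/tmp) can be triaged with a short script run against exported logs and directory listings. This is an added example, not the article's or Cisco's tooling; the auth-log line format, the known-admin ranges, the failure threshold, the /var/tmp-in-crontab heuristic and all sample lines are constructed, while the two task names are the ones the article reports.

```python
"""Triage the host-side artifacts the IOC summary describes on an FMC appliance.

Added example, not the article's or Cisco's tooling. The auth-log format, the
known-admin ranges, the failure threshold, the crontab and file listings are all
constructed; the two task names come from the article.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

KNOWN_ADMIN_NETS = [ip_network("10.20.0.0/24")]                  # assumed
FAILURE_THRESHOLD = 3                                             # assumed
SUSPICIOUS_TASK_NAMES = ("CiscoDiagUpdate", "FMCHealthCheck")      # named in the article
# Eight alphanumeric characters plus .tmp or .dat, as described for /var/tmp.
TMP_ARTIFACT_RE = re.compile(r"^[A-Za-z0-9]{8}\.(tmp|dat)$")
# Constructed auth-log format: "<ts> login <success|failure> user=<u> src=<ip>"
AUTH_RE = re.compile(r"^(\S+) login (success|failure) user=(\S+) src=(\S+)$")


def from_known_admin_range(ip):
    addr = ip_address(ip)
    return any(addr in net for net in KNOWN_ADMIN_NETS)


def find_failures_then_success(auth_lines):
    """Return (src, failure_count, ts) for each source outside the admin ranges
    that logs in successfully after FAILURE_THRESHOLD or more failures."""
    failures = defaultdict(int)
    hits = []
    for line in auth_lines:
        m = AUTH_RE.match(line.strip())
        if not m:
            continue
        ts, outcome, _user, src = m.groups()
        if outcome == "failure":
            failures[src] += 1
            continue
        if failures[src] >= FAILURE_THRESHOLD and not from_known_admin_range(src):
            hits.append((src, failures[src], ts))
        failures[src] = 0   # a success resets the counter either way
    return hits


def find_suspicious_cron(cron_lines):
    """Return crontab entries that use the implant's cover names or execute from
    /var/tmp (the latter is an assumed heuristic based on the staging location)."""
    return [entry for entry in cron_lines
            if any(name in entry for name in SUSPICIOUS_TASK_NAMES) or "/var/tmp/" in entry]


def find_tmp_artifacts(filenames):
    """Return /var/tmp entries matching the random eight-character naming pattern."""
    return [name for name in filenames if TMP_ARTIFACT_RE.match(name)]


def triage(auth_lines, cron_lines, tmp_listing):
    """Run all three checks and return the findings keyed by artifact type."""
    return {
        "auth": find_failures_then_success(auth_lines),
        "cron": find_suspicious_cron(cron_lines),
        "tmp": find_tmp_artifacts(tmp_listing),
    }


SAMPLE_AUTH = [  # constructed; 203.0.113.0/24 is a documentation range
    "2026-02-01T23:58:01 login failure user=admin src=203.0.113.40",
    "2026-02-01T23:58:09 login failure user=admin src=203.0.113.40",
    "2026-02-01T23:58:17 login failure user=admin src=203.0.113.40",
    "2026-02-02T00:01:44 login success user=admin src=203.0.113.40",
    "2026-02-02T08:30:00 login failure user=jdoe src=10.20.0.12",
    "2026-02-02T08:30:05 login success user=jdoe src=10.20.0.12",
]
SAMPLE_CRON = [  # constructed
    "0 3 * * * root /usr/local/bin/nightly-backup.sh",
    "*/5 * * * * root /var/tmp/k3Hs9Qw2.dat",
    "@reboot root /opt/diag/CiscoDiagUpdate --quiet",
]
SAMPLE_TMP = ["k3Hs9Qw2.dat", "a1B2c3D4.tmp", "syslog.1", "report.tmp"]  # constructed

if __name__ == "__main__":
    for section, findings in triage(SAMPLE_AUTH, SAMPLE_CRON, SAMPLE_TMP).items():
        print(section, findings)
```

The admin user's single typo from an in-range workstation is not reported, whereas the three failures and subsequent success from the documentation-range address are. Because the FMC is an appliance, the realistic workflow is to pull the auth log, crontab and a `/var/tmp` listing off the box (or from forwarded syslog, which the article notes attackers try to disable) and run the triage offline rather than installing scripts on the appliance itself.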

Ashish S
Ashish is a Cybersecurity Student with over 2 years of experience in Cybersecurity Research, Bug Bounty hunting and programming.