IBM X-Force's research presents a two-year overview of the Interlock and Rhysida ransomware ecosystem, detailing connections between initial-access brokers, crypters, and backdoors. Interlock has been active since September 2024 and uses a custom toolkit, while Rhysida has operated as Ransomware-as-a-Service since May 2023. Both groups reported around 80 victims, predominantly in the U.S., with Interlock targeting education and Rhysida focusing on manufacturing.
The study suggests a potential lineage between the two groups, supported by shared malware such as the Supper backdoor and by code similarities across various tools. It highlights initial-access brokers and edge-device exploitation as significant aspects, and recommends defenses against the full chain of ransomware operations.