Threat Actor Profile
High Cybercriminal
Confidence Score
100%
Tags
ransomware ransomware.live
First Seen

Unknown

Last Updated

Unknown

Active Status
Active
Created

April 29, 2026

Indicators of Compromise

Loading IOCs…

IOC KQL for Sentinel
STIX Data 
{'added_date': None,
 'client': '2003264@sit.singaporetech.edu.sg',
 'description': None,
 'firstseen': '2023-12-01T15:54:47.154169+00:00',
 'group': 'interlock',
 'has_negotiations': False,
 'has_ransomnote': True,
 'lastseen': '2026-04-15T19:15:01.921744+00:00',
 'locations': [{'available': True,
                'fqdn': 'ebhmkoohccl45qesdbvrjqtyro2hmhkmh6vkyfyjjzfllm3ix72aqaid.onion',
                'slug': 'http://ebhmkoohccl45qesdbvrjqtyro2hmhkmh6vkyfyjjzfllm3ix72aqaid.onion/support/step.php',
                'title': 'Interlock',
                'type': 'Chat'}],
 'negotiation_count': 0,
 'ransomnotes_count': 4,
 'tiaras_metadata': {'has_negotiations': False,
                     'has_ransomnote': True,
                     'locations': [{'available': True,
                                    'fqdn': 'ebhmkoohccl45qesdbvrjqtyro2hmhkmh6vkyfyjjzfllm3ix72aqaid.onion',
                                    'slug': 'http://ebhmkoohccl45qesdbvrjqtyro2hmhkmh6vkyfyjjzfllm3ix72aqaid.onion/support/step.php',
                                    'title': 'Interlock',
                                    'type': 'Chat'}],
                     'negotiation_count': 0,
                     'ransomnotes_count': 4,
                     'ransomware_live_group': 'interlock',
                     'tools': {'CredentialTheft': [],
                               'DefenseEvasion': ['ProcessHacker',
                                                  'ThreatFire System Monitor '
                                                  'driver (BYOVD)'],
                               'DiscoveryEnum': ['Advanced Port Scanner',
                                                 'Azure Storage Explorer'],
                               'Exfiltration': ['AZCopy', 'WinSCP'],
                               'LOLBAS': ['PsExec'],
                               'Networking': ['PuTTY'],
                               'Offsec': ['Cobalt Strike'],
                               'RMM-Tools': ['AnyDesk', 'ScreenConnect']},
                     'url': 'https://www.ransomware.live/group/interlock',
                     'victims': 103,
                     'vulnerabilities': []},
 'tiaras_source': 'ransomware.live',
 'tools': {'CredentialTheft': [],
           'DefenseEvasion': ['ProcessHacker',
                              'ThreatFire System Monitor driver (BYOVD)'],
           'DiscoveryEnum': ['Advanced Port Scanner', 'Azure Storage Explorer'],
           'Exfiltration': ['AZCopy', 'WinSCP'],
           'LOLBAS': ['PsExec'],
           'Networking': ['PuTTY'],
           'Offsec': ['Cobalt Strike'],
           'RMM-Tools': ['AnyDesk', 'ScreenConnect']},
 'ttps': [],
 'url': 'https://www.ransomware.live/group/interlock',
 'victims': 103,
 'vulnerabilities': []}
Quick Actions
Back to Threat Actors
Dashboard Home