Recent investigations have uncovered significant connections between two prominent ransomware groups, Interlock and Rhysida. Both groups have been found to use a backdoor known as Supper, also referred to as SocksShell or WINDYTWIST, and they share substantial portions of their malware codebases.
Interlock, active since September 2024, operates without external affiliates, relying on a proprietary suite of tools including NodeSnake, InterlockRAT, and the JunkFiction downloader. In contrast, Rhysida has operated as a Ransomware-as-a-Service (RaaS) platform since at least May 2023.
Analysts have identified the Supper backdoor in incidents attributed to both groups. This backdoor, first observed in July 2024, predates the development of NodeSnake and InterlockRAT. Notably, Supper was initially protected by the JunkFiction crypter, the same tool employed by Interlock for its malware.
By the end of 2025, each group had claimed approximately 80 victims, predominantly in the United States, with sectors such as healthcare, education, and government being the most affected.
Further code analysis reveals that InterlockRAT and Supper share nearly identical command structures, registration formats used with their command and control servers, and self-deletion methods. Additionally, NodeSnake, which serves as the initial loader in many Interlock attacks, overlaps in code logic and server addresses with both JunkFiction and InterlockRAT.
These findings suggest a potential common origin or collaboration between the two groups, indicating a more interconnected ransomware ecosystem than previously understood. This underscores the necessity for cybersecurity professionals to adopt comprehensive and adaptive defense strategies to counteract these evolving threats.