Interlock Ransomware Deploys New NodeSnake RAT in UK Attacks

Quorum Cyber identifies two new NodeSnake RAT variants, strongly attributed to Interlock ransomware, impacting UK higher education and local government.

HackRead

Cybersecurity firm Quorum Cyber has uncovered two new versions of malicious software known as NodeSnake. This discovery highlights a possible shift in targets for the Interlock ransomware group, which is believed to be behind these attacks.

Quorum Cyber’s Threat Intelligence team has been tracking NodeSnake and strongly believes it is connected to Interlock ransomware. This connection is based on the shared online infrastructure used by the attackers.

The team noticed similar malicious code used in attacks on two universities in the United Kingdom within two months. The same attackers likely placed both NodeSnake RATs at these universities. Furthermore, the two NodeSnake variants are from the same family, with the newer one showing significant improvements.

A screenshot from Interlock ransomware gang’s dark web leak site shows a UK country being listed as a victim (Image credit: Hackread.com)

According to Quorum Cyber’s research, shared with Hackread.com, NodeSnake is a type of Remote Access Trojan (RAT). RATs are dangerous because they allow attackers to take control of infected computers from afar. This means attackers can access files, watch what users are doing, change computer settings, and even steal or delete important information remotely. RATs can also stay hidden in the system and introduce other harmful programs.

Interlock ransomware, first seen in September 2024, has typically focused on large or valuable organizations across North America and Europe. This group is known for double-extortion tactics, where they encrypt data and threaten to release it unless a ransom is paid.

Interlock Ransomware gang’s ransom note (Image credit: Quorum Cyber)

Unlike many other ransomware groups, Interlock doesn’t operate as a service for others and has no known partners. It can attack both Linux and Windows computer systems, giving it a wide range of targets.

However, recent activity suggests Interlock is now also targeting local government bodies and higher education institutions. In April 2025, Hackread.com reported Interlock stole a staggering 20 terabytes (TB) of sensitive patient data from DaVita Healthcare, a major healthcare provider specializing in kidney dialysis treatment.

This shift in targets is concerning. As Paul Caiazzo, Chief Threat Officer at Quorum Cyber, explained, “We have observed threat actors increasingly targeting universities this year to exfiltrate valuable intellectual property, including research data, and possibly to test and hone new tactics, techniques, and procedures before potentially applying them in other sectors.”

Caiazzo added that the theft of research data points to a motivation related to espionage. Quorum Cyber continues to monitor Interlock and NodeSnake to help organizations protect their important information. The company is offering a detailed technical analysis and recommendations to lessen the impact of the malware in its NodeSnake report.
