Cybersecurity firm Quorum Cyber has uncovered two new variants of malware called NodeSnake. This discovery highlights a potential shift in targets for the Interlock ransomware group, which is believed to be behind these attacks.
Quorum Cyber’s Threat Intelligence team has been tracking NodeSnake and strongly believes it is linked to Interlock ransomware. This connection is based on the shared online infrastructure used by the attackers.
The team observed similar malicious code used in attacks on two universities in the UK within two months. The same attackers likely placed both NodeSnake RATs at these universities. Moreover, the two NodeSnake variants are from the same family, with the newer one showing significant improvements.
According to Quorum Cyber’s research, shared with Hackread.com, NodeSnake is a type of Remote Access Trojan (RAT). RATs are dangerous because they allow attackers to take control of infected computers from afar. This means attackers can access files, watch what users are doing, change computer settings, and even steal or delete important information remotely, while the RAT stays hidden in the system and can even introduce other harmful programs.
Interlock ransomware, first seen in September 2024, has usually focused on large or valuable organizations across North America and Europe. This group is known for double-extortion tactics, where they encrypt data and threaten to release it unless a ransom is paid.
Unlike many other ransomware groups, Interlock does not operate as a service for others and has no known partners. It can attack both Linux and Windows computer systems, giving it a wide range of targets.
However, recent activity suggests Interlock is now also targeting local government bodies and higher education institutions. In April 2025, Hackread.com reported Interlock stole a staggering 20 terabytes (TB) of sensitive patient data from DaVita Healthcare, a major healthcare provider specializing in kidney dialysis treatment.
This shift in targets is concerning. As Paul Caiazzo, Chief Threat Officer at Quorum Cyber, explained, “We have observed threat actors increasingly targeting universities this year to exfiltrate valuable intellectual property, including research data, and possibly to test and hone new tactics, techniques, and procedures before potentially applying them in other sectors.”
Caiazzo added that the theft of research data points to a motivation related to espionage. Quorum Cyber continues to monitor Interlock and NodeSnake to help organizations protect their important information. The company is offering a detailed technical analysis and recommendations to lessen the impact of the malware in its NodeSnake report.