
Interlock ransomware gang exploited Cisco firewall zero-day weeks before disclosure: Amazon

The ransomware gang behind a damaging cyberattack last year on the city of St. Paul recently exploited a vulnerability in a popular line of Cisco firewalls before the bug was disclosed publicly.

CJ Moses, CISO of Amazon Integrated Security, released a report on Wednesday outlining the Interlock ransomware gang’s exploitation of CVE-2026-20131 — a critical vulnerability disclosed on March 4 affecting Cisco Secure Firewall Management Center software.

According to Moses, Interlock began using the vulnerability in attacks on January 26. Cisco did not respond to requests for comment but updated its advisory on Wednesday to confirm that the vulnerability has been exploited. 

“This wasn’t just another vulnerability exploit; Interlock had a zero-day in their hands, giving them a week’s head start to compromise organizations before defenders even knew to look,” Moses said.

“The real story here isn’t just about one vulnerability or one ransomware group — it’s about the fundamental challenge zero-day exploits pose to every security model. When attackers exploit vulnerabilities before patches exist, even the most diligent patching programs can’t protect you in that critical window.”

Cisco Secure Firewall Management Center is a centralized platform where administrators can manage Cisco firewalls from a single interface. 

Moses said Amazon disclosed its findings to Cisco so that guidance could be sent to customers.

Amazon was able to discover information on exploitation of the bug and Interlock’s operations through a misconfigured infrastructure server that served as a staging area for the ransomware gang. 

The security researchers found a trove of custom malware, reconnaissance scripts, evasion techniques and more. 

They also found the Interlock ransom note and negotiation portal, which is how they attributed exploitation to the gang. 

“The ransom note’s invocation of multiple data protection regulations reflects Interlock’s documented practice of citing regulatory exposure to pressure victims, essentially threatening organizations not just with data encryption, but with regulatory fines and compliance violations,” Moses wrote. 

They noted that Interlock has historically targeted organizations that can ill afford operational downtime, like local governments and schools. 

The government of St. Paul, Minnesota, struggled for weeks to recover from an Interlock ransomware attack and the governor of the state was forced to call in the National Guard to assist in the recovery effort. 

The group’s attacks on the dialysis treatment company DaVita and one of the largest healthcare systems in Ohio caused outrage and exposed the sensitive health information of millions. 

According to Moses, the education sector represents the largest share of the gang’s activity. Interlock’s leak site has listed multiple K-12 schools over the last six months, including several that reported cyberattacks or intrusions that caused wide-ranging problems for those institutions.

Amazon researchers noticed that the actors typically operated in UTC+3, the time zone of Moscow and several Middle Eastern countries.

Moses added that alongside the malicious tools Amazon researchers discovered, they found Interlock using an array of legitimate security tools during attacks, including ConnectWise ScreenConnect, incident response tool Volatility, offensive security product Certify, and more. 

The FBI and other federal agencies said last year that Interlock emerged in September 2024 and has repeatedly targeted critical infrastructure and businesses across North America and Europe. 

The advisory noted that analysts had identified potential links between Interlock and Rhysida — another ransomware operation known for its attacks on governments around the world. 

Jonathan Greig

is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.