Outbreak Alert: Interlock Ransomware Attack

Released: Mar 19, 2026
Tags: Ransomware
Severity: Critical
Vendor: Cisco

Overview

Campaign Targeting Enterprise Firewalls

An active Interlock ransomware campaign is exploiting a critical vulnerability (CVE-2026-20131) in Cisco Secure Firewall Management Center (FMC), enabling unauthenticated remote code execution as root. The campaign combines edge-device exploitation, custom malware tooling, and double extortion tactics, indicating a mature and targeted ransomware operation.

Common Vulnerabilities and Exposures: CVE-2026-20131

Background

Amazon threat intelligence identified an active Interlock ransomware campaign exploiting a critical Cisco Secure Firewall Management Center (FMC) vulnerability (CVE-2026-20131), enabling unauthenticated remote code execution on internet-facing devices. The vulnerability was exploited as a zero-day for over a month prior to disclosure, allowing attackers to gain early and widespread access.

Attackers leveraged compromised firewall infrastructure as an initial foothold into enterprise networks, deploying a multi-stage attack chain that includes fileless implants, custom malware, and remote access tooling. The campaign emphasizes stealth, persistence, and extensive reconnaissance, including collection of system, credential, and network data before ransomware deployment.

Overall, the campaign highlights a shift toward edge device exploitation as a primary entry point, combining zero-day vulnerabilities, fileless techniques, and double extortion to achieve full enterprise compromise with reduced detection opportunities.

FortiGuard Labs has previously tracked the Interlock threat actor and its associated activities since its emergence in September 2024, with continued evolution observed through 2025 campaigns and into early 2026, including detailed analysis published on January 29, 2026.

Latest Development

Recent news and incidents related to cybersecurity threats encompassing various events such as data breaches, cyber-attacks, security incidents, and vulnerabilities discovered.

Organizations should immediately apply Cisco security patches for Cisco Secure Firewall Management Center (FMC), specifically addressing CVE-2026-20131, to mitigate active exploitation risk associated with Interlock ransomware operations.

- March 18, 2026: Amazon threat intelligence identified an active Interlock ransomware campaign exploiting CVE-2026-20131
  https://aws.amazon.com/blogs/security/amazon-threat-intelligence-teams-identify-interlock-ransomware-campaign-targeting-enterprise-firewalls/
- January 29, 2026: Inside a multi-month Interlock ransomware intrusion and the evolving tradecraft behind it
  https://www.fortinet.com/blog/threat-research/interlock-ransomware-new-techniques-same-old-tricks

FortiGuard Cybersecurity Framework

Mitigate security threats and vulnerabilities by leveraging the range of FortiGuard Services.

PROTECT

- AV: Detects known malware related to the Outbreak.
  FortiADC (DB 93.06831), FortiCASB (DB 93.06831), FortiCWP (DB 93.06831), FortiClient (DB 93.06831), FortiGate (DB 93.06831), FortiMail (DB 93.06831), FortiProxy (DB 93.06831), FortiSASE (DB 93.06831), FortiWeb (DB 93.06831)
- Behavior Detection: FortiSandbox
- Post-execution: FortiEDR
- Web & DNS Filter: FortiGate

DETECT

- IOC: FortiAnalyzer, FortiCloud SOCaaS, FortiSIEM, FortiSOAR
- Outbreak Detection: FortiAnalyzer (DB 2.00093)

RESPOND

- Automated Response: Services that can automatically respond to this outbreak.
  FortiXDR
- Assisted Response Services: Experts to assist you with analysis, containment and response activities.
  Incident Response

RECOVER

- NOC/SOC Training: Train your network and security professionals and optimize your incident response to stay on top of cyberattacks.
  NSE Training, Response Readiness
- End-User Training: Raise security awareness among your employees, who are continuously targeted by phishing, drive-by downloads and other forms of cyberattacks.
  Security Awareness & Training

IDENTIFY

- Attack Surface Hardening: Check Security Fabric devices to build actionable configuration recommendations and key indicators.
  Security Rating

Threat Intelligence

Information gathered from analyzing ongoing cybersecurity events including threat actors, their tactics, techniques, and procedures (TTPs), indicators of compromise (IOCs), malware and related vulnerabilities.

References

Sources of information in support and relation to this Outbreak and vendor.

- Amazon Threat Blog
- FortiGuard Labs Blog

The Interlock ransomware campaign is actively exploiting a critical vulnerability (CVE-2026-20131, CVSS 10.0) in Cisco Secure Firewall Management Center (FMC), enabling unauthenticated remote code execution as root on internet-facing devices to establish an initial network foothold. Affected versions include Cisco Secure Firewall Management Center 6.4.0.13 through 6.4.0.17. Organizations must immediately apply the relevant Cisco security patches addressing CVE-2026-20131 to mitigate the active exploitation risk.