Interlock ransomware claims a DC housing agency and a refugee charity

The ransomware crew known as Interlock has added a run of new organizations to its dark web extortion site over the past two days, and the list reads like a cross section of everyday public services. Among the fresh entries are the District of Columbia Housing Authority, which runs public and affordable housing in the United States capital, and the Centre for Newcomers, a Calgary charity that helps immigrants and refugees settle in Canada. Two manufacturers, Paragon Store Fixtures in the United States and Converting Equipment International in the United Kingdom, were listed alongside them.

The important caveat first: these are unverified claims. A name on a ransomware leak site is a pressure tactic, not proof of a breach. The gang posts victims to force payment, and inclusion does not confirm that data was stolen or that operations were disrupted. None of the named organizations has publicly confirmed an incident, and IntelFusions has not independently verified the listings. We are reporting what Interlock claims, attributed to its own leak site, because the pattern of targets is worth watching.

Who is Interlock

Interlock is a double extortion operation, meaning it both encrypts a victim's files and steals data to threaten publication if a ransom goes unpaid. It has been active since 2024 and drew a joint advisory from United States authorities in 2025 after a string of intrusions against healthcare providers, local government, and other critical services. The crew is known for luring victims through fake software updates and browser prompts rather than noisy mass exploitation. You can read our full profile of the group on the Interlock threat actor page.

Why these targets matter

Public housing authorities and refugee services hold exactly the kind of sensitive personal data, such as identity documents, financial records, and case files, that makes extortion effective, because the people behind the records are often vulnerable and the organizations are rarely resourced for a drawn out incident. Manufacturers, the other half of this batch, remain a perennial ransomware favorite because production downtime creates immediate pressure to pay. The spread across the United States, Canada, and the United Kingdom fits Interlock's opportunistic style rather than any single country focus.

A busy month for leak sites

Interlock's activity lands in the middle of an unusually loud stretch for ransomware leak sites. In recent days IntelFusions has tracked mass postings from other crews, including The Gentlemen dumping nearly 20 victims in a single day and DragonForce posting more than 20 victims in three days. The volume is a reminder that extortion crews are competing for attention, and that a listing today may reflect an intrusion that happened weeks earlier.

What defenders should do

The playbook against groups like Interlock is unglamorous but effective. Keep offline, tested backups so encryption is a recoverable event rather than a catastrophe. Enforce phishing resistant multi factor authentication, since stolen credentials and fake update lures are common entry points. Train staff to distrust unexpected browser prompts to update software or run commands. Segment networks so a single foothold cannot reach everything, and rehearse an incident response plan that assumes data theft, not just encryption, so a leak site listing does not become the first time leadership hears of a breach.

This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.

Read the full analysis on IntelFusions