Zero-days used to mean nation-states. The NSA. GRU. Unit 8200. Criminal ransomware groups used phishing emails and unpatched VPNs, not freshly discovered firewall flaws nobody had ever seen.

That’s changing. The Interlock group is a case study in how fast.

According to reporting from Dark Reading, SecurityWeek, and Cisco Talos, Interlock had access to a critical vulnerability in Cisco ASA and FTD firewall products for weeks before Cisco publicly disclosed or patched it. They used that zero-day as initial access – getting into victim networks through the very devices organizations trusted to keep attackers out.

That pre-disclosure exploitation window is exactly when attackers do the most damage. Defenders had no patch to apply and no official guidance that the flaw even existed. Multiple victims were compromised before Cisco disclosed anything. Interlock’s known target profile includes healthcare organizations and government entities, targets that maintain serious security programs and would be difficult to breach through conventional means.

How does a ransomware group get a Cisco firewall zero-day? Money, mostly. High-end ransomware operations have been extorting tens of millions of dollars from enterprise targets. At that revenue level, acquiring or brokering a high-value zero-day starts to look affordable. The vulnerability research market has also matured: more researchers, more automated discovery tooling, more brokers. Nation-states are still the dominant buyers, but no longer the only ones.

For defenders, this breaks something important. The perimeter security model assumes you know what vulnerabilities exist in your perimeter. When attackers are using vulnerabilities nobody’s disclosed yet, that model fails in ways that are hard to compensate for at the perimeter layer.

Network monitoring and behavioral detection inside the perimeter matter more now. If attackers walk through your firewall cleanly, the only way to catch them is what happens next: lateral movement, unusual authentication, data staging. You can’t count on the perimeter to stop what it doesn’t know it’s facing.

For Cisco ASA and FTD administrators specifically: yes, apply the patch. Also go back and look at your logs from the six weeks before this was disclosed. If Interlock was using this during that window and you’re a healthcare or government org, a retrospective hunt is worth running.

The mental model where zero-day exploitation is a nation-state problem is behind the curve. Interlock isn’t the Lazarus Group. They’re financially motivated criminals who had a Cisco firewall zero-day.

Plan accordingly.
