Interlock’s NodeSnake RAT Sinks Its Fangs into UK Universities, Signals Dangerous New Chapter in Ransomware Evolution
- Cyber Jill
- 46 minutes ago
- 2 min read
A new chapter in ransomware attacks is unfolding—and it’s stealthier, smarter, and more insidious than ever.
The Interlock ransomware gang, first emerging in September 2024, has quietly escalated its threat profile with the deployment of a custom-built remote access trojan (RAT) known as NodeSnake. Designed for persistence and stealth, the malware has already been detected in attacks on at least two UK universities in early 2025, according to fresh intelligence from QuorumCyber researchers.
Unlike typical ransomware payloads that scream for attention, NodeSnake lurks silently, digging deep into academic networks. This JavaScript-based RAT, executed using Node.js, is engineered to establish long-term access and evade detection. Its tactics? Heavy code obfuscation, randomized file naming, and the cunning use of deceptive Registry entries—like impersonating a Google Chrome updater—to slip past traditional defenses.
“The Interlock ransomware gang has been observed deploying a remote access trojan (RAT) called NodeSnake against educational institutions,” said Aditya Sood, VP of Security Engineering and AI Strategy at Aryaka. “The group is continuing its recent streak of activity, having claimed responsibility for attacks on Texas Tech University, DaVita kidney dialysis, and Kettering Health.”
This evolution marks a strategic shift. Ransomware groups are increasingly moving away from smash-and-grab encryption campaigns and leaning into espionage-grade access mechanisms. NodeSnake exemplifies that shift: it detaches into the background, exfiltrates system metadata, kills processes, and can load additional malware—all while disguising its presence and relaying information back through Cloudflare-proxied domains.
Each new variant of NodeSnake appears more sophisticated than the last. The March 2025 strain, for example, added the ability to execute CMD commands and dynamically alter command-and-control polling behavior—a move that allows attackers to interact with infected systems in near real-time.
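A defender-side hunt for the persistence pattern described above (a Node.js-launched autorun, or a Run entry styled as a Chrome updater that points outside Google's install directories), added here as an example that is not from the article or the QuorumCyber report; the key list, path list and scoring heuristics are assumptions, not published NodeSnake indicators:

```powershell
# Added hunting script (assumed heuristics, not published NodeSnake IOCs).
# Flags autorun entries that launch node.exe or a .js file, or that present
# themselves as Chrome/Google components while living outside Google's dirs.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Directories where a legitimate Chrome/Google Update binary is expected.
$googleDirs = @(
    "$env:ProgramFiles\Google\",
    "${env:ProgramFiles(x86)}\Google\",
    "$env:LOCALAPPDATA\Google\"
)

function Test-SuspiciousAutorun {
    param([string]$Name, [string]$Command)
    $reasons = @()
    if ($Command -match '(?i)\bnode(\.exe)?\b') { $reasons += 'launches Node.js' }
    if ($Command -match '(?i)\.js\b')           { $reasons += 'runs a .js file' }
    $chromeThemed = ($Name -match '(?i)chrome|google') -or
                    ($Command -match '(?i)chrome|googleupdate')
    if ($chromeThemed) {
        $inGoogleDir = $false
        foreach ($d in $googleDirs) {
            if ($Command -like "*$d*") { $inGoogleDir = $true }
        }
        if (-not $inGoogleDir) {
            $reasons += 'Chrome/Google-themed entry outside Google install directories'
        }
    }
    return $reasons
}

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip provider metadata (PSPath etc.)
        $why = Test-SuspiciousAutorun -Name $p.Name -Command ([string]$p.Value)
        if ($why.Count -gt 0) {
            [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $p.Value; Why = ($why -join '; ') }
        }
    }
}
```

Hits are leads, not verdicts: confirm each by checking the referenced file's hash against the QuorumCyber IOC list and the signer of the binary it launches.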
The risks to academic institutions are especially grave. Open network designs, diverse user bases, and research-driven infrastructure make universities ideal soft targets.
“Installing NodeSnake RAT against educational institutions can have severe and far-reaching consequences,” warned Sood. “Once deployed, NodeSnake could enable attackers to gain persistent, covert access to university systems, allowing them to exfiltrate sensitive research data, intellectual property, financial records, and personally identifiable information (PII) of students and staff.”
“This intrusion can disrupt academic operations, erode trust among stakeholders, and result in regulatory penalties if data protection laws are violated. Moreover, attackers can use the access to pivot across systems, escalate privileges, or even deploy additional malware, compounding the damage.”
Security researchers say the presence of NodeSnake is a clear signal that Interlock isn’t just another smash-and-encrypt group—they’re playing the long game. That makes early detection and layered defense more critical than ever.
“To combat RAT and ransomware attacks, institutions should implement a multi-layered defense strategy,” Sood emphasized. “That includes robust endpoint detection and response (EDR), zero-trust network access (ZTNA), strict network segmentation, and regular system patching. Additionally, continuous monitoring, threat intelligence integration, and frequent offline backups are crucial for detecting, containing, and recovering from attacks swiftly while minimizing operational disruption.”
The full list of indicators of compromise (IOCs) tied to NodeSnake is available in the QuorumCyber report. Security teams across sectors—particularly education—would be wise to take notice. With tools like NodeSnake, Interlock isn’t just looking for ransom payments anymore. They’re burrowing in—and staying.