CISA Recommends Segmentation & Zero Trust to Combat Interlock Ransomware

Written by

Jacob Abrams

July 24, 2025

Jacob Abrams is a Product Marketing Manager at Akamai working with the Zero Trust security products, specifically Akamai Guardicore Segmentation. Prior to Akamai, he worked with Israeli tech startups to generate sales pipeline and facilitate marketing content creation and promotion. He is based in Somerville, MA.

CISA’s advisory is not just about responding to Interlock — it’s also about preparing for the next threat.

On July 22, 2025, the Cybersecurity and Infrastructure Security Agency (CISA), along with the Federal Bureau of Investigation (FBI) and the Multi-State Information Sharing and Analysis Center (MS-ISAC), issued a cybersecurity advisory that warns organizations about a new ransomware variant known as Interlock.

This human-operated ransomware is known for stealing and encrypting sensitive data, often followed by extortion demands. And like many modern ransomware campaigns, its success hinges on one key factor — lateral movement.

Segmentation is a critical step

Among its recommendations, CISA includes segmentation, one of the most effective defenses against these attacks.

Segmenting your network isn't just good advice. It's a critical step for organizations that are looking to defend against sophisticated, targeted ransomware attacks like Interlock.

The Akamai Guardicore Platform, which builds on our core segmentation component, is uniquely positioned to help organizations meet CISA’s recommendations — especially with regard to lateral movement — with a multilayered Zero Trust architecture that also includes DNS filtering, access control, threat hunting, and behavioral enforcement.

What is Interlock ransomware?

Interlock is a strain of human-operated ransomware observed in active campaigns that are targeting U.S. organizations across sectors. Unlike opportunistic, automated attacks, Interlock is often deployed after attackers gain an initial foothold. 

In some instances, the FBI observed Interlock actors using a known social engineering technique. Then, through phishing, Remote Desktop Protocol (RDP), or exposed VPN services, the attackers manually navigate the network to find and exfiltrate high-value data.

Some of the other techniques observed in these campaigns include:

  • Using native Windows tools like PsExec for lateral movement
  • Deploying Cobalt Strike and AnyDesk for command and control (C2)
  • Leveraging targeted encryption of sensitive virtual machines and other assets, often after exfiltrating data for double extortion

This is the kind of attack that thrives in flat, overly permissive environments, where a compromise in one system quickly becomes a compromise everywhere.

CISA’s mitigation playbook

CISA’s advisory offers multiple technical and strategic mitigations. Some of the most critical include:

  • Segmenting networks to contain lateral movement
  • Applying the principle of least privilege across accounts and access paths
  • Monitoring for unauthorized remote tools like AnyDesk and TeamViewer
  • Applying application allowlisting and behavioral analysis

Among these, network segmentation stands out as a foundational control that prevents attacks from spreading, even if initial access is achieved.

Why network segmentation is so critical

Here’s the reality: Most ransomware damage doesn’t happen at the point of initial compromise. It happens after the attacker moves laterally. That’s how threat actors find your domain controllers, backups, financial data, and crown jewel applications.

Flat networks give them freedom — but well-segmented networks stop them cold.

Granular network segmentation (like microsegmentation) shrinks the attack surface, isolates critical systems, and helps contain breaches before they spread.
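As an added illustration (not part of the original article and not Akamai's policy format), the following Python sketch audits observed flows against a default-deny segmentation allowlist. The segment names, CIDR ranges, allow rules, and flow records are all constructed for the example.

```python
import ipaddress

# Constructed segment map (assumption): CIDR -> segment label.
SEGMENTS = {
    "10.10.0.0/24": "workstations",
    "10.20.0.0/24": "app-servers",
    "10.30.0.0/28": "domain-controllers",
    "10.40.0.0/28": "backups",
}

# Default-deny allowlist: (source segment, destination segment, TCP port).
# No workstations -> workstations rule exists, so peer SMB (445) and RDP are denied.
ALLOW = {
    ("workstations", "app-servers", 443),
    ("workstations", "domain-controllers", 88),
    ("workstations", "domain-controllers", 389),
    ("app-servers", "backups", 8443),
}
NETS = [(ipaddress.ip_network(c), name) for c, name in SEGMENTS.items()]

def segment_of(ip):
    """Return the segment label for an address, or 'unknown' if unmapped."""
    addr = ipaddress.ip_address(ip)
    return next((name for net, name in NETS if addr in net), "unknown")

def audit(flows):
    """Return (src, dst, port, src_segment, dst_segment) for each denied flow."""
    denied = []
    for src, dst, port in flows:
        s, d = segment_of(src), segment_of(dst)
        if (s, d, port) not in ALLOW:
            denied.append((src, dst, port, s, d))
    return denied

# Constructed flow records: (source IP, destination IP, destination TCP port).
SAMPLE_FLOWS = [
    ("10.10.0.15", "10.20.0.5", 443),    # workstation -> app over HTTPS
    ("10.10.0.15", "10.30.0.2", 88),     # Kerberos to a domain controller
    ("10.10.0.15", "10.10.0.77", 445),   # workstation -> workstation SMB
    ("10.10.0.15", "10.30.0.2", 3389),   # RDP to a domain controller
    ("10.10.0.15", "10.40.0.3", 8443),   # workstation straight to backups
    ("10.20.0.5", "10.40.0.3", 8443),    # app server -> backups
]

if __name__ == "__main__":
    for src, dst, port, s, d in audit(SAMPLE_FLOWS):
        print(f"DENY {src} ({s}) -> {dst} ({d}) tcp/{port}")
```

Because the allowlist is keyed on segment pairs rather than subnets alone, traffic between two hosts in the same segment is denied unless a rule names it, which is the difference between coarse VLAN-style segmentation and microsegmentation.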

How the Akamai Guardicore Platform helps you meet CISA’s guidance

Though network segmentation is our core functionality, CISA’s mitigation checklist goes beyond that by spanning the entire attack lifecycle — from preventing initial access to containing lateral movement and securing privileged credentials. 

Each component of the Akamai Guardicore Platform directly supports CISA’s guidance, including stopping initial access at the door, closing vulnerability gaps, stopping lateral movement cold, and enforcing secure access.

Stop initial access at the door

CISA’s recommendation

“Implement domain name system (DNS) filtering services to prevent access to malicious websites, including phishing and command-and-control domains.”

How Akamai helps

Akamai Guardicore’s DNS Firewall capabilities enforce DNS-layer protection to:

  • Block communication with known malicious domains
  • Prevent users from reaching phishing pages and malware hosts
  • Limit exposure to C2 infrastructure used by ransomware groups
  • Integrate with security awareness programs by reducing successful phishing attempts

This proactive control prevents attackers from establishing a foothold in the environment, which is often the very first step in a ransomware kill chain.

Close vulnerability gaps

CISA’s recommendation

“Ensure operating systems, software, and firmware are patched and up to date. Prioritize known exploited vulnerabilities.”

How Akamai helps

The Akamai Guardicore Insight module, combined with Akamai Hunt, provides advanced threat detection and telemetry analysis to:

  • Identify unpatched or vulnerable assets across your environment
  • Monitor for abnormal behaviors tied to exploitation techniques
  • Surface indicators of compromise (IOCs) and suspicious flows
  • Power threat hunting and incident investigation workflows

This visibility ensures you can detect, prioritize, and mitigate known vulnerabilities before adversaries exploit them.

Stop lateral movement cold

CISA’s recommendation

“Segment networks to restrict lateral movement from initial infected devices and other devices in the same organization.”

How Akamai helps

This is Akamai Guardicore’s core strength. Our software-based segmentation enforces Zero Trust controls at the workload, process, and user levels to:

  • Contain compromised devices
  • Prevent attackers from pivoting to crown-jewel systems
  • Ringfence legacy or unpatchable assets
  • Apply least-privilege policies across hybrid environments

Unlike traditional firewalls or VLANs, Akamai Guardicore Segmentation can be deployed rapidly and provides real-time enforcement and visibility across cloud, data center, and endpoint environments.

Enforce secure access

CISA’s recommendation

“Implement identity, credential, and access management policies across the organization and require multifactor authentication (MFA) for all services.”

How Akamai helps

Akamai Guardicore Access along with Akamai MFA brings Zero Trust to the login layer by:

  • Enforcing FIDO2 multi-factor authentication for all privileged and remote access
  • Verifying user identity before granting access to segmented workloads
  • Providing fine-grained access policies based on user, device, and risk posture
  • Ensuring that even if credentials are stolen, attackers can’t get in

This helps organizations prevent credential abuse, a leading cause of initial compromise in ransomware incidents like Interlock.

Real-world results from ransomware defenses

Customers using the Akamai Guardicore Platform have:

  • Prevented ransomware from reaching business-critical assets or customer data
  • Segmented legacy machines that couldn't be patched
  • Used ringfencing techniques to isolate infected systems before the damage spreads
  • Recovered faster by securing backup environments and preventing re-infection

These are the types of outcomes that enable you to be resilient and recover more quickly from a ransomware scenario, as did a large financial services company.

Getting ahead of the next attack

CISA’s advisory is not just about responding to Interlock — it’s also about preparing for the next threat. Ransomware groups are evolving, using double or triple extortion techniques, targeting remote access infrastructure, and exploiting flat networks across industries.

Segmenting your environment with the Akamai Guardicore Platform is one of the most impactful things you can do to reduce ransomware risk and align with proven, government-backed cybersecurity recommendations.

Take the next step

Don’t wait for ransomware to dictate your next move. Take proactive steps today.

Explore how the Akamai Guardicore Platform works via a guided demo, or read our white paper Risk Mitigation, Prevention, and Cutting the Kill Chain.


