Ransomware
Interlock Ransomware Exploited Cisco Firewall CVE for Weeks Before Detection
Primary Source
Incident Details
The Interlock ransomware group exploited a maximum-severity (CVSS 10.0) vulnerability in Cisco Adaptive Security
Appliance (ASA) and Firepower Threat Defense (FTD) firewalls to gain persistent access to victim networks weeks before
deploying ransomware payloads. The extended dwell time allowed extensive reconnaissance, lateral movement, and
data exfiltration before the ransomware was deployed. Cisco issued patches for the vulnerability, but organizations
that delayed patching were compromised. Interlock has targeted healthcare, manufacturing, and government
organizations. Using a CVSS 10.0 network-edge vulnerability as the initial access vector, rather than phishing,
represents a shift in Interlock's TTPs. Affected organizations were advised to patch Cisco perimeter devices
immediately. Because the group held access for weeks before detection, applying the patch does not by itself evict an
intruder who is already inside the network; organizations should also review the firewall and internal hosts for signs
of the earlier intrusion.
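The "delayed patching" problem above is easier to manage when the running ASA software on every perimeter device is compared against the fixed build for its release train, since Cisco ships fixes per train and a device on an unlisted train is not safe just because it is "newer". The script below is an added example, not code from the article or from Cisco: it parses the version line of `show version` output (assumed to read "Cisco Adaptive Security Appliance Software Version 9.x(y)z") and compares it against a fixed-version table. The table values are placeholders; the real fixed builds must be taken from the Cisco advisory for the vulnerability. The device outputs are constructed sample data.

```python
import re

# Placeholder fixed builds keyed by ASA train (major.minor). These are NOT the
# real fixed versions for the vulnerability in the article; fill them in from
# the Cisco advisory before using this in earnest.
FIXED_BY_TRAIN = {
    "9.16": (9, 16, 4, 70),
    "9.18": (9, 18, 4, 22),
    "9.20": (9, 20, 3, 0),
}

# ASA reports its version as major.minor(maintenance)interim, e.g. 9.16(4)57;
# the trailing interim number is absent on some builds, e.g. 9.20(3).
VERSION_RE = re.compile(
    r"Cisco Adaptive Security Appliance Software Version\s+"
    r"(?P<major>\d+)\.(?P<minor>\d+)\((?P<maint>\d+)\)(?P<interim>\d+)?"
)


def parse_asa_version(show_version_output):
    """Extract (major, minor, maintenance, interim) from 'show version' text, or None."""
    m = VERSION_RE.search(show_version_output)
    if m is None:
        return None
    return (
        int(m["major"]),
        int(m["minor"]),
        int(m["maint"]),
        int(m["interim"] or 0),
    )


def assess(show_version_output, fixed_by_train=FIXED_BY_TRAIN):
    """Classify a device as 'patched', 'vulnerable', 'unknown-train' or 'unparsed'.

    A train with no fixed build in the table is reported separately rather than
    assumed safe: it may be end-of-life or simply missing from the table.
    """
    version = parse_asa_version(show_version_output)
    if version is None:
        return "unparsed"
    train = f"{version[0]}.{version[1]}"
    fixed = fixed_by_train.get(train)
    if fixed is None:
        return "unknown-train"
    # Tuple comparison orders builds within a train correctly.
    return "patched" if version >= fixed else "vulnerable"


def audit(devices, fixed_by_train=FIXED_BY_TRAIN):
    """Map hostname -> status for a dict of hostname -> 'show version' output."""
    return {host: assess(out, fixed_by_train) for host, out in devices.items()}


# Constructed sample outputs; only the version line matters to the parser.
SAMPLE_DEVICES = {
    "fw-edge-01": "Cisco Adaptive Security Appliance Software Version 9.16(4)57\n"
                  "Device Manager Version 7.16(1)\n",
    "fw-edge-02": "Cisco Adaptive Security Appliance Software Version 9.18(4)40\n",
    "fw-dc-01":   "Cisco Adaptive Security Appliance Software Version 9.14(4)24\n",
    "fw-lab-01":  "Cisco Adaptive Security Appliance Software Version 9.20(3)\n",
    "fw-broken":  "connection timed out\n",
}

if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE_DEVICES).items()):
        print(f"{host:12} {status}")
```

Feed it the captured `show version` output of each firewall (from a config-backup system or an SSH collector) and treat anything other than "patched" as a device to act on: "unknown-train" and "unparsed" are findings, not noise.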
Technical Details
- Initial attack vector: Interlock exploited a critical vulnerability (CVSS 10.0) in Cisco ASA/FTD firewalls to gain initial access to victim networks weeks before deploying ransomware.
Timeline
- 2026-03-18 Breach occurred
- 2026-03-18 Publicly disclosed