Clickfix Pop-Ups: The Simple Tactic Fuelling a New Wave of Ransomware Attacks
David Neeson
Deputy SOC Team Lead
In less than a year, one of the web’s most disliked chores – fielding the constant flow of pop-up messages today’s websites throw at users – has quietly turned into a source of huge anxiety for security teams across the world.
The pop-up nobody can avoid today is the consent cookie, usually followed by a second pop-up asking users to subscribe to a mailing list. However, in a small but growing number of cases, a third and very different pop-up is appearing at some point during a session, either asking visitors to update their browser to fix an “error” or to complete a CAPTCHA.
Pop-ups are not new, but this particular pop-up is of a different order. This is the Clickfix pop-up, and it has earned its fearful reputation in a recent string of ransomware attacks that is rapidly turning into one of the biggest hazards faced by today’s organisations.
Barrier Networks’ Security Operations Centre (SOC) team recently got a ringside seat on the damage this simple-sounding technique can do when it helped an organisation recover from a serious ransomware incident. After investigation, it was discovered that patient zero was an employee working from home on a laptop who’d come face-to-face with a Clickfix pop-up while browsing a website.
The exact pop-up involved is not known, but most likely it would have been disguised as an official-looking CAPTCHA. At some point, the employee would have been asked to click on a fix button, possibly followed by instructions on how to enable Windows PowerShell. Unfortunately, the individual complied, infecting their laptop with a Remote Access Trojan (RAT) backdoor. After returning to the organisation’s offices, the laptop acted as a bridgehead for lateral spread, unleashing ransomware mayhem only days later.
Barrier identified the ransomware as Interlock, a threat actor that since 2024 has been using Clickfix for initial targeting. Pop-ups sound basic, but as we’ve seen from the example above, plus at least one other major ransomware compromise we dealt with in the UK earlier in 2025, they are now a potent threat vector. In the above example, clicking on the CAPTCHA fix initiated the download of the RAT from a malicious URL.
Enabling Windows PowerShell would have allowed the attackers to use native scripting to proceed with the attack rather than traditional malware, which would be more easily detected.
Why is Clickfix so successful?
Clickfix is really a form of social engineering, which makes it challenging to defend against at a human level. Social engineering exploits the user’s expectations; in this case the pop-ups and CAPTCHAs themselves are the lure. Users are less likely to see these kinds of pop-up as suspicious because they encounter them all the time, so clicking through them has become a habit that requires no second thought.
Clickfix is also incredibly hard to defend against at a technical level. By exploiting the ‘living off the land’ modus operandi of using only the native tools it finds on targeted systems, Clickfix avoids the need to download malware. This abuse of legitimate applications makes these attacks much harder to spot using conventional EDR tools because the activity resembles normal, non-suspicious behaviour.
How can organisations defend themselves?
Educate the workforce
Educating users is an essential first line of defence. Very few employees will have heard of Clickfix attacks or know how to recognise them. Simply showing them what the threat looks like will make them warier in future, an easy win for defenders.
Turn off PowerShell
Ensure legacy versions such as PowerShell 2.0 are disabled on standard employee systems. Although PowerShell is a core OS component, most users do not need it, and disabling the legacy engine significantly hinders living-off-the-land techniques. For current versions of PowerShell, enable script block logging and configure event forwarding to a SIEM. This setup makes it possible to detect unusual activity, such as PowerShell being invoked by a standard user.
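One way to put the two hardening steps above into practice and then review the log they produce, as an added example that is not code from the original article or from Barrier Networks: it disables the PowerShell 2.0 engine, sets the script block logging policy, and lists recent Event ID 4104 script blocks run by non-administrator accounts that fetch or decode content. The pattern list, the one-day window and the use of the local Administrators group as the definition of "not a standard user" are assumptions for illustration.

```powershell
# Added example, not code from the original article or from Barrier Networks.
# Run in an elevated Windows PowerShell 5.1 session on a Windows 10/11 client.
# Assumes the 2.0 engine is still present as an optional feature and that the
# Microsoft-Windows-PowerShell/Operational log is enabled (the default).
# Forwarding the resulting events to a SIEM (WEF or an agent) is outside this script.

# 1. Disable the legacy PowerShell 2.0 engine. It predates script block logging
#    and AMSI, so anything run through it leaves almost no script-level trace.
$v2 = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root
if ($v2.State -eq 'Enabled') {
    Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -NoRestart | Out-Null
}

# 2. Enable script block logging by writing the same registry value the Group
#    Policy setting writes. PowerShell 5+ then records every script block it
#    runs as Event ID 4104, including code decoded from -EncodedCommand.
$sbl = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
New-Item -Path $sbl -Force | Out-Null
Set-ItemProperty -Path $sbl -Name EnableScriptBlockLogging -Value 1 -Type DWord

# 3. Review the log: 4104 events from the last day, attributed to the account
#    that ran them, keeping only non-administrator accounts whose script text
#    fetches or decodes content (the download-from-URL step described above).
#    The pattern list and the one-day window are illustrative choices (assumptions).
$adminSids = (Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue).SID.Value
$cradle    = 'Invoke-WebRequest|\biwr\b|DownloadString|DownloadFile|Invoke-Expression|\biex\b|FromBase64String|Start-BitsTransfer'
$filter    = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = (Get-Date).AddDays(-1) }

Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    $script = [string]($_.Properties[2].Value)    # ScriptBlockText field of a 4104 event
    $sid    = if ($_.UserId) { $_.UserId.Value } else { 'unknown' }
    $user   = $sid
    try { $user = $_.UserId.Translate([System.Security.Principal.NTAccount]).Value } catch {}
    if (($sid -notin $adminSids) -and ($script -match $cradle)) {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            User    = $user
            Snippet = $script.Substring(0, [Math]::Min(120, $script.Length)) -replace '\s+', ' '
        }
    }
} | Format-Table -AutoSize
```

Any row this prints is a standard user account whose PowerShell session pulled or decoded content in the last day, which on a typical employee workstation is worth an analyst's attention.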
Fine-tune EDR
Make sure EDR tools are configured to monitor for indicators of compromise (IOCs), such as PowerShell use or unusual JavaScript dialogs. On most user endpoints, such activity is a strong signal that something malicious is happening.
Address calendar weaknesses
Clickfix is more than drive-by opportunism. Once the attackers have an initial compromise, they wait for a moment of weakness to launch ransomware. Organisations need to consider how they can defend themselves 24x7 without leaving gaps.
Consider using a SOC
Whether internal or external, SOCs offer compelling advantages in defending against attacks such as Clickfix, including constantly updated threat intelligence on real-world campaigns, specialised in-house skills and 24x7 security coverage. The latter is particularly important in countering calendar attacks (attacks at weekends or during vacations) that exploit lower staffing levels.