Feds Alert Health and Other Industries About Interlock Risks


Healthcare Sector Targeted by Ransomware Group Interlock, Emerging Since 2024


U.S. officials have raised concerns about the ransomware group Interlock, which has recently targeted a variety of sectors, notably healthcare, using a ransomware variant identified in September 2024. This warning comes in light of multiple incidents affecting organizations across North America and Europe.

A joint alert issued by the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and the U.S. Department of Health and Human Services highlights Interlock’s modus operandi, which involves data exfiltration followed by system encryption. The group’s dark web presence lists numerous victims, including healthcare providers, educational institutions, and manufacturers.

Among the notable healthcare entities affected are Kettering Health in Ohio and DaVita Inc. in Colorado. Kettering Health manages over a dozen facilities in Western Ohio, while DaVita operates thousands of dialysis centers both domestically and internationally. Such incidents demonstrate Interlock’s reach and the vulnerabilities present in essential services.

The ransomware employed by Interlock poses risks for both Windows and Linux systems, as noted in the federal alert. Uniquely, this group gains initial access through drive-by downloads from compromised websites, deviating from the more common methods employed by other ransomware actors. The ClickFix social engineering technique has also been observed, wherein users are deceived into executing malicious files under the pretense of fixing a system issue.

Security analysts indicate that Interlock is opportunistic in its targeting, lacking a specific focus on healthcare. Nevertheless, its activity emphasizes weaknesses in the sector’s cybersecurity posture, particularly due to uninformed system segmentation. The combination of outdated electronic health records systems and unsecured medical devices creates ideal conditions for attackers.

Recent research indicates that Interlock has engaged in a double-extortion approach, presenting threats of data theft alongside encryption to amplify pressure on victims. This model not only heightens risks to patient privacy but also complicates regulatory compliance, particularly within healthcare environments critical to patient care.

Interlock has initiated 51 attacks across sectors since late 2024, with seven specifically targeting healthcare, according to data from the Health Information Sharing and Analysis Center (Health-ISAC). These attacks have the potential to disrupt vital services, and the group’s activity maps to the MITRE ATT&CK framework, where tactics such as initial access through drive-by downloads and lateral movement across networks suggest a structured approach that prioritizes exploiting vulnerabilities.

Given the threats posed by groups like Interlock, industry experts advocate for robust cybersecurity practices, including the use of multi-factor authentication and regular system updates. By prioritizing security posture and implementing effective segmentation, organizations can better protect themselves against evolving ransomware threats.
