New Interlock Ransomware Group Targets US Healthcare Organizations
An emerging ransomware group has its sights set on the healthcare industry and has been conducting attacks since at least September 2024, according to Cisco Talos Incident Response. Interlock ransomware is a financially motivated threat group that claims that, in addition to attacking for monetary gain, it does so to teach organizations a lesson for their poor security practices. Based on the attacks in the first couple of months, Interlock engages in big game hunting, targeting large organizations with the financial means to pay large ransoms.
“We are Interlock, a relentless collective that exposes the recklessness of companies failing to protect their most critical assets: customer data and intellectual property. We exploit the vulnerabilities they leave wide open, delivering a harsh but necessary wake-up call to those who think they can cut corners on security… We don’t just want payment; we want accountability,” explained Interlock on its data leaks blog site. “Your data is only as safe as the effort you put into protecting it… we are here to enforce the standards that they fail to uphold.”
An analysis of one recent Interlock ransomware attack by the Cisco Talos IR team identified several tactics, techniques, and procedures (TTPs) used by the group. While the group says it exploits vulnerabilities, in this case it gained initial access to the victim’s network by tricking a user into installing a fake Google Chrome browser update via a compromised legitimate news website. The executable file was downloaded from the URL of a legitimate retailer whose site had been compromised. The executable delivered a remote access tool (RAT), which dropped a Windows shortcut file into the Windows StartUp folder so that the RAT ran each time the user logged in.
The RAT collects information from the device, encrypts that information, establishes a connection with the Interlock command and control (C2) server, and sends the encrypted data to the C2 server. The RAT also delivered a credential stealer and keylogger, disabled the endpoint detection and response (EDR) software, and attempted to delete the contents of event logs to avoid detection.
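The persistence technique described above, a shortcut dropped into the Windows StartUp folder, is cheap to check for on any Windows host. The script below is an added example written for this article, not code from Cisco Talos or from the article itself. It resolves every .lnk shortcut in the per-user and all-users StartUp folders and flags those whose target lives outside the program directories listed in $trustedRoots; that list, and the decision to flag shortcuts with an empty target for manual review, are assumptions to adjust for your own environment.

```powershell
# Added example (not from the article or Cisco Talos): audit Windows StartUp
# folder shortcuts and flag any whose target lives outside the usual program
# directories. Run in an elevated PowerShell session on the host being checked.

$startupDirs = @(
    [Environment]::GetFolderPath('Startup')         # current user's StartUp folder
    [Environment]::GetFolderPath('CommonStartup')   # all-users StartUp folder
)

# Targets under these roots are treated as expected; everything else is flagged.
# This list is an assumption for the example, not a rule taken from the article.
$trustedRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:SystemRoot) |
    Where-Object { $_ }

$shell = New-Object -ComObject WScript.Shell

$findings = foreach ($dir in $startupDirs) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    foreach ($lnkFile in Get-ChildItem -LiteralPath $dir -Filter *.lnk -File) {
        $lnk     = $shell.CreateShortcut($lnkFile.FullName)   # resolves the .lnk target
        $target  = $lnk.TargetPath
        $trusted = $false
        foreach ($root in $trustedRoots) {
            if ($target -and $target.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) {
                $trusted = $true
            }
        }
        # An empty target is also reported as suspicious so it gets a manual look.
        [PSCustomObject]@{
            Shortcut   = $lnkFile.FullName
            Target     = $target
            Arguments  = $lnk.Arguments
            Created    = $lnkFile.CreationTime
            Suspicious = -not $trusted
        }
    }
}

$findings | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

The creation timestamp is included because, in the intrusion described, the shortcut would have appeared shortly after the fake browser update was run; a StartUp entry created on the same day as an unexpected download is worth correlating with browser history and proxy logs.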
Interlock primarily uses the Remote Desktop Protocol (RDP) along with the compromised credentials for lateral movement and also uses the remote access tools AnyDesk and LogMeIn for remote connectivity. PuTTY was installed to allow lateral movement to Linux hosts. Data was exfiltrated to a remote Azure storage location using AzCopy, then ransomware was deployed to encrypt files. Interlock took 17 days from the initial compromise to file encryption and gave the victim 96 hours to respond to the ransom demand.
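The lateral movement and exfiltration stage described above leaves two observables in the Windows Security log that defenders can review together: interactive RDP logons (event 4624 with LogonType 10) and process creation events (event 4688) for the tooling named in the article. The script below is an added example written for this article, not code from Cisco Talos or from the article. It assumes process-creation auditing is enabled (and command-line logging, if the CommandLine column is to be populated); the executable names in $toolNames are the common file names for AzCopy, AnyDesk and PuTTY and are an assumption to extend locally, which is why LogMeIn is not listed.

```powershell
# Added example (not from the article or Cisco Talos): review the Security log
# for RDP logons and for process creation of the tools the article names.
param([int]$LookbackDays = 30)

$since = (Get-Date).AddDays(-$LookbackDays)

# Executable names for the tools the article names; assumed, extend for your estate.
$toolNames = @('azcopy.exe', 'anydesk.exe', 'putty.exe')

function Get-EventData {
    # Flatten an event's EventData fields into a hashtable keyed by field name.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $map = @{}
    foreach ($n in ([xml]$Event.ToXml()).Event.EventData.Data) { $map[$n.Name] = $n.'#text' }
    return $map
}

# Interactive RDP logons: 4624 with LogonType 10 (RemoteInteractive).
$rdpLogons = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = Get-EventData $_
        if ($d['LogonType'] -eq '10') {
            [PSCustomObject]@{
                Time   = $_.TimeCreated
                User   = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
                Source = $d['IpAddress']
            }
        }
    }

# Process creation: 4688, matched on the executable file name only.
$toolRuns = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = Get-EventData $_
        if (-not $d['NewProcessName']) { return }   # skip malformed records
        $exe = [IO.Path]::GetFileName($d['NewProcessName']).ToLower()
        if ($toolNames -contains $exe) {
            [PSCustomObject]@{
                Time        = $_.TimeCreated
                User        = $d['SubjectUserName']
                Process     = $d['NewProcessName']
                CommandLine = $d['CommandLine']   # empty unless command-line auditing is on
            }
        }
    }

"RDP logons in the last $LookbackDays days:"
$rdpLogons | Sort-Object Time | Format-Table -AutoSize
"Remote-access / transfer tool executions in the last $LookbackDays days:"
$toolRuns  | Sort-Object Time | Format-Table -AutoSize
```

Reviewing the two lists side by side is the point: an AzCopy execution on a server that also shows a first-ever RDP logon from an unfamiliar workstation, within the 17-day window the article describes, is the kind of pairing that should be escalated before data leaves for an external storage account.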
Victims so far have included U.S. healthcare organizations, technology firms, and the government, with manufacturing firms attacked in Europe. The stolen data is published on the Interlock Worldwide Secrets blog if the ransom is not paid. The Cisco Talos team suggests Interlock may be a breakaway from the Rhysida ransomware group due to overlapping TTPs, but only made that connection with a low level of confidence.


