Fraud Management and Cybercrime, Healthcare, Industry Specific
Healthcare providers have been hit with dozens of entities since gangs first appeared in 2024
Marianne Kolbasuk McGee (HealthInfosec)•
July 23, 2025
US authorities are warning of the threat posed by double extension show gang interlocks, which are colliding with a variety of companies in many industries, including healthcare and other critical infrastructure sectors, with ransomware variants first seen in September 2024.
Reference: Top 10 Technology Forecasts for 2025
A joint warning from the Cybersecurity and Infrastructure Security Agency, the FBI, the US Department of Health and Human Services and the Multi-state Information Sharing and Analytics Centers said interlocks, which encrypt data, along with ransomware, are targeting organizations in North America and Europe.
As of Wednesday, Interlock's Dark website contained a long list of alleged victims across many sectors, including healthcare providers, schools, construction, manufacturing and real estate.
Listed as Interlock's recent healthcare victims, is Ohio-based Kettering Health, which operates 14 medical centers and more than 120 outpatient facilities in western Ohio, and Colorado-based Davita, which operates more than 3,100 dialysis and other kidney care facilities in the United States and 13 other countries.
According to federal alerts, the interlock ransomware encryption device is designed for both Windows and Linux operating systems. “These crypto companies have been observed to encrypt virtual machines on both operating systems,” the alert said.
Unlike most ransomware groups, interlocks get initial access via drive-by downloads from legitimate websites that have compromised, the Co-Advisory said.
“Actors were observed using initial access using Clickfix social engineering techniques, in which victims performed malicious payloads under the guise of fixing problems in the victim's system. Actors spread to other systems on the network using various methods for discovery, qualification access, and lateral movement.
The alert also notes that the interlock ransomware appears to have some similarities to the Rhysida ransomware variant, including code overlaps for both binaries.
“Ideal target”
Security researchers have been paying attention to interlocks since the group first appeared last September.
“There is no clear indication that interlocks are intentionally singled out the healthcare sector. Like many ransomware operators, they appear to be pursuing an inherently opportunistic target where vulnerabilities appear.”
“Interlocks are an active group. But keep in mind that their overall casualties are modest compared to key players like Clop, Akira and Qilin,” he said. To put that into perspective, Interlock has claimed 42 casualties so far this year, but those big gangs have each exceeded 350.
In addition to deploying payloads using drive-by downloads and rare click-fix methods, gangs also employ custom backdoors along with what appears to be a bespoke packer. “Together with a relatively small affiliate base, this gives their tactics a more handmade or 'craftsman' feel, as opposed to the industrial scale seen in other ransomware families,” he said.
Interlock's FileFix and Clickfix techniques bypass traditional endpoint defense, said JP Castellanos, director of threat intelligence for binary defense at security firms.
“They use native binaries or payloads that seem reliable because they require a bit of social engineering with interlocks to get users to use either technique. They are deceiving users to perform either technique, rather than relying on macros or exploits,” he said.
Unpublished electronic health records systems and unsecured internet of medical things devices are potentially major targets for interlock attackers, he said.
“These now represent ideal targets for ransomware groups like interlocks due to their inherent vulnerabilities, criticality, and systemic interdependence,” he said. In many cases, these systems are not properly segmented on the network, so when a network breach occurs, sophisticated attackers can move sideways and gain access.
“This makes it relatively easy to take advantage of, as EHR and IOMT devices often run out of data software and firmware, delayed patch cycles. The real prize money for the ransomware group can be found in the EHR.
“However, the increased ability to disrupt medical devices within hospitals creates more pressure, embarrassing, and potentially dangerous situations for these healthcare providers. This helps to put pressure on the organization for ransom negotiations.”
Among the factors contributing to interlocks and other cyberattack threats is that many healthcare sector entities have “too flat” networks.
Many of these organizations “have not done strictly segmented, particularly in terms of isolating front-office systems from more sensitive and vulnerable platforms such as EHRs and IOMT devices,” he said.
Recent attacks on Kettering Health are “a key example” of the challenges healthcare organizations face when they are targeted and hit by gangs like interlocks, Chronister said. “In that incident, interlocks moved the network sideways, affecting EHRs, telephone lines and internal systems.”
“Security teams need to separate and segment these high-risk assets.”
Take action
Health Information Sharing and Analytics Centre has observed 51 interlock attacks on all sectors since the group appeared in the last quarter of 2024, according to Erol Weiss, Health-ISAC chief security officer.
“Interlocks are of particular concern as they are routinely involved in data theft and forced data beyond ransomware encryption. This dual-expansion model significantly increases the risks to patient privacy and regulatory compliance,” he said.
“As Interlock focuses on the health sector, the defense industry foundation and other critical infrastructure sectors, their attacks are likely to destroy critical services and have a direct impact on patient safety and clinical continuity.”
Weiss strongly encourages organizations to implement critical security best practices and controls, including multifactor authentication for all critical accounts, privileged users, virtual private networks, and email systems.
Keep patches up to date, back up critical systems, test backups, actively participate in the information sharing community, continue to inform about emerging threats, develop incident response plans and test regularly. And he advised that staff will be provided with continuous cybersecurity awareness training.
“This situation highlights the immense value of a timely, peer-to-peer threat intelligence community, such as Health ISAC, where details of the incident from the victim are shared, providing important information for network defenders to actively block and detect malicious activity,” he said.
“While government alerts help with broader awareness, sector-specific ISACs often provide more detailed and practical intelligence faster.” In May, the Health ISAC and the American Hospital Association issued a joint recommendation on interlocking members with known indicators of compromise, he said.
