How Interlock Ransomware Infects Healthcare Organizations


Ransomware attacks have reached an unprecedented scale in the healthcare sector, exposing vulnerabilities that put millions at risk. Recently, UnitedHealth revealed that 190 million Americans had their personal and healthcare data stolen during the Change Healthcare ransomware attack, a figure that nearly doubles the previously disclosed total.

This breach shows just how deeply ransomware can infiltrate critical systems, leaving patient trust and care hanging in the balance.

One of the groups that targets this already fragile sector is the Interlock ransomware group. Known for their calculated and sophisticated attacks, they focus on hospitals, clinics, and other medical service providers.

Interlock Ransomware Group: An Active Threat to Healthcare

The Interlock ransomware group is a relatively recent but dangerous player in the world of cybercrime, known for employing double-extortion tactics.

This method involves encrypting a victim's data to disrupt operations while also threatening to leak the stolen, sensitive information if ransom demands are not met. The group's primary motivation is financial gain, and its methods are tailored to maximize pressure on each target.

Notable characteristics

Sophistication: The group gains initial access through phishing, fake software updates, and malicious websites that impersonate legitimate download pages.
Persistence: Their ability to remain undetected for long periods amplifies the damage they can cause.
Rapid deployment: Once inside a network, they quickly move laterally, stealing sensitive data and preparing systems for encryption.
Tailored ransom demands: The group carefully assesses the value of the stolen data to set ransom amounts that victims are likely to pay.

Recent Targets by Interlock Ransomware Group

In late 2024, Interlock targeted multiple healthcare organizations in the United States, exposing sensitive patient information and severely disrupting operations. Victims included:

Brockton Neighborhood Health Center: Breached in October 2024, with the attack remaining undetected for nearly two months.
Legacy Treatment Services: Detected in late October 2024.
Drug and Alcohol Treatment Service: Compromised data uncovered in the same period.

Interlock Ransomware Group Attack Chain

The Interlock ransomware group begins its attack with a deceptive initial-access method known as Drive-by Compromise (MITRE ATT&CK T1189). The technique gains a foothold on targeted systems by luring unsuspecting users to carefully designed phishing websites rather than by exploiting a software vulnerability.

Initial Attack of the Ransomware

The attack starts when the Interlock group either compromises an existing legitimate website or registers a new phishing domain. These sites are carefully crafted to appear trustworthy, mimicking credible platforms like news portals or software download pages. The sites often contain links to download fake updates or tools, which, when executed, infect the user’s device with malicious software.

Example: ANY.RUN's interactive sandbox detected a domain flagged as part of Interlock's activity, apple-online.shop. The site was designed to trick users into downloading malware disguised as legitimate software.

This tactic bypasses the initial layer of user suspicion. With early detection and analysis, however, SOC teams can identify such malicious domains, block access to them, and respond faster to emerging threats, reducing the potential impact on operations.

apple-online.shop flagged as part of Interlock's activity inside ANY.RUN sandbox

Equip your team with the tools to combat cyber threats.

Get a 14-day free trial and analyze unlimited threats with ANY.RUN.

Execution: How Interlock Gains Control

Once the Interlock ransomware group breaches initial defenses, the Execution phase begins. At this stage, attackers deploy malicious payloads or execute harmful commands on compromised devices, setting the stage for full control over the victim’s network.

Interlock ransomware often disguises its malicious tools as legitimate software updates to deceive users. Victims unknowingly launch fake updaters mimicking Chrome, Microsoft Teams, or Microsoft Edge installers, believing they are performing routine maintenance. Instead, these downloads install Remote Access Tools (RATs), which grant attackers full control of the infected system.

Inside ANY.RUN's sandbox session, one of these updaters, upd_8816295.exe, appears in the process tree on the right-hand side, where its malicious behavior and execution flow can be traced.

Fake updater analyzed inside ANY.RUN sandbox

By clicking the Malconf button on the right side of the ANY.RUN sandbox session, we reveal the encrypted URL hidden within the fake updater.

Analysts receive detailed data in a clear and user-friendly format, helping companies improve their threat response workflows, reduce analysis time, and achieve faster and more effective results when fighting against cyber threats.

Decrypted malicious URL inside ANY.RUN sandbox

Compromising Sensitive Access

The next step of the attack is to steal access credentials. These credentials grant attackers the ability to move laterally within the network and further exploit the victim’s infrastructure.

The Interlock ransomware group used a custom Stealer tool to harvest sensitive data, including usernames, passwords, and other authentication credentials. According to reports, this stolen information was stored in a file named “chrgetpdsi.txt”, which served as a collection point before exfiltration.

Using ANY.RUN’s TI Lookup tool, we uncovered that this Stealer was detected on the platform as early as August 2024.

Interlock Stealer detected by ANY.RUN

Lateral Movement: Expanding the Foothold

During the Lateral Movement phase, attackers spread across the network to reach additional systems and resources. The Interlock ransomware group relied on legitimate remote administration tools and protocols such as PuTTY, AnyDesk, and RDP, which IT teams use routinely but which the attackers repurposed for malicious activity.

PuTTY detected inside ANY.RUN

Data Exfiltration: Extracting Stolen Information

In this stage, which in a double-extortion attack precedes encryption, attackers exfiltrate stolen data out of the victim's network, often using cloud storage services. The Interlock ransomware group, for instance, leveraged Azure cloud storage to transfer data outside the organization.

Inside the ANY.RUN Sandbox we can see how the data is being sent to attacker-controlled servers.

For example, the sandbox logs revealed data being transmitted to 217[.]148[.]142[.]19 over port 443 during an Interlock attack.

Data sent by the RAT to attacker-controlled servers revealed by ANY.RUN
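The indicators scattered through the attack chain above (the apple-online.shop lure, the upd_8816295.exe fake updater, the chrgetpdsi.txt credential dump, the PuTTY/AnyDesk/RDP tooling, and the 217[.]148[.]142[.]19:443 connection) are exactly what a SOC would fold into a hunting rule. The script below is an added example, not ANY.RUN's or Interlock's code, that matches those page-stated indicators against a constructed endpoint log and maps each hit to the attack stage it belongs to. The log schema (`ts|host|kind|detail`), the hostnames, the binary names assumed for the remote-admin tools (mstsc.exe for RDP), and the generalised `upd_<digits>.exe` naming pattern are all assumptions made for illustration.

```python
import re
from collections import defaultdict

# Indicators taken from the article's ANY.RUN observations.
INTERLOCK_DOMAINS = {"apple-online.shop"}
INTERLOCK_C2 = {("217.148.142.19", 443)}
CREDENTIAL_DUMP_FILES = {"chrgetpdsi.txt"}

# Assumption: executable names for the tools the article names (PuTTY, AnyDesk, RDP);
# mstsc.exe is the built-in Windows RDP client, not something the article mentions.
REMOTE_ADMIN_TOOLS = {"putty.exe", "anydesk.exe", "mstsc.exe"}
# Assumption: generalised from the single sample name on the page, upd_8816295.exe.
FAKE_UPDATER_RE = re.compile(r"^upd_\d+\.exe$", re.IGNORECASE)


def parse(line):
    """Parse one 'ts|host|kind|detail' record (a constructed schema, not a vendor's)."""
    ts, host, kind, detail = line.split("|", 3)
    return {"ts": ts, "host": host, "kind": kind, "detail": detail}


def basename(path):
    """Last path component, lower-cased, for both Windows and POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect(events):
    """Return (stage, host, evidence) for every event matching an Interlock indicator."""
    findings = []
    for e in events:
        host, detail, kind = e["host"], e["detail"], e["kind"]
        if kind == "dns" and detail.lower().rstrip(".") in INTERLOCK_DOMAINS:
            findings.append(("initial_access", host, detail))
        elif kind == "process":
            name = basename(detail)
            if FAKE_UPDATER_RE.match(name):
                findings.append(("execution", host, name))
            elif name in REMOTE_ADMIN_TOOLS:
                findings.append(("lateral_movement", host, name))
        elif kind == "file" and basename(detail) in CREDENTIAL_DUMP_FILES:
            findings.append(("credential_access", host, detail))
        elif kind == "net":
            ip, _, port = detail.rpartition(":")
            if port.isdigit() and (ip, int(port)) in INTERLOCK_C2:
                findings.append(("exfiltration", host, detail))
    return findings


def stages_by_host(findings):
    """Collapse findings into {host: set(stages)} so a full chain on one host stands out."""
    out = defaultdict(set)
    for stage, host, _ in findings:
        out[host].add(stage)
    return dict(out)


def analyze(log_text):
    """Parse a multi-line log and return the per-host stage map."""
    events = [parse(l) for l in log_text.strip().splitlines() if l.count("|") >= 3]
    return stages_by_host(detect(events))


# Constructed sample log; hostnames, user, timestamps and the benign lines are invented.
SAMPLE_LOG = r"""
2024-10-03T09:12:41Z|ws-nurse-07|dns|apple-online.shop
2024-10-03T09:13:05Z|ws-nurse-07|process|C:\Users\jdoe\Downloads\upd_8816295.exe
2024-10-03T09:13:09Z|ws-nurse-07|file|C:\Users\jdoe\AppData\Local\Temp\chrgetpdsi.txt
2024-10-03T09:40:12Z|ws-nurse-07|process|C:\Tools\putty.exe
2024-10-03T10:02:55Z|ws-nurse-07|net|217.148.142.19:443
2024-10-03T10:05:00Z|srv-files-02|process|C:\Windows\System32\mstsc.exe
2024-10-03T10:06:00Z|srv-files-02|dns|login.example.org
2024-10-03T10:07:00Z|srv-files-02|net|10.0.0.5:443
"""

if __name__ == "__main__":
    for host, stages in sorted(analyze(SAMPLE_LOG).items()):
        print(f"{host}: {', '.join(sorted(stages))}")
```

The per-host roll-up is the useful part: a lone `mstsc.exe` launch on srv-files-02 is a hunting lead at best, since RDP is everyday IT traffic, whereas ws-nurse-07 lighting up every stage from the lure domain to the 443 connection is the shape of an Interlock intrusion and should page someone. Atomic indicators such as the domain and IP go stale quickly; the file-name and tooling rules are the ones worth keeping after this campaign's infrastructure changes.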

Proactive Protection Against Ransomware in Healthcare

The healthcare sector is a prime target for ransomware groups like Interlock, with attacks that jeopardize sensitive patient data, disrupt critical services, and put lives at risk. Healthcare organizations must stay cautious and prioritize cybersecurity measures to protect their systems and data.

Early detection is the key to minimizing damage. Tools like ANY.RUN Sandbox allow healthcare teams to identify threats like Interlock early in the attack chain, providing actionable insights to prevent data breaches before they occur.

With the ability to safely analyze suspicious files, uncover hidden Indicators of Compromise (IOCs), and monitor network activity, ANY.RUN gives organizations the power to fight back against advanced threats.

Start your free 14-day ANY.RUN trial today and give your team the tools to help them stop ransomware threats before they escalate.

This article is a contributed piece from one of our valued partners.

The Hacker News
