U.S. Agencies Warn of Rising Interlock Ransomware Threats in Healthcare

August 12, 2025
In a comprehensive alert issued on July 27, 2025, four major U.S. federal agencies expressed growing concerns regarding the Interlock ransomware, which has increasingly targeted healthcare providers and critical infrastructure across North America and Europe. The alert, released by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Department of Health and Human Services (HHS), and the Multi-State Information Sharing and Analysis Center (MS-ISAC), is part of the ongoing #StopRansomware initiative aimed at combating the rising trend of ransomware attacks.

Interlock ransomware emerged in September 2024 and has since been associated with a series of high-profile attacks against healthcare institutions, including Kettering Health, an Ohio-based healthcare system, and DaVita, a Fortune 500 kidney care company. According to the agencies, the group employs a sophisticated double-extortion model, whereby it not only encrypts victims’ data but also threatens to publish stolen information unless a ransom is paid.

"Interlock's tactics are notable for their rapid evolution and opportunistic nature," stated FBI Cyber Division Assistant Director, Ed C. Silva. The initial attack methods reported include drive-by downloads from compromised legitimate websites, malicious payloads disguised as fake browser updates, and social engineering tactics such as a deceptive method called 'ClickFix.' This method tricks users into executing harmful code under the guise of resolving system errors.

Once inside a network, the group uses various tools, including Interlock Remote Access Trojan (RAT) and NodeSnake RAT, to maintain control of the compromised systems. It also deploys PowerShell scripts to download credential-stealing malware, capturing sensitive data that facilitates lateral movement within networks. Furthermore, Interlock has shown adaptability by deploying malware on diverse operating systems, including Linux, which diverges from typical ransomware strategies.

To mitigate the risks associated with Interlock ransomware, the advisory urges organizations to adopt several best practices: implementing DNS filtering to block access to harmful sites, employing web application firewalls, keeping software updated, enforcing multifactor authentication (MFA), and training employees to recognize phishing attempts. Additionally, maintaining secure, offline backups of critical data is vital for recovery in the event of an attack.

Dr. Emily Carter, a cybersecurity expert at the Massachusetts Institute of Technology, emphasizes the significance of proactive measures. "Organizations must prioritize cybersecurity training and infrastructure resilience. The healthcare sector is particularly vulnerable due to the sensitive nature of its data and the critical services it provides."

The Interlock ransomware campaign underscores the evolving landscape of cyber threats that target critical sectors, with healthcare at the forefront. As organizations continue to grapple with the implications of these attacks, the need for enhanced cybersecurity protocols is urgent. The federal agencies involved encourage any organization affected by ransomware or suspicious activity to reach out to local FBI field offices or report incidents to CISA via its Incident Reporting System.

In conclusion, as cybercriminals continue to refine their strategies, collaboration among government agencies, private sector entities, and academic institutions will be crucial in developing effective defenses against ransomware threats. The ongoing efforts to educate and equip organizations with the necessary tools and knowledge are vital steps in safeguarding critical infrastructure and protecting sensitive data from malicious actors.
