FBI & CISA Alert: Rising Threat of Interlock Ransomware Attacks

Summary
– CISA, FBI, HHS, and MS-ISAC warned of increased Interlock ransomware activity targeting businesses and critical infrastructure in double extortion attacks.
– Interlock, active since September 2024, targets global victims, especially healthcare, and was linked to ClickFix attacks and NodeSnake malware.
– The group breached DaVita and Kettering Health, stealing and leaking 1.5TB of data and targeting large healthcare networks.
– Interlock uses uncommon tactics like drive-by downloads and FileFix social engineering to deploy malware without security warnings.
– Mitigation measures include DNS filtering, network segmentation, MFA, and user training to recognize social engineering.
A joint cybersecurity advisory from the FBI, CISA, and partner agencies warns organizations about escalating Interlock ransomware attacks targeting critical infrastructure and businesses through sophisticated double extortion tactics. The alert provides critical threat intelligence gathered from recent investigations, along with defensive measures to counter this growing cyber threat.
First identified in late 2024, Interlock ransomware has rapidly expanded its operations, focusing heavily on healthcare organizations but also hitting victims across multiple industries. The group has been linked to previous cyberattacks, including ClickFix campaigns where hackers posed as IT support to infiltrate networks. They’ve also deployed NodeSnake, a remote access trojan, in attacks against universities in the U.K.
Recent high-profile breaches attributed to Interlock include DaVita, a Fortune 500 healthcare provider, where 1.5 terabytes of sensitive data were stolen and leaked. The group also compromised Kettering Health, a major healthcare network with over 120 facilities, demonstrating their ability to penetrate large-scale enterprises.
What sets Interlock apart are their unconventional attack methods. Unlike typical ransomware groups, they’ve been observed using drive-by downloads from legitimate but compromised websites to gain initial access. Once inside, they execute double extortion, encrypting systems while threatening to leak stolen data unless ransoms are paid.
The group has also adopted FileFix, a novel social engineering technique that manipulates trusted Windows interfaces like File Explorer and HTML Applications (.HTA) to silently execute malicious scripts. This bypasses security warnings, making detection more difficult.
To defend against Interlock’s evolving tactics, organizations should prioritize DNS filtering, web access firewalls, and employee training to recognize phishing and social engineering attempts. Keeping systems updated, segmenting networks, and enforcing strict identity and access controls, including mandatory multi-factor authentication (MFA), are essential steps to mitigate risk.
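The two paragraphs above describe FileFix abusing File Explorer and HTML Applications (.HTA) and then list defensive controls. One concrete detection a security team can run over endpoint process-creation telemetry is shown below. This is an added example written for this page, not code from the advisory, the agencies, or Bleeping Computer. It assumes a Sysmon-style event with image, parent image and command line fields (the `ProcEvent` shape and the sample events are constructed here), relies on the Windows fact that mshta.exe is the host process for .hta files, and treats explorer.exe as the parent of interest as an assumption modelling a user launching a file from File Explorer.

```python
"""Flag process-creation events that look like an HTML Application (.hta)
being launched, with extra weight when File Explorer is the parent.
Added example for this page; event format and sample data are constructed."""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ProcEvent:
    event_id: int
    image: str          # full path of the created process
    parent_image: str   # full path of the parent process
    command_line: str   # command line of the created process


# mshta.exe is the Windows host for HTML Applications (.hta files).
HTA_HOST = "mshta.exe"
# Assumption: a .hta launched directly from File Explorer models the
# FileFix pattern described above, so explorer.exe as parent ranks "high".
SUSPICIOUS_PARENTS = {"explorer.exe"}
# ".hta" as a complete extension; "\b" keeps ".html" from matching.
HTA_ARG = re.compile(r"\.hta\b", re.IGNORECASE)


def basename(path: str) -> str:
    """Case-insensitive file name from a Windows path (works on any OS)."""
    return ntpath.basename(path).lower()


def classify(ev: ProcEvent) -> Optional[str]:
    """Return a severity ("high"/"medium") or None if the event is benign."""
    image = basename(ev.image)
    parent = basename(ev.parent_image)
    runs_hta = image == HTA_HOST or HTA_ARG.search(ev.command_line) is not None
    if not runs_hta:
        return None
    return "high" if parent in SUSPICIOUS_PARENTS else "medium"


def flag_hta_launches(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """Return (event_id, severity) for every event that runs a .hta."""
    return [(ev.event_id, sev) for ev in events if (sev := classify(ev))]


# Constructed sample telemetry (not real incident data).
SAMPLE_EVENTS = [
    ProcEvent(1, r"C:\Windows\System32\mshta.exe", r"C:\Windows\explorer.exe",
              r'mshta.exe "C:\Users\alice\Downloads\invoice.hta"'),
    ProcEvent(2, r"C:\Windows\System32\mshta.exe",
              r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r"mshta.exe C:\Users\bob\AppData\Local\Temp\doc.hta"),
    ProcEvent(3, r"C:\Windows\System32\notepad.exe", r"C:\Windows\explorer.exe",
              r'notepad.exe "C:\Users\alice\Documents\readme.txt"'),
    ProcEvent(4, r"C:\Windows\System32\cmd.exe", r"C:\Windows\explorer.exe",
              r"cmd.exe /c start C:\Temp\update.hta"),
    ProcEvent(5, r"C:\Program Files\Google\Chrome\Application\chrome.exe",
              r"C:\Windows\explorer.exe",
              r'chrome.exe "https://example.invalid/page.html"'),
]


if __name__ == "__main__":
    for event_id, severity in flag_hta_launches(SAMPLE_EVENTS):
        print(f"event {event_id}: {severity}")
```

Event 4 shows why the command line is checked as well as the image name: a .hta started indirectly through cmd.exe never produces an mshta.exe image in that event, while the ".html" URL in event 5 stays unflagged. In practice the same rule would be expressed in the SIEM or EDR query language, and the "medium" hits are worth reviewing because legitimate .hta use is rare on most workstations.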
The advisory underscores the importance of proactive cybersecurity measures, especially for critical infrastructure and healthcare sectors, which remain prime targets for ransomware gangs. By implementing these defenses, organizations can reduce their exposure to Interlock’s disruptive and costly attacks.
(Source: Bleeping Computer)