Ransomware attacks on the healthcare industry have reached unprecedented levels, exposing risks that put millions of people in danger. According to UnitedHealth, 190 million Americans were affected by the Change Healthcare ransomware attack, nearly double the number previously reported.
This breach shows how severely ransomware can disrupt patient trust and care, placing a heavy burden on the whole system.
The Interlock ransomware group is one of the actors targeting this already fragile sector. Known for persistent and sophisticated attacks, it focuses on hospitals, clinics, and other healthcare providers.
Interlock Ransomware Group: An Active Threat to Healthcare
The Interlock ransomware group is a relatively new but dangerous player in cybercrime, known for its double-extortion tactics.
This technique involves encrypting a victim's data to disrupt operations and threatening to leak sensitive information if the ransom demands are not met. The group's primary motive is financial gain, and its tactics are designed to put maximum pressure on its targets.
Key characteristics
- Approach: The group uses techniques such as phishing, fake software updates, and malicious websites to gain initial access.
- Persistence: The damage they cause is amplified by their ability to remain undetected for extended periods.
- Rapid deployment: Once inside a system, they quickly move laterally, stealing sensitive data and preparing systems for encryption.
- Tailored ransom demands: The group carefully assesses the value of the stolen data in order to set ransom demands suited to each victim.
Recent Interlock Ransomware Group Targets
In late 2024, Interlock targeted a number of medical organizations in the United States, exposing sensitive patient data and severely disrupting operations. Victims included:
- Brockton Neighborhood Health Center: breached in October 2024; the attack went undetected for nearly two months.
- Legacy Treatment Services: detected in early October 2024.
- Drug and Alcohol Treatment Service: compromised files discovered around the same time.
Interlock Ransomware Group Attack Chain
The first step in the Interlock ransomware group's attack is a Drive-by Compromise, a common and deceptive tactic. By exploiting unsuspecting users, often through carefully crafted phishing websites, the group gains initial access to targeted systems.
Initial Access: How the Attack Begins
The attack begins when the Interlock group either registers a new phishing domain or compromises an existing legitimate website. These sites are carefully crafted to appear reputable, imitating trusted platforms such as news portals and software download pages. They typically contain prompts to download fake updates or tools which, when executed, infect the user's system with malware.
Example: ANY.RUN's interactive sandbox flagged a domain associated with Interlock's activity, apple-online.shop, which was designed to lure users into downloading malware disguised as legitimate software.
This strategy is built to get past a user's initial suspicion, but with early detection and analysis, security teams can quickly identify malicious domains, block access, and respond faster to emerging threats, reducing the potential impact on business operations.
apple-online.shop flagged as part of Interlock's activity inside the ANY.RUN sandbox
Execution: How Interlock Gains Control
The Execution phase begins once the Interlock ransomware group has breached the initial defenses. Attackers can now take full control of the victim's network by deploying malicious payloads or running harmful commands on compromised devices.
Interlock ransomware frequently uses fake software updates to hide its malicious components and deceive users. Victims unknowingly launch fake updaters, such as those mimicking Chrome, MS Teams, or Microsoft Edge installers, believing they are performing routine maintenance. Instead, these downloads launch Remote Access Tools (RATs), which give attackers full access to the infected system.
Inside an ANY.RUN sandbox session, one of the updaters, upd_8816295, was analyzed. The executable is clearly visible in the process tree on the right-hand side, revealing its malicious behavior and execution flow.
Fake updater analyzed inside the ANY.RUN sandbox
By clicking the Malconf button on the right side of the ANY.RUN sandbox session, we reveal the encrypted URL hidden within the fake updater.
By presenting detailed data in a clear, user-friendly format, the sandbox helps companies improve their threat response workflows, shorten the analysis process, and get faster, more effective results against cyber threats.
Encrypted malicious URL revealed in the ANY.RUN sandbox
Credential Access: Compromising Sensitive Accounts
The next step of the attack is stealing access credentials. These credentials enable attackers to move laterally within the network and penetrate the victim's infrastructure further.
The Interlock ransomware group used a custom stealer tool to harvest sensitive data, including usernames, passwords, and other authentication credentials. According to reports, the stolen information was stored in a file named "chrgetpdsi.txt", which served as a collection point before exfiltration.
Using ANY.RUN's TI Lookup tool, we found that this stealer had been seen on the platform as early as August 2024.
Interlock stealer found in ANY.RUN
Lateral Movement: Expanding the Foothold
During the Lateral Movement phase, attackers spread across the network to gain access to additional systems and resources. The Interlock ransomware group relied on legitimate remote administration tools, which are commonly used by IT teams but were repurposed for malicious ends.
PuTTY found inside ANY.RUN
Data Exfiltration: Extracting Stolen Information
In this final stage, attackers move stolen data out of the victim's network, often using cloud storage services. The Interlock ransomware group, for instance, leveraged Azure cloud storage to transfer data outside the organization.
Inside the ANY.RUN sandbox, we can see the data being sent to attacker-controlled servers.
For example, here the logs revealed information being transmitted to IP 217[.]148.142.19 over port 443 during an Interlock attack.
Data sent by the RAT to attacker-controlled servers, revealed by ANY.RUN
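As an added example (not part of the original article and not ANY.RUN's tooling), the script below refangs the indicators quoted across the attack chain above (the phishing domain, the fake updater, the stealer's output file, and the exfiltration IP and port) and sweeps constructed log lines for them, mapping each hit to the stage it belongs to. The log format and the .exe extension on the updater are assumptions.

```python
"""Indicator sweep for the Interlock attack chain described in this article."""
import re

# Indicators quoted on the page, kept defanged as a report would publish them.
# The mapping to attack-chain stages follows the article's section order.
INDICATORS = {
    "initial_access": {"type": "domain", "value": "apple-online[.]shop"},
    "execution": {"type": "process", "value": "upd_8816295"},
    "credential_access": {"type": "file", "value": "chrgetpdsi.txt"},
    "exfiltration": {"type": "ip_port", "value": "217[.]148.142.19:443"},
}

# Constructed log lines (not real telemetry); the log format and the .exe
# extension on the updater are assumptions made for this example.
SAMPLE_LOGS = [
    "2024-10-03T09:14:02Z dns client=10.0.5.21 query=apple-online.shop type=A",
    "2024-10-03T09:14:40Z proc host=WS-0521 parent=chrome.exe image=C:\\Users\\jdoe\\Downloads\\upd_8816295.exe",
    "2024-10-03T09:15:11Z file host=WS-0521 op=create path=C:\\Users\\jdoe\\AppData\\Local\\Temp\\chrgetpdsi.txt",
    "2024-10-03T09:20:55Z net host=WS-0521 dst=217.148.142.19:443 proto=tcp bytes_out=48213760",
    "2024-10-03T09:21:03Z dns client=10.0.5.22 query=update.microsoft.com type=A",
]

def refang(value: str) -> str:
    """Turn a defanged indicator such as '217 [. ] 148.142.19' into plain form."""
    return re.sub(r"\s*\[\s*\.\s*\]\s*", ".", value)

def line_matches(line: str, ioc: dict) -> bool:
    """Case-insensitive substring match; ip_port needs both the IP and the port."""
    needle = refang(ioc["value"]).lower()
    haystack = line.lower()
    if ioc["type"] == "ip_port":
        ip, port = needle.rsplit(":", 1)
        return ip in haystack and re.search(rf"[:= ]{port}\b", haystack) is not None
    return needle in haystack

def scan_logs(lines):
    """Return (stage, indicator, line) for every log line carrying a known IoC."""
    return [(stage, refang(ioc["value"]), line)
            for line in lines
            for stage, ioc in INDICATORS.items()
            if line_matches(line, ioc)]

def stages_hit(lines):
    """Ordered, de-duplicated attack-chain stages observed in the logs."""
    seen = []
    for stage, _, _ in scan_logs(lines):
        if stage not in seen:
            seen.append(stage)
    return seen
```

Running `scan_logs(SAMPLE_LOGS)` flags four of the five constructed lines, and `stages_hit` returns the stages in the same order the article walks through them, which is a useful signal that a full chain rather than an isolated hit is in progress.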
Proactive Protection Against Ransomware in Healthcare
Ransomware groups like Interlock have made the healthcare industry a prime target for attacks that compromise sensitive patient data, disrupt essential services, and put lives in danger. Healthcare organizations must remain vigilant and prioritize cybersecurity measures to safeguard their data and systems.
The key to minimizing damage is early detection. Tools like the ANY.RUN sandbox help healthcare teams identify threats like Interlock early in the attack chain, providing actionable insights to stop data breaches before they happen.
With the ability to safely analyze suspicious files, uncover hidden Indicators of Compromise (IOCs), and monitor network activity, ANY.RUN empowers organizations to defend themselves against advanced threats.