How Interlock Ransomware Infects Healthcare Organizations
Ransomware attacks have reached an unprecedented scale in the healthcare sector, exposing vulnerabilities that put millions at risk. Recently, UnitedHealth revealed that 190 million Americans had their personal and healthcare data stolen during the Change Healthcare ransomware attack, a figure that nearly doubles the previously disclosed total.

This breach shows how deeply ransomware can infiltrate critical systems, leaving patient trust and care hanging in the balance.

One of the groups targeting this already fragile sector is the Interlock ransomware group. Known for calculated and sophisticated attacks, it focuses on hospitals, clinics and other medical service providers.

Interlock is a relatively recent but dangerous player in cybercrime, known for double-extortion tactics: the group encrypts a victim's data to disrupt operations and threatens to leak the sensitive information it has already stolen if the ransom is not paid. Its primary motivation is financial gain, and its methods are tailored to maximize pressure on targets.

In late 2024, Interlock targeted multiple healthcare organizations in the United States, exposing sensitive patient information and severely disrupting operations. Victims included:

Initial Access: Drive-by Compromise

Interlock begins its attack with a deceptive method known as a drive-by compromise. The group gains initial access by exploiting unsuspecting users, often through carefully designed phishing websites.

The attack starts when the group either compromises an existing legitimate website or registers a new phishing domain. These sites are crafted to appear trustworthy, mimicking credible platforms such as news portals or software download pages. They often contain links to download fake updates or tools which, when executed, infect the user's device with malware.

Example: ANY.RUN's interactive sandbox detected a domain flagged as part of Interlock's activity, appleonlineshop. The site was designed to trick users into downloading malware disguised as legitimate software.

This tactic gets past the first layer of user suspicion, but with early detection and analysis SOC teams can identify malicious domains, block access and respond faster to emerging threats, reducing the impact on operations.

Execution

Once Interlock breaches the initial defenses, the execution phase begins. At this stage the attackers deploy malicious payloads or run commands on compromised devices, setting the stage for full control over the victim's network.

Interlock often disguises its tools as legitimate software updates. Victims unknowingly launch fake updaters mimicking Chrome, MS Teams or Microsoft Edge installers, thinking they are performing routine maintenance. Instead, these downloads install Remote Access Tools (RATs) that grant the attackers full access to the infected system.

Inside the ANY.RUN sandbox session, one of these updaters, upd8816295.exe, is identified in the process tree on the right-hand side, which shows its malicious behavior and execution flow. Clicking the Malconf button on the right side of the session reveals the encrypted URL hidden inside the fake updater.

A practical check for this stage: genuine Chrome, Teams and Edge updaters are Authenticode-signed by Google or Microsoft, so an "updater" that is unsigned and runs from a user's Downloads or Temp folder is the pattern to alert on, regardless of what its file name claims to be.

Credential Access

The next step is to steal access credentials. These let the attackers move laterally within the network and further exploit the victim's infrastructure.

Interlock used a custom stealer to harvest sensitive data, including usernames, passwords and other authentication credentials. According to reports, the stolen information was staged in a file named chrgetpdsi.txt before exfiltration.

Using ANY.RUN's TI Lookup, we found that this stealer had been detected on the platform as early as August 2024.

Lateral Movement

During lateral movement, the attackers spread across the network to reach additional systems and resources. Interlock relied on legitimate remote administration tools such as PuTTY, AnyDesk and RDP, tools often used by IT teams but repurposed for malicious activity. Because these tools are expected on many networks, detection depends on context: which process launched them, from where, and whether that parent was itself dropped by a fake updater.

Exfiltration

In the final stage, the attackers move stolen data out of the victim's network, often using cloud storage services. Interlock, for instance, leveraged Azure cloud storage to transfer data outside the organization.

Inside the ANY.RUN sandbox we can see the data being sent to attacker-controlled servers. In one Interlock analysis, for example, the logs showed data being transmitted to IP 21714814219 over port 443. Traffic on port 443 blends in with ordinary HTTPS, so the destination and the volume sent, not the port, are what make such a connection stand out.

Conclusion

The healthcare sector is a prime target for ransomware groups like Interlock, whose attacks jeopardize sensitive patient data, disrupt critical services and put lives at risk. Healthcare organizations must stay cautious and prioritize cybersecurity measures to protect their systems and data.

Early detection is the key to minimizing damage. Sandbox analysis lets healthcare teams identify threats like Interlock early in the attack chain: suspicious files can be detonated safely, hidden Indicators of Compromise (IOCs) extracted and network activity monitored, giving defenders actionable insight before a breach escalates.
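To turn the stages described above into detection logic, here is an added example that is not ANY.RUN's code, not Interlock's, and not any real product's event schema: a Python stage mapper run over a handful of constructed EDR-style events. It flags an unsigned updater-like binary launched from a user-writable folder, then treats everything that process spawns as tainted, and only reports a credential staging file, a remote administration tool, or a large upload to cloud storage over TCP/443 when a tainted process is behind it. The field names, the process names and paths, the 1 MB exfiltration threshold and the TEST-NET address 203.0.113.10 are all assumptions made for the example.

```python
"""Stage mapper for an Interlock-style chain (added example, not ANY.RUN or Interlock code).

Event fields (ts, host, type, pid, ppid, image, path, signed, dest, port, bytes_out)
are this example's own convention, not a real EDR schema.
"""
import re
from collections import defaultdict

# Updaters the page says Interlock imitates, plus the upd... naming seen in the sample
UPDATER_NAME = re.compile(r"(?i)(chrome|msteams|teams|edge|upd)\w*\.exe$")
# User-writable folders where a drive-by download would land
USER_WRITABLE = re.compile(r"(?i)\\(downloads|appdata\\local\\temp|temp)\\")
# Remote administration tools the page says were repurposed (mstsc.exe = RDP client)
REMOTE_ADMIN = {"putty.exe", "anydesk.exe", "mstsc.exe"}
# Azure blob endpoints (the page names Azure storage) or a raw IP destination
CLOUD_STORAGE = re.compile(r"(?i)\.blob\.core\.windows\.net$")
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
EXFIL_MIN_BYTES = 1_000_000  # assumed threshold for "bulk upload"


def is_fake_updater(ev):
    """Unsigned binary with an updater-like name running from a user-writable path."""
    return (ev["type"] == "process"
            and UPDATER_NAME.search(ev["image"]) is not None
            and USER_WRITABLE.search(ev["path"]) is not None
            and not ev.get("signed", False))


def analyze(events):
    """Return {host: [stage, ...]} in order of first occurrence.

    Processes spawned (transitively) by a fake updater are 'tainted'; later
    stages fire only for tainted processes, so an admin's own PuTTY session
    or a legitimate Azure backup on its own is not reported.
    """
    tainted = defaultdict(set)   # host -> pids descended from a fake updater
    stages = defaultdict(list)   # host -> ordered stage names

    def hit(host, stage):
        if stage not in stages[host]:
            stages[host].append(stage)

    for ev in sorted(events, key=lambda e: e["ts"]):
        host, pid = ev["host"], ev["pid"]
        if ev["type"] == "process":
            if is_fake_updater(ev):
                tainted[host].add(pid)
                hit(host, "execution:fake_updater")
            elif ev["ppid"] in tainted[host]:
                tainted[host].add(pid)
                if ev["image"].lower() in REMOTE_ADMIN:
                    hit(host, "lateral_movement:remote_admin_tool")
        elif pid not in tainted[host]:
            continue  # file and network activity of untainted processes is ignored
        elif ev["type"] == "file_write":
            if ev["path"].lower().endswith(".txt") and USER_WRITABLE.search(ev["path"]):
                hit(host, "credential_access:staging_file")
        elif ev["type"] == "network":
            dest = ev["dest"]
            cloud = CLOUD_STORAGE.search(dest) or IPV4.match(dest)
            if ev["port"] == 443 and cloud and ev["bytes_out"] >= EXFIL_MIN_BYTES:
                hit(host, "exfiltration:cloud_storage_443")
    return dict(stages)


# Constructed telemetry: ws01 follows the chain, ws02 is a benign look-alike.
SAMPLE_EVENTS = [
    {"ts": 1, "host": "ws01", "type": "process", "pid": 100, "ppid": 1, "image": "chrome.exe",
     "path": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "signed": True},
    {"ts": 2, "host": "ws01", "type": "process", "pid": 200, "ppid": 100, "image": "upd8816295.exe",
     "path": r"C:\Users\nurse\Downloads\upd8816295.exe", "signed": False},
    {"ts": 3, "host": "ws01", "type": "process", "pid": 201, "ppid": 200, "image": "svc.exe",
     "path": r"C:\Users\nurse\AppData\Local\Temp\svc.exe", "signed": False},
    {"ts": 4, "host": "ws01", "type": "file_write", "pid": 201,
     "path": r"C:\Users\nurse\AppData\Local\Temp\creds.txt"},
    {"ts": 5, "host": "ws01", "type": "process", "pid": 202, "ppid": 201, "image": "putty.exe",
     "path": r"C:\Users\nurse\AppData\Local\Temp\putty.exe", "signed": True},
    {"ts": 6, "host": "ws01", "type": "network", "pid": 201,
     "dest": "203.0.113.10", "port": 443, "bytes_out": 52_000_000},
    {"ts": 1, "host": "ws02", "type": "process", "pid": 300, "ppid": 1, "image": "MicrosoftEdgeUpdate.exe",
     "path": r"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe", "signed": True},
    {"ts": 2, "host": "ws02", "type": "process", "pid": 301, "ppid": 1, "image": "putty.exe",
     "path": r"C:\Program Files\PuTTY\putty.exe", "signed": True},
    {"ts": 3, "host": "ws02", "type": "network", "pid": 302,
     "dest": "backups.blob.core.windows.net", "port": 443, "bytes_out": 900_000_000},
]

if __name__ == "__main__":
    for host, found in analyze(SAMPLE_EVENTS).items():
        print(host, "->", " > ".join(found))
```

The taint-by-lineage rule is the important design choice: PuTTY, RDP and Azure uploads are all normal in a hospital network, so each later stage is reported only when its process descends from the unsigned "updater", which is the one event in the chain that is abnormal on its own. In a real deployment the process lineage and signature fields would come from the EDR or sandbox process tree rather than from the hand-built list here.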