The Cybersecurity and Infrastructure Security Agency (CISA) and the FBI issued a warning on Tuesday regarding a surge in Interlock ransomware attacks aimed at businesses and critical infrastructure. This advisory, which also involved the Department of Health and Human Services (HHS) and the Multi-State Information Sharing and Analysis Center (MS-ISAC), details recent incidents and provides network defenders with indicators of compromise (IOCs) and suggested mitigation strategies. Recent incidents suggest a concerning increase in the sophistication of these attacks, with some techniques being notably uncommon among ransomware groups.
Interlock, a ransomware operation that appeared in September 2024, has quickly escalated its activities globally, with a primary focus on the healthcare sector. The group is now notorious for double extortion attacks, in which systems are encrypted only after valuable data has already been exfiltrated. The advisory indicates that this pressure tactic compels victims to comply with ransom demands to safeguard both access to their data and its confidentiality. The threat of data leakage amplifies the urgency for targeted organizations.
Recent breaches attributed to the Interlock group include notable incidents involving DaVita, a Fortune 500 kidney care provider, which suffered the theft of 1.5 terabytes of sensitive data, and Kettering Health, a significant healthcare entity with over 120 facilities. These incidents underscore the vulnerabilities facing organizations in the current cyber landscape, particularly as attackers leverage sophisticated methods to infiltrate networks.
As part of its tactics, the Interlock group employs a disturbing variety of initial compromise techniques, including drive-by downloads served from compromised legitimate websites. Security professionals are advised to adopt robust defenses, such as implementing Domain Name System (DNS) filtering, deploying web application firewalls, and training employees to recognize social engineering schemes. Keeping systems updated and maintaining comprehensive identity and access management controls have also been emphasized as critical measures for safeguarding against this evolving threat.