FBI urges vigilance against Interlock ransomware group behind recent healthcare attacks

The Interlock ransomware is being used to target critical infrastructure and businesses across North America and Europe, the FBI and other federal agencies warned Tuesday. 

Federal officials said the group emerged in late September 2024 and has used uncommon methods of obtaining initial access to devices such as so-called drive-by downloads — when hackers use a compromised website or malicious link to make malware automatically download onto a victim’s computer without them knowing. 

In some cases, Interlock ransomware actors have disguised malicious payloads as fake Google Chrome or Microsoft Edge browser updates.

The hackers have also been seen using ClickFix social engineering techniques for initial access — a popular trick where attackers convince victims to install something under the guise of fixing an issue.  

The group caused alarm this year with dangerous attacks that shut down the dialysis treatment company DaVita and one of the largest healthcare systems in Ohio. The Department of Health and Human Services assisted the FBI with the advisory alongside the Cybersecurity and Infrastructure Security Agency (CISA) and industry group MS-ISAC. 

Despite its high-profile healthcare attacks, the FBI said the group targets victims simply based on opportunity. 

Interlock actors have developed encryptors for both Windows and Linux operating systems. Ransom notes from the group do not include ransom demands or payment instructions, and only offer explanations for how to contact the threat actors. Ransom payments are demanded in Bitcoin.

The advisory notes that analysts have identified potential links between Interlock and Rhysida — another ransomware operation known for its attacks on governments around the world. 

Federal investigators said cybersecurity firms have seen Interlock using information stealers like Lumma Stealer and Berserk Stealer to harvest credentials — allowing them to move throughout an organization and escalate their access.

The FBI is increasingly releasing advisories on specific ransomware strains in an effort to help victims contend with threat actors currently launching attacks. 

Federal law enforcement agencies have been able to use incident response engagement to file legal action and even develop decryptors. On Friday, the FBI touted an announcement from Japanese officials about a decryptor for the Phobos ransomware.

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.