CyberSecurity news

FlagThis - #interlock

@training.invokere.com //

New Interlock RAT Variant Deployed With FileFix Technique - A new PHP variant of the Interlock RAT is being distributed through compromised websites and Cloudflare tunnels using the KongTuke FileFix method, enabling remote control and lateral movement.
Researchers have uncovered a new and sophisticated variant of the Interlock RAT, a remote access trojan associated with the Interlock ransomware group. This latest iteration is written in PHP, marking a departure from previously observed JavaScript-based versions. The malware is being distributed through a widespread campaign that leverages compromised websites and Cloudflare tunnels. The attack chain begins with a single-line script injected into website HTML, often unbeknownst to the website owners. This script employs IP filtering to serve the payload, which then manipulates the user into clicking a captcha for "verification," ultimately leading to the execution of a PowerShell script that deploys the Interlock RAT.

The delivery mechanism for this new PHP variant utilizes the KongTuke FileFix technique. Researchers have noted that this updated method has been observed deploying the PHP version of the Interlock RAT, and in some instances, this has subsequently led to the deployment of the Node.js variant of the same RAT. The capabilities of this Interlock RAT variant include remote control of compromised systems, thorough system reconnaissance, and the ability to perform lateral movement within a network. This demonstrates an evolving level of sophistication in the threat actor's tactics.

The DFIR Report, in collaboration with Proofpoint, identified the malware and its distribution methods. The observed execution involves a PowerShell command that deletes a scheduled task named "Updater" before downloading and executing a script from a specific URL. This script, in turn, abuses the `php.exe` executable from an uncommon location to further download and execute the RAT. Security professionals are advised to be aware of PowerShell spawning `php.exe` from unusual directories as a potential indicator of compromise. Additionally, the RAT's reconnaissance activities, such as running `systeminfo`, `tasklist`, `whoami`, or `nltest`, provide further opportunities for detection.

Recommended read:
References :
Pauline Dornig@it-daily.net //

Ransomware Attack on Kettering Health - Interlock ransomware group claimed responsibility for the cyberattack on Kettering Health, disrupting services and posting stolen patient data online.
The ransomware group Interlock has claimed responsibility for the recent cyberattack on Kettering Health, a US healthcare organization comprised of hospitals, clinics, and medical centers in Ohio. The attack, which initially disrupted the healthcare system on May 20th, forced the shutdown of all computer systems and has left Kettering Health struggling to fully recover over two weeks later. CNN first reported on Interlock’s involvement in the breach, but at the time, the group had not publicly taken credit, leading to speculation that ransom negotiations might be underway. However, Interlock has now come forward, potentially indicating that negotiations with Kettering Health have been unsuccessful.

Interlock announced its involvement by posting alleged stolen data on its dark web site, claiming to have exfiltrated over 940 gigabytes of data from Kettering Health’s internal network. A preliminary review of the posted files indicates that the stolen data includes sensitive private health information, such as patient names, patient numbers, and detailed clinical summaries. These summaries contain sensitive information including mental status assessments, medication lists, health concerns, and other specific details about patients' medical conditions. The stolen data also encompasses employee information and the contents of shared drives, raising concerns about further potential privacy breaches.

The cyberattack has severely impacted Kettering Health's operations. Since the initial breach, numerous medical procedures have been canceled or postponed, forcing healthcare professionals to revert to paper-based documentation. This digital standstill has significantly affected clinical care for approximately 1.5 million patients annually. While Kettering Health has reported progress in restoring its systems, including bringing the electronic health record (EHR) system "Epic" back online with the help of around 200 employees, the full extent of the damage and the long-term consequences of the data breach are still unfolding.

Recommended read:
References :
  • infosec.exchange: Ransomware gang Interlock claims responsibility for the Kettering Health hack, posting some alleged stolen data on its dark web site. Data includes private health information, such as patient names, patient numbers, and clinical summaries written by doctors, which include categories such as mental status, medications, health concerns, and other categories of patient data.
  • techcrunch.com: Ransomware gang Interlock claims responsibility for the Kettering Health hack, posting some alleged stolen data on its dark web site. Data includes private health information, such as patient names, patient numbers, and clinical summaries written by doctors, which include categories such as mental status, medications, health concerns, and other categories of patient data.
  • www.it-daily.net: Report on a ransomware attack on Kettering Health.
  • techcrunch.com: Health giant Kettering still facing disruption weeks after ransomware attack
  • The Register - Security: Ransomware scum leak patient data after disrupting chemo treatments at Kettering
  • BleepingComputer: Kettering Health confirms Interlock ransomware behind cyberattack
  • BleepingComputer: Details about the leaked data.
Mandvi@Cyber Security News //

Interlock Ransomware Deploys New NodeSnake RAT - The Interlock ransomware group is deploying a new remote access trojan (RAT) called NodeSnake to maintain persistent access to compromised corporate networks, targeting educational institutions and local government entities in the UK.
The Interlock ransomware group is actively deploying a new, sophisticated remote access trojan (RAT) known as NodeSnake in attacks targeting corporate networks. Security researchers have observed this campaign, revealing that Interlock is leveraging NodeSnake as a key component of its attack toolkit to maintain persistent access and enhance its post-exploitation capabilities. NodeSnake, written in Golang, allows the attackers to bypass common detection mechanisms and exfiltrate sensitive data, ensuring continued access even if ransomware binaries are detected and removed.

Two UK-based universities and local government entities have recently fallen victim to NodeSnake within the past few months. Analysis by cybersecurity firm Quorum Cyber has uncovered two new variants of the RAT, strongly attributing them to the Interlock ransomware group. The timing and shared code elements between the incidents suggest a coordinated campaign by the same threat actor, signalling a shift in targets for the Interlock ransomware group which is believed to be behind these attacks.

NodeSnake is a type of Remote Access Trojan (RAT). RATs are dangerous because they allow attackers to take control of infected computers from afar. This means attackers can access files, watch what users are doing, change computer settings, and even steal or delete important information remotely while the RATs stay hidden in the system and even introduce other harmful programs. Furthermore, the two NodeSnake variants are from the same family, with the newer one showing significant improvements. This RAT expands the group’s capabilities for reconnaissance, lateral movement, and data exfiltration, facilitating ransomware deployment.

Recommended read:
References :
  • Cyber Security News: Interlock Ransomware Deploys NodeSnake RAT to Maintain Access in Corporate Networks Security researchers have observed a sophisticated cyber campaign in which the Interlock ransomware group is leveraging the NodeSnake remote access trojan (RAT) as part of its attack toolkit against corporate networks.
  • gbhackers.com: Interlock Ransomware Uses NodeSnake RAT for Persistent Access to Corporate Networks In a two UK-based universities have fallen victim to a sophisticated Remote Access Trojan (RAT) dubbed NodeSnake within the past two months.
  • hackread.com: Interlock Ransomware Deploys New NodeSnake RAT in UK Attacks Quorum Cyber identifies two new NodeSnake RAT variants, strongly attributed to Interlock ransomware, impacting UK higher education and local government.
  • BleepingComputer: Interlock ransomware gang deploys new NodeSnake RAT on universities
  • ciso2ciso.com: Interlock Ransomware Deploys New NodeSnake RAT in UK Attacks – Source:hackread.com Source: hackread.com – Author: Deeba Ahmed.
  • cyberpress.org: Interlock Ransomware Deploys NodeSnake RAT to Maintain Access in Corporate Networks Security researchers have observed a sophisticated cyber campaign in which the Interlock ransomware group is leveraging the NodeSnake remote access trojan (RAT) as part of its attack toolkit against corporate networks.
  • ciso2ciso.com: Interlock Ransomware Deploys New NodeSnake RAT in UK Attacks – Source:hackread.com
  • bsky.app: We don’t just want payment; we want accountability." The malicious hackers behind the Interlock ransomware try to justify their attacks. Learn more about what you need to know about Interlock in my article on the Tripwire blog. #cybersecurity #ransomware #clickfix
  • Graham Cluley: "We don’t just want payment; we want accountability." The malicious hackers behind the Interlock ransomware try to justify their attacks.
@ketteringhealth.org //

Kettering Health Crippled by Ransomware Attack - Kettering Health experienced a ransomware attack causing a system-wide technology outage, impacting operations and leading to the cancellation of elective medical procedures.
Kettering Health, a healthcare network operating 14 medical centers and over 120 outpatient facilities in western Ohio, has been hit by a ransomware attack causing a system-wide technology outage. The cyberattack, which occurred on Tuesday, May 20, 2025, has forced the cancellation of elective inpatient and outpatient procedures and has disrupted access to critical patient care systems, including phone lines, the call center, and the MyChart patient portal. Emergency services remain operational, but emergency crews are being diverted to other facilities due to the disruption. Kettering Health has confirmed they are responding to the cybersecurity incident involving unauthorized access to its network and has taken steps to contain and mitigate the breach, while actively investigating the situation.

The ransomware attack is suspected to involve the Interlock ransomware gang, which emerged last fall and has targeted various sectors, including tech, manufacturing firms, and government organizations. A ransom note, viewed by CNN, claimed the attackers had secured Kettering Health's most vital files and threatened to leak stolen data unless the health network began negotiating an extortion fee. In response to the disruption, Kettering Health has canceled elective procedures and is rescheduling them for a later date. Additionally, the organization is cautioning patients about scam calls from individuals posing as Kettering Health team members requesting credit card payments and has halted normal billing calls as a precaution.

The incident highlights the increasing cybersecurity challenges facing healthcare systems. According to cybersecurity experts, healthcare networks often operate with outdated technology and lack comprehensive cybersecurity training for staff, making them vulnerable to attacks. There is a call to action to invest in healthcare cybersecurity, with recommendations for the government and its partners to address understaffed healthcare cyber programs by tweaking federal healthcare funding programs to cover critical cybersecurity expenditures, augmenting healthcare cybersecurity workforces and incentivizing cyber maturity.

Recommended read:
References :
  • industrialcyber.co: Ransomware suspected in Kettering Health cyberattack disrupting patient services, canceling elective procedures
  • BleepingComputer: Kettering Health, a healthcare network that operates 14 medical centers in Ohio, was forced to cancel inpatient and outpatient procedures following a cyberattack that caused a system-wide technology outage.
  • www.bleepingcomputer.com: Kettering Health, a healthcare network that operates 14 medical centers in Ohio, was forced to cancel inpatient and outpatient procedures following a cyberattack that caused a system-wide technology outage. [...]
  • DataBreaches.Net: Elective inpatient and outpatient procedures were canceled.
  • thecyberexpress.com: Kettering Health Hit by Cyberattack: Network Outage and Scam Calls Reported
  • The DefendOps Diaries: Strengthening Cybersecurity in Healthcare: Lessons from the Kettering Health Ransomware Attack
  • BleepingComputer: Kettering Health hit by system-wide outage after ransomware attack
  • The Dysruption Hub: Reports Ransomware Attack Cripples Kettering Health Systems Across Ohio
  • : Kettering Health faces a ransomware attack and confirms a scam targeting its patients
  • www.scworld.com: Apparent ransomware attack leads to systemwide outage for Kettering Health
  • Industrial Cyber: Reports Ransomware suspected in Kettering Health cyberattack disrupting patient services, canceling elective procedures
  • www.itpro.com: The incident at Kettering Health disrupted procedures for patients
  • www.cybersecuritydive.com: Ohio’s Kettering Health hit by cyberattack

Posts

Blogs

Research Tools