CyberSecurity news
FlagThis - #interlock
|
Pierluigi Paganini@Security Affairs
//
The Interlock ransomware group has claimed responsibility for a cyberattack on DaVita, a major kidney dialysis firm with over 2,600 U.S. dialysis centers and 76,000 employees across 12 countries. DaVita disclosed to the U.S. Securities and Exchange Commission (SEC) that they suffered a ransomware attack on April 12th affecting some operations. The company is currently investigating the impact of the incident which is the latest in a surge of ransomware attacks hitting US healthcare organizations.
Earlier today, the Interlock ransomware gang claimed responsibility for the attack by adding DaVita to its list of victims. The group has started leaking data allegedly stolen from the organization, claiming to have exfiltrated over 1.5 TB of data. The healthcare sector is increasingly under siege from cybercriminals, with ransomware attacks posing a significant threat to operational integrity and patient safety. This incident underscores the urgency for healthcare organizations to bolster their cybersecurity defenses to effectively counter these evolving threats. Ransomware attacks in the healthcare sector can have severe implications for patient care and safety. The DaVita attack disrupted internal operations and encrypted certain on-premises systems, affecting the delivery of essential medical services. Though patient care at DaVita centers and patients' homes continued, the incident highlights the potential for treatment delays and compromised patient safety. Following the attack, DaVita disclosed the incident to the U.S. Securities and Exchange Commission (SEC), indicating the regulatory scrutiny that healthcare organizations face in the aftermath of cyberattacks.
Share:
References :
Classification:
@The DefendOps Diaries
//
The Interlock ransomware gang is actively employing ClickFix attacks to infiltrate corporate networks and deploy file-encrypting malware. This social engineering tactic tricks users into executing malicious PowerShell commands, often under the guise of fixing an error or verifying their identity. By impersonating legitimate IT tools, Interlock bypasses traditional security measures that rely on automated detection, as the malicious code is executed manually by the victim. This represents a significant shift in the cyber threat landscape, highlighting the importance of understanding and defending against these evolving tactics.
ClickFix attacks involve manipulating users through deceptive prompts, such as fake error messages, CAPTCHA verifications, or system update requests. Victims are tricked into copying and pasting harmful commands into their systems, leading to the silent installation of malware. Interlock has been observed using fake browser and VPN client updates to deliver malware, and even uses compromised websites to redirect users to fake popup windows. These windows ask the user to paste scripts into a PowerShell terminal, initiating the malware infection process. While the infrastructure supporting Interlock's ClickFix campaigns appears dormant since February 2025, the group's use of this technique signals ongoing innovation in their delivery mechanisms. This, combined with their consistent use of credential-stealing malware like LummaStealer and BerserkStealer, and a proprietary Remote Access Trojan (RAT), demonstrates Interlock's sophisticated approach to breaching networks. Organizations must enhance their security awareness training and implement measures to detect and prevent users from falling victim to ClickFix and other social engineering tactics.
Share:
References :
Classification:
@gbhackers.com
//
The Interlock ransomware group has escalated its operations across North America and Europe, employing sophisticated techniques to evade detection. Cybersecurity firms such as Sekoia Threat Detection & Research (TDR) are closely monitoring Interlock's activities, revealing their evolving tactics and tools. Unlike typical Ransomware-as-a-Service (RaaS) operations, Interlock operates independently, focusing on targeted attacks known as Big Game Hunting and double extortion campaigns. Their tactics include compromising legitimate websites to host deceptive browser update pages, tricking users into downloading malicious PyInstaller files that appear as legitimate Google Chrome or Microsoft Edge installers.
These fake installers launch PowerShell-based backdoors, which continuously execute HTTP requests to communicate with command-and-control (C2) servers. This PowerShell script collects system information and offers functionality for executing arbitrary commands and establishing persistence. Interlock uses a continuous communication loop with the C2 server to maintain persistence. The C2 server can then issue commands to terminate the backdoor or deploy additional malware, such as keyloggers or credential stealers like LummaStealer and BerserkStealer. These actions bypass automated defenses by tricking victims into manually executing malicious commands. In early 2025, Interlock began experimenting with ClickFix, a social engineering technique that prompts users to execute malicious PowerShell commands through spoofed CAPTCHAs or browser alerts, supposedly to "fix" an issue. Interlock also uses IP address clustering to maintain infrastructure resilience, often utilizing IPs from BitLaunch, Hetzner Online GmbH, and other autonomous systems. The group commonly uses RDP and stolen credentials for lateral movement within compromised networks, often targeting domain controllers to gain widespread control. Cybersecurity researchers actively adapt defenses against Interlock's techniques.
Share:
References :
Classification:
|