{"id":104489,"date":"2025-02-13T01:51:16","date_gmt":"2025-02-13T09:51:16","guid":{"rendered":"https:\/\/forescoutstage.wpengine.com\/?p=104489"},"modified":"2025-02-13T05:49:35","modified_gmt":"2025-02-13T13:49:35","slug":"ransomware-in-healthcare-lessons-learned-from-interlock-attacks","status":"publish","type":"post","link":"https:\/\/www.forescout.com\/blog\/ransomware-in-healthcare-lessons-learned-from-interlock-attacks\/","title":{"rendered":"Ransomware in Healthcare: Lessons Learned from Interlock Attacks"},"content":{"rendered":"<h3>Summary<\/h3>\n<ul>\n<li>We trace the evolution of an activity cluster originally identified as a Remote Access Trojan (RAT) into a ransomware operator<\/li>\n<li>The ransomware group Interlock has shown special attention to healthcare<\/li>\n<li>We highlight the importance of early tracking of threat actors and information sharing<\/li>\n<\/ul>\n<h3>Recommendations<\/h3>\n<ul>\n<li>Maintain backup and recovery options<\/li>\n<li>Perform continuous risk assessment for proactive defense<\/li>\n<li>Ensure that threat detection and threat hunting options cover the entire network<\/li>\n<\/ul>\n<p>In September 2024, Texas Tech University Health Sciences Centers (HSCs) faced a cyberattack that <a href=\"https:\/\/www.hipaajournal.com\/texas-tech-university-health-sciences-center-ransomware-data-breach\/\" target=\"_blank\" rel=\"noopener\">compromised 1.46 million patient records<\/a>, including names, Social Security numbers, financial information, health insurance information, as well as diagnosis and treatment information.<\/p>\n<p>The HSCs did not reveal the culprit, but <strong>Interlock ransomware<\/strong> \u2013 a threat group that evolved from a stealthy RAT which we <a href=\"\/blog\/sly-malware-found-in-fake-google-chrome-and-ms-teams-installers\/\">first identified as Chaya_002<\/a> \u2013 claimed the attack on their data leak site in October. 
This same ransomware group would go on to breach <a href=\"https:\/\/www.halcyon.ai\/attacks\/ransomware-attack-hits-legacy-treatment-services-in-new-jersey\" target=\"_blank\" rel=\"noopener\">Legacy Treatment Services<\/a>, exfiltrating 170 GB of data, as well as two other healthcare organizations.<\/p>\n<p>Since then, Interlock has claimed a total of 14 victims on their site, as shown in the figure below.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-104492\" src=\"https:\/\/www.forescout.com\/wp-content\/uploads\/2025\/02\/VL-blog-Chaya-Interlock-Victims-per-Industry-Country_Combined.webp\" alt=\"Interlock victims per industry and per country\" width=\"903\" height=\"321\" \/><\/p>\n<p>The group has shown a clear preference for attacking healthcare organizations, especially in the US, where nearly a third of their victims have been in that sector. Here, we discuss three topics from this case that illustrate the importance of timely research into threat actors:<\/p>\n<ul>\n<li>The evolution of Chaya_002 into Interlock ransomware<\/li>\n<li>Why ransomware groups continue to focus on healthcare<\/li>\n<li>Lessons learned and recommendations<\/li>\n<\/ul>\n<h2>Tracking the Evolution to Ransomware: From Chaya_002 to Interlock<\/h2>\n<p>In September 2024, Forescout Research \u2013 Vedere Labs <a href=\"\/blog\/sly-malware-found-in-fake-google-chrome-and-ms-teams-installers\/\">identified an activity cluster<\/a> by analyzing suspicious JavaScript injections on legitimate websites. 
We named that cluster Chaya_002; our analysis revealed the use of:<\/p>\n<ul>\n<li>Traffic distribution systems redirecting users through compromised WordPress sites to download an initial stage<\/li>\n<li>JavaScript for initial compromise<\/li>\n<li>PowerShell to download executables masquerading as browser updates<\/li>\n<li>Encrypted command and control communications<\/li>\n<li>Scheduled tasks for persistence<\/li>\n<\/ul>\n<p>In that <a href=\"\/blog\/sly-malware-found-in-fake-google-chrome-and-ms-teams-installers\/\">original blog<\/a>, we also noted that this cluster could evolve to deploy ransomware.<\/p>\n<p>The significance of Chaya_002 became apparent by early November, when <a href=\"https:\/\/blog.talosintelligence.com\/emerging-interlock-ransomware\/\" target=\"_blank\" rel=\"noopener\">reports emerged<\/a> of Interlock ransomware, which maintained many of Chaya_002\u2019s core TTPs and expanded its capabilities. This was further confirmed by <a href=\"https:\/\/any.run\/cybersecurity-blog\/interlock-ransomware-attack-analysis\/\" target=\"_blank\" rel=\"noopener\">later analysis in January 2025<\/a>.<\/p>\n<p>Comparing our original Chaya_002 report with the later reports of Interlock ransomware by other companies reveals a clear evolutionary path. The consistent patterns in infrastructure usage, PowerShell code structure, network observables and operational methodology strongly suggest a direct developmental relationship between these malware families. 
<strong>Understanding these relationships and patterns is crucial for threat hunting and defense strategies against future evolutions of this threat actor.<\/strong><\/p>\n<p>Up until credential access, the activity reported for Chaya_002 and for Interlock ransomware is identical:<\/p>\n<ol>\n<li>For initial access, both showed a consistent pattern in domain names and file names, including initially downloading <code>upd[random_numeric_string].[exe|msix]<\/code>.<\/li>\n<li>Both downloaded a second stage from apple-online[.]shop masquerading as a browser update.<\/li>\n<li>Both maintained persistence via a .lnk file pointing to the initial payload.<\/li>\n<li>Both collected information from the victim machine, such as login data, profiles, cookies and browser history.<\/li>\n<\/ol>\n<p>Beyond this initial similarity, the two later reports observed new TTPs:<\/p>\n<ol>\n<li>Credential stealing via a keylogger DLL executed through RunDll32.exe<\/li>\n<li>Pre-Kerberoasting attempts using PowerShell [Note: although we did not observe Kerberoasting in Chaya_002, it was mentioned in the Canadian advisory CF24-005 we cited in the original report].<\/li>\n<li>Lateral movement using AnyDesk, PuTTY and RDP<\/li>\n<li>Data exfiltration using AzCopy to remote Azure storage<\/li>\n<li>Ransomware deployment using an encryptor that enumerates logical disk drives to encrypt files on victim machines<\/li>\n<\/ol>\n<h2>The Bigger Picture of Ransomware in Healthcare<\/h2>\n<p>The evolution of Chaya_002 into Interlock ransomware illustrates a broader trend: covert RATs turning into double-extortion ransomware operators.<\/p>\n<p>Healthcare breaches caused by ransomware operators can impact both finances and patient lives, and they carry higher operational risks than breaches in other sectors, such as extended downtime and patient care disruption.<\/p>\n<p>We have been analyzing significant ransomware incidents in healthcare for years now, including the UK\u2019s <a 
href=\"\/blog\/ransomware-in-healthcare-the-nhs-example-and-what-the-future-holds\/\">NHS in 2022<\/a>, <a href=\"\/blog\/rhysida-ransomware-detecting-a-significant-threat-to-healthcare-and-other-sectors\/\">Rhysida ransomware in 2023<\/a> and an overview of ransomware risk in healthcare in 2024. In all this time, we have not noticed any decrease in activity targeting the sector. On the contrary, <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/security-insider\/emerging-threats\/us-healthcare-at-risk-strengthening-resiliency-against-ransomware-attacks\" target=\"_blank\" rel=\"noopener\">a recent report from Microsoft<\/a> reveals that:<\/p>\n<ul>\n<li>Healthcare organizations that admit to paying ransom demands have paid on average $4.4 million.<\/li>\n<li>Ransomware attacks cost healthcare organizations $900,000 per day on downtime alone.<\/li>\n<li>These attacks affect both the targeted organizations and neighboring hospitals, which have to care for the patients that cannot be treated in the targeted organizations. Some of those \u2018ripple effects\u2019 include a 35% increase in emergency arrivals and a 15% increase in overall patient volume.<\/li>\n<\/ul>\n<p>Part of the reason why healthcare has become a prominent target sector for ransomware groups is that healthcare organizations are under high pressure to pay ransom demands, due to a combination of this operational impact and potential regulatory penalties.<\/p>\n<p>Another reason is that they have complex networks that are hard to defend. On an average healthcare network, we see thousands of medical devices, from infusion pumps to MRI machines, which creates a large attack surface. 
In our <a href=\"\/blog\/research-isolating-the-persistent-risk-of-iomt-devices\/\">recent report on the risks of IoMT devices<\/a>, we revealed that around 50% of devices in healthcare networks are unmanaged, bringing risks such as lack of visibility and limited possibilities for threat detection.<\/p>\n<h2>Lessons Learned and Recommendations<\/h2>\n<p>Chaya_002 was the second cluster we started tracking last year, after the campaign we named <a href=\"\/blog\/connectfun-new-exploit-campaign-in-the-wild-targets-media-company\/\">Connect:fun<\/a> from Chaya_001 and alongside the OT\/ICS malware we named <a href=\"\/blog\/ics-threat-analysis-new-experimental-malware-can-kill-engineering-processes\/\">Chaya_003<\/a>.<\/p>\n<p>Chaya_002 is also the first cluster that we have seen evolve so fast into a more disruptive type of activity. This reinforces our motivation for tracking threat actors and sharing this information publicly.<\/p>\n<p>The evolution from Chaya_002 to Interlock ransomware illustrates several key lessons that also lead to recommendations for healthcare organizations:<\/p>\n<h3>1. 
Maintain backup and recovery options<\/h3>\n<p>Since data encryption on workstations and medical systems can lead to patient care disruption, regular backups and recovery protocols are essential to reduce downtime. But <strong>backups and recovery are unfortunately not enough<\/strong> to avoid the consequences of ransomware.<\/p>\n<h3>2. Contain ransomware infections quickly<\/h3>\n<p>Ransomware groups increasingly favor encryption combined with data theft (double extortion) because it pressures organizations to pay in order to protect patient privacy and avoid regulatory fines. This means organizations need to ensure they can prevent, detect and contain ransomware infections in time to avoid data exfiltration.<\/p>\n<h3>3. Perform continuous risk assessment for proactive defense<\/h3>\n<p>The first step to ensure proactive defense against ransomware threats is to have continuous risk assessment for all the assets in the network that could be leveraged for an attack. This includes managed and unmanaged devices. Risk assessment depends on having proper visibility into these assets, including their presence on the network, exposure levels and potential impacts. This visibility and risk assessment allow you to prioritize proactive corrective actions, such as strengthening segmentation or authentication and access controls to prevent unauthorized lateral movement within networks.<\/p>\n<h3>4. Use threat detection and threat hunting<\/h3>\n<p>Once you have recovery options and the right risk assessment of your network, it\u2019s time to ensure that threat detection and threat hunting encompass all the risky assets identified in the first step. Threat detection from network and endpoint signals is crucial to capture signs of intrusion before sensitive data can be exfiltrated. Similarly, threat hunting based on early indicators and analysis of anomalous patterns, such as suspicious PowerShell commands, can find threats before they disrupt your environment. 
Using the example in this blog, hunting for Chaya_002 indicators could prevent future Interlock infections.<\/p>\n<p>For more help and recommendations, read \u201c<a href=\"\/blog\/ransomware-mitigation-for-hospitals\/\"><strong>Ransomware Mitigation: 3 Ways to Stabilize Your Hospital Network<\/strong><\/a>\u201d.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Summary See the evolution of an activity cluster originally identified as a Remote Access Trojan (RAT) into a ransomware operator The ransomware group Interlock has shown special attention to healthcare We highlight the importance of early tracking of threat actors and information sharing Recommendations Maintain backup and recovery options Perform continuous risk assessment for proactive [&hellip;]<\/p>\n","protected":false},"author":181,"featured_media":104554,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"ep_exclude_from_search":false,"footnotes":"","_links_to":"","_links_to_target":""},"categories":[540],"tags":[],"coauthors":[748],"class_list":["post-104489","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-research-and-cyber-alerts"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v25.8 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Ransomware in Healthcare: Lessons Learned from Interlock Attacks<\/title>\n<meta name=\"description\" content=\"Vedere Labs threat hunters analyze the attack methods of ransomware in healthcare by the Interlock group and provide recommendations for defense.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.forescout.com\/blog\/ransomware-in-healthcare-lessons-learned-from-interlock-attacks\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" 
content=\"article\" \/>\n<meta property=\"og:title\" content=\"Ransomware in Healthcare: Lessons Learned from Interlock Attacks\" \/>\n<meta property=\"og:description\" content=\"Vedere Labs threat hunters analyze the attack methods of ransomware in healthcare by the Interlock group and provide recommendations for defense.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.forescout.com\/blog\/ransomware-in-healthcare-lessons-learned-from-interlock-attacks\/\" \/>\n<meta property=\"og:site_name\" content=\"Forescout\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/ForescoutTechnologies\" \/>\n<meta property=\"article:published_time\" content=\"2025-02-13T09:51:16+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-02-13T13:49:35+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.forescout.com\/wp-content\/uploads\/2025\/02\/VL-blog-Chaya-Interlock-feature.webp\" \/>\n\t<meta property=\"og:image:width\" content=\"1201\" \/>\n\t<meta property=\"og:image:height\" content=\"629\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/webp\" \/>\n<meta name=\"author\" content=\"Sai Molige\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@Forescout\" \/>\n<meta name=\"twitter:site\" content=\"@Forescout\" \/>\n<meta name=\"twitter:label1\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"7 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.forescout.com\/blog\/ransomware-in-healthcare-lessons-learned-from-interlock-attacks\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.forescout.com\/blog\/ransomware-in-healthcare-lessons-learned-from-interlock-attacks\/\"},\"author\":{\"name\":\"Sai Molige\",\"@id\":\"https:\/\/www.forescout.com\/#\/schema\/person\/6f75072e0c8de02ffad63cd244f136d9\"},\"headline\":\"Ransomware in Healthcare: Lessons Learned from Interlock Attacks\",\"datePublished\":\"2025-02-13T09:51:16+00:00\",\"dateModified\":\"2025-02-13T13:49:35+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.forescout.com\/blog\/ransomware-in-healthcare-lessons-learned-from-interlock-attacks\/\"},\"wordCount\":1321,\"publisher\":{\"@id\":\"https:\/\/www.forescout.com\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.forescout.com\/blog\/ransomware-in-healthcare-lessons-learned-from-interlock-attacks\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.forescout.com\/wp-content\/uploads\/2025\/02\/VL-blog-Chaya-Interlock-feature.webp\",\"articleSection\":[\"Research &amp; Cyber Alerts\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.forescout.com\/blog\/ransomware-in-healthcare-lessons-learned-from-interlock-attacks\/\",\"url\":\"https:\/\/www.forescout.com\/blog\/ransomware-in-healthcare-lessons-learned-from-interlock-attacks\/\",\"name\":\"Ransomware in Healthcare: Lessons Learned from Interlock 
Attacks\",\"isPartOf\":{\"@id\":\"https:\/\/www.forescout.com\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.forescout.com\/blog\/ransomware-in-healthcare-lessons-learned-from-interlock-attacks\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.forescout.com\/blog\/ransomware-in-healthcare-lessons-learned-from-interlock-attacks\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.forescout.com\/wp-content\/uploads\/2025\/02\/VL-blog-Chaya-Interlock-feature.webp\",\"datePublished\":\"2025-02-13T09:51:16+00:00\",\"dateModified\":\"2025-02-13T13:49:35+00:00\",\"description\":\"Vedere Labs threat hunters analyze the attack methods of ransomware in healthcare by the Interlock group and provide recommendations for defense.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.forescout.com\/blog\/ransomware-in-healthcare-lessons-learned-from-interlock-attacks\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.forescout.com\/blog\/ransomware-in-healthcare-lessons-learned-from-interlock-attacks\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.forescout.com\/blog\/ransomware-in-healthcare-lessons-learned-from-interlock-attacks\/#primaryimage\",\"url\":\"https:\/\/www.forescout.com\/wp-content\/uploads\/2025\/02\/VL-blog-Chaya-Interlock-feature.webp\",\"contentUrl\":\"https:\/\/www.forescout.com\/wp-content\/uploads\/2025\/02\/VL-blog-Chaya-Interlock-feature.webp\",\"width\":1201,\"height\":629},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.forescout.com\/blog\/ransomware-in-healthcare-lessons-learned-from-interlock-attacks\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.forescout.com\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Ransomware in Healthcare: Lessons Learned from Interlock 
Attacks\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.forescout.com\/#website\",\"url\":\"https:\/\/www.forescout.com\/\",\"name\":\"Forescout\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\/\/www.forescout.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.forescout.com\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.forescout.com\/#organization\",\"name\":\"Forescout Technologies, Inc.\",\"url\":\"https:\/\/www.forescout.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.forescout.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.forescout.com\/wp-content\/uploads\/2019\/01\/forescout-logo.svg\",\"contentUrl\":\"https:\/\/www.forescout.com\/wp-content\/uploads\/2019\/01\/forescout-logo.svg\",\"width\":1,\"height\":1,\"caption\":\"Forescout Technologies, Inc.\"},\"image\":{\"@id\":\"https:\/\/www.forescout.com\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/ForescoutTechnologies\",\"https:\/\/x.com\/Forescout\",\"https:\/\/www.instagram.com\/forescouttechnologies\/\",\"https:\/\/www.linkedin.com\/company\/forescout-technologies\",\"https:\/\/www.youtube.com\/user\/forescout1\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.forescout.com\/#\/schema\/person\/6f75072e0c8de02ffad63cd244f136d9\",\"name\":\"Sai 
Molige\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.forescout.com\/#\/schema\/person\/image\/969ddeee0c69c8cd3d20666775276a76\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/fbe09c874db82828feb0fc6515364ce80d45b0999f559803c83c08ac01ce9097?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/fbe09c874db82828feb0fc6515364ce80d45b0999f559803c83c08ac01ce9097?s=96&d=mm&r=g\",\"caption\":\"Sai Molige\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Ransomware in Healthcare: Lessons Learned from Interlock Attacks","description":"Vedere Labs threat hunters analyze the attack methods of ransomware in healthcare by the Interlock group and provide recommendations for defense.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.forescout.com\/blog\/ransomware-in-healthcare-lessons-learned-from-interlock-attacks\/","og_locale":"en_US","og_type":"article","og_title":"Ransomware in Healthcare: Lessons Learned from Interlock Attacks","og_description":"Vedere Labs threat hunters analyze the attack methods of ransomware in healthcare by the Interlock group and provide recommendations for defense.","og_url":"https:\/\/www.forescout.com\/blog\/ransomware-in-healthcare-lessons-learned-from-interlock-attacks\/","og_site_name":"Forescout","article_publisher":"https:\/\/www.facebook.com\/ForescoutTechnologies","article_published_time":"2025-02-13T09:51:16+00:00","article_modified_time":"2025-02-13T13:49:35+00:00","og_image":[{"width":1201,"height":629,"url":"https:\/\/www.forescout.com\/wp-content\/uploads\/2025\/02\/VL-blog-Chaya-Interlock-feature.webp","type":"image\/webp"}],"author":"Sai Molige","twitter_card":"summary_large_image","twitter_creator":"@Forescout","twitter_site":"@Forescout","twitter_misc":{"Est. 
reading time":"7 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.forescout.com\/blog\/ransomware-in-healthcare-lessons-learned-from-interlock-attacks\/#article","isPartOf":{"@id":"https:\/\/www.forescout.com\/blog\/ransomware-in-healthcare-lessons-learned-from-interlock-attacks\/"},"author":{"name":"Sai Molige","@id":"https:\/\/www.forescout.com\/#\/schema\/person\/6f75072e0c8de02ffad63cd244f136d9"},"headline":"Ransomware in Healthcare: Lessons Learned from Interlock Attacks","datePublished":"2025-02-13T09:51:16+00:00","dateModified":"2025-02-13T13:49:35+00:00","mainEntityOfPage":{"@id":"https:\/\/www.forescout.com\/blog\/ransomware-in-healthcare-lessons-learned-from-interlock-attacks\/"},"wordCount":1321,"publisher":{"@id":"https:\/\/www.forescout.com\/#organization"},"image":{"@id":"https:\/\/www.forescout.com\/blog\/ransomware-in-healthcare-lessons-learned-from-interlock-attacks\/#primaryimage"},"thumbnailUrl":"https:\/\/www.forescout.com\/wp-content\/uploads\/2025\/02\/VL-blog-Chaya-Interlock-feature.webp","articleSection":["Research &amp; Cyber Alerts"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.forescout.com\/blog\/ransomware-in-healthcare-lessons-learned-from-interlock-attacks\/","url":"https:\/\/www.forescout.com\/blog\/ransomware-in-healthcare-lessons-learned-from-interlock-attacks\/","name":"Ransomware in Healthcare: Lessons Learned from Interlock 
Attacks","isPartOf":{"@id":"https:\/\/www.forescout.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.forescout.com\/blog\/ransomware-in-healthcare-lessons-learned-from-interlock-attacks\/#primaryimage"},"image":{"@id":"https:\/\/www.forescout.com\/blog\/ransomware-in-healthcare-lessons-learned-from-interlock-attacks\/#primaryimage"},"thumbnailUrl":"https:\/\/www.forescout.com\/wp-content\/uploads\/2025\/02\/VL-blog-Chaya-Interlock-feature.webp","datePublished":"2025-02-13T09:51:16+00:00","dateModified":"2025-02-13T13:49:35+00:00","description":"Vedere Labs threat hunters analyze the attack methods of ransomware in healthcare by the Interlock group and provide recommendations for defense.","breadcrumb":{"@id":"https:\/\/www.forescout.com\/blog\/ransomware-in-healthcare-lessons-learned-from-interlock-attacks\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.forescout.com\/blog\/ransomware-in-healthcare-lessons-learned-from-interlock-attacks\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.forescout.com\/blog\/ransomware-in-healthcare-lessons-learned-from-interlock-attacks\/#primaryimage","url":"https:\/\/www.forescout.com\/wp-content\/uploads\/2025\/02\/VL-blog-Chaya-Interlock-feature.webp","contentUrl":"https:\/\/www.forescout.com\/wp-content\/uploads\/2025\/02\/VL-blog-Chaya-Interlock-feature.webp","width":1201,"height":629},{"@type":"BreadcrumbList","@id":"https:\/\/www.forescout.com\/blog\/ransomware-in-healthcare-lessons-learned-from-interlock-attacks\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.forescout.com\/"},{"@type":"ListItem","position":2,"name":"Ransomware in Healthcare: Lessons Learned from Interlock 
Attacks"}]},{"@type":"WebSite","@id":"https:\/\/www.forescout.com\/#website","url":"https:\/\/www.forescout.com\/","name":"Forescout","description":"","publisher":{"@id":"https:\/\/www.forescout.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.forescout.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.forescout.com\/#organization","name":"Forescout Technologies, Inc.","url":"https:\/\/www.forescout.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.forescout.com\/#\/schema\/logo\/image\/","url":"https:\/\/www.forescout.com\/wp-content\/uploads\/2019\/01\/forescout-logo.svg","contentUrl":"https:\/\/www.forescout.com\/wp-content\/uploads\/2019\/01\/forescout-logo.svg","width":1,"height":1,"caption":"Forescout Technologies, Inc."},"image":{"@id":"https:\/\/www.forescout.com\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/ForescoutTechnologies","https:\/\/x.com\/Forescout","https:\/\/www.instagram.com\/forescouttechnologies\/","https:\/\/www.linkedin.com\/company\/forescout-technologies","https:\/\/www.youtube.com\/user\/forescout1"]},{"@type":"Person","@id":"https:\/\/www.forescout.com\/#\/schema\/person\/6f75072e0c8de02ffad63cd244f136d9","name":"Sai Molige","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.forescout.com\/#\/schema\/person\/image\/969ddeee0c69c8cd3d20666775276a76","url":"https:\/\/secure.gravatar.com\/avatar\/fbe09c874db82828feb0fc6515364ce80d45b0999f559803c83c08ac01ce9097?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/fbe09c874db82828feb0fc6515364ce80d45b0999f559803c83c08ac01ce9097?s=96&d=mm&r=g","caption":"Sai 
Molige"}}]}},"featured_media_url":"https:\/\/www.forescout.com\/wp-content\/uploads\/2025\/02\/VL-blog-Chaya-Interlock-feature.webp","is_file":false,"excerpt_manually_set":false,"_links":{"self":[{"href":"https:\/\/www.forescout.com\/wp-json\/wp\/v2\/posts\/104489","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.forescout.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.forescout.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.forescout.com\/wp-json\/wp\/v2\/users\/181"}],"replies":[{"embeddable":true,"href":"https:\/\/www.forescout.com\/wp-json\/wp\/v2\/comments?post=104489"}],"version-history":[{"count":0,"href":"https:\/\/www.forescout.com\/wp-json\/wp\/v2\/posts\/104489\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.forescout.com\/wp-json\/wp\/v2\/media\/104554"}],"wp:attachment":[{"href":"https:\/\/www.forescout.com\/wp-json\/wp\/v2\/media?parent=104489"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.forescout.com\/wp-json\/wp\/v2\/categories?post=104489"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.forescout.com\/wp-json\/wp\/v2\/tags?post=104489"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.forescout.com\/wp-json\/wp\/v2\/coauthors?post=104489"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}