Kettering Health, a prominent Ohio-based healthcare network, is grappling with the aftermath of a sophisticated ransomware attack perpetrated by the Interlock gang, which claims to have stolen over 940 gigabytes of sensitive patient data.
The attack, which began on May 20, 2025, disrupted operations across the network's 14 hospitals and more than 120 outpatient facilities, forcing a system-wide shutdown and prompting a complex recovery process.
The stolen data, advertised on Interlock's dark web leak site, includes ID cards, payment information, and financial reports, highlighting the growing threat of ransomware in the healthcare sector.
Interlock's Modus Operandi
Interlock, a financially motivated ransomware group that emerged in late 2024, employs a double-extortion strategy: it steals data before encrypting systems, marking the encrypted files with the ".interlock" extension.
The group operates independently, distinguishing itself from Ransomware-as-a-Service models, and targets organizations with weak cybersecurity practices, claiming to seek "accountability" alongside ransoms.
Interlock's arsenal includes custom malware like the NodeSnake remote access Trojan, info stealers such as LummaStealer and BerserkStealer, and sophisticated social engineering tactics like "ClickFix," which can compromise systems with a single click.
The group typically lingers in networks for about 17 days before deploying ransomware, using legitimate tools like rundll32.exe and Azure Storage Explorer for lateral movement and data exfiltration.
Massive Data Theft and Industry Impact
Interlock's claim of exfiltrating 941 gigabytes of data from Kettering Health encompasses 732,490 files across 20,418 folders, exposing sensitive patient and financial information. The group's decision to publicize the breach on its "Worldwide Secrets Blog" suggests Kettering Health did not pay the demanded ransom.
This incident follows Interlock's pattern of targeting healthcare organizations. A prior attack on DaVita in April 2025 resulted in a 1.5-terabyte breach, and attacks on other U.S. healthcare providers included Texas Tech University Health Sciences Center, impacting nearly 1.5 million records, and Brockton Neighborhood Health Center, affecting 97,500 individuals.
The healthcare sector's reliance on digital systems and sensitive data makes it a prime target for such attacks, with recovery costs and reputational damage raising serious concerns.
Did You Know?
Ransomware attacks on healthcare organizations have surged by 30% globally since 2023, with the average cost of a healthcare data breach reaching $10.1 million, according to industry reports. This underscores the critical need for robust cybersecurity measures in the sector.
Kettering Health's Recovery Efforts
The ransomware attack triggered immediate action from Kettering Health, with downtime procedures implemented on May 20, 2025, leading to the cancellation of elective procedures.
By May 23, emergency clinical support lines and temporary pharmacy contact numbers were established to maintain critical services.
Radiology equipment was restored by May 25, followed by radiation oncology systems on May 27, allowing patients with active radiotherapy plans to resume treatment.
By June 2, core components of the Epic electronic health record system were back online, enabling clinical staff to access and update patient information.
While phone lines and the MyChart portal remain under restoration, Kettering Health is working to achieve full recovery within the industry-estimated 10-21 day timeline, aiming for the lower end of that scale.