
Ransomware in Healthcare: Lessons Learned from Interlock Attacks

Sai Molige | February 13, 2025

Summary

  • See the evolution of an activity cluster originally identified as a Remote Access Trojan (RAT) into a ransomware operator
  • The ransomware group Interlock has shown special attention to healthcare
  • We highlight the importance of early tracking of threat actors and information sharing

Recommendations

  • Maintain backup and recovery options
  • Perform continuous risk assessment for proactive defense
  • Ensure that threat detection and threat hunting options cover the entire network

In September 2024, Texas Tech University Health Sciences Centers (HSCs) faced a cyberattack that compromised 1.46 million patient records, including names, Social Security numbers, financial information, health insurance information, and diagnosis and treatment information.

The HSCs did not reveal the culprit, but Interlock ransomware, a threat group that evolved from a stealthy Remote Access Trojan (RAT) we first identified as Chaya_002, claimed the attack on its data leak site in October. The same group went on to breach Legacy Treatment Services, exfiltrating 170 GB of data, and two other healthcare organizations.

Since then, Interlock has claimed a total of 14 victims on its data leak site, as shown in the figure below.

The group has shown a clear preference for healthcare organizations, especially in the US, where nearly a third of its victims have been in that sector. Here, we discuss three topics from this case that illustrate the importance of timely research into threat actors:

  • The evolution of Chaya_002 into Interlock ransomware
  • Why ransomware groups continue to focus on healthcare
  • Lessons learned and recommendations

Tracking the Evolution to Ransomware: From Chaya_002 to Interlock

In September 2024, Forescout Research – Vedere Labs identified an activity cluster by analyzing suspicious JavaScript injections on legitimate websites. We named that cluster Chaya_002. Our analysis revealed the use of:

  • Traffic distribution systems redirecting users through compromised WordPress sites to download an initial stage
  • JavaScript for initial compromise
  • PowerShell to download executables masquerading as browser updates
  • Encrypted command and control communications
  • Scheduled tasks for persistence

In that original blog, we also noted that the cluster could evolve to deploy ransomware. The significance of Chaya_002 became apparent in early November, when reports emerged of Interlock ransomware, which retained many of Chaya_002's core TTPs and expanded its capabilities. Later analysis in January 2025 confirmed the link.

Comparing our original Chaya_002 report with the later Interlock ransomware reports by other companies reveals a clear evolutionary path. The consistent patterns in infrastructure usage, PowerShell code structure, network observables and operational methodology strongly suggest a direct developmental relationship between these malware families. Understanding these relationships and patterns is crucial for threat hunting and for defending against future evolutions of this threat actor.

Up until credential access, the activity reported for Chaya_002 and for Interlock ransomware is the same:

  1. For initial access, both showed a consistent pattern in domain names and file names, including an initial download named upd[random_numeric_string].[exe|msix]
  2. Both downloaded a second stage from apple-online[.]shop masquerading as a browser update
  3. Both maintained persistence via a .lnk file pointing to the initial payload
  4. Both collected information from the victim machine, such as login data, profiles, cookies and browser history

Beyond this shared initial stage, the two later Interlock reports observed new TTPs:

  1. Credential theft through a keylogger DLL executed via rundll32.exe
  2. Pre-Kerberoasting attempts using PowerShell [Note: Although we did not observe Kerberoasting in Chaya_002, it was mentioned in the Canadian advisory CF24-005 we cited in the original report]
  3. Lateral movement using AnyDesk, PuTTY and RDP
  4. Data exfiltration using AzCopy to remote Azure storage
  5. Ransomware deployment using an encryptor that enumerates logical disk drives and encrypts files on victim machines

The Bigger Picture of Ransomware in Healthcare

The evolution of Chaya_002 into Interlock ransomware underscores a broader trend: covert RATs maturing into double-extortion ransomware operations.

Healthcare breaches caused by ransomware operators can affect both finances and patient lives, and carry higher operational risk than breaches in other sectors, including extended downtime and disruption of patient care.

We have been analyzing significant ransomware incidents in healthcare for years, including the UK's NHS in 2022, Rhysida ransomware in 2023 and an overview of ransomware risk in healthcare in 2024. In all this time, we have not seen any decrease in activity targeting the sector. On the contrary, a recent report from Microsoft reveals that:

  • Healthcare organizations that admit to paying ransom demands have paid $4.4 million on average
  • Ransomware attacks cost healthcare organizations $900,000 per day in downtime alone
  • These attacks affect both the targeted organizations and neighboring hospitals, which have to care for the patients that cannot be treated at the targeted organizations. Those 'ripple effects' include a 35% increase in emergency department arrivals and a 15% increase in overall patient volume

Part of the reason healthcare has become a prominent target for ransomware groups is that healthcare organizations face high pressure to pay ransom demands, due to the combination of this operational impact and potential regulatory penalties.

Another reason is that healthcare networks are complex and hard to defend. On an average healthcare network, we see thousands of medical devices, from infusion pumps to MRI machines, which creates a large attack surface. In our recent report on the risks of IoMT devices, we found that around 50% of devices in healthcare networks are unmanaged, which brings risks such as lack of visibility and limited possibilities for threat detection.

Lessons Learned and Recommendations

Chaya_002 was the second cluster we started tracking last year, after the campaign we named Connect:fun from Chaya_001 and the OT/ICS malware we named Chaya_003.

Chaya_002 is also the first cluster we have seen evolve so quickly into a more disruptive type of activity. This reinforces our motivation for tracking threat actors and sharing this information publicly.

The evolution from Chaya_002 to Interlock ransomware illustrates several key lessons that also lead to recommendations for healthcare organizations:

1. Maintain backup and recovery options

Since data encryption on workstations and medical systems can disrupt patient care, regular backups and recovery protocols are essential to reduce downtime. Backups and recovery alone, however, are not enough to avoid the consequences of ransomware.

2. Contain ransomware infections quickly

Ransomware groups increasingly favor encryption combined with data theft (double extortion) because it pressures organizations to pay in order to protect patient privacy and avoid regulatory fines. Organizations therefore need to be able to prevent, detect and contain ransomware infections in time to stop data exfiltration.

3. Perform continuous risk assessment for proactive defense

The first step toward proactive defense against ransomware is continuous risk assessment of every asset in the network that could be leveraged in an attack, including both managed and unmanaged devices. Risk assessment depends on proper visibility into these assets: their presence on the network, their exposure and their potential impact. With that visibility and risk assessment in place, organizations can prioritize proactive corrective actions, such as strengthening segmentation or authentication and access controls to prevent unauthorized lateral movement within the network.

4. Use threat detection and threat hunting

Once you have recovery options and the right risk assessment of your network, ensure that threat detection and threat hunting cover all the risky assets identified in the previous step. Threat detection from network and endpoint signals is crucial to catch signs of intrusion before sensitive data can be exfiltrated. Similarly, threat hunting based on early indicators and on analysis of anomalous patterns, such as suspicious PowerShell commands, can find threats before they disrupt your environment. Using the example in this blog, hunting for Chaya_002 indicators could prevent future Interlock infections.
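As an added illustration of that last point (this is example code written for this edit, not Forescout's code and not an artifact from the Chaya_002 or Interlock reports), the script below turns the TTP comparison above, from the upd[random_numeric_string] downloader and the apple-online[.]shop staging domain through .lnk persistence, rundll32 DLL execution and AzCopy exfiltration, into hunting rules and runs them over a handful of constructed, Sysmon-style endpoint events. The event field names (host, image, cmdline, target, query), the host names and the Azure storage account name are assumptions made for the example; the patterns themselves follow the indicators described in this post. A host that shows more than one stage of the chain, or any sign of exfiltration, is escalated, since the goal of hunting on the early indicators is to catch the intrusion before it reaches the Interlock stages.

```python
"""Hunt for Chaya_002 / Interlock tradecraft in endpoint telemetry.

Added example, not Forescout's code. Events are constructed here to
resemble Sysmon-style process, file-creation and DNS records; the field
names, host names and the Azure storage account are assumptions.
"""
import re
from collections import defaultdict

# Patterns derived from the TTPs compared in this post. The staging domain
# is defanged in the text as apple-online[.]shop.
RULES = [
    # (rule name, kill-chain stage, event field, pattern)
    ("fake_browser_updater", "initial_access", "image",
     re.compile(r"[\\/]upd\d+\.(?:exe|msix)$", re.I)),
    ("powershell_download_cradle", "initial_access", "cmdline",
     re.compile(r"powershell.*(?:DownloadFile|DownloadString|Invoke-WebRequest|Net\.WebClient)", re.I)),
    ("staging_domain_lookup", "initial_access", "query",
     re.compile(r"(?:^|\.)apple-online\.shop$", re.I)),
    ("startup_lnk_persistence", "persistence", "target",
     re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.I)),
    # Broad lead: any DLL launched through rundll32. Expect noise from
    # legitimate software; the DLL's path and age decide whether it matters.
    ("rundll32_dll_execution", "credential_access", "cmdline",
     re.compile(r'(?:^|[\\\s"])rundll32(?:\.exe)?"?\s+\S*\.dll\b', re.I)),
    ("azcopy_to_azure_blob", "exfiltration", "cmdline",
     re.compile(r'azcopy(?:\.exe)?"?\s+(?:copy|sync)\b.*\.blob\.core\.windows\.net', re.I)),
]

STAGE_ORDER = ["initial_access", "persistence", "credential_access", "exfiltration"]


def hunt(events):
    """Return one finding per (event, rule) match."""
    findings = []
    for ev in events:
        for name, stage, field, pattern in RULES:
            value = ev.get(field)
            if value and pattern.search(value):
                findings.append({"host": ev["host"], "rule": name,
                                 "stage": stage, "evidence": value})
    return findings


def triage(findings):
    """Group stages per host. Two or more stages, or any sign of
    exfiltration, is urgent: the chain is already past initial access."""
    seen = defaultdict(set)
    for f in findings:
        seen[f["host"]].add(f["stage"])
    report = {}
    for host, stages in seen.items():
        urgent = len(stages) >= 2 or "exfiltration" in stages
        report[host] = {"level": "urgent" if urgent else "investigate",
                        "stages": [s for s in STAGE_ORDER if s in stages]}
    return report


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    {"host": "WS-RAD-07", "type": "dns", "query": "apple-online.shop"},
    {"host": "WS-RAD-07", "type": "process",
     "image": r"C:\Users\jdoe\Downloads\upd3451862.exe",
     "cmdline": r'"C:\Users\jdoe\Downloads\upd3451862.exe"'},
    {"host": "WS-RAD-07", "type": "file",
     "target": r"C:\Users\jdoe\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\upd3451862.lnk"},
    {"host": "WS-RAD-07", "type": "process",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\jdoe\AppData\Local\Temp\tmp41A3.dll,Start"},
    {"host": "SRV-FILE-02", "type": "process",
     "image": r"C:\Tools\azcopy.exe",
     "cmdline": r'azcopy.exe copy "D:\Shares\Radiology" "https://contoso-exfil.blob.core.windows.net/backup" --recursive'},
    # Benign activity that must not fire.
    {"host": "WS-ADMIN-01", "type": "process",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -NoProfile Get-ChildItem C:\Logs"},
    {"host": "WS-ADMIN-01", "type": "process",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer'},
]

if __name__ == "__main__":
    for host, info in sorted(triage(hunt(SAMPLE_EVENTS)).items()):
        print(f"{host}: {info['level']} ({', '.join(info['stages'])})")
```

Run against the constructed events, the workstation that resolved the staging domain, ran the fake updater, dropped a Startup .lnk and launched a DLL through rundll32 is reported as urgent with three stages, the file server running AzCopy toward Azure blob storage is urgent on exfiltration alone, and the admin workstation with ordinary PowerShell and browser activity produces no finding. In a real deployment the rules would be fed from EDR or Sysmon exports rather than an inline list, and the rundll32 rule in particular should be paired with file-creation context to keep the noise manageable.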

For more help and recommendations, read “Ransomware Mitigation: 3 Ways to Stabilize Your Hospital Network”.
