Federal agencies issue urgent alert against Interlock ransomware
Lusanda Molefe Jul 31, 2025 1:33:48 PM

The FBI, CISA, HHS, and MS-ISAC have released a joint advisory warning healthcare organizations about Interlock ransomware, a sophisticated threat that has directly targeted hospitals and disrupted patient care delivery since September 2024. The ransomware group employs unusual attack methods and a double extortion model that poses risks to protected health information (PHI) and critical healthcare operations.
What happened
On July 22, 2025, federal agencies published advisory AA25-203A detailing Interlock ransomware's tactics, drawing on FBI investigations as recent as June 2025. The advisory reveals that Interlock actors have compromised healthcare organizations and other critical infrastructure sectors across North America and Europe using drive-by downloads from compromised legitimate websites, an initial access technique that is uncommon among ransomware groups. The download is disguised as an update for common browser or security software, which the victim is induced to run.
The ransomware operation emerged in late September 2024 and has since targeted victims opportunistically for financial gain. Unlike typical ransomware groups, Interlock doesn't include ransom demands in initial notes. Instead, victims receive a unique code and instructions to contact the group through a .onion URL on the Tor network for negotiations.
The intrigue
What makes Interlock particularly dangerous is its deliberate focus on encrypting virtual machines while leaving hosts, workstations, and physical servers untouched, a pattern that maximizes operational disruption and sidesteps endpoint monitoring that covers the physical hosts but not the guests running on them. The group has been observed using both Windows and Linux encryptors, and researchers have noted the unusual use of a FreeBSD ELF encryptor, a departure from the VMware ESXi-focused Linux encryptors most ransomware families rely on.
What's worse is Interlock's use of the "ClickFix" social engineering technique, in which a fake CAPTCHA or error page silently places a command on the victim's clipboard and then instructs them to open the Windows Run dialog, paste the clipboard contents, and press Enter as a "verification" step. What actually runs is a Base64-encoded PowerShell command that fetches and executes the malware.
Why it matters
Healthcare organizations face extreme risks from Interlock's double extortion model. The group both encrypts critical systems and exfiltrates sensitive patient data, threatening to publish PHI on its dark web leak site if the ransom is not paid. For a HIPAA covered entity this means managing operational recovery and a potentially reportable breach of PHI at the same time.
John Riggi, the American Hospital Association's national advisor for cybersecurity and risk, warned that Interlock "has been directly implicated in high-impact ransomware attacks against hospitals and health systems, resulting in the disruption to care delivery and creating a risk to patient and community safety." The targeting of virtual machines is devastating for healthcare providers, who rely on virtualized environments for electronic health records, imaging systems, and other clinical applications.
The unusual initial access methods also sidestep traditional security awareness training. Employees may have learned to spot phishing emails, but a trusted website that serves a fake browser update, or a CAPTCHA page that asks the user to paste a command, does not look like an attack to most users.
What they're saying
FBI Special Agents investigating the cases have noted, "FBI maintains these actors target their victims based on opportunity, and their activity is financially motivated. The drive-by download method is uncommon among ransomware groups, making detection more challenging."
A CISA spokesperson stated, "To date, Interlock actors have been observed encrypting VMs, leaving hosts, workstations, and physical servers unaffected; however, this does not mean they will not expand to these systems in the future."
Looking ahead
Federal agencies expect Interlock to continue evolving its tactics, potentially expanding beyond virtual machines to physical servers and workstations. Healthcare organizations should immediately implement the advisory's recommendations, including deploying endpoint detection and response (EDR) tools on virtual machines as well as physical hosts, a gap that is often overlooked.
The advisory's emphasis on network segmentation matters because Interlock moves and persists with legitimate tools rather than custom implants: AnyDesk and PuTTY for remote access and lateral movement, and Azure Storage Explorer and AzCopy to push stolen data to attacker-controlled cloud storage. Organizations should also assume that any user who browses the web from a domain-joined workstation is a potential entry point, since the lure arrives from a legitimate site the user already trusts rather than through an exploited internet-facing service.
FAQs
What are drive-by downloads?
Drive-by downloads happen when malware is delivered to your computer simply by visiting a website, typically a legitimate site that has been compromised, with little or no interaction beyond the visit. In Interlock's case the download is presented as a fake browser or security-software update that the user is then induced to run.
What is the ClickFix social engineering technique?
ClickFix is a fake error message or CAPTCHA that tricks users into running malicious code. It displays instructions like "Press Windows+R, then Ctrl+V, then Enter to verify you're human." What users don't realize is that harmful commands have been copied to their clipboard, which they're unknowingly pasting and running.
What are virtual machines (VMs)?
Virtual machines are software-based computers that run inside physical servers, allowing one server to run multiple separate systems. Healthcare organizations use VMs to run electronic health records, imaging systems, and other applications.
What is a .onion URL?
A .onion URL is a special web address that can only be reached through the Tor network, which hides the location of both the visitor and the server. Criminals use these hidden services because they are much harder for law enforcement to trace or take down than ordinary websites. Victims must use the Tor Browser to reach the negotiation site and enter the unique code from the ransom note to open a chat with the group.