Safeguarding Your Healthcare Practice from Interlock Ransomware Attacks
As a small healthcare provider, you focus on caring for your patients, but a new cyber threat called Interlock ransomware is putting medical practices like yours at risk. This malicious software can lock your files, steal sensitive patient data, and disrupt your operations, causing significant harm. Recent attacks have targeted healthcare providers, making it critical to understand how Interlock works, its consequences, and what you can do to protect your practice. In this blog post, we’ll break it down in simple terms and share actionable steps to keep your practice safe.
What is Interlock Ransomware?
Interlock ransomware is a type of harmful software that locks your computer files and demands payment to unlock them. It also steals sensitive information, like patient records, and threatens to leak it online if you don’t pay. First identified in September 2024, Interlock has quickly become a serious threat, especially for healthcare providers. It targets both Windows and Linux systems, including virtual machines, and has hit organizations across North America and Europe, with a particular focus on healthcare.
How Does Interlock Get Into Your Systems?
Interlock uses sneaky tactics to infect your computers, often relying on human error to gain access. Here’s how it typically works:
- Fake Website Downloads (Drive-by Downloads): Hackers compromise legitimate websites, like news or retail sites, to trick users into downloading malware disguised as software updates (e.g., a fake Google Chrome or Microsoft Edge update). Visiting these sites can automatically install Interlock on your device without you realizing it.
- Fake Error Messages (FileFix or ClickFix): You or an employee might see a pop-up or webpage that looks like a CAPTCHA or an error message, asking you to copy and paste a command or click a link to “fix” a problem. These actions secretly install Interlock.
- Social Engineering: Interlock relies on tricking people through phishing emails or fake IT tools that appear legitimate but deliver malware.
Once inside, Interlock spreads across your network, steals data (like patient records), and encrypts your files, adding “.interlock” to their names (e.g., patient_record.pdf becomes patient_record.pdf.interlock). The attackers leave a ransom note with a unique code, instructing you to contact them via a hidden website on the dark web to negotiate payment. They use a “double extortion” tactic, demanding payment to unlock your files and to prevent your stolen data from being leaked online.
Why Is Interlock So Dangerous for Healthcare Providers?
Interlock is a severe threat because it targets the heart of your practice: patient data and operational systems. The consequences can be catastrophic:
- Patient Data Breaches: Stolen records, including names, Social Security numbers, and medical details, can be sold on the dark web or leaked publicly, violating HIPAA regulations. For example, Interlock claimed responsibility for a 2024 attack on Texas Tech University Health Sciences Center, compromising 1.46 million patient records.
- Operational Disruptions: Locked files can halt access to electronic health records (EHRs), appointment schedules, or billing systems, delaying patient care. Recent attacks on providers like DaVita and Kettering Health caused significant disruptions.
- Financial Losses: Ransoms can range from thousands to millions of dollars. A Microsoft report noted that healthcare organizations paying ransoms averaged $4.4 million in costs, plus $900,000 per day in downtime. Legal fees and fines for data breaches add to the burden.
- Loss of Patient Trust: A breach can damage your reputation, causing patients to lose confidence in your ability to protect their information.
- Legal and Regulatory Penalties: Failing to secure patient data can lead to HIPAA violations, fines, and lawsuits. For instance, class-action lawsuits followed Interlock’s attack on Texas Tech.
The FBI, CISA, and other agencies warned in July 2025 that Interlock is escalating its attacks, with healthcare as a primary target due to the value of patient data and the urgency to restore operations.
Recent News: Interlock’s Growing Threat
Interlock has been making headlines for its aggressive attacks on healthcare providers:
- July 2025 Advisory: The FBI, CISA, Department of Health and Human Services (HHS), and Multi-State Information Sharing and Analysis Center (MS-ISAC) issued a joint advisory highlighting Interlock’s tactics, including its use of drive-by downloads and FileFix social engineering. They noted attacks on healthcare providers like DaVita and Kettering Health, as well as other sectors.
- June 2025 Incidents: Investigations revealed Interlock’s attacks on healthcare organizations, with hackers using tools like NodeSnake and a new PHP-based remote access trojan (RAT) to infiltrate networks.
- Evolving Tactics: Interlock has developed new tools, such as a PHP-based RAT detected in June 2025, and shares similarities with the Rhysida ransomware group, suggesting it may be a splinter faction.
- High-Profile Breaches: In addition to Texas Tech, Interlock targeted Legacy Treatment Services, stealing 170 GB of data, and other healthcare providers, showing its focus on the sector.
The advisory emphasizes that Interlock’s attacks are financially motivated, exploiting vulnerabilities in organizations with weak security. Its ability to target both Windows and Linux systems makes it particularly versatile and dangerous.
Actions You Can Take Today to Protect Your Practice
You don’t need to be a tech expert to defend against Interlock. The FBI and CISA recommend these practical steps to protect your practice now:
- Prevent Initial Access:
  - Use DNS Filtering: Set up domain name system (DNS) filtering to block access to malicious websites. Your IT provider can configure this to stop employees from visiting compromised sites that deliver Interlock.
  - Install Web Access Firewalls: These act like a digital gatekeeper, blocking harmful commands from suspicious websites. Ask your IT team to set this up.
  - Train Staff to Spot Social Engineering: Educate your employees to recognize phishing emails, fake updates, or suspicious pop-ups (like FileFix or ClickFix). Teach them to avoid clicking links or downloading files from unknown sources and to report anything unusual. Regular training can make a big difference.
- Mitigate Known Vulnerabilities:
  - Keep all your computers, software (like EHR systems), and devices (like medical equipment) updated with the latest security patches. Hackers exploit outdated systems, so ask your IT provider to ensure your operating systems, software, and firmware are current. Schedule regular updates to stay protected.
- Segment Your Network:
  - Divide your network into separate sections (like isolating patient records from billing systems) to limit how far Interlock can spread if it infects one computer. This is called network segmentation and can be set up by your IT team to restrict “lateral movement” of malware.
- Implement Identity and Access Management with MFA:
  - Create strong policies for managing user accounts and passwords (known as identity, credential, and access management, or ICAM). Ensure only authorized staff access sensitive systems.
  - Require multifactor authentication (MFA) for all accounts, especially for email, EHRs, and remote access. MFA adds a second step (like a code sent to your phone) to logins, making it harder for hackers to use stolen passwords. Your IT provider can enable MFA across your systems.
Additional Tips:
- Back Up Your Data: Regularly back up patient records and critical files to a secure, offline location (like an external hard drive or encrypted cloud service). Test your backups to ensure you can restore them quickly if attacked.
- Use Antivirus and Endpoint Detection: Install reputable antivirus software and consider endpoint detection and response (EDR) tools to catch malware early. Your IT provider can recommend solutions.
- Monitor for Suspicious Activity: Use network monitoring tools to detect unusual activity, like unauthorized logins. Ask your IT team to set up alerts for suspicious behavior.
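To make the monitoring tip concrete, here is an added example (not code from this post, the advisory, or any vendor tool) of the kind of alert rule an IT provider could build: it reads file-server audit events and flags a host that renames several files to the “.interlock” extension within a short window, the pattern described above. The log format, host names, folders and timestamps are constructed for the example; only the “.interlock” suffix comes from the post.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of file-server audit events: "<ISO time> <host> <action> <path>".
# Only the ".interlock" suffix comes from the post; hosts, times and paths are made up.
SAMPLE_EVENTS = """\
2025-07-22T09:14:05 WS-FRONTDESK RENAME C:\\Shared\\patients\\patient_record.pdf.interlock
2025-07-22T09:14:06 WS-FRONTDESK RENAME C:\\Shared\\patients\\intake_form.docx.interlock
2025-07-22T09:14:06 WS-FRONTDESK RENAME C:\\Shared\\patients\\labs_2024.csv.interlock
2025-07-22T09:14:07 WS-FRONTDESK RENAME C:\\Shared\\billing\\claims_q2.xlsx.interlock
2025-07-22T09:14:08 WS-FRONTDESK RENAME C:\\Shared\\billing\\ledger.xlsx.interlock
2025-07-22T11:30:00 WS-RECEPTION RENAME C:\\Shared\\archive\\old_scan.pdf.interlock
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (.+)$")
RANSOM_EXT = ".interlock"


def parse_events(text):
    """Yield (time, host, action, path) tuples, skipping malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, host, action, path = m.groups()
        yield datetime.fromisoformat(ts), host, action, path


def find_encryption_bursts(text, threshold=5, window=timedelta(seconds=60)):
    """Return {host: affected folders} for hosts that renamed at least `threshold`
    files to .interlock inside any `window`; a lone rename is not flagged."""
    per_host = defaultdict(list)
    for ts, host, action, path in parse_events(text):
        if action == "RENAME" and path.lower().endswith(RANSOM_EXT):
            per_host[host].append((ts, path))
    hits = {}
    for host, events in per_host.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:  # slide the window
                start += 1
            if end - start + 1 >= threshold:
                folders = {p.rsplit("\\", 1)[0] for _, p in events[start:end + 1]}
                hits[host] = sorted(folders)
                break
    return hits
```

Calling `find_encryption_bursts(SAMPLE_EVENTS)` flags only WS-FRONTDESK (five renames in four seconds across two folders); the single rename from WS-RECEPTION stays below the threshold, which keeps one-off false alarms down while still catching mass encryption early enough to isolate the machine.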
If you suspect an attack, contact We Know Cyber immediately and report it to the FBI’s Internet Crime Complaint Center (ic3.gov).
The Severity of the Threat
Interlock is a high-severity threat for small healthcare providers. Its focus on healthcare, use of sophisticated tactics like drive-by downloads and FileFix, and double extortion strategy make it particularly dangerous. The healthcare sector is a prime target because patient data is valuable on the black market, and disruptions can pressure providers to pay ransoms quickly to restore care. With attacks escalating in 2025, small practices with limited IT resources are especially vulnerable. Taking action now is critical to avoid devastating financial, legal, and reputational damage.
Stay Proactive, Stay Safe
Interlock ransomware is a growing danger, but you can protect your practice by acting today. By implementing DNS filtering, web access firewalls, staff training, regular updates, network segmentation, and MFA, you can significantly reduce your risk. Work with your IT provider to put these measures in place and stay vigilant for suspicious emails, websites, or error messages. Protecting your patients’ data and your practice’s operations starts with these simple, effective steps.
For more information, check the FBI and CISA’s July 2025 advisory (cisa.gov) or contact the professionals at We Know Cyber to secure your systems.
