How ransomware infects healthcare tissues

By user, January 29, 2025

Ransomware attacks have exposed vulnerabilities of unprecedented scale in the healthcare sector, and the danger is growing. Recently, UnitedHealth revealed that personal and medical data was stolen during the Change Healthcare ransomware attack, almost doubling the previously disclosed total.

This breach shows how deeply ransomware has penetrated critical systems, putting patient trust and patient care at stake.

One of the groups targeting this vulnerable sector is the Interlock ransomware group. Known for calculated, sophisticated attacks, it focuses on hospitals, clinics and other medical services.

Interlock Ransomware Group: An Active Threat to Healthcare

The Interlock ransomware group is a relatively new but dangerous player in the world of cybercrime, known for its double-extortion tactics.

This method involves encrypting the victim's data to disrupt operations and threatening to leak confidential information if the ransom demand is not met. The group's primary motive is financial gain, and its methods are tuned to maximize pressure on the target.

Key characteristics

  • Initial access: the group gains its initial foothold using sophisticated techniques such as phishing, fake software updates, malicious websites and other methods.
  • Persistence: the ability to remain undetected for long periods amplifies the damage it can cause.
  • Rapid progression: once inside the network, the group moves quickly, steals confidential data and prepares systems for encryption.
  • Tailored ransom demands: the group carefully assesses the value of the stolen data and sets a ransom the victim is able to pay.

Recent targets of the Interlock ransomware group

In late 2024, Interlock targeted several medical institutions in the United States, exposing sensitive patient information and disrupting operations. Victims include:

  • Brockton Neighborhood Health Center: breached in October 2024; the attack went undetected for almost two months.
  • Legacy Treatment Services: detected in late October 2024.
  • Drug and Alcohol Treatment Service: compromised data discovered during the same period.

Interlock ransomware group attack chain

The Interlock ransomware group begins its attacks with a strategic and highly deceptive method known as a drive-by compromise. In this approach, the group gains initial access to target systems by using carefully designed phishing websites to exploit unsuspecting users.

Initial access

The attack begins when the Interlock group compromises an existing legitimate website or registers a new phishing domain. These sites are carefully crafted to appear trustworthy by imitating reputable platforms such as news sites and software download pages. The sites often include fake updates and links to download tools which, once executed, infect the user's device with malware.

Example: Any.run's interactive sandbox detected the domain apple-online.shop, which was flagged as part of Interlock activity. The site is designed to deceive users into downloading malware disguised as legitimate software.

This tactic effectively bypasses the user's initial layer of suspicion, but with early detection and analysis, SOC teams can quickly identify malicious domains, block access, and respond faster to new threats, reducing the potential impact on business operations.

View the analysis session

apple-online.shop flagged as part of Interlock activity in the Any.run sandbox

Equip your team with the tools to fight cyber threats.

Get a 14-day free trial and analyze unlimited threats with Any.run.

Execution: How Interlock gains control

Once the Interlock ransomware group has breached the initial defenses, the execution phase begins. At this stage, the attacker sets the stage for full control over the victim's network by deploying and executing malicious payloads.

Interlock ransomware often disguises its malicious tools as legitimate updates to deceive users. Victims unknowingly launch fake updaters imitating Chromium, MSTeams or a Microsoft Edge installer, believing they are performing routine maintenance. Instead, these downloads activate remote access tools (RATs) and give the attacker full access to the infected system.

In the Any.run sandbox session, one of the updaters, upd_8816295.exe, is clearly identified in the process tree on the right, showing the malicious activity and execution flow.

Any.run's analysis of the fake updater in the sandbox

Clicking the MalConf button on the right side of the Any.run sandbox session displays the encrypted URL hidden in the fake updater.

Analysts benefit from receiving detailed data in a clear, user-friendly format, which improves threat response workflows, reduces analysis time, and delivers faster, more effective results when fighting cyber threats.

Malicious URL revealed in the Any.run sandbox

Credential access

The next step of the attack is to steal access credentials. These credentials allow the attacker to move laterally within the network and further exploit the victim's infrastructure.

The Interlock ransomware group has collected confidential data such as usernames, passwords and other authentication information using a custom stealer tool. According to reports, the stolen information was saved in a file named "chrgetpdsi.txt", which served as a collection point before exfiltration.

A search with Any.run's TI Lookup tool revealed that the stealer had already been detected on the platform in August 2024.

Interlock stealer detected by Any.run

Lateral movement: expanding the foothold

In the lateral movement stage, the attacker spreads across the network to access additional systems and resources. The Interlock ransomware group relies on legitimate remote management tools such as PuTTY, AnyDesk and RDP, which are commonly used by IT teams but were repurposed for malicious activity.

PuTTY detected in Any.run

Data exfiltration: extracting stolen information

In this final stage, the attacker exfiltrates data stolen from the victim's network, often using cloud storage services. For example, the Interlock ransomware group has used Azure cloud storage to transfer data out of the organization.

Inside the Any.run sandbox, you can see how data is transmitted to the attacker-controlled server.

For example, here the log shows information sent to IP 217[.]148.142.19 on port 443 during an Interlock attack.

Data sent from the RAT to the attacker-controlled server, as shown by Any.run
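As an added example that is not part of the article or of Any.run's tooling, the following Python detection maps the indicators described across the attack chain above (the phishing domain, the fake updater name pattern, the stealer output file, the repurposed admin tools and the exfiltration endpoint) onto endpoint log records. The JSON log format and its field names are constructed assumptions, not any real product's schema.

```python
import json
import re

# Indicators taken from the article; the IP is written defanged there and refanged here
PHISHING_DOMAINS = {"apple-online.shop"}
STEALER_OUTPUT = "chrgetpdsi.txt"
EXFIL_IP, EXFIL_PORT = "217[.]148.142.19".replace("[.]", "."), 443
FAKE_UPDATER = re.compile(r"^upd_\d+\.exe$", re.IGNORECASE)
# Legitimate admin tools the article says were repurposed: low severity, needs context
REMOTE_TOOLS = {"putty.exe", "anydesk.exe"}

def classify(event):
    """Map one log record to an Interlock attack-chain stage, or None if nothing matches."""
    kind = event.get("type")
    if kind == "dns_query" and event.get("query", "").lower() in PHISHING_DOMAINS:
        return ("initial_access", "high", event["query"])
    if kind == "process_create":
        image = event.get("image", "").rsplit("\\", 1)[-1].lower()  # basename only
        if FAKE_UPDATER.match(image):
            return ("execution", "high", image)
        if image in REMOTE_TOOLS:
            return ("lateral_movement", "low", image)
    if kind == "file_create" and event.get("path", "").lower().endswith(STEALER_OUTPUT):
        return ("credential_access", "high", event["path"])
    if kind == "network_connect" and event.get("dst_ip") == EXFIL_IP and event.get("dst_port") == EXFIL_PORT:
        return ("exfiltration", "high", f"{EXFIL_IP}:{EXFIL_PORT}")
    return None

def scan(lines):
    """Parse JSON-lines log text; return (stage, severity, indicator) findings in log order."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed records instead of aborting the whole scan
        hit = classify(event)
        if hit:
            findings.append(hit)
    return findings

# Constructed sample log (not from the article); field names are assumptions
SAMPLE_LOG = """
{"type": "dns_query", "host": "ws-12", "query": "apple-online.shop"}
{"type": "process_create", "host": "ws-12", "image": "C:\\\\Users\\\\j\\\\Downloads\\\\upd_8816295.exe"}
{"type": "file_create", "host": "ws-12", "path": "C:\\\\Users\\\\j\\\\AppData\\\\Local\\\\Temp\\\\chrgetpdsi.txt"}
{"type": "process_create", "host": "ws-12", "image": "C:\\\\Tools\\\\putty.exe"}
{"type": "network_connect", "host": "ws-12", "dst_ip": "217.148.142.19", "dst_port": 443}
{"type": "process_create", "host": "ws-12", "image": "C:\\\\Windows\\\\explorer.exe"}
""".splitlines()

if __name__ == "__main__":
    for stage, severity, indicator in scan(SAMPLE_LOG):
        print(f"[{severity}] {stage}: {indicator}")
```

The low-severity PuTTY hit is deliberately kept separate from the high-severity ones so that a triage rule can correlate it with the other stages on the same host rather than alert on ordinary admin use alone.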

Proactive protection against ransomware in healthcare

The healthcare sector is a prime target for ransomware groups like Interlock, whose attacks put sensitive patient data at risk, disrupt critical services and endanger lives. Healthcare organizations must remain vigilant and prioritize cybersecurity measures to protect their systems and data.

Early detection is key to minimizing damage. By using tools like the Any.run sandbox, healthcare teams can identify threats like Interlock early in the attack chain and gain actionable insights before a data breach occurs.

By safely analyzing suspicious files, uncovering indicators of compromise (IOCs), and monitoring network activity, Any.run empowers organizations to fight back against ransomware.

Start a 14-day free trial today and give your team the tools to stop ransomware threats before they escalate.

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter and LinkedIn to read more of the exclusive content we post.
