The Ohio-based Kettering Health system said a recent cyberattack was by the Interlock ransomware gang, which had claimed to steal troves of data from the organization.
# Incident Report: Kettering Health Ransomware Attack
## Executive Summary
Kettering Health, a major healthcare system in Ohio, suffered a system-wide ransomware attack, attributed to the Interlock ransomware group, that began on May 20th. The incident caused significant operational disruption: outages affecting internal systems, phone lines, and the Electronic Health Record (EHR) system forced the cancellation of elective procedures and the diversion of ambulances. The organization has since contained the threat, removed the attackers' persistence mechanisms, and is focused on full system recovery and an improved security posture.
## Incident Details
- **Discovery Date:** On or shortly after May 20, 2025 (when systems went offline).
- **Incident Date:** Began on May 20, 2025.
- **Affected Organization:** Kettering Health (Operating 14 medical centers and dozens of clinics).
- **Sector:** Healthcare.
- **Geography:** Ohio (primarily Dayton area).
## Timeline of Events
### Initial Access
- **Date/Time:** May 20, 2025 (start of outage).
- **Vector:** Ransomware deployment (Interlock group).
- **Details:** The ransomware attack began by knocking internal systems, phone lines, and the EHR system offline, with immediate operational impact.
### Lateral Movement
- *The source does not describe the specific steps the threat actors took between the initial compromise and the system-wide encryption/disruption.*
### Data Exfiltration/Impact
- The Interlock group claimed to have stolen "troves of data," offering samples including financial records.
### Detection & Response
- **How it was discovered:** Discovered when internal systems, including phone lines and the EHR, went offline. A ransom note was allegedly found by IT workers.
- **Response actions taken:** Over 200 personnel (internal and external experts) worked on recovery. All "tools and persistence mechanisms" were allegedly removed, and affected systems secured. Network segmentation and enhanced monitoring were implemented with external cybersecurity partners.
## Attack Methodology
- **Initial Access:** Via unspecified method leading to ransomware deployment.
- **Persistence:** Interlock utilized "persistence mechanisms" that needed to be removed during eradication.
- **Privilege Escalation:** *Not specified.*
- **Defense Evasion:** *Not specified in detail; the system-wide outage implies the actors evaded detection long enough to deploy ransomware across the environment.*
- **Credential Access:** *Not specified.*
- **Discovery:** *Not specified.*
- **Lateral Movement:** *Implied, as the attack was system-wide.*
- **Collection:** Data theft occurred, allegedly including financial records.
- **Exfiltration:** Data was exfiltrated prior to or during the encryption phase.
- **Impact:** System-wide technology outages, inability to use phone lines, EHR unavailability, cancellation of elective procedures, and ambulance diversion.
## Impact Assessment
- **Financial:** *Not disclosed.*
- **Data Breach:** Claims of stolen data including financial records. Volume and specific records unknown.
- **Operational:** Severe disruption; cancellation of elective procedures, ambulance diversions, and challenges with patient communication and scheduling until EHR components were brought back online.
- **Reputational:** Public confirmation of a major system outage that required external assistance to remediate; efforts to restore patient and public trust are underway.
## Indicators of Compromise
- *No specific IoCs (IPs, domains, hashes) were provided in the source.*
- **Behavioral indicators:** System-wide outage coinciding with ransomware deployment; discovery of a ransom note attributed to Interlock.
## Response Actions
- **Containment measures:** Removal of all identified "tools and persistence mechanisms" used by the ransomware gang.
- **Eradication steps:** Thorough review of all systems conducted by internal and external partners.
- **Recovery actions:** Relaunching components of the EHR system; enhancing network segmentation, monitoring, and access controls; working to restore inbound/outbound calling capabilities.
## Lessons Learned
- Major healthcare systems remain high-value targets for sophisticated ransomware groups like Interlock.
- Significant operational risk exists when core systems (like EHRs and telephony) are disrupted simultaneously.
- The immediate response required a large, coordinated effort (over 200 staff/experts).
## Recommendations
- Proactively segment networks so that a ransomware outbreak in one zone cannot spread to core clinical systems, limiting the potential blast radius.
- Immediately implement enhanced monitoring across all critical infrastructure layers.
- Review and strengthen access controls organization-wide.
- Develop and regularly test comprehensive recovery plans for EHR and communication systems that can be executed independently of primary vendor support where possible.