Full Report
The Kettering Health network based in western Ohio reported a system-wide technology outage that it tracked to "unauthorized access."
Analysis Summary
# Incident Report: Kettering Health Ransomware Attack Disruption
## Executive Summary
Kettering Health, a major nonprofit hospital network in Ohio, experienced a widespread cybersecurity incident beginning on the morning of Tuesday, May 20th, 2025, resulting in a system-wide technology outage and the cancellation of elective procedures. Based on a ransom note reportedly found by IT staff, the incident is strongly suspected to be a ransomware attack by the Interlock gang. Clinical staff fell back on established contingency procedures to manage patient care while IT systems remained unavailable; response actions included containment, investigation, and monitoring.
## Incident Details
- Discovery Date: May 20th, 2025 (Tuesday morning, when the outage began)
- Incident Date: May 20th, 2025 (date of the outage; the date of initial intrusion has not been disclosed and may be earlier)
- Affected Organization: Kettering Health
- Sector: Healthcare
- Geography: Ohio, USA
## Timeline of Events
### Initial Access
- Date/Time: Tuesday morning, May 20th, 2025 (when the outage was observed; the time of actual initial access has not been disclosed)
- Vector: Not disclosed. The organization attributed the outage to "unauthorized access"; ransomware deployment is suspected from the ransom note, not confirmed by the organization.
- Details: A cybersecurity incident resulted in a system-wide technology outage, limiting access to certain patient care systems.
### Lateral Movement
- *Not described in the source. Lateral movement is assumed here from the system-wide scope of the outage, which is consistent with an intrusion that reached many systems rather than a single host.*
### Data Exfiltration/Impact
- Initial impact was a system-wide technology outage affecting patient care systems.
- Call center was reported down.
- Elective inpatient and outpatient procedures were canceled for the day and rescheduled.
### Detection & Response
- **Detection:** The incident was detected when it began causing system outages Tuesday morning. IT workers reportedly found a ransom note.
- **Response:** The organization took steps to contain and mitigate the unauthorized access. They are actively investigating and monitoring the situation. Emergency rooms and clinics remained open and seeing patients using established contingency procedures.
## Attack Methodology
- Initial Access: Unauthorized Access.
- Persistence: *Not specified.*
- Privilege Escalation: *Not specified.*
- Defense Evasion: *Not specified.*
- Credential Access: *Not specified. Some form of credential access is likely given the system-wide reach, but this is an inference, not a reported fact.*
- Discovery: *Not specified.*
- Lateral Movement: *Not specified; inferred from the system-wide impact.*
- Collection: *Not specified.*
- Exfiltration: *Unconfirmed. The source does not state whether data was taken; a ransomware deployment does not rule it out.*
- Impact: System operations disruption, cancellation of elective procedures.
## Impact Assessment
- Financial: *Not specified.* Ransom negotiation status unknown.
- Data Breach: Unconfirmed. The affected systems included those used to track patient medications and medical history, so patient data may have been exposed, but no breach of data has been reported.
- Operational: Significant disruption; system-wide technology outage, call center down, and cancellation of elective procedures across 14 medical centers and numerous clinics. Emergency services continued via manual procedures.
- Reputational: Public notification issued via their website regarding the incident.
## Indicators of Compromise
- **Network indicators:** None provided.
- **File indicators:** A ransom note, reportedly found by IT staff and attributed to the Interlock ransomware gang. No file names, hashes, or note contents were published.
- **Behavioral indicators:** A widespread technology outage beginning Tuesday morning, coinciding with the start of business operations.
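The only behavioral indicator the report offers is the outage itself, which is the last signal a defender wants to rely on. As an added example (not from the report, and not Kettering Health's own tooling), the Python script below shows the kind of host-level detection that can fire earlier: it scans file-audit log lines for two ransomware-like behaviours, a burst of files renamed to unfamiliar extensions and the same new file dropped into many directories, the way a ransom note is. The log format, the host and user names, and the note file name HOW_TO_RECOVER.txt are all constructed for the example and are not indicators from this incident.

```python
"""Burst detector for ransomware-like file activity (added example).

Assumed log format (constructed for this example), one event per line:
    <ISO-8601 timestamp> <host> <user> <action> <path>
where action is CREATE, WRITE or RENAME_TO (the new path after a rename).
"""
from collections import defaultdict
from datetime import datetime, timedelta
import os.path

WINDOW = timedelta(minutes=5)   # sliding window per (host, user)
MIN_DIRS_WITH_NOTE = 5          # identical new file name in this many directories
MIN_RENAMED_FILES = 20          # files given an unfamiliar extension inside one window
KNOWN_GOOD_EXTS = {".txt", ".docx", ".xlsx", ".pdf", ".dcm", ".hl7", ".log", ".csv"}


def parse_line(line):
    """Split one audit line into (timestamp, host, user, action, path)."""
    ts, host, user, action, path = line.split(maxsplit=4)
    return datetime.fromisoformat(ts), host, user, action, path


def analyse_window(window):
    """Return a reason string if the events in the window look like encryption, else None."""
    renamed = {p for _, a, p in window
               if a == "RENAME_TO" and os.path.splitext(p)[1].lower() not in KNOWN_GOOD_EXTS}
    dirs_by_name = defaultdict(set)          # new file name -> directories it appeared in
    for _, a, p in window:
        if a == "CREATE":
            dirs_by_name[os.path.basename(p)].add(os.path.dirname(p))
    note_like = sorted(n for n, d in dirs_by_name.items() if len(d) >= MIN_DIRS_WITH_NOTE)
    reasons = []
    if len(renamed) >= MIN_RENAMED_FILES:
        reasons.append(f"{len(renamed)} files renamed to unfamiliar extensions")
    if note_like:
        reasons.append("same new file dropped in many directories: " + ", ".join(note_like))
    return "; ".join(reasons) or None


def detect(lines):
    """Return sorted (host, user, reason) alerts; at most one alert per host/user pair."""
    events = defaultdict(list)
    for line in lines:
        if line.strip():
            ts, host, user, action, path = parse_line(line)
            events[(host, user)].append((ts, action, path))
    alerts = []
    for (host, user), evs in events.items():
        evs.sort()                           # events may arrive out of order
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > WINDOW:   # drop events older than WINDOW
                start += 1
            reason = analyse_window(evs[start:end + 1])
            if reason:
                alerts.append((host, user, reason))
                break                        # alert on the first window that trips
    return sorted(alerts)


def _t(seconds):
    """Timestamp helper for the constructed sample log."""
    return (datetime(2025, 5, 20, 6, 0, 0) + timedelta(seconds=seconds)).isoformat()


# Constructed sample log: benign clinician writes, a rename burst from one file
# server account, and a note-style file dropped across several share directories.
SAMPLE_LOG = (
    [f"{_t(i * 40)} WS22 jdoe WRITE /home/jdoe/notes{i}.docx" for i in range(6)]
    + [f"{_t(100 + i * 2)} FS01 svc-share RENAME_TO /shares/dept{i % 4}/record{i}.pdf.locked"
       for i in range(22)]
    + [f"{_t(90 + i * 30)} FS02 svc-backup WRITE /var/backup/job{i}.log" for i in range(3)]
    + [f"{_t(300 + i * 3)} FS02 svc-backup CREATE /shares/unit{i}/HOW_TO_RECOVER.txt"
       for i in range(6)]
)


def run_sample():
    return detect(SAMPLE_LOG)


if __name__ == "__main__":
    for host, user, reason in run_sample():
        print(f"ALERT {host} {user}: {reason}")
```

The thresholds are deliberately conservative; tune them per file server against a baseline of normal activity (backup jobs and imaging archives rename and create files in bulk too), and feed alerts into a response that can disable the offending account and isolate the host, since a five-minute window is still long enough to encrypt a departmental share.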
## Response Actions
- **Containment:** Steps were taken "to contain and mitigate this activity."
- **Eradication:** Not described in the source; the organization reports that investigation and monitoring are ongoing.
- **Recovery:** Organization is utilizing fallback procedures to maintain critical care (ERs/clinics operational). Elective services are being rescheduled.
## Lessons Learned
- The reliance on clinical systems for tracking medications and medical history makes the healthcare sector highly exposed to attacks on availability such as ransomware, where loss of system access directly disrupts patient care.
- The organization had contingency plans in place ("procedures in place to handle these types of situations") allowing emergency services to remain functional despite the outage.
## Recommendations
- Immediately isolate and investigate the entry point used by the suspected Interlock ransomware group.
- Review and regularly exercise offline or manual patient-care (downtime) procedures so that staff can revert to them quickly during a system outage.
- Evaluate security controls that limit the blast radius of ransomware, in particular network segmentation and privileged access management, so that a single compromised account or host cannot produce a system-wide outage.