Cyber Threat Actor: Interlock
| Actor Type | Location | Known Incidents |
Criminal
|
—
|
1 incident |
|---|
Profile
The threat actor known as Interlock operates as a ransomware group, leveraging extortion tactics to compromise organizational operations. Public reporting links this group to disruptive attacks against the healthcare sector, specifically targeting entities like hospital networks to maximize pressure for financial gain. Interlock’s activities align with broader criminal ransomware patterns, focusing on critical infrastructure where operational disruptions can force rapid payment decisions. The group’s alias remains consistent across attributed incidents, with no additional monikers publicly documented.
A representative Interlock operation involved the May 2025 attack on Ohio-based Kettering Health, which triggered system-wide outages affecting patient care systems and administrative functions. The incident forced the cancellation of elective procedures and disabled call centers, though emergency services maintained limited operations. Forensic evidence, including a ransom note, directly tied the intrusion to Interlock. This campaign exemplifies the actor’s focus on healthcare providers, exploiting their operational criticality to extract payments while causing measurable harm to medical services. The attack mirrored broader criminal ransomware trends impacting essential infrastructure, though Interlock’s specific tooling and intrusion methods remain unspecified in public disclosures. No verifiable affiliations with state actors or other collectives have been reported.
