A ransomware attack on Kettering Health, a network of 14 medical centers in Ohio, has caused a system-wide technology outage, forcing the cancellation of elective inpatient and outpatient procedures. While emergency rooms remain operational, the incident has disrupted operations across the network and prompted a scramble to contain the damage. The ransomware note, attributed to the Interlock gang, threatens to leak sensitive data unless a ransom is paid. This is part of a wider trend: in 2023, the healthcare sector led all critical infrastructure sectors in reported ransomware incidents, reflecting persistent cybersecurity vulnerabilities. Similar attacks on Ascension and UnitedHealth Group have recently demonstrated the direct patient impact of such breaches.
Debbie Gordon, CEO and Founder, Cloud Range:
“We keep seeing healthcare systems pushed to the brink—not by medical emergencies, but by cyberattacks that disable basic operations. The Kettering Health attack is yet another example of why tabletop exercises and simulation-based training programs are essential. Responding to ransomware is not only about technology; it’s about people knowing what to do when systems go down. Clinical staff, IT teams, and executives all need to rehearse how to operate effectively under pressure. The faster we normalize this kind of preparedness, the more resilient our healthcare infrastructure will become.”
Gunter Ollmann, CTO at Cobalt, follows with this:
“The healthcare sector continues to be disproportionately targeted by ransomware groups because it presents a high-pressure environment where disruption can immediately impact patient lives. This urgency increases the likelihood of ransom payment, making hospitals prime targets for attackers looking for quick returns. But these incidents are more than just criminal opportunism—they’re warning shots for what cyber warfare could look like. The same vulnerabilities being exploited now would be leveraged in future geopolitical conflicts to destabilize critical infrastructure. Offensive security gives us the ability to simulate these high-stakes scenarios and uncover weak points before the stakes become national.”
This incident underlines how vulnerable the health care sector is to cybercrime. I’ve said it before and I will say it again. Urgent action needs to be taken to make this sector less of a target.
UPDATE: I have additional commentary starting with Rebecca Moody, Head of Data Research at Comparitech:
“This attack has been linked to the ransomware gang Interlock. Since it first emerged back in October 2024, we’ve tracked 16 confirmed attacks via this group, while a further 17 remain unconfirmed by the victims involved. Today, Interlock also came forward to claim a large-scale attack on West Lothian Council, UK, which has been disrupting its school network for over a week.”
“Four of Interlock’s confirmed attacks are on healthcare organizations in the US. It was also confirmed as the gang involved in the attack on kidney dialysis company, DaVita, in April 2025, and the 2024 attacks on Brockton Neighborhood Health Center (which led to 97,488 people having their data breached) and Drug and Alcohol Treatment Service, Inc. (which impacted 22,215 people). Interlock was also behind the huge data breach on Texas Tech University Health Sciences Center, which involved nearly 1.5 million records.”
“So far this year, we’ve tracked 24 confirmed attacks on US healthcare companies in total, with nearly 1.6 million records breached across these attacks. While this attack on Kettering Health is in its early stages, it’s highly likely Interlock will have stolen data and will release this if its ransom demands aren’t met.”
Erich Kron, Security Awareness Advocate at KnowBe4, had this to say:
“Sadly, the organizations that are charged with ensuring our health and safety are often the biggest targets of ransomware actors due to the sensitive information they collect and the time sensitive nature of their mission. This sensitivity to time gives the cybercriminals significant leverage when attempting to collect a ransom from organizations that have been left in a severely limited condition, or in some cases unable to provide services at all. While in this case it seems that only elective surgeries are being rescheduled, that doesn’t mean that the patients waiting for these surgeries are not uncomfortable or having issues.”
“Sometimes these procedures must be scheduled months in advance to find an available time on the schedule, especially in cases such as this where the organization is a nonprofit and is likely quite busy. This means that even though rescheduling is an option, it may push back their procedure by weeks or maybe even months.”
“In addition to the issues related to the inability to provide services, health care is a heavily regulated industry, and most ransomware actors will steal a copy of the most sensitive data they can get a hold of and threaten the organization with potentially leaking this information. Not only do the patients have to reschedule their procedures, but information such as their Social Security numbers, medical history, and other sensitive things are at risk of being dumped on the internet, making them more susceptible to future attacks from cybercriminals and possibly revealing embarrassing medical issues. There are also significant fines that may be leveraged by regulatory committees for the exposure of data in health care organizations.”
“Since most ransomware is spread through social engineering, such as email phishing or text message phishing, organizations in the healthcare industry especially need to ensure that they have a robust human risk management (HRM) in place, that data is being kept from leaving the network through data loss prevention (DLP) controls, and that they have backups that are tested on a regular basis, and kept off site or in an immutable state period.”
Additionally, Comparitech researchers today published a blog reporting another healthcare breach — this one a Montana hospital breach now confirmed to have compromised patient names, SSNs, DOBs, ID numbers, financial information, and more. This breach was claimed by ransomware gang Meow. For full details, please see here: https://www.comparitech.com/news/montana-hospital-data-breach-leaks-ssns-medical-and-financial-info/
UPDATE #2: Ensar Seker, CISO at SOCRadar adds this comment:
“The ransomware attack on Kettering Health is yet another stark reminder that cyberattacks in healthcare are no longer just data breaches. They are public health emergencies. When a system-wide outage results in canceled procedures and disrupted emergency operations, the consequences extend far beyond the digital domain and directly impact patient outcomes.”
“Healthcare systems like Kettering operate highly complex, interconnected environments with legacy infrastructure, fragmented security oversight, and tight operational margins. This makes them prime targets for ransomware groups, who know that the urgency of patient care often leads to faster ransom payments and less resistance. Disruption to electronic health records, scheduling, communications, and diagnostics can paralyze clinical operations, leading to delayed care, misdiagnoses, and even loss of life in worst-case scenarios.”
“This incident also reflects a growing trend. Threat actors are targeting not just data, but availability. The aim is to inflict operational chaos, knowing that healthcare providers must act fast. The fact that Kettering was forced to cancel both inpatient and outpatient procedures indicates a deep-level compromise of core infrastructure, not just a containment effort at the perimeter.”
“Hospitals must prioritize segmentation of critical systems, implement ransomware-specific playbooks, and invest in 24/7 threat detection tied to real-time operational impact assessments. Moreover, this reinforces the need for industry-wide collaboration, sharing IOCs, TTPs, and breach intel in real time to help other healthcare organizations stay ahead of similar attacks.”
“Ultimately, we need to treat ransomware in healthcare as a patient safety issue first, cybersecurity issue second. As long as these attacks continue to disable essential care services, they must be met with the same urgency as any other emergency affecting human lives.”
2,300 Domains Seized in Lumma Infostealer Disruption
Posted in Commentary with tags Microsoft on May 21, 2025 by itnerd
Microsoft’s Digital Crimes Unit facilitated the takedown, suspension, and blocking of about 2,300 malicious domains that formed the infrastructure backbone of Lumma Stealer, an info-stealing malware used by hundreds of cyber threat actors to steal passwords, credit cards, bank accounts, and cryptocurrency wallets. Lumma Stealer has also enabled criminals to hold schools for ransom, empty bank accounts, and disrupt critical services.
Microsoft has a blog post on this here: https://blogs.microsoft.com/on-the-issues/2025/05/21/microsoft-leads-global-action-against-favored-cybercrime-tool/
Ensar Seker, CISO at SOCRadar, commented:
“The coordinated takedown of Lumma Stealer’s infrastructure marks a pivotal moment in combating the proliferation of Malware-as-a-Service (MaaS) platforms. Lumma Stealer, also known as LummaC2, has been a formidable tool in the cybercriminal arsenal, facilitating the theft of sensitive data including credentials, financial information, and cryptocurrency wallets from nearly 400,000 Windows systems globally between March and May 2025.
“This operation, led by Microsoft’s Digital Crimes Unit in collaboration with international law enforcement agencies, successfully seized over 2,300 domains integral to Lumma’s operations and dismantled its command-and-control infrastructure. Such actions not only disrupt the immediate threat but also send a clear message to cybercriminals about the increasing capabilities and resolve of global cybersecurity alliances. However, the resilience of such malware underscores the necessity for continuous vigilance. Lumma’s ability to adapt, employing phishing, malvertising, and exploiting trusted platforms, highlights the evolving tactics of threat actors.
“While this takedown is a commendable achievement, it also serves as a reminder of the persistent and evolving nature of cyber threats. Ongoing collaboration between private sector entities and international law enforcement is essential to stay ahead.”
Takedowns are nice. But sometimes they’re a game of “whack a mole” where the threat actors pop up someplace else. Which is why these sorts of efforts need to be ongoing and not a one-time thing.