On Tuesday morning, a note appeared at Kettering Health Center, Ohio: “Your network was compromised, and we have secured your most vital files.” This ransomware attack, which caused a “system-wide technology outage”, led to the cancellation of elective inpatient and outpatient procedures. The attack aligns with Mark Galeotti’s argument in his book ‘The Weaponization of Everything: A Field Guide to the New Way of War’, in which he wrote that the contemporary world has transcended traditional battlefields, with cyber attacks now a common tool to destabilise civilian infrastructure.
In the introduction of the book, Galeotti wrote how Japan experienced a cyber-attack that led to a massive outage for 48 hours in the eastern and western parts of Japan. With no electricity, the whole country was on the cusp of societal collapse, including fatalities in intensive care units where backup generators were not enough or were too slow to come online. In this vein, the recent ransomware attack on Ohio’s medical centre epitomizes Galeotti’s thesis that the world has become an open battleground where everything is weaponized, including power grids, healthcare, information, and even culture, suggesting a war of all against all.
Interlock Behind the Scenes
The ransomware attack on Kettering Health of Ohio is being attributed to the ransomware gang Interlock, reflecting Galeotti’s depiction of a world where non-state actors exploit vulnerabilities in critical infrastructure to extort concessions and destabilize public institutions.
MSN reported that the spokesperson of Kettering Health declined to share any details about the cyberattack other than the network statement.
The Federal Bureau of Investigation, the Department of Health and Human Services, and the US Cybersecurity and Infrastructure Security Agency have also refrained from commenting on the cyberattack.
Interlock Modus Operandi:
According to Sekoia, Interlock first surfaced in September 2024 and has a Data Leak Site (DLS) called ‘Worldwide Secrets Blog’.
The gang operates a structured, multi-stage attack chain. It first deceives users to gain access, and ultimately deploys ransomware for double extortion. The attack typically begins with the compromise of legitimate websites, which are then used to host fake browser update installers impersonating software like Google Chrome or Microsoft Edge. Unsuspecting victims are then tricked into manually downloading and executing these installers, which are actually PyInstaller files.
So far, there has been no update on the methodology adopted by Interlock to access the network of Kettering Health Center. However, it can be predicted that Interlock deceived the users of the Kettering Health Center website and then deployed a ransom note.
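A defender-side triage check for the delivery stage described above, added here as an example and not taken from Sekoia's report or any vendor tooling: it looks for the PyInstaller archive trailer in a downloaded Windows executable whose name poses as a browser update. The filename keywords, function names and sample bytes are constructed assumptions, and the trailer layout is assumed from PyInstaller's own archive reader.

```python
import struct

# Magic that opens the PyInstaller CArchive trailer ("cookie") near the end of a bundle.
PYI_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
# Assumed trailer layout: magic, archive length, TOC offset, TOC length,
# Python version, libpython name (88 bytes, big-endian).
COOKIE = struct.Struct("!8sIIii64s")
# Assumed filename keywords for "browser update" lures; tune for your environment.
BROWSER_HINTS = ("chrome", "edge", "browser", "update")


def find_pyinstaller_cookie(data: bytes, tail: int = 8192):
    """Return parsed trailer fields if the file tail holds a PyInstaller archive, else None."""
    window = data[-tail:]
    pos = window.rfind(PYI_MAGIC)
    if pos < 0 or len(window) - pos < COOKIE.size:
        return None
    _, pkg_len, toc_off, toc_len, pyvers, pylib = COOKIE.unpack_from(window, pos)
    # Sanity checks so a stray magic string in unrelated data is not reported.
    if pkg_len > len(data) or toc_off + toc_len > pkg_len:
        return None
    return {
        "python_version": pyvers,
        "pylib": pylib.rstrip(b"\0").decode("ascii", "replace"),
        "archive_size": pkg_len,
    }


def triage(filename: str, data: bytes) -> str:
    """Classify a download as 'suspicious', 'pyinstaller' or 'no-match'."""
    if find_pyinstaller_cookie(data) is None:
        return "no-match"
    is_pe = data[:2] == b"MZ"  # Windows executables start with the MZ header
    poses_as_updater = any(hint in filename.lower() for hint in BROWSER_HINTS)
    # A browser "updater" that is really a bundled Python program deserves a closer look.
    return "suspicious" if is_pe and poses_as_updater else "pyinstaller"


def constructed_sample() -> bytes:
    """Constructed bytes shaped like a PyInstaller bundle (not a real sample)."""
    body, toc = b"\0" * 64, b"\0" * 32
    pkg_len = len(body) + len(toc) + COOKIE.size
    cookie = COOKIE.pack(PYI_MAGIC, pkg_len, len(body), len(toc), 311, b"python311.dll")
    return b"MZ" + b"\0" * 126 + body + toc + cookie
```

A 'suspicious' result is a prompt for analysis, not a verdict: legitimate internal tools are also built with PyInstaller, which is why the filename check is kept separate from the format check.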
Case Study of Change Healthcare Cyber-attack: Lessons for Kettering Health Center
In 2024, a cyber attack on Change Healthcare revealed how vulnerable the cyber landscape of US medical centres is. A post-attack survey by the American Medical Association (AMA) found that respondents continued to face issues with multiple operations even after the service was restored. According to the findings, 60% continue to face challenges in verifying patient eligibility, 75% still face barriers with claim submission, 79% still cannot receive electronic remittance advice, and 85% continue to experience disruptions in claim payments.
These findings are alarming for Kettering Health Center, as the Ohio health centre may face continuous disruption like that faced by Change Healthcare. Moreover, these ransomware attacks also teach other medical centres that the world has become an open battlefield where everything is weaponized. Leaving websites unguarded could lead to leaks of patient data and operational disruption of the whole medical centre.