Full Report
On May 20, 2025, CNN reported that a ransomware attack had triggered a “system-wide technology outage” at Kettering Adventist Health in Ohio. Disclosures by Kettering Health would later explain that the healthcare system had been attacked by InterLock, a ransomware gang who were threatening to destroy data and publish data if their demands were not...
Analysis Summary
# Incident Report: Kettering Adventist Health Ransomware Outage (May 2025)
## Executive Summary
Kettering Adventist Health in Ohio suffered a significant ransomware attack by the InterLock gang, beginning with initial access in April 2025 and publicly impacting operations by May 20, 2025. The attack caused a system-wide technology outage lasting over two weeks, disrupting patient appointments and services. Threat actors exfiltrated approximately 950 GB of data, including sensitive patient information protected under HIPAA, escalating the incident beyond a mere operational disruption.
## Incident Details
- Discovery Date: April 9, 2025 (Inferred, based on initial access date and subsequent ransomware deployment)
- Incident Date: May 20, 2025 (Date of reported system-wide outage)
- Affected Organization: Kettering Adventist Health
- Sector: Healthcare
- Geography: Ohio, USA
## Timeline of Events
### Initial Access
- Date/Time: April 9, 2025
- Vector: Unknown (Implied initial compromise)
- Details: Attackers first gained unauthorized access to the network.
### Lateral Movement
- Date/Time: Post-April 9, 2025, leading up to ransomware deployment.
- Vector: Unknown
- Details: Attackers spent time establishing a foothold before deploying ransomware, indicating potential internal reconnaissance and privilege escalation.
### Data Exfiltration/Impact
- Date/Time: Prior to May 20, 2025.
- Vector: Data Exfiltration
- Details: Attackers exfiltrated approximately 950 GB of data (732,490 files, 20,251 folders). Ransomware was deployed, locking parts of Kettering’s files.
### Detection & Response
- Date/Time: Mid-May 2025 (First public report of system-wide outage on May 20, 2025).
- Vector: Internal detection following ransomware execution.
- Details: Kettering responded immediately to secure systems and began restoration efforts. InterLock officially listed the organization on its dark web leak site on June 4, 2025. Kettering reported the incident to HHS on July 21, 2025.
## Attack Methodology
- Initial Access: Not explicitly detailed in the source material, but the prolonged dwell time (April 9 to mid-May) suggests initial access methods like phishing, exploiting internet-facing services, or compromised credentials.
- Persistence: Unknown, but necessary to achieve large-scale data exfiltration and ransomware deployment.
- Privilege Escalation: Unknown.
- Defense Evasion: Unknown.
- Credential Access: Unknown.
- Discovery: Likely conducted internal reconnaissance given the scope of data exfiltration (950 GB).
- Lateral Movement: Essential for deploying ransomware across the network, impacting systems across the healthcare provider.
- Collection: Targeted data leading to the exfiltration of 950 GB of organizational and potentially patient/staff data.
- Exfiltration: Data was moved to infrastructure controlled by the threat actors, to serve as proof of the theft and as leverage for extortion.
- Impact: Encryption of files via ransomware and successful exfiltration of sensitive data with threats to publish.
## Impact Assessment
- Financial: Costs associated with remediation, system rebuilding, and regulatory compliance efforts (unspecified). A lawsuit was filed in Ohio courts.
- Data Breach: High severity. Approximately 950 GB of data containing names, SSNs, financial account numbers, driver’s license numbers, medical/treatment information, health insurance details, billing/claim information, passport numbers, and usernames/passwords was potentially accessed or exfiltrated.
- Operational: System-wide technology outage for over two weeks, requiring delays and rescheduling of appointments and impacting patient record access.
- Reputational: Public reporting via CNN and ongoing scrutiny regarding the severity of the patient data exposed and the organization's public disclosures.
## Indicators of Compromise
- Attack Group Affiliation: InterLock Ransomware Gang
- Network Indicators: None provided in the source material; attribution rests on the threat actor name.
- File Indicators: Encrypted files associated with ransomware deployment.
- Behavioral Indicators: Unauthorized large-scale data staging and exfiltration (950 GB).
## Response Actions
- Containment measures: Implemented immediately upon detection (inferred: network segmentation, isolation of affected systems).
- Eradication steps: Cooperation with cybersecurity experts and law enforcement.
- Recovery actions: Focus was placed on restoring safe access to care for patients, resulting in a multi-week outage period. Ransom payment status was not publicly disclosed.
## Lessons Learned
- Dwell time amplifies impact: The attackers had access for over a month (April 9 to mid-May) before the ransomware was deployed, allowing extensive reconnaissance and data collection.
- Transparency gap: The notification letters sent to affected individuals reportedly did not explicitly mention the exfiltration and publishing of PHI on the dark web, raising compliance and trust concerns.
## Recommendations
- Enhance proactive threat hunting: Shorten the detection timeline to identify initial unauthorized access earlier than one month post-compromise.
- Strengthen access controls and MFA enforcement: Assume credentials were a vector and limit standing access that allows for multi-week lateral movement and large-scale exfiltration.
- Review communication strategy: Ensure patient notifications comprehensively detail the full scope of the breach, including data exfiltration onto dark web leak sites, as required by regulatory guidance.
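The behavioral indicator above (large-scale staging and exfiltration of roughly 950 GB) and the threat-hunting recommendation both point at the same detection question: would a host sending an unusual volume of data out of the network have been noticed before the ransomware ran? The following is an added example, not part of the original report and not based on any Kettering data, showing one simple hunting check: per-host outbound volume to external destinations is compared against that host's own median on other days. The flow records, the internal address range (10.0.0.0/8) and the thresholds are constructed assumptions for illustration.

```python
"""Flag hosts whose outbound data volume to external destinations jumps far
above their own baseline, a simple hunting check for the kind of large-scale
staging and exfiltration described in the report.

Example code added to the summary; the flow records below are constructed and
are not data from the Kettering incident.
"""
import ipaddress
import statistics
from collections import defaultdict
from datetime import datetime

# Assumption: the organisation's internal address space is 10.0.0.0/8.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed flow records: (timestamp, source ip, destination ip, bytes sent).
# 10.1.2.3 sends ~40-50 MB/day for four days, then 40 GB in one early-morning burst.
# 10.1.2.4 is a steady host with no anomaly. 203.0.113.0/24 is documentation space.
SAMPLE_FLOWS = [
    ("2025-05-01T09:00:00", "10.1.2.3", "203.0.113.10", 40_000_000),
    ("2025-05-02T09:00:00", "10.1.2.3", "203.0.113.10", 45_000_000),
    ("2025-05-03T09:00:00", "10.1.2.3", "203.0.113.10", 50_000_000),
    ("2025-05-04T09:00:00", "10.1.2.3", "203.0.113.10", 42_000_000),
    ("2025-05-05T02:00:00", "10.1.2.3", "203.0.113.10", 40_000_000_000),
    ("2025-05-05T03:00:00", "10.1.2.3", "10.1.5.5", 60_000_000_000),  # internal, ignored
    ("2025-05-01T09:00:00", "10.1.2.4", "203.0.113.20", 10_000_000),
    ("2025-05-02T09:00:00", "10.1.2.4", "203.0.113.20", 12_000_000),
    ("2025-05-03T09:00:00", "10.1.2.4", "203.0.113.20", 11_000_000),
    ("2025-05-04T09:00:00", "10.1.2.4", "203.0.113.20", 13_000_000),
    ("2025-05-05T09:00:00", "10.1.2.4", "203.0.113.20", 12_000_000),
]


def is_internal(ip):
    """True if the address falls inside one of the configured internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def daily_external_bytes(flows):
    """Sum bytes per (source host, calendar day) for internal -> external flows only.

    Internal-to-internal traffic is skipped so that normal backup or file-server
    activity inside the network does not inflate a host's outbound figure.
    """
    totals = defaultdict(int)
    for ts, src, dst, nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            day = datetime.fromisoformat(ts).date()
            totals[(src, day)] += nbytes
    return totals


def flag_exfil_candidates(flows, ratio=10.0, min_bytes=1_000_000_000):
    """Return (host, day, bytes, baseline) for each host-day whose outbound volume
    is at least `ratio` times the host's median on its other observed days and
    also at least `min_bytes` in absolute terms.

    The absolute floor stops tiny hosts (e.g. 1 MB -> 15 MB) from being flagged;
    the per-host median keeps a single burst from dragging the baseline up.
    """
    totals = daily_external_bytes(flows)
    per_host = defaultdict(dict)
    for (host, day), nbytes in totals.items():
        per_host[host][day] = nbytes

    hits = []
    for host, days in per_host.items():
        for day, nbytes in sorted(days.items()):
            others = [v for d, v in days.items() if d != day]
            if not others:
                continue  # a single observation gives no baseline to compare against
            baseline = statistics.median(others)
            if nbytes >= min_bytes and nbytes >= ratio * baseline:
                hits.append((host, day.isoformat(), nbytes, baseline))
    return hits


if __name__ == "__main__":
    for host, day, nbytes, baseline in flag_exfil_candidates(SAMPLE_FLOWS):
        print(f"{host} on {day}: {nbytes / 1e9:.1f} GB out "
              f"vs baseline {baseline / 1e6:.1f} MB/day")
```

Run against real flow or proxy logs, the check is only a starting point: a host that was already a large sender (a backup server, a cloud-sync gateway) will not trip a ratio-based rule, so pairing it with an absolute daily ceiling per host class, and with review of destinations that a host has never contacted before, is what actually shortens the detection window the recommendations call for.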