The Interlock ransomware gang has claimed the cyberattack on DaVita kidney dialysis firm and leaked data allegedly stolen from the organization.
DaVita is a Fortune 500 kidney care provider with more than 2,600 U.S. dialysis centers, 76,000 employees in 12 countries, and an annual revenue exceeding $12.8 billion.
The healthcare company disclosed to the U.S. Securities and Exchange Commission (SEC) that on April 12 it suffered a ransomware attack that affected some operations. DaVita stated at the time that it was investigating the impact of the incident.
Earlier today, the Interlock ransomware gang claimed the attack on DaVita by adding it to the list of victims published on its data leak site (DLS) on the dark web.
According to the gang’s claim, they have around 1.5 terabytes of data from the healthcare company, or nearly 700,000 files of what appear to be sensitive patient records, information on user accounts, insurance, and even financial details.
The threat actor has published the files on their DLS, indicating that negotiations for getting paid by DaVita have failed. BleepingComputer did not review the contents of the files and could not validate their authenticity.
We have contacted the healthcare company once again for a comment on Interlock’s claims, and a spokesperson has sent us the statement below:
“We are aware of the post on the dark web and are in the process of conducting a thorough review of the data involved,” DaVita told BleepingComputer.
“A full investigation regarding this incident is still underway. We are working as quickly as possible and will notify any affected parties and individuals, as appropriate.”
“We are disappointed in these actions against the healthcare community and will continue to share helpful information with our vendors and partners to raise awareness on how to defend against these attacks in the future.”
If you have received care at a DaVita center and shared sensitive data with the organization, stay vigilant for potential phishing attempts and report suspicious communications to the authorities.
Interlock is one of the newer gangs on the ransomware scene. It launched last September targeting Windows and FreeBSD systems.
Though it does not work with external affiliates, it is a relatively active and evolving threat that has taken responsibility for a dozen attacks. For many of the listed incidents, the threat actor claims to have stolen terabytes of data from the victim networks.
A report from cybersecurity company Sekoia last week described a shift in Interlock’s tactics: the gang is now employing ‘ClickFix’ techniques to trick targets into infecting themselves with info-stealers and RATs, eventually leading to the deployment of the encryptor payload.
Update 4/24 – Added statement from DaVita