Interlock ransomware claims DaVita attack, leaks stolen data



The Interlock ransomware gang has claimed the cyberattack on kidney dialysis firm DaVita and leaked data allegedly stolen from the organization.

DaVita is a Fortune 500 kidney care provider with more than 2,600 U.S. dialysis centers, 76,000 employees in 12 countries, and an annual revenue exceeding $12.8 billion.

The healthcare company disclosed to the U.S. Securities and Exchange Commission (SEC) that on April 12 it suffered a ransomware attack that affected some operations. DaVita stated at the time that it was investigating the impact of the incident.

Earlier today, the Interlock ransomware gang claimed the attack on DaVita by adding it to the list of victims published on its data leak site (DLS) on the dark web.

According to the gang’s claim, they have around 1.5 terabytes of data from the healthcare company, or nearly 700,000 files of what appear to be sensitive patient records, information on user accounts, insurance, and even financial details.

[Image: Interlock. Source: BleepingComputer]

The threat actor has published the files on their DLS, indicating that negotiations for getting paid by DaVita have failed. BleepingComputer did not review the contents of the files and could not validate their authenticity.

We have contacted the healthcare company once again for a comment on Interlock’s claims, and a spokesperson has sent us the statement below:

“We are disappointed in these actions against the healthcare community. We are aware that a cybercriminal is claiming responsibility for the recent cyber incident we experienced and has posted data allegedly associated with DaVita to a site they maintain on the dark web.”

“Our investigation into the full scope of this incident remains ongoing with external cybersecurity experts, and we continue to coordinate with the FBI.”

“We are in the process of validating the cybercriminal’s claims and are conducting a thorough review of the data potentially involved.”

“Based on the findings of the investigation and validation of the data, we will notify relevant parties and individuals in accordance with applicable law and regulations.” – DaVita spokesperson

If you have received care at a DaVita center and shared sensitive data with the organization, it is recommended to be vigilant for potential phishing attempts and report suspicious communications to the authorities.

Interlock is one of the newer gangs on the ransomware scene. It launched last September targeting Windows and FreeBSD systems.

Though it does not work with external affiliates, it is a relatively active and evolving threat that has taken responsibility for a dozen attacks. For many of the listed incidents, the threat actor claims to have stolen terabytes of data from the victim networks.

A report from cybersecurity company Sekoia last week described a shift in Interlock’s approach: the gang now employs ‘ClickFix’ tactics to trick targets into infecting themselves with info-stealers and RATs, eventually leading to the deployment of the encryptor payload.

Update 4/24 – Added statement from DaVita

