jThe Interlock ransomware group has taken credit for a recent cyberattack on DaVita, a leading U.S. kidney care provider. The group claims to have exfiltrated a significant amount of data, which it has now leaked on the dark web.
DaVita, a Fortune 500 company, operates over 2,600 dialysis centers across the U.S., employs around 76,000 people in 12 countries, and generates more than $12.8 billion in annual revenue. On April 12, the healthcare giant informed the U.S. Securities and Exchange Commission (SEC) that it had been hit by a ransomware incident that disrupted some operations. At the time, the company said it was assessing the impact.
Earlier today, the Interlock group publicly listed DaVita as a victim on its data leak site (DLS) hosted on the dark web. The cybercriminals claim to have stolen approximately 1.5 terabytes of data, including around 700,000 files containing sensitive information—ranging from patient records and user account data to insurance documents and financial details.
The leaked files were released following what appears to be a failed negotiation between Interlock and DaVita. The authenticity of the exposed files has not been independently verified by BleepingComputer.
In response to the data leak, a DaVita spokesperson told BleepingComputer: "We are aware of the post on the dark web and are in the process of conducting a thorough review of the data involved."
"A full investigation regarding this incident is still underway. We are working as quickly as possible and will notify any affected parties and individuals, as appropriate."
"We are disappointed in these actions against the healthcare community and will continue to share helpful information with our vendors and partners to raise awareness on how to defend against these attacks in the future."
Patients who have received care at DaVita facilities are advised to remain alert for phishing attempts and report any suspicious activity to authorities.
Interlock emerged in the ransomware scene in September last year, primarily targeting Windows and FreeBSD systems. Unlike many groups, Interlock does not collaborate with affiliates but has demonstrated increasing activity and sophistication.
A recent report by cybersecurity firm Sekoia highlighted a shift in Interlock’s approach. The group is now using “ClickFix” techniques to deceive victims into deploying info-stealers and remote access trojans (RATs)—a method that paves the way for ransomware deployment.
