Interlock and the Kettering Ransomware Attack: ClickFix’s Persistence

In healthcare, every minute of downtime isn’t just a technical problem — it’s a patient safety risk.

CNN recently reported that Kettering Health, a major hospital network in Ohio, was hit by a ransomware attack. According to CNN, the Interlock ransomware group claimed responsibility, sending a chilling reminder that healthcare remains a prime target for this particular ransomware gang.

While technical details of the Kettering attack remain scarce, Interlock’s recent history — and the emergence of browser-based attack chains like ClickFix — should put every CISO on high alert. In fact, HHS released a sector-level alert on ClickFix, due to the severity of the attack and how focused attackers were in targeting healthcare organizations. Again, though it is not yet confirmed that this specific exploit was used at Kettering, Interlock has been linked to ClickFix attacks elsewhere.

While Kettering continues to focus on incident response, for those watching across the industry, what’s clear is the growing role of browser-based attacks in ransomware campaigns, and how, in healthcare environments, these kinds of attacks can be life-threatening.

Healthcare Remains a Top Target

Ransomware actors continue to prioritize healthcare organizations as targets because of the high value placed on continuity of care. Timely access to records, imaging, and communication systems is essential for delivering treatment — so when those systems are disrupted, the operational impact is immediate.

Healthcare organizations are uniquely vulnerable to ransomware for several reasons:

• Dispersed and unmanaged endpoints: Clinicians often use shared workstations, personal laptops, and mobile devices, increasing attack surface.
• High uptime requirements: Any downtime can delay surgeries, diagnostics, or emergency care — forcing quick, sometimes quiet, ransom payments.
• Regulatory pressure: Standards and requirements like HIPAA and HITRUST turn data breaches and outages into costly, reportable incidents.
• High ROI for attackers: Medical data and patient information continues to be the most valuable information sold on the dark web

The stakes are high: In 2024, 67% of healthcare organizations reported a ransomware attack, and research shows that patient care delays increase measurably during major incidents.

Recent examples of healthcare organizations disrupted because of a cyberattack include:

• Change Healthcare (2024): Payment processor attack rippled across the U.S., delaying claims and payments for weeks.
• CommonSpirit Health (2022): 600,000+ patient records exposed, care delayed, millions in costs.
• Universal Health Services (2020): 250 facilities offline, staff forced to revert to paper, patient care disrupted.

As more clinical and operational workflows move into SaaS apps and browser-delivered interfaces, the browser itself is becoming more relevant to healthcare security.

Understanding ClickFix and Browser-Based Tactics

ClickFix is a technique that relies on seemingly legitimate browser interactions — like fake CAPTCHAs or pop-up prompts — to trick users into activating malicious scripts. What makes this approach difficult to detect is that it relies heavily on the browser for clipboard manipulation, with no file download to trigger traditional file-based alerts or network signatures.

Here’s how a ClickFix attack could unfold in a healthcare organization:

1. A healthcare worker visits a compromised website or clicks a phishing link.
2. A fake browser prompt appears (e.g., “Please complete this CAPTCHA to continue”).
3. The user is tricked into copying and running a script (often a PowerShell command), which silently installs malware — sometimes without any download or obvious warning.

SquareX first detailed this technique in 2024 to illustrate a broader challenge: many endpoint and network tools lack visibility into what happens in the browser — including browser extensions, clipboard activity, and in-browser scripting.