DaVita

DaVita, a Fortune 500 company specializing in kidney care, experienced a significant data breach in which 1.5 terabytes of data were stolen from its systems and leaked. The attack was carried out by the Interlock ransomware group, which has been actively targeting businesses and critical infrastructure organizations with double extortion attacks. The stolen data included sensitive information, impacting the company's operations and potentially compromising patient data.

Source: https://www.bleepingcomputer.com/news/security/cisa-and-fbi-warn-of-escalating-interlock-ransomware-attacks/

TPRM report: https://scoringcyber.rankiteo.com/company/davita

"id": "dav946072325",
"linkid": "davita",
"type": "Ransomware",
"date": "7/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'industry': 'Healthcare',
                        'name': 'DaVita',
                        'type': 'Business'},
                       {'industry': 'Healthcare',
                        'name': 'Kettering Health',
                        'size': 'Over 120 outpatient facilities, employs more '
                                'than 15,000 people',
                        'type': 'Business'}],
 'attack_vector': ['Drive-by download from compromised legitimate websites',
                   'FileFix technique'],
 'data_breach': {'data_encryption': True, 'data_exfiltration': True},
 'date_detected': 'September 2024',
 'date_publicly_disclosed': 'June 2025',
 'description': 'CISA and the FBI warned of increased Interlock ransomware '
                'activity targeting businesses and critical infrastructure '
                'organizations in double extortion attacks. The advisory '
                'provides network defenders with indicators of compromise '
                '(IOCs) and mitigation measures.',
 'impact': {'data_compromised': ['1.5 terabytes of data from DaVita']},
 'initial_access_broker': {'entry_point': 'Drive-by download from compromised '
                                          'legitimate websites',
                           'high_value_targets': ['Healthcare sector']},
 'investigation_status': 'Ongoing',
 'motivation': 'Financial gain through double extortion',
 'ransomware': {'data_encryption': True,
                'data_exfiltration': True,
                'ransomware_strain': 'Interlock'},
 'recommendations': ['Implement DNS filtering',
                     'Use web access firewalls',
                     'Train users to recognize social engineering attempts',
                     'Keep systems, software, and firmware up to date',
                     'Segment networks',
                     'Establish ICAM policies',
                     'Require MFA for all services'],
 'references': [{'source': 'CISA and FBI Advisory'}],
 'response': {'containment_measures': ['DNS filtering',
                                       'Web access firewalls',
                                       'Network segmentation'],
              'law_enforcement_notified': True,
              'network_segmentation': True,
              'remediation_measures': ['Train users to recognize social '
                                       'engineering attempts',
                                       'Keep systems, software, and firmware '
                                       'up to date',
                                       'Establish ICAM policies',
                                       'Require MFA for all services']},
 'threat_actor': 'Interlock ransomware group',
 'title': 'Increased Interlock Ransomware Activity',
 'type': 'Ransomware'}