Kettering Health, a major healthcare provider, fell victim to a ClickFix attack linked to the Interlock ransomware group, resulting in a significant data breach. The attack exploited social engineering tactics, tricking employees into executing malicious scripts via browser-based lures (e.g., fake CAPTCHAs or error-fixing prompts). The malicious payload was copied to the clipboard via obfuscated JavaScript and executed locally, bypassing traditional email security and endpoint detection. The breach compromised sensitive patient and employee data, including medical records, financial details, and personally identifiable information (PII). The attack leveraged SEO poisoning and malvertising via Google Search, evading conventional phishing defenses. Despite EDR (Endpoint Detection and Response) being the last line of defense, the obfuscated, user-initiated commands delayed detection, allowing the ransomware to encrypt critical systems. The incident disrupted healthcare operations, risked patient safety due to delayed treatments, and exposed Kettering Health to reputational damage, financial penalties, and potential legal liabilities. The breach underscored vulnerabilities in both technical controls and user awareness, particularly against browser-based, fileless attacks.
Source: https://thehackernews.com/2025/10/analysing-clickfix-3-reasons-why.html
TPRM report: https://www.rankiteo.com/company/ketteringhealth
{
  "id": "ket5232452102025",
  "linkid": "ketteringhealth",
  "type": "Ransomware",
  "date": "10/2025",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization’s existence"
}
{
  "affected_entities": [
    {"industry": "Healthcare", "location": "USA", "name": "Kettering Health", "type": "Healthcare Provider"},
    {"industry": "Healthcare", "location": "USA", "name": "DaVita", "type": "Healthcare Provider"},
    {"industry": "Public Sector", "location": "Minnesota, USA", "name": "City of St. Paul", "type": "Government"},
    {"industry": "Education/Healthcare", "location": "Texas, USA", "name": "Texas Tech University Health Sciences Centers", "type": "Educational Institution"}
  ],
  "attack_vector": [
    "Browser-Based Exploitation",
    "Malicious JavaScript (Auto-Copy to Clipboard)",
    "User-Initiated Command Execution (e.g., PowerShell, mshta, LOLBINs)",
    "SEO Poisoning",
    "Malvertising (Google Ads)",
    "Compromised/Legitimate-Looking Domains",
    "Conditional Loading (OS/Geo/IP Targeting)"
  ],
  "customer_advisories": [
    "Users should verify the legitimacy of browser prompts (e.g., CAPTCHAs) before interacting with them.",
    "Avoid pasting copied commands from untrusted websites into terminal/PowerShell windows.",
    "Report suspicious browser behavior (e.g., unexpected clipboard actions) to IT/security teams."
  ],
  "data_breach": {
    "data_exfiltration": ["Likely (For Ransomware/APT Groups)"],
    "personally_identifiable_information": ["Possible (If Follow-on Attacks Occur)"],
    "sensitivity_of_data": ["High (If Credentials/Cookies Lead to Further Compromise)"],
    "type_of_data_compromised": ["Credentials", "Session Cookies", "Potentially PII (Context-Dependent)"]
  },
  "description": "ClickFix attacks trick users into running malicious commands on their devices by copying malicious code from a webpage's clipboard and executing it locally. These attacks often mimic CAPTCHA challenges or error-fixing prompts and are delivered via SEO poisoning, malvertising, or compromised domains. They bypass traditional email-based security controls and rely on endpoint detection (EDR) as the last line of defense, which is not foolproof. The attacks are linked to threat actors like the Interlock ransomware group and state-sponsored APTs, with notable breaches including Kettering Health, DaVita, City of St. Paul (Minnesota), and Texas Tech University Health Sciences Centers.",
  "impact": {
    "brand_reputation_impact": [
      "Erosion of Trust (Phishing/Social Engineering)",
      "Associated with High-Profile Breaches (e.g., Healthcare, Education)"
    ],
    "data_compromised": [
      "Credentials (Stored in Browsers)",
      "Cookies (Session Tokens)",
      "Potentially PII (Depending on Follow-on Exploitation)"
    ],
    "identity_theft_risk": ["High (If Credentials/Cookies Stolen)"],
    "operational_impact": [
      "Disruption from Ransomware (Linked Cases)",
      "Incident Response Overhead",
      "Productivity Loss (User Remediation)"
    ],
    "payment_information_risk": ["Potential (If Browser-Stored Payment Data Accessed)"],
    "systems_affected": [
      "Endpoints (User Devices)",
      "Browsers (Chrome, Edge, Firefox, etc.)",
      "Potential Network Lateral Movement"
    ]
  },
  "initial_access_broker": {
    "backdoors_established": ["Potential (Via Stolen Credentials or Malware)"],
    "data_sold_on_dark_web": ["Likely (Credentials, PII, or Access Brokerage)"],
    "entry_point": [
      "SEO-Poisoned Search Results",
      "Malvertising (Google Ads)",
      "Compromised/Legitimate-Looking Domains",
      "Watering Hole Attacks"
    ],
    "high_value_targets": [
      "Healthcare (Kettering Health, DaVita)",
      "Government (City of St. Paul)",
      "Education (Texas Tech University)"
    ]
  },
  "investigation_status": "Ongoing (Evolving Threat)",
  "lessons_learned": [
    "Traditional user awareness training (focused on email/links) is insufficient for browser-based threats like ClickFix.",
    "EDR alone is not a reliable defense against user-initiated, context-less command execution.",
    "Attackers are leveraging non-email vectors (SEO poisoning, malvertising) to bypass email security controls.",
    "Browser-level detection (e.g., malicious copy-paste blocking) is critical for early interception.",
    "Conditional loading and geo/IP targeting make lures harder to detect via traditional web crawling.",
    "Unmanaged BYOD devices create blind spots in EDR coverage.",
    "Future evolution may include fully browser-based attacks (e.g., devtools exploitation) to evade EDR entirely."
  ],
  "motivation": [
    "Financial Gain (Ransomware, Data Theft)",
    "Credential Harvesting",
    "Lateral Movement for Targeted Attacks",
    "Espionage (APT-Linked)",
    "Session Hijacking"
  ],
  "post_incident_analysis": {
    "corrective_actions": [
      "Deploy browser-based security tools (e.g., Push Security) to detect malicious copy-paste actions.",
      "Update user training programs to include ClickFix-style attacks and non-email threat vectors.",
      "Enhance EDR configurations to monitor for suspicious command execution patterns, even without file downloads.",
      "Implement network-level controls to block known malicious domains used in SEO poisoning/malvertising.",
      "Audit and restrict unnecessary LOLBIN access for standard users.",
      "Expand threat hunting to include browser telemetry and endpoint correlation for ClickFix indicators."
    ],
    "root_causes": [
      "Over-Reliance on Email-Centric Security Controls",
      "Lack of Browser-Level Detection for Clipboard-Based Attacks",
      "User Training Gaps for Non-Traditional Social Engineering",
      "EDR Limitations for User-Initiated, Context-Less Commands",
      "Unmanaged BYOD Devices with Incomplete EDR Coverage"
    ]
  },
  "ransomware": {
    "data_encryption": ["Yes (In Ransomware-Linked Cases)"],
    "data_exfiltration": ["Yes (Double Extortion Tactics)"],
    "ransomware_strain": ["Interlock (Linked to ClickFix)"]
  },
  "recommendations": [
    "Implement browser-based security solutions (e.g., Push Security) to detect and block malicious copy-paste actions.",
    "Expand user training to cover non-email threats, including fake CAPTCHAs, browser prompts, and social engineering via search ads.",
    "Restrict or monitor LOLBINs (e.g., PowerShell, mshta) for non-privileged users, where feasible.",
    "Enhance EDR policies to flag suspicious user-initiated commands, even without file-based triggers.",
    "Monitor for SEO poisoning and malvertising campaigns targeting your organization’s brand or industry.",
    "Audit and secure browser-stored credentials/cookies to mitigate session hijacking risks.",
    "Evaluate the security posture of BYOD devices, especially for contractors or remote workers.",
    "Deploy conditional access policies to limit exposure from compromised credentials.",
    "Participate in threat intelligence sharing to stay updated on evolving ClickFix TTPs."
  ],
  "references": [
    {"source": "Push Security Research", "url": "https://www.pushsecurity.com"},
    {"source": "Kettering Health Breach (Linked to ClickFix TTPs)"},
    {"source": "DaVita Breach (Linked to ClickFix TTPs)"},
    {"source": "City of St. Paul Breach (Linked to ClickFix TTPs)"},
    {"source": "Texas Tech University Health Sciences Centers Breach (Linked to ClickFix TTPs)"}
  ],
  "response": {
    "containment_measures": [
      "Browser-Based Malicious Copy-Paste Detection (Push Security)",
      "Endpoint Detection & Response (EDR) Monitoring"
    ],
    "enhanced_monitoring": [
      "Browser-Level Telemetry (Push Security)",
      "Endpoint Behavior Analysis (EDR)"
    ],
    "remediation_measures": [
      "User Training on Non-Email Threats",
      "Restricting Access to LOLBINs (e.g., PowerShell, mshta)",
      "Enhanced EDR Policies for User-Initiated Commands"
    ],
    "third_party_assistance": ["Push Security (Browser-Based Detection)"]
  },
  "threat_actor": [
    "Interlock Ransomware Group",
    "State-Sponsored APTs (Advanced Persistent Threats)",
    "Unspecified Cybercriminal Groups"
  ],
  "title": "ClickFix (Fake CAPTCHA) Social Engineering Attacks",
  "type": [
    "Social Engineering",
    "Malvertising",
    "SEO Poisoning",
    "Clipboard Hijacking",
    "Fake CAPTCHA",
    "Watering Hole Attack"
  ],
  "vulnerability_exploited": [
    "Lack of User Awareness for Non-Email Threats",
    "Endpoint Detection Gaps (EDR Limitations)",
    "Browser Sandbox Exploitation (Clipboard Access)",
    "Unmanaged BYOD Devices",
    "Over-Reliance on Email-Based Security Controls"
  ]
}