Kettering Health

Kettering Health, a major Ohio-based hospital network with 14 medical centers and over 1,800 medical professionals, suffered a ransomware attack on May 20, 2025, carried out by the Interlock ransomware group (RaaS model). The attack triggered a comprehensive IT failure, forcing the cancellation of all elective procedures, disrupting patient care systems, and placing emergency departments on diversion status, which redirected ambulances to other facilities. The incident involved lateral movement via RDP, potential use of malicious DLLs (rundll32.exe), and double extortion (data encryption plus theft). Scam calls targeting patients for credit card details were reported, suggesting data exfiltration. Neighboring hospitals, such as Premier Health, declared a ‘code yellow’ due to increased patient influx. The attack severely impacted operational continuity, patient safety, and regional healthcare resilience, and recovery efforts are ongoing alongside cybersecurity teams. Long-term risks include follow-up financial fraud, reputational damage, and potential regulatory penalties for compromised patient data.

Source: https://cybersecuritynews.com/kettering-health-ransomware-attack/

Kettering Health cybersecurity rating report: https://www.rankiteo.com/company/ketteringhealth

"id": "KET5372653112625",
"linkid": "ketteringhealth",
"type": "Ransomware",
"date": "5/2025",
"severity": "100",
"impact": "7",
"explanation": "Attack that could injure or kill people"
{'affected_entities': [{'customers_affected': 'patients across 14 medical '
                                              'centers (exact number '
                                              'unspecified)',
                        'industry': 'healthcare',
                        'location': 'Ohio, USA',
                        'name': 'Kettering Health',
                        'size': '14 medical centers, 1,800+ medical '
                                'professionals',
                        'type': 'hospital network'}],
 'attack_vector': ['Remote Desktop Protocol (RDP)',
                   'social engineering (ClickFix technique)',
                   'malicious PowerShell commands',
                   'rundll32.exe execution',
                   'lateral movement'],
 'customer_advisories': ['monitor credit card statements',
                         'report suspicious calls to law enforcement',
                         'avoid sharing payment information over the phone'],
 'data_breach': {'data_encryption': True,
                 'data_exfiltration': True,
                 'personally_identifiable_information': True,
                 'sensitivity_of_data': 'high (healthcare and financial data)',
                 'type_of_data_compromised': ['patient data (potential)',
                                              'payment information (targeted '
                                              'in scam calls)']},
 'date_detected': '2025-05-20',
 'date_publicly_disclosed': '2025-05-21',
 'description': 'Kettering Health, a major hospital network operating 14 '
                'medical centers across Ohio, confirmed it has fallen victim '
                'to a ransomware attack by the Interlock ransomware group. The '
                'attack, occurring on May 20, 2025, triggered a comprehensive '
                'technology failure, forcing the cancellation of elective '
                'procedures and disrupting patient care systems. Emergency '
                'services continue under contingency protocols, with '
                'ambulances diverted to other facilities. The attack involved '
                'unauthorized network access, lateral movement via RDP, and '
                'potential data exfiltration. Scam calls targeting patients '
                'for credit card information have also been reported.',
 'impact': {'brand_reputation_impact': True,
            'data_compromised': True,
            'downtime': True,
            'identity_theft_risk': True,
            'operational_impact': ['cancellation of elective procedures',
                                   'emergency department diversions',
                                   'activation of downtime procedures',
                                   'disruption of patient care',
                                   'suspension of payment-related calls'],
            'payment_information_risk': True,
            'systems_affected': ['electronic health records (EHR)',
                                 'patient care systems',
                                 'payment systems',
                                 'communication systems']},
 'initial_access_broker': {'entry_point': ['Remote Desktop Protocol (RDP)',
                                           'social engineering (ClickFix '
                                           'technique)'],
                           'high_value_targets': ['patient data',
                                                  'payment systems']},
 'investigation_status': 'ongoing (system restoration and forensic analysis in '
                         'progress)',
 'motivation': ['financial gain (double extortion)', 'data theft'],
 'ransomware': {'data_encryption': True,
                'data_exfiltration': True,
                'ransomware_strain': 'Interlock (RaaS model)'},
 'references': [{'date_accessed': '2025-05-21',
                 'source': 'Kettering Health Official Announcement'},
                {'date_accessed': '2025-05-21',
                 'source': 'Greater Miami Valley EMS Council'},
                {'date_accessed': '2025-05-21',
                 'source': 'Greater Dayton Area Hospital Association '
                           'Statement'}],
 'response': {'communication_strategy': ['public announcement',
                                         'coordination with regional '
                                         'healthcare associations (e.g., '
                                         'Greater Dayton Area Hospital '
                                         'Association)',
                                         'patient advisories on credit '
                                         'monitoring'],
              'containment_measures': ['downtime procedures',
                                       'suspension of payment-related calls',
                                       'patient advisories on scam calls'],
              'incident_response_plan_activated': True,
              'law_enforcement_notified': True,
              'remediation_measures': ['system restoration in progress'],
              'third_party_assistance': ['external cybersecurity teams']},
 'stakeholder_advisories': ['Greater Dayton Area Hospital Association',
                            'Premier Health (code yellow declaration)',
                            'Greater Miami Valley EMS Council'],
 'threat_actor': 'Interlock Ransomware Group',
 'title': 'Ransomware Attack on Kettering Health Disrupts Patient Care Systems',
 'type': ['ransomware', 'data breach', 'cyberattack']}