The INTERLOCK ransomware group has added two new victims to its dark web leak site: Apex Spine and Neurosurgery (United States) and Aero Fabrications Limited (United Kingdom). The listings underline the group's continued cross-sector, international targeting, hitting both healthcare and manufacturing in a single disclosure.
What We Know
Apex Spine and Neurosurgery (United States)
| Detail | Information |
|---|---|
| Industry | Healthcare: spinal and neurological surgery |
| Location | United States |
| Status | Listed on INTERLOCK leak site |
Apex Spine and Neurosurgery is a medical practice specializing in comprehensive neurosurgical care. Healthcare organizations remain prime ransomware targets due to:
- Highly sensitive patient data (PHI) protected under HIPAA
- Critical operational continuity requirements
- Often legacy systems with delayed security updates
- High willingness to pay to restore operations
Aero Fabrications Limited (United Kingdom)
| Detail | Information |
|---|---|
| Industry | Manufacturing: aerospace and precision engineering |
| Location | United Kingdom |
| Files claimed | 18,878 files |
| Folders claimed | 1,134 folders |
| Data volume | ~4 GB |
| Status | Listed on INTERLOCK leak site |
Aero Fabrications operates in the precision manufacturing sector, likely serving aerospace and defense supply chains. Manufacturing targets present attackers with:
- Proprietary engineering designs and specifications
- Supply chain intelligence
- Customer/contract data
- Operational technology (OT) system access
About INTERLOCK Ransomware
INTERLOCK is a relatively new ransomware operation, first observed in late 2024. The group operates on a double-extortion model:
- Encrypt victim systems, rendering data and operations inaccessible
- Exfiltrate data beforehand, threatening public release if the ransom isn't paid
INTERLOCK Technical Characteristics
| Attribute | Detail |
|---|---|
| Target platforms | Windows and Linux systems (a FreeBSD encryptor has also been reported) |
| Encryption | Hybrid encryption (AES + RSA) |
| Leak site | Tor-based dark web portal |
| Payment | Cryptocurrency (typically Monero/Bitcoin) |
Unlike ransomware-as-a-service (RaaS) groups that rely on affiliates, INTERLOCK appears to operate as a closed group, maintaining tighter operational security and victim selection.
Healthcare: A Persistent Target
This incident continues the troubling trend of ransomware groups targeting healthcare organizations. Medical practices face unique challenges:
Why Healthcare Is Targeted
- Data value: Medical records are reported to sell for many times the price of payment card data on dark markets, partly because a diagnosis or insurance identity cannot be cancelled and reissued the way a card can
- Operational pressure: Patient care cannot wait for extended recovery windows
- Compliance liability: HIPAA violations add regulatory pressure beyond ransom demands
- Legacy infrastructure: Medical devices and systems often run outdated software
Recent Healthcare Ransomware Incidents
| Organization | Group | Date | Impact |
|---|---|---|---|
| Change Healthcare | ALPHV/BlackCat | Feb 2024 | $22M ransom, months of disruption |
| Ascension Health | Black Basta | May 2024 | 140 hospitals affected |
| Apex Spine and Neurosurgery | INTERLOCK | Jan 2026 | Under investigation |
Manufacturing Supply Chain Risk
Aero Fabrications' inclusion highlights ransomware groups' interest in manufacturing and aerospace supply chains. The attackers have not published the contents of the claimed 18,878 files, but a precision manufacturer's file share typically holds the categories below.
Potential Data Exposure
- Engineering specifications: CAD files, technical drawings, tolerances
- Quality documentation: Inspection reports, certifications, compliance records
- Customer data: Contract details, pricing, order histories
- Process information: Manufacturing procedures, proprietary techniques
For aerospace suppliers, data theft extends risk to:
- Defense contractors relying on the supply chain
- Competing manufacturers seeking intelligence
- Nation-state actors interested in technical capabilities
Double-Extortion in Practice
INTERLOCK's listing of both organizations demonstrates the double-extortion playbook:
Timeline typical for double-extortion attacks:
1. Initial access: weeks to months before encryption
2. Network reconnaissance: identify valuable data and systems
3. Data exfiltration: copy files to attacker infrastructure
4. Encryption deployment: lock systems, drop ransom note
5. Extortion begins: pay or the data goes public
6. Leak site listing: public pressure when victims don't pay
The appearance on INTERLOCK's leak site suggests one of the following:
- Ransom negotiations failed: the victims refused to pay
- Proof of compromise: demonstrating stolen data to pressure payment
- Deadline approaching: a final warning before full data publication
Implications and Response
For Affected Organizations
Organizations listed on ransomware leak sites should:
- Assume full compromise: treat all data as potentially exfiltrated
- Engage incident response: forensics to determine scope and entry point
- Notify affected parties: patients, customers, and partners as required by law
- Report to authorities: FBI IC3, CISA, and relevant regulators
- Monitor for data publication: prepare for disclosure scenarios
For Similar Organizations
Healthcare and manufacturing organizations should assess their exposure:
| Action | Priority |
|---|---|
| Verify backup integrity and offline storage | Critical |
| Audit remote access systems (VPN, RDP) | Critical |
| Review privileged access controls | High |
| Test incident response procedures | High |
| Assess data segmentation | Medium |
| Evaluate cyber insurance coverage | Medium |
Key Takeaways
- INTERLOCK ransomware listed two new victims: a US healthcare provider and UK manufacturer
- Cross-sector targeting demonstrates opportunistic, international operations
- Healthcare remains vulnerable due to data sensitivity and operational pressure
- Manufacturing supply chains face intellectual property and customer data risks
- Double-extortion makes data protection as critical as backup strategies
Protecting Against Ransomware
Traditional defenses focus on preventing initial access and maintaining backups. But in the era of double-extortion, preventing data theft is equally important, because a clean restore from backup does nothing about data that has already left the network:
- Network segmentation: limit what attackers can reach post-compromise
- Data classification: know where sensitive information resides
- Encryption at rest: ensure stolen files are unusable without keys. Note that full-disk or transparent database encryption does not help against an attacker reading files through a compromised account, which is how most exfiltration happens; the keys need to sit outside the environment the attacker controls
- Zero-trust architecture: verify every access request
- Endpoint and egress detection: catch bulk exfiltration and mass encryption attempts early
The organizations affected by INTERLOCK face difficult decisions ahead. For others, this incident is a reminder that ransomware preparedness must address both operational recovery and data exposure scenarios.
Need to ensure your sensitive data remains protected even when attackers gain access? Learn how CIFER's encryption architecture keeps data secure regardless of infrastructure compromise.