Kettering Health Suffers System

Kettering Health, a major hospital network operating 14 medical centers across Ohio, confirmed Tuesday it has fallen victim to a ransomware attack that triggered a comprehensive technology failure across its facilities. 

The cyberattack, which occurred on May 20, 2025, has forced the cancellation of all elective procedures and disrupted multiple patient care systems, while emergency services continue to operate under contingency protocols.

“We are currently experiencing a cybersecurity incident resulting from unauthorized access to our network,” Kettering Health stated in an official announcement released Tuesday morning. 

Attack Impacts Patient Care & Hospital Operations

The health network, which employs over 1,800 medical professionals, immediately implemented downtime procedures designed to maintain patient care despite the loss of electronic systems.

The Greater Miami Valley EMS Council reported that Kettering emergency departments have been placed on diversion status, with ambulances being redirected to other facilities in the region. 

Meanwhile, neighboring Premier Health has declared a “code yellow” in anticipation of increased patient volumes resulting from the diversions.

“While the incident is deeply concerning, it is also a powerful reminder of the critical importance of collaboration, preparedness, and resilience in healthcare,” the Greater Dayton Area Hospital Association stated in response to the attack. 

The organization emphasized that regional hospitals regularly train for such scenarios through “coordinated drills, downtime documentation and procedures, and real-time communication channels”.

Interlock Ransomware Group Behind Sophisticated Attack

Interlock operates under the Ransomware-as-a-Service (RaaS) model and is known for employing a “double extortion” strategy that combines data encryption with data theft. 

The group has recently expanded its capabilities to include the “ClickFix” technique, which deploys malicious PowerShell commands using social engineering tactics.

Technical indicators suggest the attack likely involved lateral movement through Remote Desktop Protocol (RDP), with potential use of tools like rundll32.exe to execute malicious DLLs: rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll. 

Encrypted C2 communications over HTTPS typically follow, using obfuscated infrastructure.
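
Detection logic for the two process behaviours described above, as an added example that is not from the original article or from the Kettering Health investigation: it flags rundll32.exe loading a DLL from a user-writable directory, and PowerShell started by explorer.exe with hidden-window or encoded-command switches, the parent-child pair a command pasted into the Run dialog produces. The event fields, hostnames, file paths, rule names and the choice of heuristics are constructed assumptions.

```python
import re

# Constructed process-creation events (Sysmon Event ID 1 style); not incident data.
EVENTS = [
    {"host": "ws-01", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"powershell -w hidden -enc PLACEHOLDER"},
    {"host": "ws-01", "parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmd": r"rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll"},
    {"host": "srv-02", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmd": r"rundll32.exe C:\Users\Public\update.dll,Start"},
    {"host": "ws-03", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"powershell -File C:\Scripts\inventory.ps1"},
]

# Assumed heuristic: directories any user can usually write to.
USER_WRITABLE = re.compile(r"\\(users|programdata|windows\\temp)\\", re.I)
# First argument to rundll32 is the DLL path, up to the comma before the export.
DLL_ARG = re.compile(r'rundll32(?:\.exe)?"?\s+"?([^\s,"]+)', re.I)
# Hidden-window or encoded-command switches (abbreviated forms included).
PS_FLAGS = re.compile(r"\s-(e|en|enc|encodedcommand|w|windowstyle)\b", re.I)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def classify(ev):
    """Return a rule name for a suspicious event, or None."""
    image, parent = basename(ev["image"]), basename(ev["parent"])
    if image == "rundll32.exe":
        m = DLL_ARG.search(ev["cmd"])
        if m and USER_WRITABLE.search(m.group(1)):
            return "rundll32-user-writable-dll"
    if (image in ("powershell.exe", "pwsh.exe") and parent == "explorer.exe"
            and PS_FLAGS.search(ev["cmd"])):
        return "explorer-spawned-powershell"
    return None

def triage(events):
    hits = []
    for ev in events:
        rule = classify(ev)
        if rule:
            hits.append((ev["host"], rule))
    return hits

if __name__ == "__main__":
    for host, rule in triage(EVENTS):
        print(f"{host}: {rule}")
```

The shell32.dll invocation quoted in the article is not flagged, because the DLL sits in System32; the rule keys on where the DLL is loaded from, not on rundll32.exe running at all.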

Kettering Health has confirmed reports of scam calls targeting its patients. These calls come from individuals claiming to be network representatives requesting credit card information for medical expenses. 

The health system has suspended all legitimate payment-related calls until further notice and urges anyone receiving suspicious calls to contact law enforcement.

As Kettering Health continues working with external cybersecurity teams to restore its systems, patients are advised to monitor their credit card statements and remain vigilant against potential follow-up scams that could result from data exfiltration. 

The health network has emphasized its commitment to patient safety as it navigates what has become an increasingly common threat to America’s healthcare infrastructure.

Kaaviya
Kaaviya is a Security Editor and fellow reporter with Cyber Security News. She covers various cybersecurity incidents happening in cyberspace.