InterLock Claims Park Dental Research in 24-Hour Healthcare Blitz

InterLock ransomware posted four new victims in 24 hours on May 11, including Park Dental Research — a US healthcare target flagged in active FBI and HHS advisories.

    InterLock ransomware posted four new victims on May 11 in a single-day escalation of its double-extortion campaign, claiming organizations across healthcare, public libraries, hospitality, and non-profits. Park Dental Research, a US dental research organization, is the most significant healthcare target in the batch — appearing on the same leak site that the FBI and the Department of Health and Human Services warned about in a joint advisory specifically addressing InterLock’s healthcare targeting.

    InterLock’s May 11 Victim List Spans Four Sectors in 24 Hours

    The four organizations posted on May 11 are: Park Dental Research in the United States, Kent District Library in the United States, Waterford Hotel Group in Ireland, and First United Methodist Church Boerne in Texas. The volume — four victims in a single day across four different sectors and two countries — indicates an active affiliate base capable of running simultaneous operations.

    Park Dental Research almost certainly holds protected health information for a significant patient population. A breach of dental research records triggers mandatory breach notification under HIPAA: covered entities and business associates must notify affected individuals and the Department of Health and Human Services within 60 days of discovering a breach affecting 500 or more individuals. The organization must also assess whether the exposure extends to research data subject to additional regulatory frameworks.

    Kent District Library, as a public sector institution, holds library card records and patron borrowing histories — data protected under state library confidentiality laws in Michigan. Waterford Hotel Group, based in Ireland, faces GDPR notification requirements for any exposure of guest records. The breadth of sector targeting in a single 24-hour window reflects InterLock’s operational model: rather than specializing in one industry, the group casts a wide affiliate net.

    FBI and HHS Had Specifically Warned Healthcare Providers About InterLock

    The joint FBI and HHS advisory on InterLock, issued before May 11’s escalation, specifically called out the group’s pattern of targeting healthcare organizations and provided indicators of compromise for network defenders. The advisory elevated InterLock to a named threat in the US government’s health sector threat tracking — a designation that triggers compliance implications for health systems that receive federal funding.

    Park Dental Research’s appearance on InterLock’s leak site following that advisory demonstrates a common dynamic: sector-specific government warnings about ransomware groups do not consistently translate to rapid defensive improvements at smaller healthcare organizations. Dental practices and dental research organizations typically lack the security operations infrastructure of large hospital systems, and they hold equally sensitive clinical data.

    InterLock’s double-extortion model compounds the regulatory exposure. The group encrypts victim systems to cause operational disruption while separately threatening to publish stolen data on its leak site if payment is not made. For a healthcare organization, the publication of patient health information triggers HIPAA breach notification independent of whether the organization recovers its systems through backups — the data exposure event has already occurred.

    InterLock’s Affiliate Expansion Across Non-Healthcare Targets

    The inclusion of a library, a hotel group, and a church in the May 11 posting alongside a healthcare victim illustrates InterLock’s affiliate recruitment strategy. Ransomware-as-a-service operations grow their victim volume by lowering the bar for affiliates: providing pre-packaged ransomware, leak site infrastructure, and negotiation support in exchange for a share of ransoms paid.

    Non-healthcare targets like Kent District Library and First United Methodist Church Boerne typically lack incident response resources, rarely carry cyber insurance sized to ransomware events, and have limited leverage in negotiation with criminal groups. They are, however, covered by state breach notification laws that create public disclosure requirements even when the organizations themselves prefer to resolve incidents quietly.

    Waterford Hotel Group’s inclusion indicates InterLock’s affiliate activity has geographic reach beyond North America, consistent with RaaS operations that recruit affiliates through forums accessible globally. Irish and EU-based victims face GDPR Article 33 breach notification requirements — 72 hours from discovery — adding regulatory urgency to incident response for European organizations on any RaaS group’s victim list.

    InterLock’s pace across May 11 suggests the group is in an expansion phase. Four victims in one day across four sectors and two countries is not consistent with a small or newly organized operation.
