Vice Society Deploys Inc Ransomware in Healthcare Breach

Inc ransomware is a growing concern, especially after the recent targeting of American healthcare organizations by the well-known threat actor Vice Society. The group, also known as Vanilla Tempest and operating since July 2022, has used various ransomware families, including BlackCat, Hello Kitty, Quantum Locker, Rhysida, Zeppelin, and its custom-made Inc ransomware, to carry out double extortion attacks.

According to Microsoft Threat Intelligence Center (MSTIC), Vice Society’s use of Inc ransomware marks a significant shift in their tactics. Jeremy Dallman, MSTIC’s senior director of threat intelligence, emphasized the group’s impact on the healthcare sector and the broader ransomware landscape. While Vice Society has targeted industries like IT and manufacturing, their primary focus remains the education and healthcare sectors.

Healthcare organizations have increasingly become prime targets for cybercriminals due to the nature of the sensitive data they possess. Check Point Research highlighted that healthcare is the most frequently targeted industry by ransomware actors, with global healthcare organizations experiencing an average of 2,018 attacks per week, marking a 32% increase from the previous year. Cindi Carter, Check Point’s CISO for the Americas, warned about the high value of healthcare data to cybercriminals, making it a lucrative target.

In recent attacks on healthcare organizations, Vice Society gained initial access to victims through previous infections with the Gootloader backdoor-loader. They then deployed various tools, including the Supper backdoor, AnyDesk’s remote monitoring and management solution, and MEGA’s data synchronization tool, to facilitate their operations. By using Remote Desktop Protocol and abusing the Windows Management Instrumentation provider host, Vice Society successfully dropped the Inc ransomware on affected networks.
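The tooling named above lends itself to per-host correlation, since each tool on its own is often legitimate. The following is an added example, not code from the article or from Microsoft's reporting: it flags hosts where at least two of the described behaviours appear within one time window. The record layout, the executable image names, the interpreter list, and the 24-hour window are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed process-creation records: (host, UTC time, parent image, image).
# Layout and image names are assumptions; the article names only the tools.
SAMPLE_EVENTS = [
    ("HOST-A", "2024-09-18T02:10:00", "explorer.exe", "AnyDesk.exe"),
    ("HOST-A", "2024-09-18T02:40:00", "explorer.exe", "MEGAsync.exe"),
    ("HOST-A", "2024-09-18T03:05:00", "WmiPrvSE.exe", "cmd.exe"),
    ("HOST-B", "2024-09-18T09:00:00", "explorer.exe", "AnyDesk.exe"),   # single signal
    ("HOST-C", "2024-09-18T11:00:00", "WmiPrvSE.exe", "powershell.exe"),
    ("HOST-C", "2024-09-20T11:00:00", "explorer.exe", "MEGAsync.exe"),  # 48 h later
]

# Assumed set of child images worth flagging under the WMI provider host.
INTERPRETERS = {"cmd.exe", "powershell.exe"}

def classify(parent, image):
    """Map one process-creation record to a signal name, or None."""
    parent, image = parent.lower(), image.lower()
    if image == "anydesk.exe":
        return "remote_access"
    if image == "megasync.exe":
        return "sync_tool"
    if parent == "wmiprvse.exe" and image in INTERPRETERS:
        return "wmi_child"
    return None

def correlate(events, window=timedelta(hours=24), min_signals=2):
    """Return {host: sorted signals} where >= min_signals distinct signals fall in one window."""
    per_host = defaultdict(list)
    for host, ts, parent, image in events:
        signal = classify(parent, image)
        if signal:
            per_host[host].append((datetime.fromisoformat(ts), signal))
    flagged = {}
    for host, hits in per_host.items():
        hits.sort()
        best = set()
        for i, (start, _) in enumerate(hits):
            # Distinct signals seen from this hit up to the end of the window.
            seen = {s for t, s in hits[i:] if t - start <= window}
            if len(seen) > len(best):
                best = seen
        if len(best) >= min_signals:
            flagged[host] = sorted(best)
    return flagged

if __name__ == "__main__":
    for host, signals in correlate(SAMPLE_EVENTS).items():
        print(host, signals)
```

Hosts where the remote-access or sync tool is approved software will still surface when a second signal appears, which is the point of correlating rather than alerting on each tool alone.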

The Inc ransomware-as-a-service (RaaS) operation, active since last summer, has made headlines for compromising large organizations such as Xerox and Scotland’s National Health Service. Jason Baker, a threat intelligence consultant, highlighted the structured approach of Inc affiliates in negotiation processes, distinguishing them from other ransomware groups. Baker compared their tactics to a calculated bank robbery versus a random alley mugging, illustrating the level of sophistication in their attacks.

Recently, Inc ransomware’s encryption keys were leaked, potentially aiding defenders in data recovery efforts. However, Baker warned that the situation is more complex, especially in the healthcare sector. Organizations may opt not to pay a ransom if they can recover data without a decryptor, but the double extortion method still poses threats, especially when sensitive personal health information or intellectual property is involved. This underscores the importance of cybersecurity measures and preparedness in defending against ransomware attacks.
