
Microsoft cautions about fresh INC ransomware attacking U.S. healthcare sector


In a recent development, Microsoft has disclosed that a financially motivated threat actor has been identified using a ransomware strain called INC to target the healthcare sector in the United States. This marks the first instance of the ransomware being deployed in such attacks, raising concerns about the potential impact on critical systems and sensitive data.

Microsoft's threat intelligence team tracks the threat actor responsible for these activities as Vanilla Tempest, previously known as DEV-0832. According to reports, Vanilla Tempest is leveraging a multi-stage attack chain, receiving hand-offs from GootLoader infections orchestrated by the threat actor Storm-0494. Subsequently, the attackers deploy a series of tools including the Supper backdoor, the legitimate AnyDesk remote monitoring and management tool, and the MEGA data synchronization tool to facilitate their malicious activities.

Following the initial infiltration, the threat actors pivot to lateral movement through Remote Desktop Protocol (RDP) and utilize the Windows Management Instrumentation (WMI) Provider Host to deliver the INC ransomware payload. This strategic approach enables the attackers to maximize their impact and encrypt critical data across targeted networks, generating financial gain through ransom demands.
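For defenders, the stages named in the two paragraphs above (AnyDesk, MEGA, RDP logons, processes started by the WMI Provider Host) can be correlated per host, since each is common on its own. The following is an added example, not code from Microsoft or from this article; the event schema, host names, paths and sample events are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (assumed, simplified schema): event_id 1 is a
# Sysmon process creation, event_id 4624 with logon_type 10 is an RDP logon.
EVENTS = [
    {"ts": "2024-01-10T09:02:00", "host": "ws-014", "event_id": 1,
     "image": r"C:\Users\a\Downloads\AnyDesk.exe", "parent": r"C:\Windows\explorer.exe"},
    {"ts": "2024-01-10T09:40:00", "host": "ws-014", "event_id": 1,
     "image": r"C:\Users\a\AppData\Local\MEGAsync\MEGAsync.exe", "parent": r"C:\Windows\explorer.exe"},
    {"ts": "2024-01-10T11:15:00", "host": "fs-02", "event_id": 4624, "logon_type": 10},
    {"ts": "2024-01-10T11:31:00", "host": "fs-02", "event_id": 1,
     "image": r"C:\ProgramData\update.exe", "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
    {"ts": "2024-01-10T08:00:00", "host": "hr-07", "event_id": 4624, "logon_type": 10},
    {"ts": "2024-01-02T08:00:00", "host": "db-01", "event_id": 4624, "logon_type": 10},
    {"ts": "2024-01-10T08:00:00", "host": "db-01", "event_id": 1,
     "image": r"C:\Windows\System32\cmd.exe", "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
]
TOOLS = {"anydesk.exe": "rmm_tool", "megasync.exe": "sync_tool"}

def base(path):
    return path.lower().rsplit("\\", 1)[-1]

def classify(ev):
    """Map one event to a stage of the chain described above, or None."""
    if ev["event_id"] == 4624 and ev.get("logon_type") == 10:
        return "rdp_logon"
    if ev["event_id"] == 1:
        if base(ev["image"]) in TOOLS:
            return TOOLS[base(ev["image"])]
        if base(ev["parent"]) == "wmiprvse.exe":
            return "wmi_child"
    return None

def chain_hosts(events, window=timedelta(hours=24), min_stages=2):
    """Return {host: stages} for hosts with >= min_stages distinct stages in one window."""
    per_host = defaultdict(list)
    for ev in events:
        stage = classify(ev)
        if stage:
            per_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), stage))
    hits = {}
    for host, seen in per_host.items():
        seen.sort()
        for start, _ in seen:
            stages = {s for t, s in seen if timedelta(0) <= t - start <= window}
            if len(stages) >= min_stages:
                hits[host] = sorted(stages)
                break
    return hits
```

On the sample data, `chain_hosts(EVENTS)` flags `ws-014` and `fs-02`, while `hr-07` (a lone RDP logon) and `db-01` (two stages eight days apart) stay below the threshold.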

Microsoft has indicated that Vanilla Tempest has been active since at least July 2022, with previous attacks spanning various sectors including education, healthcare, IT, and manufacturing. The threat actor has employed a range of ransomware families such as BlackCat, Quantum Locker, Zeppelin, and Rhysida in previous campaigns, showcasing the diverse tactics employed to achieve their objectives.

Furthermore, Vanilla Tempest is also known as Vice Society, a group recognized for utilizing pre-existing lockers rather than developing custom ransomware variants. This distinction sets Vice Society apart in the threat landscape, showcasing a preference for leveraging established tools to carry out attacks with efficiency and effectiveness.

The emergence of Vanilla Tempest and its use of the INC ransomware underscores the evolving nature of cyber threats facing organizations, particularly in the healthcare sector where the protection of sensitive patient data is paramount. With ransomware groups like BianLian and Rhysida increasingly utilizing cloud-based tools such as Azure Storage Explorer and AzCopy for data exfiltration, the need for advanced security measures to detect and prevent such attacks has never been more critical.

As researchers and security experts continue to monitor the activities of threat actors like Vanilla Tempest and Vice Society, it is essential for organizations to enhance their cybersecurity defenses and implement robust incident response plans to mitigate the potential impact of ransomware attacks. By staying vigilant and proactive in addressing emerging threats, businesses can safeguard their critical assets and minimize the risk of falling victim to malicious actors in the digital landscape.
