Microsoft: US Healthcare Sector Targeted by INC Ransomware Affiliate

Microsoft has observed the threat actor Vanilla Tempest targeting US healthcare organizations with INC ransomware.

A threat actor has been observed using the INC (Inc Ransom) ransomware in attacks targeting organizations in the US healthcare sector, Microsoft warns.

Microsoft tracks the threat actor, a financially motivated cybercrime group, as Vanilla Tempest. The group targets systems previously infected with the Gootloader malware, using that initial access to expand its foothold on the compromised networks and deploy ransomware.

“Vanilla Tempest receives hand-offs from Gootloader infections by the threat actor Storm-0494, before deploying tools like the Supper backdoor, the legitimate AnyDesk remote monitoring and management (RMM) tool, and the MEGA data synchronization tool,” Microsoft revealed on X (formerly Twitter).

Next, the threat actor was seen abusing the Remote Desktop Protocol (RDP) to move laterally on the victim organization’s network, and employing the Windows Management Instrumentation (WMI) Provider Host to deploy the ransomware payload.
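The chain described above (a WMI Provider Host launching the payload, alongside AnyDesk and MEGA on the same host) can be turned into a simple triage rule over process-creation telemetry. The following is an added example, not code from the article or from Microsoft; the event shape, the sample events and the "expected WMI children" allow-list are constructed assumptions.

```python
# Added example (not from the SecurityWeek article): a small triage rule set
# over constructed Sysmon-style process-creation events, flagging the
# behaviours the article attributes to Vanilla Tempest.
from collections import defaultdict

# Constructed sample events: host, parent image, child image, user.
SAMPLE_EVENTS = [
    {"host": "WS-01", "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\wbem\WMIADAP.exe", "user": "SYSTEM"},
    {"host": "FS-02", "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Users\Public\svc.exe", "user": "CORP\\svc_backup"},
    {"host": "FS-02", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\jdoe\AppData\Local\AnyDesk\AnyDesk.exe", "user": "CORP\\jdoe"},
    {"host": "FS-02", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\jdoe\AppData\Local\MEGAsync\MEGAsync.exe", "user": "CORP\\jdoe"},
]

# Tools named in the article; their presence alone is not malicious, so they
# only raise the score of a host that also shows WMI-launched execution.
RMM_AND_SYNC_TOOLS = {"anydesk.exe", "megasync.exe"}
# Assumed benign children of WmiPrvSE.exe in normal operation (tune per estate).
EXPECTED_WMI_CHILDREN = {"wmiadap.exe", "wmic.exe"}

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def triage(events):
    """Return {host: [finding, ...]} for hosts with at least one finding."""
    findings = defaultdict(list)
    for e in events:
        child = basename(e["image"])
        # Rule 1: WMI Provider Host spawning something outside the allow-list.
        if basename(e["parent"]) == "wmiprvse.exe" and child not in EXPECTED_WMI_CHILDREN:
            findings[e["host"]].append(f"wmi_remote_exec:{child}")
        # Rule 2: RMM / cloud-sync tooling seen on the host.
        if child in RMM_AND_SYNC_TOOLS:
            findings[e["host"]].append(f"tool:{child}")
    return dict(findings)

def hosts_at_risk(findings):
    """Escalate hosts that show both WMI-launched execution and an RMM/sync tool."""
    return sorted(h for h, f in findings.items()
                  if any(x.startswith("wmi_") for x in f)
                  and any(x.startswith("tool:") for x in f))
```

Run `hosts_at_risk(triage(SAMPLE_EVENTS))` to see only the host combining both behaviours escalated; WS-01 is not flagged because its WMI child is on the allow-list.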

Vanilla Tempest, Microsoft says, has been active for at least two years, mainly targeting entities in the education, healthcare, IT, and manufacturing sectors.

According to available cybersecurity reports, Vanilla Tempest’s activity overlaps with that of Vice Society, which is also tracked as DEV-0832, and which has been active since at least June 2021. In 2022, the US government issued an alert on the group’s attacks on the US education sector.

Although it uses multiple ransomware families in attacks, Vice Society is likely associated with the Rhysida ransomware gang, according to a Check Point report last year.

Previously, the threat actor was observed using various ransomware families in its attacks, including BlackCat, Rhysida, Quantum Locker, and Zeppelin.


The INC ransomware Vanilla Tempest has been deploying in recent attacks has been active for roughly a year, being offered under a ransomware-as-a-service (RaaS) model, which suggests that Vanilla Tempest is only an affiliate.

Previously, INC ransomware affiliates have claimed responsibility for cyberattacks on Access Sports, Xerox Business Solutions US, and Yamaha Motor Philippines.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
