A threat actor has been observed using the INC (Inc Ransom) ransomware in attacks targeting organizations in the US healthcare sector, Microsoft warns.
Microsoft tracks the threat actor as Vanilla Tempest, a financially motivated cybercrime group. It targets systems previously infected with the Gootloader malware, using that initial foothold to expand its access across the compromised networks and deploy ransomware.
“Vanilla Tempest receives hand-offs from Gootloader infections by the threat actor Storm-0494, before deploying tools like the Supper backdoor, the legitimate AnyDesk remote monitoring and management (RMM) tool, and the MEGA data synchronization tool,” Microsoft revealed on X (formerly Twitter).
Next, the threat actor was seen abusing the Remote Desktop Protocol (RDP) to move laterally on the victim organization’s network, and employing the Windows Management Instrumentation (WMI) Provider Host to deploy the ransomware payload.
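The two post-compromise behaviours the article attributes to Vanilla Tempest, the AnyDesk and MEGA tools and ransomware deployment through the WMI Provider Host, both leave process-creation evidence a defender can hunt for. The following is an added example that is not part of the article or of any Microsoft tooling: a small detection pass over constructed, Sysmon-style process-creation records. The event schema, the host names, the list of "benign" WmiPrvSE.exe children and the binary names used for AnyDesk and MEGA are all assumptions made for illustration, not indicators taken from the report.

```python
"""Added example: flag process-creation events consistent with the
behaviours described in the article. Schema and sample data are
constructed; tune the allow-lists to your own environment."""

from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (constructed, Sysmon-like schema)."""
    host: str
    parent_image: str
    image: str
    cmdline: str


# Assumed binary names for the two tools the article names. Presence alone
# is not proof of intrusion; it is a lead to check against change records.
SUSPECT_TOOLS = {"anydesk.exe", "megasync.exe"}

# Assumed set of children that the WMI Provider Host normally spawns.
# Anything else launched by WmiPrvSE.exe is treated as worth a look.
WMI_BENIGN_CHILDREN = {"wmiprvse.exe", "conhost.exe", "werfault.exe"}


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX style path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: ProcEvent) -> list[str]:
    """Return a list of finding strings for a single event (empty if clean)."""
    findings = []
    parent = basename(ev.parent_image)
    child = basename(ev.image)
    if parent == "wmiprvse.exe" and child not in WMI_BENIGN_CHILDREN:
        findings.append(f"wmi-provider-host spawned {child}")
    if child in SUSPECT_TOOLS:
        findings.append(f"remote-access/sync tool launched: {child}")
    return findings


def scan(events: list[ProcEvent]) -> dict[str, list[str]]:
    """Group findings by host so an analyst sees which machines to triage."""
    report: dict[str, list[str]] = {}
    for ev in events:
        for finding in classify(ev):
            report.setdefault(ev.host, []).append(finding)
    return report


# Constructed sample telemetry: one normal WMI host start, one payload
# launched via WmiPrvSE.exe, one AnyDesk start, and one benign event.
SAMPLE_EVENTS = [
    ProcEvent("ws-01", r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\wbem\WmiPrvSE.exe", "WmiPrvSE.exe"),
    ProcEvent("ws-01", r"C:\Windows\System32\wbem\WmiPrvSE.exe",
              r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /c \\share\placeholder-payload.exe"),  # constructed
    ProcEvent("ws-02", r"C:\Windows\explorer.exe",
              r"C:\Users\jdoe\AppData\Local\AnyDesk\AnyDesk.exe", "AnyDesk.exe"),
    ProcEvent("ws-03", r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]

if __name__ == "__main__":
    for host, findings in scan(SAMPLE_EVENTS).items():
        for f in findings:
            print(f"{host}: {f}")
```

The WmiPrvSE.exe rule is intentionally an allow-list rather than a block-list: legitimate management software also drives processes through WMI, so the practical work is baselining which children are normal on your fleet and alerting on the remainder, then correlating with RDP logons from unexpected source hosts.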
Vanilla Tempest, Microsoft says, has been active for at least two years, mainly targeting entities in the education, healthcare, IT, and manufacturing sectors.
According to available cybersecurity reports, Vanilla Tempest’s activity overlaps with that of Vice Society, which is also tracked as DEV-0832, and which has been active since at least June 2021. In 2022, the US government issued an alert on the group’s attacks on the US education sector.
Although it uses multiple ransomware families in attacks, Vice Society is likely associated with the Rhysida ransomware gang, according to a Check Point report last year.
Previously, the threat actor was observed using various ransomware families in its attacks, including BlackCat, Rhysida, Quantum Locker, and Zeppelin.
The INC ransomware that Vanilla Tempest has been deploying in recent attacks has been active for roughly a year and is offered under a ransomware-as-a-service (RaaS) model, which suggests that Vanilla Tempest is only an affiliate.
Previously, INC ransomware affiliates have claimed responsibility for cyberattacks on Access Sports, Xerox Business Solutions US, and Yamaha Motor Philippines.