Vanilla Tempest [1] [2] [3] [4] [5] [6] [7] [8] [9] [10], also known as Vice Society and previously tracked as DEV-0832, is a financially motivated threat actor that has recently targeted American healthcare organizations using the INC ransomware strain.
Description
Microsoft’s Threat Intelligence Center (MSTIC) observed Vanilla Tempest receiving hand-offs from Gootloader infections by the threat actor Storm-0494 before deploying tools such as the Supper backdoor [5], AnyDesk [2] [3] [5] [6], and the MEGA data synchronization tool [3] [5] [6]. The actor therefore obtains initial access through a third party’s infection and relies on legitimate remote-access and data-synchronization tools for the stages that follow. It then deploys the INC ransomware [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] payload using RDP and the Windows Management Instrumentation (WMI) Provider Host.

INC ransomware, a ransomware-as-a-service operation [2] [3] [4] [5] [9], has been active since July 2022 and has targeted public and private organizations [9], including Yamaha Motor Philippines [4] [9], Xerox Business Solutions [4] [9], and Scotland’s National Health Service [4] [8] [9]. The shift to INC ransomware for healthcare targeting may be explained by the double-extortion tooling the ransomware-as-a-service operation offers [1]. Healthcare organizations are prime targets for ransomware because of the high value of the data they hold [8], and the structured negotiation process of INC affiliates, combined with the potential for double extortion, makes them a formidable threat to such organizations [8].

McLaren Health Care [2] [3] [4] [7] [9], a Michigan-based non-profit healthcare system [2] [3], was reported to have been affected by an INC ransomware attack last month [2], causing disruptions and data loss [4].

The expanding threat landscape requires greater collaboration between providers [5], security experts [5], law enforcement [5], government agencies responsible for cybersecurity [5], and ISACs, so that threat intelligence and defensive best practices can be shared against imminent threats such as Vanilla Tempest’s targeting of vulnerable healthcare services and critical assets.
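As an added illustration from the defender’s side (example code written for this page, not Microsoft’s detection logic or any vendor’s rule set), the following Python sketch flags the two observable stages named in the brief, execution of the legitimate AnyDesk/MEGA tools and process launches parented by WMI Provider Host, and correlates them per host. Host names, file paths and timestamps in the sample events are constructed.

```python
"""Detection sketch for the tooling sequence described in the brief:
AnyDesk/MEGA execution followed by a shell spawned under WmiPrvSE.exe.
Events are constructed Sysmon-style process-creation records."""
from collections import defaultdict
from datetime import datetime, timedelta

REMOTE_TOOLS = {"anydesk.exe", "megasync.exe"}   # legitimate tools abused per the brief
WMI_HOST = "wmiprvse.exe"                        # Windows WMI Provider Host
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "rundll32.exe"}
CHAIN_WINDOW = timedelta(hours=24)               # correlation window per host

def _base(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def evaluate(events):
    """Return per-event findings as (host, timestamp, rule_name)."""
    findings = []
    for e in events:
        ts = datetime.fromisoformat(e["time"])
        img, parent = _base(e["image"]), _base(e["parent"])
        if img in REMOTE_TOOLS:
            findings.append((e["host"], ts, "remote_tool_execution"))
        if parent == WMI_HOST and img in SHELLS:
            findings.append((e["host"], ts, "wmi_spawned_shell"))
    return findings

def hosts_with_chain(findings, window=CHAIN_WINDOW):
    """Hosts where both rules fired within `window` of each other."""
    by_host = defaultdict(list)
    for host, ts, rule in findings:
        by_host[host].append((ts, rule))
    flagged = set()
    for host, items in by_host.items():
        tools = [t for t, r in items if r == "remote_tool_execution"]
        wmi = [t for t, r in items if r == "wmi_spawned_shell"]
        if any(abs(w - t) <= window for t in tools for w in wmi):
            flagged.add(host)
    return sorted(flagged)

# Constructed sample telemetry (hypothetical hosts, paths and times).
SAMPLE_EVENTS = [
    {"host": "WS01", "time": "2024-09-10T09:00:00", "image": r"C:\Users\alice\AppData\Local\Temp\AnyDesk.exe", "parent": r"C:\Windows\explorer.exe"},
    {"host": "WS01", "time": "2024-09-10T15:30:00", "image": r"C:\Windows\System32\cmd.exe", "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
    {"host": "WS02", "time": "2024-09-10T10:00:00", "image": r"C:\Program Files\MEGAsync\MEGAsync.exe", "parent": r"C:\Windows\explorer.exe"},
    {"host": "SRV01", "time": "2024-09-10T11:00:00", "image": r"C:\Windows\System32\cmd.exe", "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
]

if __name__ == "__main__":
    for finding in evaluate(SAMPLE_EVENTS):
        print(finding)
    print("hosts with full chain:", hosts_with_chain(evaluate(SAMPLE_EVENTS)))
```

Either rule alone is noisy in environments where AnyDesk or MEGA are sanctioned, so the per-host correlation is what raises the finding above routine tool usage.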
Conclusion
The impact of Vanilla Tempest’s targeting of healthcare organizations with INC ransomware is significant, as seen in the disruptions and data loss experienced by McLaren Health Care. Mitigating these threats requires enhanced collaboration and information sharing among stakeholders. The future implications of such attacks underscore the need for proactive cybersecurity measures to protect critical assets and services.
References
[1] https://www.csoonline.com/article/3531730/microsoft-warns-of-ransomware-attacks-on-us-healthcare.html
[2] https://www.scmagazine.com/brief/us-healthcare-sector-subjected-to-attacks-with-inc-ransomware
[3] https://www.channele2e.com/brief/us-healthcare-sector-hit-by-inc-ransomware
[4] https://www.medicalbuyer.co.in/vanilla-tempest-targets-us-healthcare-organizations-with-inc-ransomware/
[5] https://www.scmagazine.com/news/vanilla-tempest-leverages-inc-ransomware-to-target-healthcare-sector
[6] https://thehackernews.com/2024/09/microsoft-warns-of-new-inc-ransomware.html
[7] https://cybermaterial.com/vanilla-tempest-targets-us-healthcare-sector/
[8] https://www.darkreading.com/threat-intelligence/vice-society-inc-ransomware-healthcare-attack
[9] https://dailysecurityreview.com/cyber-security/vanilla-tempest-hackers-use-inc-ransomware-to-target-healthcare/
[10] https://cybersecuritynews.com/vanilla-tempest-hackers-healthcare/