Alert On INC Ransomware Attacks Conducted by Vanilla Tempest (Vice Society) Threat Group

By Daniel Lopez

Microsoft published an alert regarding a cybercriminal group known as Vanilla Tempest, which is deploying INC ransomware to attack the U.S. healthcare industry.

INC ransomware, a popular ransomware-as-a-service (RaaS) operation, has gained traction among cybercriminals since its appearance in July 2023. According to Coveware, INC ransomware ranked as the fifth most common ransomware variant in Q2 of 2024. It has primarily been used to target the healthcare, government, and education sectors. Recent attacks on entities covered by HIPAA laws include McLaren Health Care in August 2024 and the National Health Service (NHS) Scotland in May 2024.

The Russian-speaking hacking group Vanilla Tempest, also referred to as DEV-0832 or Vice Society, has been active since mid-2021. Instead of developing its own ransomware, the group has a history of deploying various existing ransomware families, such as Zeppelin and Hello Kitty/Five Hands. More recently, it has been linked to ransomware attacks that used the Rhysida and BlackCat ransomware variants. Vanilla Tempest is known for its double extortion tactics: it steals sensitive information and demands payment both for decrypting files and for not leaking the stolen data online.

Although Vanilla Tempest has targeted multiple industries, the group has disproportionately focused its attacks on education organizations while also carrying out attacks on healthcare institutions. According to the Microsoft Threat Intelligence Center (MSTIC), the group has now expanded its operations by using INC ransomware in attacks against the U.S. healthcare industry.

It remains unclear whether Vanilla Tempest is directly collaborating with the INC ransomware group or is simply using a ransomware variant acquired through other means. Reports from Bleeping Computer suggest a threat actor named “salfetka” had been selling the source code for INC ransomware encryptors on hacking forums for $300,000. Vanilla Tempest likely purchased the encryptor, as the group has a history of using leaked source code for other ransomware variants in its attacks.

MSTIC reports that Vanilla Tempest collaborates with the Storm-0494 threat actor to gain initial access to networks. After Storm-0494 has infected a target with the Gootloader malware downloader, Vanilla Tempest gains access to the victim’s network and deploys tools such as the Supper malware, the MEGA data synchronization tool, and the legitimate AnyDesk remote management tool, moving laterally between systems via RDP. After compromising enough devices, the group uses Windows Management Instrumentation (WMI) to distribute the INC ransomware payload across the compromised systems. Microsoft Defender for Endpoint is equipped to detect multiple phases of this ransomware campaign, providing crucial protection against Vanilla Tempest’s activities.
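The chain above gives a defender two concrete things to look for in endpoint telemetry: the AnyDesk and MEGA binaries appearing on hosts where they are not expected, and payloads launched by the WMI provider host process, which is how WMI-based remote execution surfaces in process-creation logs. The following triage script is an added example, not code from Microsoft or from the article; the log lines are constructed Sysmon-style records, and the binary names and suspicious-path patterns are assumptions to tune for your own environment.

```python
import re
from dataclasses import dataclass

# Constructed sample records (not real telemetry): time|host|parent_image|image|user
SAMPLE_LOG = """\
2024-09-18T02:11:03Z|WS-114|C:\\Windows\\explorer.exe|C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE|CORP\\jdoe
2024-09-18T02:14:40Z|WS-114|C:\\Windows\\explorer.exe|C:\\Users\\jdoe\\AppData\\Local\\AnyDesk\\AnyDesk.exe|CORP\\jdoe
2024-09-18T02:20:12Z|FS-01|C:\\Windows\\System32\\wbem\\WmiPrvSE.exe|C:\\Windows\\Temp\\update.exe|NT AUTHORITY\\SYSTEM
2024-09-18T02:20:15Z|FS-01|C:\\Windows\\System32\\wbem\\WmiPrvSE.exe|C:\\Windows\\System32\\cmd.exe|NT AUTHORITY\\SYSTEM
2024-09-18T02:25:51Z|WS-114|C:\\Windows\\explorer.exe|C:\\Users\\jdoe\\AppData\\Local\\MEGAsync\\MEGAsync.exe|CORP\\jdoe
2024-09-18T02:30:00Z|FS-01|C:\\Windows\\System32\\services.exe|C:\\Windows\\System32\\svchost.exe|NT AUTHORITY\\SYSTEM
"""

# Tools named in the alert; binary names are assumed and should be tuned locally.
REMOTE_TOOLS = {"anydesk.exe": "AnyDesk remote access", "megasync.exe": "MEGA sync client"}
# A shell, script host or temp-path binary whose parent is the WMI provider host
# is the process-creation footprint of WMI-based remote execution.
WMI_PROVIDER = "wmiprvse.exe"
SUSPICIOUS_CHILD = re.compile(r"(\\temp\\|\\users\\public\\|cmd\.exe$|powershell\.exe$)", re.I)

@dataclass
class Finding:
    time: str
    host: str
    rule: str
    image: str

def parse_line(line):
    time, host, parent, image, user = line.strip().split("|", 4)
    return {"time": time, "host": host, "parent": parent, "image": image, "user": user}

def triage(log_text):
    """Return one Finding per matched rule, in log order."""
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        base = ev["image"].rsplit("\\", 1)[-1].lower()
        parent = ev["parent"].rsplit("\\", 1)[-1].lower()
        if base in REMOTE_TOOLS:
            findings.append(Finding(ev["time"], ev["host"], REMOTE_TOOLS[base], ev["image"]))
        if parent == WMI_PROVIDER and SUSPICIOUS_CHILD.search(ev["image"]):
            findings.append(Finding(ev["time"], ev["host"], "WMI-spawned execution", ev["image"]))
    return findings

def hosts_with_wmi_execution(findings):
    """Hosts where WMI launched a suspicious child: candidates for isolation."""
    return sorted({f.host for f in findings if f.rule == "WMI-spawned execution"})

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.time} {f.host:7} {f.rule:25} {f.image}")
```

On the sample data the script flags AnyDesk and MEGAsync on WS-114 and two WMI-spawned processes on FS-01, which is the order of events the alert describes: remote tooling on a foothold host, then WMI-driven execution on further machines.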

Image credit: MrPanya, Adobestock


Posted by Daniel Lopez

Daniel Lopez is the HIPAA trainer behind HIPAA Coach and the HIPAA subject matter expert for NetSec.news. Daniel has over 10 years' experience as a HIPAA coach. Daniel provides his HIPAA expertise to several publications, including Healthcare IT Journal and The HIPAA Guide. Daniel studied Health Information Management before focusing his career on HIPAA compliance and protecting patient privacy. You can follow Daniel on Twitter / X at https://twitter.com/DanielLHIPAA