The Information Highway

The Information Highway

Font size: +
2 minutes reading time (361 words)

Microsoft: Vanilla Tempest hackers hit healthcare with INC ransomware

 Microsoft says a ransomware affiliate it tracks as Vanilla Tempest now targets U.S. healthcare organizations in INC ransomware attacks.

INC Ransom is a ransomware-as-a-service (RaaS) operation whose affiliates have targeted public and private organizations since July 2023, including Yamaha Motor Philippines, the U.S. division of Xerox Business Solutions (XBS), and, more recently, Scotland's National Health Service (NHS).

In May 2024, a threat actor called "salfetka" claimed to sell the source code of INC Ransom's Windows and Linux/ESXi encrypter versions for $300,000 on the Exploit and XSS hacking forums. 

Microsoft revealed on Wednesday that its threat analysts have observed the financially motivated Vanilla Tempest threat actor using INC ransomware for the first time in an attack on the U.S. healthcare sector.

During the attack, Vanilla Tempest gained network access through the Storm-0494 threat actor, who infected the victim's systems with the Gootloader malware downloader.

Once inside, the attackers backdoored the systems with Supper malware and deployed the legitimate AnyDesk remote monitoring and MEGA data synchronization tools.

The attackers then moved laterally using Remote Desktop Protocol (RDP) and the Windows Management Instrumentation Provider Host to deploy INC ransomware across the victim's network.

While Microsoft didn't name the victim hit by the Vanilla Tempest-orchestrated INC ransomware healthcare attack, the same ransomware strain was linked to a cyberattack against Michigan's McLaren Health Care hospitals last month.

The attack disrupted IT and phone systems, caused the health system to lose access to patient information databases, and forced it to reschedule some appointments and non-emergent or elective procedures "out of an abundance of caution."

Who is Vanilla Tempest?

Active since at least early June 2021, Vanilla Tempest (previously tracked as DEV-0832 and Vice Society) has frequently targeted sectors, including education, healthcare, IT, and manufacturing, using various ransomware strains such as BlackCat, Quantum Locker, Zeppelin, and Rhysida.

While active as Vice Society, the threat actor was known for using multiple ransomware strains during attacks, including Hello Kitty/Five Hands and Zeppelin ransomware.

CheckPoint linked Vice Society with the Rhysida ransomware gang in August 2023, another operation known for targeting healthcare, which tried to sell patient data stolen from Lurie Children's Hospital in Chicago. 

X hacking spree fuels "$HACKED" crypto token pump-...
GitLab releases fix for critical SAML authenticati...

Related Posts

 

Comments

No comments made yet. Be the first to submit a comment
Monday, 23 December 2024

Captcha Image

Top Breaches Of 2023

Customers Affected In T-Mobile Breach
Accounts Affected In MOVEit Breach
Customers Affected In MCNA Insurance Data Breach
Individuals Affected In PharMerica Data Breach
Users Affected In ChatGPT Major Data Breach
*Founder Shield End of Year 2023