Microsoft Warns: Vanilla Tempest Hackers Targeting Healthcare Sector

Microsoft has reported that the ransomware group Vanilla Tempest is targeting US healthcare providers using the INC ransomware service. 

The group gains initial access to victim systems through infections carried out by a third party and then moves laterally to deploy the INC encryptor across the network. The case highlights the ongoing threat ransomware groups pose to critical infrastructure sectors such as healthcare.

The threat actor Storm-0494 obtained entry to the victim's network through an existing compromise, likely stemming from a Gootloader infection, and then deployed the Supper backdoor along with legitimate tools such as AnyDesk and MEGA to establish remote access and support lateral movement.

Leveraging RDP and the Windows Management Instrumentation Provider Host, the threat actor ultimately deployed the INC ransomware payload, causing significant disruption and data loss.
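The chain above leaves two observable traces a defender can look for: legitimate remote-access or sync tools appearing where they were not deployed, and shells spawned under the WMI Provider Host (WmiPrvSE.exe). The following Python triage routine is an added example, not part of Microsoft's report or this article, and runs over constructed process-creation events; the field names and binary names (anydesk.exe, megasync.exe) are assumptions.

```python
import json
from collections import defaultdict

# Constructed process-creation events (not real telemetry); field names are assumed.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "SYSTEM", "image": r"C:\Windows\System32\svchost.exe",
     "parent": r"C:\Windows\System32\services.exe"},
    {"host": "ws01", "user": "corp\\jdoe", "image": r"C:\Users\jdoe\AppData\Local\Temp\AnyDesk.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"host": "ws01", "user": "SYSTEM", "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
    {"host": "fs02", "user": "corp\\svc-backup", "image": r"C:\Users\svc-backup\AppData\Local\MEGAsync\MEGAsync.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"host": "fs02", "user": "corp\\svc-backup", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"host": "dc01", "user": "SYSTEM", "image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "parent": r"C:\Windows\System32\svchost.exe"},
]

# Binary names are assumptions based on the tools named in the report.
REMOTE_TOOLS = {"anydesk.exe", "megasync.exe"}
WMI_HOST = "wmiprvse.exe"
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def evaluate(events):
    """Return (host, finding, image) tuples for the two stages described in the report."""
    findings = []
    for e in events:
        image, parent = basename(e["image"]), basename(e["parent"])
        if image in REMOTE_TOOLS:
            findings.append((e["host"], "remote-tool", image))
        if parent == WMI_HOST and image in SHELLS:
            findings.append((e["host"], "wmi-spawned-shell", image))
    return findings

def hosts_with_chain(findings):
    """Hosts where both stages co-occur: the strongest signal of the described chain."""
    kinds_by_host = defaultdict(set)
    for host, kind, _ in findings:
        kinds_by_host[host].add(kind)
    return sorted(h for h, k in kinds_by_host.items() if {"remote-tool", "wmi-spawned-shell"} <= k)

if __name__ == "__main__":
    hits = evaluate(SAMPLE_EVENTS)
    for hit in hits:
        print(json.dumps({"host": hit[0], "finding": hit[1], "image": hit[2]}))
    print("hosts with full chain:", hosts_with_chain(hits))
```

A single remote-tool hit is weak on its own, since AnyDesk and MEGAsync are legitimate; the combination on one host is what merits escalation.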

Although Microsoft disclosed that a healthcare provider was the target of the recent attack, it has not identified the organization.

The attacker, likely affiliated with the INC ransomware group, used the file synchronization tool MEGAsync for data exfiltration. It is unclear whether a ransom demand has been made, or whether any payment has been received or refused.

Earlier analysis suggests the attacker may have opted for extortion without encryption, using stolen data as leverage, a tactic the INC group commonly employs.

The threat actor Vanilla Tempest, also known as DEV-0832 and Vice Society, has been active since June 2021 and has primarily targeted the education, healthcare, and manufacturing sectors, using ransomware families such as BlackCat, Quantum Locker, Zeppelin, and Rhysida.

Their attacks often rely on PowerShell scripts to infiltrate and compromise systems, and the group has a history of exploiting vulnerabilities in these sectors and demanding ransom payments to restore encrypted data.

Microsoft has reported a shift in Vanilla Tempest's tooling: in its attacks on healthcare organizations the group has moved to the INC ransomware-as-a-service platform, likely because INC's double and triple extortion capabilities offer a faster and more reliable route to a ransom payment.

By leveraging INC’s tools, Vanilla Tempest can more efficiently extract data, encrypt systems, and threaten to release sensitive information, increasing the pressure on victims to comply with their demands.

Kaaviya (https://cyberpress.org/)
Kaaviya is a Security Editor and fellow reporter with Cyber Press. She is covering various cyber security incidents happening in the Cyber Space.
