
'Vanilla Tempest' Now Using INC Ransomware in Health Sector

Microsoft: Ransomware-as-a-Service Group Keeps Shifting Malware to Avoid Detection

Threat actors tracked as "Vanilla Tempest" - and also known as Vice Society - appear to be changing up the ransomware they use to attack U.S. healthcare organizations. Likely in a move to avoid detection, the ransomware-as-a-service group has now shifted to INC Ransom malware, according to Microsoft Threat Intelligence.


Vanilla Tempest - which Microsoft Threat Intelligence tracks as DEV-0832 - has used at least five other malware strains since it debuted on the cybercrime market in 2022 and is now using malware from Russian-speaking INC Ransom. Microsoft believes the changes are aimed at avoiding detection and maximizing extortion demands through disruption and "exfiltrating data for extortion."

"We have observed the actor's ransomware payload change over time as the group shifted from BlackCat, Quantum Locker, Zeppelin, and a Vice Society-branded variant of the Zeppelin ransomware, to Rhysida, and as of August 2024, INC ransomware," said Sherrod DeGrippo, director of Microsoft threat intelligence strategy, in a statement to Information Security Media Group.

Affiliates of ransomware-as-a-service group INC Ransom have attacked organizations in a variety of sectors since the middle of 2023. Vanilla Tempest affiliates appear to be the latest to join that fray.

In August, INC Ransom threat actors claimed credit for an attack on Michigan-based McLaren Health Care, which experienced widespread IT disruptions for several weeks but has since recovered. While the hospital group did not comment on the attackers, a photo taken by a McLaren worker and posted on X, formerly Twitter, showed an INC Ransom ransom note (see: McLaren Health Hit With Ransomware for Second Time in a Year).

"Ransomware is an ecosystem, where various groups supply things like infrastructure, tooling, code, etc. When these groups change or disband, the ransomware supply chain experiences disruption and may require various groups to make changes to their campaigns," DeGrippo said.

"Unfortunately, we have seen a disproportionate impact to the education section in the United States by Vanilla Tempest. This includes campaigns we have tracked starting in July 2022. They tend to conduct attacks that have a high likelihood of success. We’ve also seen this threat actor target hospitals in the U.S. and local governments to a lesser extent," he said.

Before ransomware deployment, Vanilla Tempest relies on tactics commonly used by other ransomware actors, including the use of PowerShell scripts and repurposed legitimate tools, he said. Vanilla Tempest also leverages exploits for publicly disclosed vulnerabilities for initial access and post-compromise elevation of privilege.

"They also have been observed using backdoor malware like SystemBC, PortStarter and Supper," he said.

Microsoft Threat Intelligence, in a Sept. 18 post on X, said that Vanilla Tempest receives handoffs from Gootloader infections by the threat actor Storm-0494 before deploying tools such as the Supper backdoor, the legitimate AnyDesk remote monitoring and management tool and the MEGA data synchronization tool.

"The threat actor then performs lateral movement through Remote Desktop Protocol and uses the Windows Management Instrumentation Provider Host to deploy the INC ransomware payload," Microsoft said.
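An added detection example for the chain Microsoft describes above (not code from Microsoft or from this article): it correlates process-creation events per host and flags a host when a process spawned by the WMI Provider Host (WmiPrvSE.exe) follows AnyDesk or MEGA activity within a time window. The Sysmon-style event fields, host names, the file names MEGAsync.exe and placeholder.exe, and the 24-hour window are assumptions; all sample events are constructed.

```python
from datetime import datetime, timedelta
from ntpath import basename  # parses Windows paths on any OS

# Constructed Sysmon Event ID 1 style records; hosts, paths and times are made up.
EVENTS = [
    {"host": "ws-014", "ts": "2024-09-18T09:02:11", "image": r"C:\Users\Public\AnyDesk.exe", "parent": r"C:\Windows\explorer.exe"},
    {"host": "ws-014", "ts": "2024-09-18T09:40:52", "image": r"C:\ProgramData\MEGAsync.exe", "parent": r"C:\Windows\System32\cmd.exe"},
    {"host": "ws-014", "ts": "2024-09-18T11:15:03", "image": r"C:\ProgramData\placeholder.exe", "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
    {"host": "ws-020", "ts": "2024-09-18T10:00:00", "image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe", "parent": r"C:\Windows\explorer.exe"},
    {"host": "srv-003", "ts": "2024-09-18T10:30:00", "image": r"C:\Windows\System32\cmd.exe", "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
    {"host": "ws-031", "ts": "2024-09-14T08:00:00", "image": r"C:\Users\Public\AnyDesk.exe", "parent": r"C:\Windows\explorer.exe"},
    {"host": "ws-031", "ts": "2024-09-18T08:00:00", "image": r"C:\Windows\System32\cmd.exe", "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
]

# Legitimate tools the article names as staged before deployment (file names assumed).
STAGING = {"anydesk.exe": "remote-access tool (AnyDesk)",
           "megasync.exe": "data sync tool (MEGA)"}
WMI_HOST = "wmiprvse.exe"          # WMI Provider Host
WMI_CHILD = "wmi-spawned process"

def classify(event):
    """Label one event, or return None when it is not relevant to the chain."""
    if basename(event["parent"]).lower() == WMI_HOST:
        return WMI_CHILD
    return STAGING.get(basename(event["image"]).lower())

def correlate(events, window=timedelta(hours=24)):
    """Return {host: details} where a WMI-spawned process follows a staging
    tool on the same host within `window`. Either signal alone is not flagged."""
    history, alerts = {}, {}
    for ev in sorted(events, key=lambda e: e["ts"]):   # ISO timestamps sort as text
        label = classify(ev)
        if label is None:
            continue
        when = datetime.fromisoformat(ev["ts"])
        seen = history.setdefault(ev["host"], [])
        if label == WMI_CHILD:
            prior = {l for t, l in seen if l != WMI_CHILD and when - t <= window}
            if prior:
                alerts[ev["host"]] = {"child": basename(ev["image"]),
                                      "preceded_by": sorted(prior)}
        seen.append((when, label))
    return alerts

if __name__ == "__main__":
    for host, detail in correlate(EVENTS).items():
        print(host, detail)
```

Helpdesk use of AnyDesk (ws-020) and routine WMI activity (srv-003) do not alert on their own; only the combination on one host inside the window does.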

To defend against these attacks at a hospital or any other organization, cyber defenders should "focus on resilience to ransomware events," DeGrippo said.

Rise in Attacks

Ransomware attacks on healthcare organizations are indeed continuing to surge, even as they appear to be decreasing in many other sectors, said security vendor Sophos in a new report released Thursday (see: Sophos: Attacks Drop in Nearly All Sectors But Healthcare).

That's a trend seen by other researchers as well. About 91% of healthcare breaches so far in 2024 have involved ransomware, according to a report by security firm SonicWall released on Thursday.

Those ransomware breaches affected about 14 million patients so far this year, SonicWall said.

The Sophos study of 5,000 IT leaders across 15 sectors found that healthcare was second-most-likely to pay more than the original ransom demanded by attackers. Higher education had the highest tendency to pay more.

Sophos researchers said that organizations often end up paying higher extortion demands when their backup data is encrypted as part of the attacks. Entities in healthcare and higher education "may have a greater need to recover the data 'at any cost' due to their public remit," Sophos said.


About the Author

Marianne Kolbasuk McGee


Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.



