Shweta Sharma
Senior Writer

Microsoft warns of ransomware attacks on US healthcare

News
19 Sep 2024, 3 mins
Ransomware

Microsoft’s threat intelligence team observed the threat actor using a borrowed Gootloader infection to deploy INC ransomware on victim systems.

A photograph of a laptop showing binary in red text, with ransomware written in white in a black rectangle in the middle of the screen. A hand in a black glove can be seen resting on the keyboard of the laptop.
Credit: Zephyr_p / Shutterstock

Ransomware group Vanilla Tempest is targeting US healthcare providers using the INC ransomware service, according to Microsoft.

“Microsoft observed the financially motivated threat actor tracked as Vanilla Tempest using INC ransomware for the first time to target the healthcare sector in the United States,” Microsoft said in an X post.

Rather than breaking in itself, the threat actor took over initial access obtained by a third party, moved laterally through the victim's environment, and then deployed INC ransomware across the network.

Initial Access through Gootloader infection

The initial foothold in the victims' systems was reportedly handed off from a Gootloader infection. Vanilla Tempest used that access to establish and maintain remote access to the network before deploying INC ransomware.

“Vanilla Tempest receives hand-offs from Gootloader infections by the threat actor Storm-0494, before deploying tools like the Supper backdoor, the legitimate AnyDesk remote monitoring and management (RMM) tool, and the MEGA data synchronization tool,” Microsoft said. “The threat actor then performs lateral movement through Remote Desktop Protocol (RDP) and uses the Windows Management Instrumentation Provider Host to deploy the INC ransomware payload.”
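The chain Microsoft describes above, from the Gootloader hand-off, through the AnyDesk and MEGA tooling and RDP lateral movement, to the payload launched via the WMI Provider Host, is what a SOC would want to hunt for. The script below is an added example written for this article, not Microsoft's or the article author's code. It runs simple stage detections over constructed Sysmon process-creation (Event ID 1) and Windows Security logon (Event ID 4624) records and groups the hits per host, on the theory that one host showing several stages of the chain matters more than any single hit. The binary names (AnyDesk.exe, MEGAsync.exe, WmiPrvSE.exe) are the products' usual executable names and are assumptions here; the sample events are invented.

```python
import ntpath
from collections import defaultdict

# Constructed sample events modelled on a Sysmon (Event ID 1, process creation)
# and Windows Security (Event ID 4624, logon) export. These are NOT real logs.
SAMPLE_EVENTS = [
    {"host": "WS01", "source": "sysmon", "event_id": 1,
     "image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe",
     "parent_image": r"C:\Users\jdoe\AppData\Local\Temp\setup.exe"},
    {"host": "WS01", "source": "sysmon", "event_id": 1,          # ordinary system activity
     "image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Windows\System32\services.exe"},
    {"host": "SRV01", "source": "security", "event_id": 4624,    # logon type 10 = RemoteInteractive (RDP)
     "logon_type": 10, "target_user": "jdoe", "src_ip": "10.0.5.23"},
    {"host": "SRV01", "source": "sysmon", "event_id": 1,         # WMI host launching a non-system binary
     "image": r"C:\ProgramData\payload.exe",
     "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
    {"host": "SRV01", "source": "sysmon", "event_id": 1,
     "image": r"C:\Users\jdoe\AppData\Local\MEGAsync\MEGAsync.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"host": "SRV01", "source": "sysmon", "event_id": 1,         # WMI host launching a Windows binary: not flagged
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
]

# Executable names are assumptions based on the tools named in Microsoft's statement.
RMM_BINARIES = {"anydesk.exe"}
SYNC_BINARIES = {"megasync.exe"}
WMI_HOST = "wmiprvse.exe"
WINDOWS_DIR = "c:\\windows\\"


def basename(path):
    """Case-insensitive file name of a Windows path, regardless of the host OS."""
    return ntpath.basename(path).lower()


def check_event(ev):
    """Return a list of (stage_tag, detail) findings for one event, or [] if nothing matched."""
    findings = []
    if ev["source"] == "sysmon" and ev["event_id"] == 1:
        image, parent = basename(ev["image"]), basename(ev["parent_image"])
        if image in RMM_BINARIES:
            findings.append(("rmm_tool", ev["image"]))
        if image in SYNC_BINARIES:
            findings.append(("cloud_sync_tool", ev["image"]))
        # WmiPrvSE.exe legitimately spawns processes all day; only flag children outside C:\Windows.
        if parent == WMI_HOST and not ev["image"].lower().startswith(WINDOWS_DIR):
            findings.append(("wmi_spawned_non_system_binary", ev["image"]))
    elif ev["source"] == "security" and ev["event_id"] == 4624 and ev.get("logon_type") == 10:
        findings.append(("rdp_logon", f'{ev["target_user"]} from {ev["src_ip"]}'))
    return findings


def hunt(events):
    """Group findings per host so that multi-stage activity on one machine stands out."""
    per_host = defaultdict(list)
    for ev in events:
        for finding in check_event(ev):
            per_host[ev["host"]].append(finding)
    return dict(per_host)


def stages_seen(findings):
    """Distinct chain stages observed on a host, sorted for stable output."""
    return sorted({tag for tag, _ in findings})


if __name__ == "__main__":
    for host, findings in hunt(SAMPLE_EVENTS).items():
        print(f"{host}: {len(stages_seen(findings))} stage(s) -> {stages_seen(findings)}")
        for tag, detail in findings:
            print(f"    [{tag}] {detail}")
```

Each rule on its own is noisy: AnyDesk may be sanctioned in an environment, RDP logons are routine on servers, and WmiPrvSE.exe is a normal parent for many processes. The value is in the per-host grouping, where a server that sees an RDP logon, a WMI-spawned binary from ProgramData and a MEGAsync launch inside a short window deserves an analyst's attention. In production you would add a time window and allow-lists for sanctioned RMM and sync tools.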

Microsoft did not name the healthcare provider(s) targeted in this attack. It is also unclear whether the threat actor has made any ransom demands to date, or whether any payment was made or refused. Microsoft had not responded to queries by the time this article was published.

However, the presence of the MEGA synchronization tool (MEGAsync) raises the possibility that the threat actor went straight to extortion without encrypting anything at all. INC affiliates use the tool to exfiltrate data, and it forms part of the INC ransomware toolkit. Microsoft has observed this pattern from the group before: “In several cases, Microsoft assesses that the group did not deploy ransomware and instead possibly performed extortion using only exfiltrated stolen data,” Microsoft said in an October 2022 blog.

A frequent public sector offender

Vanilla Tempest, also tracked as DEV-0832 and Vice Society, has a long record of attacks on the education and healthcare sectors. The threat actor has also frequently been observed targeting the manufacturing industry.

Active since June 2021, the group has used multiple ransomware families, including BlackCat, Quantum Locker, Zeppelin, and Rhysida, and typically uses PowerShell scripts in their attacks.

Microsoft noted that Vanilla Tempest has now shifted to INC ransomware for its healthcare targeting. One plausible explanation is that the INC ransomware-as-a-service (RaaS) offering comes bundled with double and triple extortion tooling, giving Vanilla Tempest a quicker and more reliable path to a payday.

There are noticeable similarities between Vice Society and the Rhysida ransomware group, indicating a possible connection or even a rebranding effort. Earlier this week, the Port of Seattle confirmed Rhysida ransomware was behind an August 2024 cyberattack on their systems.