According to Microsoft a financially motivated threat actor was detected using a ransomware strain called INC for the first time to target the U.S. healthcare sector.
The tech giant’s threat intelligence team is tracking the activity under the name Vanilla Tempest (formerly DEV-0832).
“Vanilla Tempest receives hand-offs from GootLoader infections by the threat actor Storm-0494, before deploying tools like the Supper backdoor, the legitimate AnyDesk remote monitoring and management (RMM) tool, and the MEGA data synchronization tool,” the company stated in a series of posts shared on X.
Next, the attackers carry out lateral movement through Remote Desktop Protocol (RDP) and use the Windows Management Instrumentation (WMI) Provider Host to deploy the INC ransomware payload.
Who is Vanilla Tempest?
Active since at least early June 2021, Vanilla Tempest (formerly tracked as DEV-0832 and Vice Society) has consistently targeted sectors such as education, healthcare, IT, and manufacturing, utilising various ransomware strains including BlackCat, Quantum Locker, Zeppelin, and Rhysida.
While operating as Vice Society, the threat actor was recognised for employing multiple ransomware strains in their attacks, including Hello Kitty/Five Hands and Zeppelin.
In August 2023, CheckPoint connected Vice Society to the Rhysida ransomware gang, another operation known for targeting healthcare, which attempted to sell patient data stolen from Lurie Children’s Hospital in Chicago.
Microsoft indicated that Vanilla Tempest has been active since at least July 2022, with previous attacks targeting sectors such as education, healthcare, IT, and manufacturing, utilizing various ransomware families including BlackCat, Quantum Locker, Zeppelin, and Rhysida.
The the threat actor was also tracked under the name Vice Society, known for using existing lockers to conduct their attacks rather than creating custom versions.
The development comes as ransomware groups like BianLian and Rhysida have increasingly used Azure Storage Explorer and AzCopy to exfiltrate sensitive data from compromised networks in an effort to evade detection.
“This tool, used for managing Azure storage and objects within it, is being repurposed by threat actors for large-scale data transfers to cloud storage,” said modePUSH researcher Britton Manahan.
INC Ransom is a ransomware-as-a-service (RaaS) operation that has targeted both public and private organisations since July 2023, including Yamaha Motor Philippines, the U.S. division of Xerox Business Solutions (XBS), and more recently, Scotland’s National Health Service (NHS).
In May 2024, a threat actor named “salfetka” announced on the Exploit and XSS hacking forums that they were selling the source code for INC Ransom’s Windows and Linux/ESXi encryptor versions for $300,000.
Earlier this year MediSecure, an electronic prescriptions provider revealed 12.9 million people, or almost half of the whole country, had 6.5 terabytes of data containing their personal and health information stolen by hackers in one of the biggest data breaches in Australia’s history.
