Microsoft: Vanilla Tempest hackers hit healthcare with INC ransomware

September 19, 2024 at 02:45PM

Microsoft has reported that the ransomware affiliate Vanilla Tempest is now targeting U.S. healthcare organizations with the INC ransomware. Vanilla Tempest gained network access through malware and then backdoored systems, leading to disruption of IT and phone systems and loss of patient information. Vanilla Tempest has a history of targeting various sectors with different ransomware strains.

From the meeting notes:

– Microsoft has identified the ransomware affiliate Vanilla Tempest (previously tracked as DEV-0832 and Vice Society) targeting U.S. healthcare organizations using the INC ransomware.
– INC Ransom is a ransomware-as-a-service (RaaS) operation that has targeted various public and private organizations since July 2023.
– In May 2024, a threat actor, “salfetka,” offered to sell the source code of INC Ransom’s Windows and Linux/ESXi encrypter versions for $300,000 on hacking forums.
– Vanilla Tempest gained network access through the Storm-0494 threat actor and infected systems with the Gootloader malware downloader.
– After gaining access, the attackers backdoored systems with Supper malware and deployed legitimate tools like AnyDesk and MEGA for monitoring and data synchronization.
– The attackers moved laterally using Remote Desktop Protocol (RDP) and the Windows Management Instrumentation Provider Host to deploy INC ransomware across the victim’s network.
– While the specific victim of the Vanilla Tempest-orchestrated INC ransomware healthcare attack wasn’t named, a similar ransomware strain was used in a cyberattack against Michigan’s McLaren Health Care hospitals last month.
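As an added detection sketch, not part of the article or of Microsoft's report: the tooling and lateral-movement details in the notes above (RDP logons, the WMI Provider Host launching commands, AnyDesk and MEGA) turned into per-host correlation over constructed sample events, so that a single tool sighting stays low-priority and a host showing several stages of the chain is raised. The event fields and the tool name lists are assumptions, not taken from the article.

```python
import ntpath
from collections import defaultdict

# Constructed sample telemetry (Sysmon-style process creation plus Windows logon events); not real data.
SAMPLE_EVENTS = [
    {"host": "ws01", "kind": "logon", "logon_type": 10, "user": "CORP\\svc_admin"},
    {"host": "ws01", "kind": "process", "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\cmd.exe", "user": "CORP\\svc_admin"},
    {"host": "ws01", "kind": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\alice\Downloads\AnyDesk.exe", "user": "CORP\\alice"},
    {"host": "srv02", "kind": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\MEGAsync\MEGAsync.exe", "user": "CORP\\bob"},
    {"host": "srv03", "kind": "process", "parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "user": "NT AUTHORITY\\NETWORK SERVICE"},
]

# Hypothetical name lists (assumptions): shells WmiPrvSE.exe should rarely spawn, and the remote-access / sync tools named in the notes.
WMI_CHILD_SHELLS = {"cmd.exe", "powershell.exe", "rundll32.exe", "wscript.exe"}
REMOTE_ACCESS_TOOLS = {"anydesk.exe"}
CLOUD_SYNC_TOOLS = {"megasync.exe", "megacmd.exe"}

def _base(path):
    return ntpath.basename(path).lower()

def classify(event):
    """Return the technique labels a single event matches (empty list if nothing matched)."""
    hits = []
    if event["kind"] == "logon" and event.get("logon_type") == 10:  # type 10 = RemoteInteractive (RDP)
        hits.append("rdp_logon")
    elif event["kind"] == "process":
        image, parent = _base(event["image"]), _base(event["parent"])
        if parent == "wmiprvse.exe" and image in WMI_CHILD_SHELLS:
            hits.append("wmi_spawned_shell")
        if image in REMOTE_ACCESS_TOOLS:
            hits.append("remote_access_tool")
        if image in CLOUD_SYNC_TOOLS:
            hits.append("cloud_sync_tool")
    return hits

def techniques_by_host(events):
    """Map each host to the set of distinct technique labels observed on it."""
    seen = defaultdict(set)
    for ev in events:
        seen[ev["host"]].update(classify(ev))
    return dict(seen)

def flag_hosts(events, min_techniques=2):
    """Hosts where several stages of the described chain co-occur; one tool sighting alone is not flagged."""
    return sorted(h for h, t in techniques_by_host(events).items() if len(t) >= min_techniques)
```

With the constructed events, only ws01 (RDP logon, WMI-spawned shell and AnyDesk) is flagged; srv02 shows MEGA alone and srv03 only a normally started WMI Provider Host.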

Additionally, information pertaining to Vanilla Tempest includes:

– Vanilla Tempest has been active since at least early June 2021 and has targeted sectors such as education, healthcare, IT, and manufacturing using various ransomware strains such as BlackCat, Quantum Locker, Zeppelin, and Rhysida.
– Previously tracked as Vice Society, the threat actor was known for using multiple ransomware strains during attacks, including Hello Kitty/Five Hands and Zeppelin ransomware.
– CheckPoint linked Vice Society with the Rhysida ransomware gang in August 2023; Rhysida is known for targeting healthcare and attempted to sell patient data stolen from Lurie Children’s Hospital in Chicago.

Please let me know if you need any further details or follow-up on the meeting notes.
