A recent report from Microsoft reveals that a ransomware affiliate known as Vanilla Tempest has been observed using the INC ransomware to target U.S. healthcare organizations. This marks a significant escalation in the threat posed by this group, which has previously targeted various sectors, including education, IT, and manufacturing.
INC Ransomware: A Growing Threat to Healthcare
INC ransomware, a ransomware-as-a-service (RaaS) operation, has been active since July 2023 and has targeted both public and private organizations. Notable victims include Yamaha Motor Philippines, Xerox Business Solutions (XBS), and Scotland’s National Health Service (NHS).
In May 2024, a threat actor known as “salfetka” offered the source code for INC Ransomware’s Windows and Linux/ESXi encrypter versions for sale on the Exploit and XSS hacking forums for a hefty $300,000.
Vanilla Tempest: A Multifaceted Threat Actor
Active since at least early June 2021, Vanilla Tempest, previously tracked as DEV-0832 and Vice Society, has a history of targeting various sectors with a variety of ransomware strains.
They have been linked to attacks using BlackCat, Quantum Locker, Zeppelin, and Rhysida ransomware. During their time as Vice Society, they were known for using multiple ransomware strains simultaneously, including Hello Kitty/Five Hands and Zeppelin ransomware.
Interestingly, CheckPoint has linked the Vice Society group to the Rhysida ransomware gang, another operation known for targeting the healthcare sector and attempting to sell stolen patient data, as seen in the case of Lurie Children’s Hospital in Chicago.
The Attack: A Multi-Stage Operation
Microsoft’s threat analysts have observed Vanilla Tempest using INC ransomware in a multi-stage attack on a U.S. healthcare organization. The attack began with the Storm-0494 threat actor infecting the victim’s systems with the Gootloader malware downloader. Gootloader, a notorious malware downloader, is often used to deliver other malicious payloads, including ransomware.
Once inside the network, the attackers used Gootloader to deploy the Supper malware, a backdoor that allows them to maintain persistent access to the compromised system. The attackers then deployed legitimate tools like AnyDesk, a remote monitoring tool, and MEGA, a data synchronization service, to further their operations.
The attackers then used Remote Desktop Protocol (RDP) and the Windows Management Instrumentation Provider Host to move laterally within the network, ultimately deploying INC ransomware across the victim’s network.
The Impact: Disruption and Data Loss
While Microsoft did not disclose the name of the healthcare organization targeted in this attack, the same INC ransomware strain was linked to a cyberattack against Michigan’s McLaren Health Care hospitals in August 2024. This attack caused significant disruption to IT and phone systems, forcing the health system to lose access to patient information databases and reschedule appointments and procedures.
This attack highlights the growing threat of ransomware attacks against healthcare organizations. These attacks can have devastating consequences, disrupting patient care, compromising sensitive patient data, and causing significant financial losses.
