Summary: Microsoft has identified a financially motivated threat actor named Vanilla Tempest, which is using a ransomware strain called INC to target the U.S. healthcare sector for the first time. This group has been active since at least July 2022 and is linked to various ransomware attacks across multiple sectors.
Threat Actor: Vanilla Tempest | Vanilla Tempest
Victim: Healthcare Sector | healthcare sector
Key Point :
- Vanilla Tempest utilizes a ransomware strain called INC, deploying it after gaining access through GootLoader infections.
- The group has previously targeted various sectors, including education and manufacturing, using multiple ransomware families.
- Threat actors are increasingly using tools like Azure Storage Explorer for data exfiltration to evade detection.
Microsoft has revealed that a financially motivated threat actor has been observed using a ransomware strain called INC for the first time to target the healthcare sector in the U.S.
The tech giant’s threat intelligence team is tracking the activity under the name Vanilla Tempest (formerly DEV-0832).
“Vanilla Tempest receives hand-offs from GootLoader infections by the threat actor Storm-0494, before deploying tools like the Supper backdoor, the legitimate AnyDesk remote monitoring and management (RMM) tool, and the MEGA data synchronization tool,” it said in a series of posts shared on X.
In the next step, the attackers proceed to carry out lateral movement through Remote Desktop Protocol (RDP) and then use the Windows Management Instrumentation (WMI) Provider Host to deploy the INC ransomware payload.
The Windows maker said Vanilla Tempest has been active since at least July 2022, with previous attacks targeting education, healthcare, IT, and manufacturing sectors using various ransomware families such as BlackCat, Quantum Locker, Zeppelin, and Rhysida.
It’s worth noting that the threat actor is also tracked under the name Vice Society, which is known for employing already existing lockers to carry out their attacks, as opposed to building a custom version of their own.
The development comes as ransomware groups like BianLian and Rhysida have been observed increasingly using Azure Storage Explorer and AzCopy to exfiltrate sensitive data from compromised networks in an attempt to evade detection.
“This tool, used for managing Azure storage and objects within it, is being repurposed by threat actors for large-scale data transfers to cloud storage,” modePUSH researcher Britton Manahan said.
Source: https://thehackernews.com/2024/09/microsoft-warns-of-new-inc-ransomware.html