Microsoft Warns Of Vanilla Tempest Hackers Attacking Healthcare Sector

Microsoft has identified a new attack vector employed by the financially motivated threat actor Vanilla Tempest.

This actor has been observed leveraging the INC ransomware to target healthcare organizations within the United States. 

Specifically, Vanilla Tempest is exploiting vulnerabilities in healthcare systems to deploy INC ransomware.

This malware encrypts sensitive data and demands a ransom payment for decryption, which poses a significant threat to the continuity of healthcare services and patient privacy.

The ransomware group Vanilla Tempest, formerly known as DEV-0832 and Vice Society, has been active since at least early 2021 and has targeted various sectors, including education, healthcare, IT, and manufacturing, using multiple ransomware strains such as BlackCat, Quantum Locker, Zeppelin, and Rhysida. 

Free Webinar on How to Protect Small Businesses Against Advanced Cyberthreats -> Free Registration

As Vice Society, they were known for using Hello Kitty/Five Hands and Zeppelin ransomware.

In August 2023, CheckPoint linked Vice Society to the Rhysida ransomware gang, also known for targeting healthcare, to sell patient data stolen from Lurie Children’s Hospital in Chicago.

They had identified Vanilla Tempest, a ransomware affiliate, as targeting U.S. healthcare organizations with INC Ransomware attacks.

These attacks have been active since July 2023 and have compromised various organizations, including Yamaha Motor Philippines, Xerox Business Solutions, and the NHS. 

In May 2024, a threat actor attempted to sell the source code of INC Ransom’s Windows and Linux/ESXi encryption versions on a hacking forum, indicating a potential for further proliferation and customization of the ransomware.

Microsoft reported that Vanilla Tempest, a financially motivated threat actor, has used INC ransomware to attack the U.S. healthcare sector.

The attackers gained access through Storm-0494, which infected the victim’s systems with Gootloader. 

Once inside, they backdoored the systems with Supper malware and deployed legitimate tools, AnyDesk and MEGA.

This highlights the increasing sophistication of cyber threats and the need for robust security measures in the healthcare industry.

The attackers used RDP and WMI tools to spread the INC ransomware throughout the victim’s network. 

The ransomware disrupted IT and phone systems, compromised patient information databases, and forced the healthcare system to reschedule appointments and procedures, similar to the recent cyberattack against Michigan’s McLaren Health Care hospitals, which also used the INC ransomware strain.

Analyse AnySuspicious Links Using ANY.RUN's New Safe Browsing Tool: Try It for Free