Cyber Security News

Microsoft Warns Of Vanilla Tempest Hackers Attacking Healthcare Sector

Microsoft has identified a new attack vector employed by the financially motivated threat actor Vanilla Tempest.

This actor has been observed leveraging the INC ransomware to target healthcare organizations within the United States. 

Specifically, Vanilla Tempest is exploiting vulnerabilities in healthcare systems to deploy INC ransomware.

This malware encrypts sensitive data and demands a ransom payment for decryption, which poses a significant threat to the continuity of healthcare services and patient privacy.

The ransomware group Vanilla Tempest, formerly known as DEV-0832 and Vice Society, has been active since at least early 2021 and has targeted various sectors, including education, healthcare, IT, and manufacturing, using multiple ransomware strains such as BlackCat, Quantum Locker, Zeppelin, and Rhysida. 

Free Webinar on How to Protect Small Businesses Against Advanced Cyberthreats -> Free Registration

As Vice Society, they were known for using Hello Kitty/Five Hands and Zeppelin ransomware.

In August 2023, CheckPoint linked Vice Society to the Rhysida ransomware gang, also known for targeting healthcare, to sell patient data stolen from Lurie Children’s Hospital in Chicago.

They had identified Vanilla Tempest, a ransomware affiliate, as targeting U.S. healthcare organizations with INC Ransomware attacks.

These attacks have been active since July 2023 and have compromised various organizations, including Yamaha Motor Philippines, Xerox Business Solutions, and the NHS. 

In May 2024, a threat actor attempted to sell the source code of INC Ransom’s Windows and Linux/ESXi encryption versions on a hacking forum, indicating a potential for further proliferation and customization of the ransomware.

Microsoft reported that Vanilla Tempest, a financially motivated threat actor, has used INC ransomware to attack the U.S. healthcare sector.

The attackers gained access through Storm-0494, which infected the victim’s systems with Gootloader. 

Once inside, they backdoored the systems with Supper malware and deployed legitimate tools, AnyDesk and MEGA.

This highlights the increasing sophistication of cyber threats and the need for robust security measures in the healthcare industry.

The attackers used RDP and WMI tools to spread the INC ransomware throughout the victim’s network. 

The ransomware disrupted IT and phone systems, compromised patient information databases, and forced the healthcare system to reschedule appointments and procedures, similar to the recent cyberattack against Michigan’s McLaren Health Care hospitals, which also used the INC ransomware strain.

Analyse AnySuspicious Links Using ANY.RUN's New Safe Browsing Tool: Try It for Free

Gurubaran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Recent Posts

Indonesia Government Data Breach – Hackers Leaked 82 GB of Sensitve Data Online

Hackers have reportedly infiltrated and extracted a vast 82 GB of sensitive data from the Indonesian…

38 seconds ago

IBM AIX TCP/IP Vulnerability Lets Attackers Exploit to Launch Denial of Service Attack

IBM has issued a security bulletin warning of two vulnerabilities in its AIX operating system…

1 hour ago

Apache Auth-Bypass Vulnerability Lets Attackers Gain Control Over HugeGraph-Server

The Apache Software Foundation has issued a security alert regarding a critical vulnerability in Apache…

2 hours ago

USA Launched Cyber Attack on Chinese Technology Firms

The Chinese National Internet Emergency Center (CNIE) has revealed two significant cases of cyber espionage…

2 hours ago

Node.js systeminformation Package Vulnerability Exposes Millions of Systems to RCE Attacks

A critical command injection vulnerability in the popular systeminformation npm package has recently been disclosed, exposing millions…

1 day ago

Skuld Malware Using Weaponized Windows Utilities Packages To Deliver Malware

Researchers discovered a malware campaign targeting the npm ecosystem, distributing the Skuld info stealer through…

2 days ago