Microsoft has reported that a ransomware group known as Vanilla Tempest has begun targeting healthcare organizations using a new strain of ransomware called INC Ransom.
This ransomware-as-a-service (RaaS) operation has been active since July 2023, attacking various public and private entities, including Yamaha Motor Philippines and the U.S. branch of Xerox Business Solutions, as well as Scotland’s National Health Service.
In May 2024, an individual under the alias “salfetka” attempted to sell the source code for INC Ransom’s Windows and Linux/ESXi encryption versions for $300,000 on hacking forums. Microsoft’s analysts recently observed Vanilla Tempest deploying INC ransomware in an attack on the U.S. healthcare sector for the first time.
The attackers obtained initial access through another group, Storm-0494, which infected the victim's systems with the Gootloader malware downloader. Once inside, they deployed a custom backdoor called Supper and used the legitimate remote-access tool AnyDesk and the MEGA file-sync client to maintain access and move data. They then spread the ransomware across the network using Remote Desktop Protocol (RDP) and Windows Management Instrumentation Provider Host.
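The intrusion chain above is visible to defenders in ordinary Windows telemetry: RDP logons fanning out from one account, remote-access and file-sync tools appearing on servers, and processes spawned by WMI Provider Host. The following triage script is an added example, not part of the report or Microsoft's detection logic; the event records are constructed, the field names only mimic Security/Sysmon fields, and the fan-out threshold and tool list are assumptions to be tuned per environment.

```python
"""Triage heuristics for the lateral-movement and tooling pattern described above.
Added example; field names, thresholds and sample events are assumptions."""
from collections import defaultdict

# Constructed sample events (not from any real incident). Field names loosely
# mirror Windows Security (4624) and Sysmon (1) fields; that mapping is an assumption.
SAMPLE_EVENTS = [
    # Security 4624 with LogonType 10 = RemoteInteractive (RDP)
    {"event_id": 4624, "logon_type": 10, "user": "CORP\\svc_backup", "host": "WS-01", "src_ip": "10.0.5.20"},
    {"event_id": 4624, "logon_type": 10, "user": "CORP\\svc_backup", "host": "WS-02", "src_ip": "10.0.5.20"},
    {"event_id": 4624, "logon_type": 10, "user": "CORP\\svc_backup", "host": "FS-01", "src_ip": "10.0.5.20"},
    {"event_id": 4624, "logon_type": 10, "user": "CORP\\svc_backup", "host": "DB-01", "src_ip": "10.0.5.20"},
    {"event_id": 4624, "logon_type": 10, "user": "CORP\\alice", "host": "WS-07", "src_ip": "10.0.9.3"},
    # Sysmon 1 process creation: remote-access / file-sync tools on a file server
    {"event_id": 1, "host": "FS-01",
     "image": "C:\\Users\\svc_backup\\AppData\\Local\\AnyDesk\\AnyDesk.exe",
     "parent_image": "C:\\Windows\\explorer.exe"},
    {"event_id": 1, "host": "FS-01",
     "image": "C:\\Users\\svc_backup\\AppData\\Local\\MEGAsync\\MEGAsync.exe",
     "parent_image": "C:\\Windows\\explorer.exe"},
    # Sysmon 1: WMI Provider Host spawning a command shell (remote WMI execution)
    {"event_id": 1, "host": "DB-01",
     "image": "C:\\Windows\\System32\\cmd.exe",
     "parent_image": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"},
    # Benign noise
    {"event_id": 1, "host": "WS-07",
     "image": "C:\\Program Files\\Notepad++\\notepad++.exe",
     "parent_image": "C:\\Windows\\explorer.exe"},
]

RDP_FANOUT_THRESHOLD = 3                          # assumption: tune per environment
WATCHED_TOOLS = ("anydesk.exe", "megasync.exe")   # binaries for the tools named in the report (assumed names)


def _basename(path):
    """Lower-cased file name from a Windows path."""
    return path.lower().rsplit("\\", 1)[-1]


def rdp_fanout(events, threshold=RDP_FANOUT_THRESHOLD):
    """Accounts/sources that reached at least `threshold` distinct hosts over RDP."""
    hosts = defaultdict(set)
    for e in events:
        if e.get("event_id") == 4624 and e.get("logon_type") == 10:
            hosts[(e["user"], e["src_ip"])].add(e["host"])
    return {key: sorted(h) for key, h in hosts.items() if len(h) >= threshold}


def watched_tool_executions(events, tools=WATCHED_TOOLS):
    """Process-creation events whose image is one of the watched tools."""
    return [(e["host"], e["image"]) for e in events
            if e.get("event_id") == 1 and _basename(e["image"]) in tools]


def wmi_spawned_shells(events):
    """Command shells whose parent is WMI Provider Host, a common remote-execution sign."""
    return [(e["host"], e["image"]) for e in events
            if e.get("event_id") == 1
            and _basename(e["parent_image"]) == "wmiprvse.exe"
            and _basename(e["image"]) in ("cmd.exe", "powershell.exe")]


def triage(events):
    """Run all three heuristics and return their hits keyed by heuristic name."""
    return {
        "rdp_fanout": rdp_fanout(events),
        "watched_tools": watched_tool_executions(events),
        "wmi_spawned_shells": wmi_spawned_shells(events),
    }


if __name__ == "__main__":
    for name, hits in triage(SAMPLE_EVENTS).items():
        print(f"{name}: {hits}")
```

Each heuristic is weak on its own (administrators do use RDP and WMI), so the value is in correlation: the same account appearing in the RDP fan-out, the tool executions and the WMI-spawned shell within a short window is what merits escalation.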
Although the specific victim of this attack remains unnamed, similar ransomware activity disrupted operations at Michigan’s McLaren Health Care hospitals, impacting IT and phone systems and causing delays in patient care.
Vanilla Tempest, which has been active since at least June 2021, was previously identified as DEV-0832 and Vice Society. This group has targeted various sectors, including education, healthcare, and IT, using different ransomware strains such as BlackCat, Quantum Locker, Zeppelin, and Rhysida.
The group has also been associated with Vice Society, which was known for using multiple ransomware variants in their attacks, including Hello Kitty/Five Hands and Zeppelin.
In August 2023, Vice Society was linked to the Rhysida ransomware gang, which was implicated in an attack on Lurie Children’s Hospital in Chicago and attempted to sell the patient data stolen there. This connection highlights a troubling trend of healthcare organizations being repeatedly targeted by ransomware operators seeking to exploit sensitive data.
To reduce the risk of such attacks, healthcare organizations should implement robust cybersecurity measures, including regular software updates, multi-factor authentication, and employee training on phishing prevention.
Network segmentation and using endpoint detection and response (EDR) tools can also help limit the damage if an intrusion occurs. Partnering with cybersecurity experts to conduct regular vulnerability assessments can further bolster defenses against sophisticated threats like INC ransomware.