Vanilla Tempest (Vice Society) Threat Group Using INC Ransomware to Attack Healthcare Orgs
Microsoft has issued a warning about a threat group it tracks as Vanilla Tempest, which has been observed using INC ransomware to target the United States healthcare sector for the first time.
INC ransomware is a ransomware-as-a-service (RaaS) operation that has proven popular with cybercriminals. In Q2 2024, INC ransomware was the joint fifth most common ransomware variant, according to Coveware. INC ransomware emerged in July 2023 and primarily attacks the healthcare, education, and government sectors. It has been used in recent attacks on National Health Service (NHS) Scotland (May 2024) and McLaren Health Care (August 2024).
Vanilla Tempest (aka DEV-0832, Vice Society) is a Russian-speaking threat group that has been active since the summer of 2021. Rather than using its own unique encryptor, Vanilla Tempest has deployed versions of other ransomware variants, including Hello Kitty/Five Hands and Zeppelin. More recently, the group has also conducted attacks using the BlackCat and Rhysida ransomware variants. The group engages in double extortion, stealing sensitive data and demanding payment both to decrypt files and to prevent the stolen data from being published online.
Vanilla Tempest has attacked multiple sectors. While the education sector bears a disproportionate share of its attacks, the group is known to have conducted several attacks on healthcare organizations. According to the Microsoft Threat Intelligence Center (MSTIC), Vanilla Tempest is now leveraging INC ransomware to conduct attacks on the healthcare sector in the United States.
What is not clear is whether Vanilla Tempest is working with the INC ransomware group or is simply using a variant of INC ransomware that it has obtained through other means. Bleeping Computer reports that a threat actor called salfetka was offering the source code of the INC ransomware encryptors for Windows and Linux/ESXi on hacking forums for $300,000, so Vanilla Tempest may have purchased the encryptor. The group has acted in a similar way in the past, using leaked source code of other ransomware variants in its attacks.
MSTIC reports that Vanilla Tempest works with the Storm-0494 threat actor for initial access, attacking targets that Storm-0494 has already infected with the Gootloader malware downloader. Once access to a victim's network is gained, the group uses Supper malware, the legitimate AnyDesk remote monitoring and management tool, and the MEGA data synchronization tool. The group moves laterally within networks over Remote Desktop Protocol (RDP), and once enough devices have been compromised, the Windows Management Instrumentation Provider Host is used to deploy the INC ransomware payload across the network. MSTIC said on X that Microsoft Defender for Endpoint detects multiple stages of the Vanilla Tempest INC ransomware activity identified in this campaign.
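The intrusion chain above (AnyDesk and MEGA appearing on a workstation, RDP logons fanning out, then WmiPrvSE.exe launching the payload) maps onto a few simple telemetry checks. The following is an added triage sketch, not code from Microsoft or HIPAA Journal; the event schema and the sample events are constructed, and the executable names assumed for AnyDesk and MEGA are an assumption, not taken from the article.

```python
import re
from collections import defaultdict

# Tools named in the write-up. The installed binary names are an assumption.
TOOL_PATTERNS = {
    "anydesk": re.compile(r"anydesk\.exe$", re.I),
    "mega": re.compile(r"(megasync|megacmd)\.exe$", re.I),
}
# WmiPrvSE.exe (WMI Provider Host) rarely launches binaries outside its own
# directory; a child elsewhere is the deployment pattern described above.
WMI_EXPECTED_CHILD = re.compile(r"^c:\\windows\\system32\\wbem\\", re.I)
RDP_LOGON_TYPE = 10  # RemoteInteractive in Windows event 4624

# Constructed sample telemetry (not real data): process-creation and logon events.
SAMPLE_EVENTS = [
    {"host": "WS01", "type": "process", "parent": "explorer.exe",
     "image": r"C:\Users\a\AppData\Roaming\AnyDesk\AnyDesk.exe"},
    {"host": "WS01", "type": "process", "parent": "explorer.exe",
     "image": r"C:\Users\a\AppData\Local\MEGAsync\MEGAsync.exe"},
    {"host": "WS01", "type": "logon", "logon_type": 10, "src_ip": "10.0.0.5"},
    {"host": "WS03", "type": "logon", "logon_type": 2, "src_ip": "-"},
    {"host": "FS02", "type": "logon", "logon_type": 10, "src_ip": "10.0.0.11"},
    {"host": "FS02", "type": "process", "parent": "svchost.exe",
     "image": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
    {"host": "FS02", "type": "process", "parent": "WmiPrvSE.exe",
     "image": r"C:\Windows\Temp\payload.exe"},   # constructed placeholder name
    {"host": "DC01", "type": "process", "parent": "WmiPrvSE.exe",
     "image": r"C:\Windows\Temp\payload.exe"},
]

def triage(events):
    """Return (host, rule, detail) findings for the three stages of the chain."""
    findings = []
    for ev in events:
        host = ev["host"]
        if ev["type"] == "process":
            image = ev["image"]
            for name, pat in TOOL_PATTERNS.items():
                if pat.search(image):
                    findings.append((host, f"tool:{name}", image))
            if ev["parent"].lower() == "wmiprvse.exe" and not WMI_EXPECTED_CHILD.match(image):
                findings.append((host, "wmi_spawn", image))
        elif ev["type"] == "logon" and ev["logon_type"] == RDP_LOGON_TYPE:
            findings.append((host, "rdp_logon", ev["src_ip"]))
    return findings

def hosts_at_deployment_stage(findings):
    """Hosts reached over RDP where WmiPrvSE.exe then launched an unexpected binary."""
    rules = defaultdict(set)
    for host, rule, _ in findings:
        rules[host].add(rule)
    return sorted(h for h, r in rules.items() if {"rdp_logon", "wmi_spawn"} <= r)
```

Hosts showing only one stage (DC01 here has the WMI spawn without a recorded RDP logon) still deserve review; the combined check merely ranks where to start.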