September 19, 2024
Severity
High
Analysis Summary
According to Microsoft, a ransomware affiliate tracked as Vanilla Tempest is currently targeting healthcare organizations in the United States with INC ransomware.
Since July 2023, INC Ransom, a ransomware-as-a-service (RaaS) operation whose affiliates target both public and commercial entities, has hit Yamaha Motor Philippines, the American branch of Xerox Business Solutions (XBS), and, more recently, Scotland's National Health Service (NHS).
In May 2024, a threat actor on dark web forums claimed to be selling the source code of INC Ransom's Windows and Linux/ESXi encryptors for $300,000. On Wednesday, Microsoft announced that its security researchers had, for the first time, observed the financially motivated Vanilla Tempest threat actor hitting the US healthcare sector with INC ransomware. In this attack, the Storm-0494 threat actor used the GootLoader malware downloader to infect the victim's systems, handing Vanilla Tempest access to the network.
After gaining access, the attackers backdoored the systems with the Supper malware and used the legitimate AnyDesk remote monitoring tool and the MEGA data synchronization tool. They then moved laterally using Windows Management Instrumentation Provider Host and Remote Desktop Protocol (RDP), spreading INC ransomware across the victim's network.
Microsoft did not identify the target of the INC ransomware healthcare attack orchestrated by Vanilla Tempest, but the same ransomware strain was connected to a cyberattack against Michigan's McLaren Health Care hospitals last month. That attack caused the health system to lose access to patient information databases, disrupted phone and IT systems, and, out of an abundance of caution, led it to reschedule some appointments and non-emergency or elective procedures.
Active since at least early June 2021, Vanilla Tempest (formerly tracked as DEV-0832 and Vice Society) has used a variety of ransomware strains, including BlackCat, Quantum Locker, Zeppelin, and Rhysida, against industries including manufacturing, IT, healthcare, and education. While operating under the Vice Society alias, the threat actor was known for deploying several ransomware strains in its attacks, including Zeppelin and Hello Kitty/Five Hands.
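As an added example (not part of the original advisory or Microsoft's report), the following script runs a simple triage check over constructed process-creation telemetry for the tradecraft described above: the legitimate AnyDesk and MEGA tools appearing on hosts where they are not sanctioned, and the WMI provider host spawning a command shell during lateral movement. The process image names, the CSV layout and the shell-spawn heuristic are assumptions, not values from the advisory.

```python
import csv
import io

# Tools named in the advisory that were abused for remote access and data
# staging. Image names are assumptions about how the tools appear in
# process-creation telemetry, not values taken from the advisory.
UNSANCTIONED_TOOLS = {
    "anydesk.exe": "remote access tool (AnyDesk)",
    "megasync.exe": "data synchronization tool (MEGA)",
}
# WMI provider host launching a shell is a common lateral-movement artifact
# (assumed heuristic; the advisory only names the WMI provider host and RDP).
WMI_HOST = "wmiprvse.exe"
SHELLS = {"cmd.exe", "powershell.exe"}

# Constructed sample telemetry: host, parent image, child image, user.
SAMPLE_LOG = """host,parent_image,image,user
WS01,explorer.exe,outlook.exe,alice
WS01,explorer.exe,C:\\Users\\alice\\AppData\\Local\\AnyDesk.exe,alice
SRV02,svchost.exe,wmiprvse.exe,SYSTEM
SRV02,wmiprvse.exe,cmd.exe,SYSTEM
SRV03,explorer.exe,megasync.exe,bob
SRV04,wmiprvse.exe,powershell.exe,SYSTEM
"""


def basename(path):
    """Normalize a Windows or POSIX image path to a lowercase file name."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def find_suspicious(log_text):
    """Return (host, reason) pairs for rows matching the advisory's tradecraft."""
    hits = []
    for row in csv.DictReader(io.StringIO(log_text)):
        image = basename(row["image"])
        parent = basename(row["parent_image"])
        if image in UNSANCTIONED_TOOLS:
            hits.append((row["host"], UNSANCTIONED_TOOLS[image]))
        elif parent == WMI_HOST and image in SHELLS:
            hits.append((row["host"], f"WMI provider host spawned {image}"))
    return hits


if __name__ == "__main__":
    for host, reason in find_suspicious(SAMPLE_LOG):
        print(f"{host}: {reason}")
```

In a real deployment the tool list would be replaced by the organization's own allow-list of sanctioned remote access and sync software.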
Impact
- Financial Loss
- Operational Disruption
- Unauthorized Access
- Data Loss
Remediation
- Maintain cyber hygiene by keeping anti-virus software up to date and implementing a patch management lifecycle.
- Maintain offline backups: in a ransomware attack, the adversary will often delete or encrypt any backups they can reach. Keep offline (preferably off-site), encrypted backups of data and test them regularly.
- Emails from unknown senders should always be treated with caution.
- Never trust or open links and attachments received from unknown sources or senders.
- Enable antivirus and anti-malware software and keep signature definitions up to date. Multi-layered protection is necessary to secure vulnerable assets.