Vanilla Tempest, a ransomware group also known as Vice Society, has been spotted deploying the INC ransomware strain for the first time to target the US healthcare sector.
This is according to Microsoft cybersecurity researchers, who recently detailed their latest findings in a thread on X (formerly Twitter).
In the thread, the company said that Vanilla Tempest receives hand-offs from Gootloader infections run by the threat actor tracked as Storm-0494, and then deploys a set of tools and malware, including the Supper backdoor, the legitimate AnyDesk remote-access tool, and the MEGA file-sync client.
Vice Society
The group then moves laterally over Remote Desktop Protocol (RDP) and uses the Windows Management Instrumentation (WMI) Provider Host to deploy the INC ransomware payload.
Unfortunately, Microsoft did not say which organizations Vanilla Tempest attacked or whether the attacks succeeded. Ransomware attacks on healthcare providers typically expose highly sensitive medical records and can end in very large ransom payments.
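As an added illustration (example code written for this page, not from Microsoft's thread or any Vanilla Tempest tooling): a small Python detector that looks for the two-step pattern described above, an RDP logon followed on the same host by an executable launched from WmiPrvSE.exe. The log records, hostnames, user names, IP addresses and file paths are constructed for the example; the field names only mimic Windows Security event 4624 (LogonType 10 = RDP) and Sysmon event 1 (process creation), and the "payload.exe" name is a placeholder, not an indicator of compromise.

```python
"""Toy detection for: RDP lateral movement followed by a process spawned by
the WMI Provider Host (WmiPrvSE.exe).

All events below are constructed for this example and are not real telemetry.
Field names loosely follow Security 4624 (logon) and Sysmon 1 (process create).
"""
from datetime import datetime, timedelta

# Constructed sample events (hosts, users, IPs and paths are placeholders).
EVENTS = [
    {"time": "2024-09-18T10:00:12", "host": "WS01", "kind": "logon",
     "logon_type": 10, "user": "svc_backup", "src_ip": "10.0.5.20"},
    {"time": "2024-09-18T10:03:40", "host": "WS01", "kind": "process",
     "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\Temp\payload.exe", "user": "svc_backup"},
    {"time": "2024-09-18T10:05:00", "host": "WS02", "kind": "process",
     "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\conhost.exe", "user": "SYSTEM"},
    {"time": "2024-09-18T11:30:00", "host": "WS03", "kind": "process",
     "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Users\Public\update.exe", "user": "SYSTEM"},
    {"time": "2024-09-18T12:00:00", "host": "WS01", "kind": "logon",
     "logon_type": 3, "user": "svc_backup", "src_ip": "10.0.5.20"},
]

WMI_HOST = "wmiprvse.exe"
# Heuristic: children of WmiPrvSE.exe that live under the system directory are
# routine; anything outside it (Temp, Users, ProgramData, ...) is suspicious.
# Tune this allowlist per environment before relying on it.
TRUSTED_PREFIX = "c:\\windows\\system32\\"


def _ts(event):
    return datetime.fromisoformat(event["time"])


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rdp_logons(events):
    """Logon events with LogonType 10: an interactive session over RDP."""
    return [e for e in events
            if e["kind"] == "logon" and e.get("logon_type") == 10]


def wmi_spawned(events):
    """Process creations whose parent is WmiPrvSE.exe and whose image sits
    outside the trusted system directory."""
    hits = []
    for e in events:
        if e["kind"] != "process":
            continue
        if _basename(e["parent_image"]) != WMI_HOST:
            continue
        if e["image"].lower().startswith(TRUSTED_PREFIX):
            continue
        hits.append(e)
    return hits


def correlate(events, window=timedelta(minutes=30)):
    """Pair each suspicious WMI-spawned process with an RDP logon on the same
    host that happened at most `window` earlier. Returns one alert per pair."""
    logons = rdp_logons(events)
    alerts = []
    for proc in wmi_spawned(events):
        t_proc = _ts(proc)
        for logon in logons:
            gap = t_proc - _ts(logon)
            if logon["host"] == proc["host"] and timedelta(0) <= gap <= window:
                alerts.append({
                    "host": proc["host"],
                    "rdp_user": logon["user"],
                    "rdp_src": logon["src_ip"],
                    "image": proc["image"],
                    "minutes_after_logon": gap.total_seconds() / 60,
                })
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print("correlated:", alert)
    # A suspicious WMI child with no preceding RDP logon (WS03 here) still
    # deserves a lower-severity alert on its own.
    for proc in wmi_spawned(EVENTS):
        print("wmi child:", proc["host"], proc["image"])
```

On the sample data, WS01 produces a correlated alert (RDP logon, then a Temp-directory executable launched by WmiPrvSE.exe about three and a half minutes later), WS02's conhost.exe child is ignored, and WS03 is reported only as an uncorrelated WMI child. The path allowlist is the part that needs the most tuning: legitimate management agents sometimes launch from ProgramData, so the list should be built from a baseline of the environment's own WmiPrvSE.exe children.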
Vanilla Tempest, or Vice Society, is a threat actor that has been active since mid-2022. It typically targets the education, healthcare, IT, and manufacturing sectors and is known for frequently switching between different encryptors. While affiliates typically stick to one or two encryptors, Vanilla Tempest was observed using BlackCat, Quantum Locker, Zeppelin, Rhysida, and others.
In October 2022, Microsoft warned about Vanilla Tempest, noting that it was known for switching ransomware payloads while attacking schools in the United States. In some cases, Microsoft added, the group skipped encryption entirely and relied on data theft alone.
Among its victims are the Swedish furniture company IKEA, as well as the Los Angeles Unified School District (LAUSD). IKEA fell victim in late November 2022, when its stores in Morocco and Kuwait were forced to shut down parts of their infrastructure. A few months earlier, the LAUSD attempted to negotiate with the group to keep the stolen sensitive data private, but the negotiations failed.
“Unfortunately, as expected, a criminal organization recently released data,” LAUSD said shortly afterward. “In collaboration with law enforcement, our experts are analyzing the full scope of this data release.”
The identity of the hackers remains unknown to this day.
Via Hacker News