TLDR:
- Vanilla Tempest, a ransomware group, is targeting healthcare organizations in the US using a new ransomware strain called “INC.”
- The attackers use tools such as the Supper backdoor, AnyDesk, and MEGA during their intrusions; the group has also been associated with other ransomware variants, including BlackCat, Quantum Locker, Zeppelin, and Rhysida.
Microsoft has warned about the Vanilla Tempest hacking group, a financially motivated cybercriminal group actively attacking the healthcare sector in the United States. The group has been observed using a new ransomware strain called “INC” against healthcare organizations. The attack chain begins with initial access by a separate threat actor tracked as “Storm-0494,” which uses the Gootloader malware to gain entry. Once a foothold is established, control is handed over to Vanilla Tempest, which deploys the Supper backdoor, the AnyDesk remote-access tool, and the MEGA file-sync client to carry the attack forward.
The attackers move laterally over RDP and use the Windows Management Instrumentation (WMI) Provider Host to deploy the INC ransomware, which encrypts victims’ files and demands payment for decryption. In addition to INC, Vanilla Tempest has been associated with other ransomware variants, including BlackCat, Quantum Locker, Zeppelin, and Rhysida. Microsoft notes that Microsoft Defender for Endpoint can detect several stages of this activity, giving defenders multiple points in the chain at which to catch this persistent threat actor.
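As an added illustration (not from the advisory or from Microsoft), the following Python hunt flags the stages described above in process-creation telemetry: WMI Provider Host spawning an executable from a user-writable path, and the presence of the AnyDesk and MEGA clients. The events, the field names, and the MEGA image names are constructed assumptions, not a vendor schema or indicators from the page.

```python
"""Hunt process-creation telemetry for the stages of the Vanilla Tempest chain.

Sample events are CONSTRUCTED for this example; the field names mirror typical
EDR/Sysmon process-creation records but are assumptions, not a vendor schema.
"""
import re

# Tooling named in the advisory. The MEGA image names are assumed.
REMOTE_ACCESS_TOOLS = {"anydesk.exe"}
EXFIL_TOOLS = {"megasync.exe", "megacmd.exe"}
# Children WMI Provider Host commonly spawns; anything else launched from a
# user-writable path is worth an analyst's attention.
WMI_ALLOWED_CHILDREN = {"werfault.exe", "conhost.exe"}
USER_WRITABLE = re.compile(
    r"^(c:\\users\\|c:\\programdata\\|c:\\windows\\temp\\|c:\\temp\\)", re.I
)

SAMPLE_EVENTS = [  # constructed sample telemetry
    {"host": "ws01", "parent": "explorer.exe", "image": r"C:\Windows\System32\notepad.exe"},
    {"host": "ws01", "parent": "wmiprvse.exe", "image": r"C:\Windows\System32\werfault.exe"},
    {"host": "srv02", "parent": "wmiprvse.exe", "image": r"C:\Users\Public\enc.exe"},
    {"host": "srv02", "parent": "services.exe", "image": r"C:\ProgramData\AnyDesk\AnyDesk.exe"},
    {"host": "srv03", "parent": "explorer.exe", "image": r"C:\Users\j.doe\AppData\Local\MEGAsync\MEGAsync.exe"},
]


def classify(event):
    """Return the stage labels an event matches (empty list if benign)."""
    image = event["image"]
    name = image.rsplit("\\", 1)[-1].lower()
    parent = event["parent"].lower()
    hits = []
    if parent == "wmiprvse.exe" and name not in WMI_ALLOWED_CHILDREN and USER_WRITABLE.match(image):
        hits.append("wmi-spawned-payload")
    if name in REMOTE_ACCESS_TOOLS:
        hits.append("remote-access-tool")
    if name in EXFIL_TOOLS:
        hits.append("cloud-exfil-tool")
    return hits


def hunt(events):
    """Group hits per host so hosts showing more than one stage stand out."""
    findings = {}
    for event in events:
        for label in classify(event):
            findings.setdefault(event["host"], set()).add(label)
    return findings


if __name__ == "__main__":
    for host, stages in sorted(hunt(SAMPLE_EVENTS).items()):
        print(host, sorted(stages))
```

A host that shows both a WMI-spawned payload and a remote-access tool (srv02 in the sample) is the one to triage first.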
This complex and collaborative attack chain highlights the sophisticated nature of modern cybercrime operations targeting critical sectors like healthcare. By staying vigilant and using advanced security measures, organizations can protect themselves against threats from groups like Vanilla Tempest.