Beware: Vanilla Tempest hackers target the healthcare sector, Microsoft alerts

September 20, 2024


TLDR:

  • Vanilla Tempest, a ransomware group, is targeting healthcare organizations in the US using a new ransomware strain called “INC.”
  • The attackers use tools like Supper backdoor, AnyDesk, and MEGA to further their attacks, along with ransomware variants like BlackCat, Quantum Locker, Zeppelin, and Rhysida.

Microsoft has warned of the Vanilla Tempest hacker group, a financially motivated cybercriminal group actively attacking the healthcare sector in the United States. The hackers have been observed using a new ransomware strain called “INC” to target healthcare organizations. The attack chain begins with initial access by a separate threat actor tracked as “Storm-0494,” who uses the Gootloader malware to gain entry. Once a foothold is established, control is handed over to Vanilla Tempest, who deploys tools like the Supper backdoor, AnyDesk, and MEGA to carry out the attack.

The attackers leverage lateral movement via RDP and use the Windows Management Service Provider Host to deploy the INC ransomware, which encrypts victims’ files and demands payment for decryption. In addition to INC, Vanilla Tempest has been associated with other ransomware variants like BlackCat, Quantum Locker, Zeppelin, and Rhysida. However, Microsoft Defender for Endpoint is capable of detecting various stages of the attackers’ activities, providing a multi-layered defense against this persistent threat actor.
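The stages above (RDP lateral movement, a remote-access tool, a cloud sync client, and a payload launched through the WMI Provider Host) can be correlated per host from endpoint telemetry. The following is an added example written for this article, not code from Microsoft or the Vanilla Tempest report; the event records are constructed, the executable names for AnyDesk and MEGA are assumptions, and the Windows Management Service Provider Host mentioned above is assumed to be wmiprvse.exe.

```python
"""Per-host stage correlation for the attack chain described in the article.

Events are simplified, constructed records (not real telemetry) carrying the
fields an EDR, Sysmon or Windows Security log would supply: host, kind
("logon" or "process"), and for processes the image and parent image.
"""
from collections import defaultdict

# Stage names follow the article's chain; the executable names are assumptions.
REMOTE_ACCESS_TOOLS = {"anydesk.exe"}
SYNC_TOOLS = {"megasync.exe", "megacmd.exe"}
WMI_HOST = "wmiprvse.exe"  # assumed name of the WMI Provider Host process
# Children that wmiprvse.exe may legitimately spawn; anything else is flagged.
WMI_BENIGN_CHILDREN = {"wmiprvse.exe", "werfault.exe"}

def classify(ev):
    """Map one event to a chain stage name, or None if it matches no stage."""
    if ev["kind"] == "logon":
        # Logon type 10 is RemoteInteractive (RDP) in Windows event 4624
        return "rdp_lateral_movement" if ev.get("logon_type") == 10 else None
    image = ev["image"].rsplit("\\", 1)[-1].lower()
    parent = ev.get("parent", "").rsplit("\\", 1)[-1].lower()
    if image in REMOTE_ACCESS_TOOLS:
        return "remote_access_tool"
    if image in SYNC_TOOLS:
        return "cloud_sync_tool"
    if parent == WMI_HOST and image not in WMI_BENIGN_CHILDREN:
        return "wmi_spawned_process"
    return None

def correlate(events, min_stages=3):
    """Return {host: sorted stage names} for hosts showing >= min_stages stages."""
    seen = defaultdict(set)
    for ev in events:
        stage = classify(ev)
        if stage:
            seen[ev["host"]].add(stage)
    return {h: sorted(s) for h, s in seen.items() if len(s) >= min_stages}

SAMPLE_EVENTS = [  # constructed sample telemetry, not from a real incident
    {"host": "WS01", "kind": "logon", "logon_type": 10},
    {"host": "WS01", "kind": "process", "image": "C:\\Users\\a\\AnyDesk.exe", "parent": "explorer.exe"},
    {"host": "WS01", "kind": "process", "image": "C:\\Temp\\MEGAsync.exe", "parent": "explorer.exe"},
    {"host": "WS01", "kind": "process", "image": "C:\\Windows\\Temp\\update.exe", "parent": "C:\\Windows\\System32\\wmiprvse.exe"},
    {"host": "WS02", "kind": "logon", "logon_type": 10},
    {"host": "WS02", "kind": "process", "image": "C:\\Windows\\System32\\wmiprvse.exe", "parent": "svchost.exe"},
]

if __name__ == "__main__":
    for host, stages in correlate(SAMPLE_EVENTS).items():
        print(host, "->", ", ".join(stages))
```

A single RDP logon on WS02 is not enough to raise an alert; only WS01, which shows four of the stages together, is reported.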

This complex and collaborative attack chain highlights the sophisticated nature of modern cybercrime operations targeting critical sectors like healthcare. By staying vigilant and using advanced security measures, organizations can protect themselves against threats from groups like Vanilla Tempest.

