Microsoft has issued a warning to the US healthcare sector about a new ransomware threat posed by the notorious cybercriminal group Vanilla Tempest, also known as Vice Society.
The group, active since at least mid-2022, has begun deploying INC ransomware against healthcare organizations in the US, a strain Microsoft had not previously observed it using.
Microsoft’s latest findings, shared through an X (formerly Twitter) thread, reveal that Vanilla Tempest is continuing to evolve its tactics, aiming for high-impact targets in sensitive industries.
With healthcare being one of the sectors most at risk, the situation demands urgent attention.
How Vanilla Tempest Operates
Vanilla Tempest is known for rotating through a wide variety of ransomware encryptors, and INC is the latest one it has turned on the healthcare sector.
The group does not break in itself: it receives hand-offs from Gootloader infections run by a separate threat actor that Microsoft tracks as Storm-0494.
Once handed access, Vanilla Tempest brings in its own tooling to keep that access and spread through the victim's network.
Tools observed include the AnyDesk remote access utility, the MEGA file-sharing service (the kind of channel typically used to exfiltrate data before encryption), and the Supper backdoor.
For lateral movement the group relies on the Remote Desktop Protocol (RDP), which means it is holding valid credentials for the hosts it reaches.
It then uses Windows Management Instrumentation (WMI) to launch the INC ransomware payload across the compromised systems; on each host, a process started this way has the WMI Provider Host (WmiPrvSE.exe) as its parent, which is a useful artifact for defenders.
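The chain described above (RDP fan-out, WMI-launched payloads, commodity remote-access and file-sharing tools) maps directly onto detection logic. The Python sketch below is an added example, not code from Microsoft's thread or the original article; it runs over constructed sample events in a simplified dict shape, and the field names, host names, account names and the payload path are all assumptions rather than a vendor schema or real telemetry.

```python
"""Detection sketch for the intrusion chain described above (added example).

Input is a list of normalized event dicts. 'security' events model Windows
Security log 4624 logons (logon_type 10 == RemoteInteractive, i.e. RDP);
'sysmon' events model Sysmon Event ID 1 process creation. The shape and all
sample values below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). Hosts, users and paths are assumptions.
SAMPLE_EVENTS = [
    {"ts": "2024-09-18T01:02:00", "source": "security", "event_id": 4624,
     "host": "WS-014", "user": "svc_backup", "logon_type": 10, "src_ip": "10.20.5.17"},
    {"ts": "2024-09-18T01:05:30", "source": "security", "event_id": 4624,
     "host": "FS-02", "user": "svc_backup", "logon_type": 10, "src_ip": "10.20.5.17"},
    {"ts": "2024-09-18T01:09:10", "source": "security", "event_id": 4624,
     "host": "DC-01", "user": "svc_backup", "logon_type": 10, "src_ip": "10.20.5.17"},
    # Benign: an admin RDPs to a single jump host.
    {"ts": "2024-09-18T01:10:00", "source": "security", "event_id": 4624,
     "host": "JUMP-01", "user": "jdoe", "logon_type": 10, "src_ip": "10.20.9.3"},
    # WMI Provider Host spawning a binary dropped in a user-writable path, on two hosts.
    {"ts": "2024-09-18T01:12:00", "source": "sysmon", "event_id": 1,
     "host": "FS-02", "user": "svc_backup",
     "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Users\Public\payload.exe"},
    {"ts": "2024-09-18T01:12:05", "source": "sysmon", "event_id": 1,
     "host": "DC-01", "user": "svc_backup",
     "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Users\Public\payload.exe"},
    # Benign WMI child: management agents routinely launch PowerShell from a trusted path.
    {"ts": "2024-09-18T01:13:00", "source": "sysmon", "event_id": 1,
     "host": "WS-014", "user": "SYSTEM",
     "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    # Commodity remote-access tool appearing outside any sanctioned install path.
    {"ts": "2024-09-18T00:40:00", "source": "sysmon", "event_id": 1,
     "host": "WS-014", "user": "svc_backup",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\Public\AnyDesk.exe"},
]

RDP_HOST_THRESHOLD = 3            # distinct RDP destinations for one account ...
RDP_WINDOW = timedelta(minutes=30)  # ... within this window
TOOLING = {"anydesk.exe", "megasync.exe", "megacmd.exe"}  # names seen in the chain above
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files")  # heuristic; C:\Windows\Temp is still user-writable


def _parse(ts):
    return datetime.fromisoformat(ts)


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _trusted_path(image):
    return image.lower().startswith(TRUSTED_PREFIXES)


def rdp_fan_out(events, threshold=RDP_HOST_THRESHOLD, window=RDP_WINDOW):
    """One account establishing RDP sessions to >= threshold distinct hosts within window."""
    by_user = defaultdict(list)
    for e in events:
        if e["source"] == "security" and e["event_id"] == 4624 and e["logon_type"] == 10:
            by_user[e["user"]].append((_parse(e["ts"]), e["host"]))
    findings = []
    for user, logons in by_user.items():
        logons.sort()
        for i, (t0, _) in enumerate(logons):  # sliding window anchored on each logon
            hosts = {h for t, h in logons[i:] if t - t0 <= window}
            if len(hosts) >= threshold:
                findings.append({"rule": "rdp_fan_out", "user": user, "hosts": sorted(hosts)})
                break
    return findings


def wmi_untrusted_child(events):
    """WmiPrvSE.exe spawning a binary outside Windows/Program Files: remote WMI execution of a dropped file."""
    return [{"rule": "wmi_untrusted_child", "host": e["host"], "image": e["image"]}
            for e in events
            if e["source"] == "sysmon" and e["event_id"] == 1
            and _basename(e["parent_image"]) == "wmiprvse.exe"
            and not _trusted_path(e["image"])]


def wmi_mass_deployment(events, min_hosts=2):
    """The same untrusted WMI child on several hosts: the payload-deployment pattern."""
    hosts_by_image = defaultdict(set)
    for f in wmi_untrusted_child(events):
        hosts_by_image[f["image"].lower()].add(f["host"])
    return {img: sorted(h) for img, h in hosts_by_image.items() if len(h) >= min_hosts}


def unsanctioned_tooling(events):
    """Remote-access / file-sharing tools from the chain above launched from an untrusted path."""
    return [{"rule": "tooling", "host": e["host"], "image": e["image"]}
            for e in events
            if e["source"] == "sysmon" and e["event_id"] == 1
            and _basename(e["image"]) in TOOLING and not _trusted_path(e["image"])]


def detect(events):
    findings = rdp_fan_out(events) + wmi_untrusted_child(events) + unsanctioned_tooling(events)
    for image, hosts in wmi_mass_deployment(events).items():
        findings.append({"rule": "wmi_mass_deployment", "image": image, "hosts": hosts})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f)
```

The path heuristic is deliberately loose: an operator who stages the payload under a trusted directory will slip past it, so in production it should be paired with hash or signer checks, and the RDP threshold tuned per account type (service accounts should normally never open interactive RDP sessions at all).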
Impact on Healthcare Sector
While Microsoft has yet to disclose which specific healthcare organizations have been targeted or the extent of the damage, ransomware attacks on healthcare facilities typically result in significant consequences.
When healthcare organizations fall victim to ransomware, they not only risk the theft of highly sensitive patient information but also come under pressure to pay large ransoms to restore their systems.
These attacks can disrupt critical healthcare services and leave patients’ personal data vulnerable to exposure.
The healthcare sector has long been a prime target for cybercriminals due to the immense value of medical data.
Patient records, which often contain private information such as medical histories, insurance details, and financial information, are sold at high prices on the dark web.
In addition to data theft, healthcare providers may face legal and financial repercussions if they are unable to protect this information adequately.
Vanilla Tempest’s Track Record
Vanilla Tempest has a well-established history of targeting high-value sectors such as education, IT, and manufacturing, in addition to healthcare.
The group's habit of switching between ransomware strains rather than sticking with one is unusual among ransomware operators.
In previous attacks, Vanilla Tempest has deployed ransomware strains like BlackCat, Quantum Locker, Zeppelin, and Rhysida.
This isn't the first time Microsoft has sounded the alarm on Vanilla Tempest. Back in October 2022, Microsoft flagged the group for launching attacks on US schools.
In some cases, the group skipped encrypting files entirely, focusing instead on stealing data and threatening to leak it unless ransoms were paid.
One of the group’s high-profile victims was the Los Angeles Unified School District (LAUSD), which suffered a significant data breach after negotiations with the attackers broke down.
Another victim was IKEA, which had to shut down parts of its infrastructure in Morocco and Kuwait in late 2022 due to an attack by Vanilla Tempest.
Ongoing Threat
The identity of the individuals behind Vanilla Tempest remains unknown, but their evolving tactics and relentless targeting of critical sectors make them a serious threat.
While law enforcement agencies are working to identify and apprehend these hackers, the group continues to operate with impunity.
Microsoft’s warning to the healthcare sector underscores the urgent need for organizations to bolster their cybersecurity defenses.
Ransomware groups like Vanilla Tempest are becoming more sophisticated, and the consequences of falling victim to such attacks can be devastating, especially for critical services like healthcare.