Microsoft has announced that a financially motivated threat actor has used a new ransomware variant, INC, to target the healthcare sector in the U.S. for the first time. The company’s threat intelligence team tracks this activity under the group name Vanilla Tempest (formerly DEV-0832). Vanilla Tempest begins its attacks by taking over GootLoader infections and then deploys tools such as the Supper backdoor, the legitimate AnyDesk remote monitoring and management (RMM) tool, and the MEGA data synchronization tool. These operations build on activity carried out by the threat actor Storm-0494.
In the next phase of the attack, the threat actors start lateral movement via Remote Desktop Protocol (RDP) and use Windows Management Instrumentation (WMI) Provider Host to deploy the INC ransomware. Microsoft notes that Vanilla Tempest has been active since at least July 2022 and has previously targeted sectors such as education, healthcare, IT, and manufacturing using ransomware families like BlackCat, Quantum Locker, Zeppelin, and Rhysida.
The threat actor is also known as Vice Society. Vice Society is known for conducting attacks with existing ransomware variants rather than developing its own. Vanilla Tempest in particular has been observed targeting various sectors using this strategy.
This development follows an observed trend in which other ransomware groups, such as BianLian and Rhysida, have increasingly used tools like Azure Storage Explorer and AzCopy to exfiltrate sensitive data from compromised networks. These groups use the tools to transfer large volumes of data to cloud storage to avoid detection.
ModePUSH researcher Britton Manahan noted that these tools, which are used for managing Azure Storage and its objects, are repurposed by threat actors for large-scale data transfers. The misuse of such tools allows cybercriminals to conduct more complex and extensive data exfiltration during their attacks.
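
For defenders, the tool usage described in the first two paragraphs (AnyDesk, MEGA, WMI Provider Host) and in the Azure exfiltration paragraphs (Azure Storage Explorer, AzCopy) can be hunted in process-creation telemetry. The following Python triage function is an added example, not code from Microsoft or the article; the event field names, host names, executable file names and allowlist are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from ntpath import basename  # parses Windows paths on any OS

# Tools named in the article, keyed by assumed default executable name
# (lowercase). Renamed binaries will not match.
WATCHED = {
    "anydesk.exe": "remote-access",
    "megasync.exe": "data-sync",
    "azcopy.exe": "azure-transfer",
    "storageexplorer.exe": "azure-transfer",
}
WMI_HOST = "wmiprvse.exe"  # WMI Provider Host, parent of WMI-created processes
# Hypothetical allowlist of (host, executable) pairs approved by IT.
APPROVED = {("HELPDESK-01", "anydesk.exe")}

# Constructed sample events using Sysmon Event ID 1 style fields.
SAMPLE_EVENTS = [
    {"host": "HELPDESK-01", "image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe", "parent": r"C:\Windows\explorer.exe"},
    {"host": "FILESRV-02", "image": r"C:\ProgramData\AnyDesk.exe", "parent": r"C:\Windows\System32\cmd.exe"},
    {"host": "FILESRV-02", "image": r"C:\Users\Public\MEGAsync.exe", "parent": r"C:\Windows\System32\cmd.exe"},
    {"host": "FILESRV-02", "image": r"C:\Windows\Temp\sample.exe", "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
    {"host": "WS-17", "image": r"C:\Tools\azcopy.exe", "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"host": "WS-22", "image": r"C:\Windows\System32\gpupdate.exe", "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
]

def triage(events, approved=APPROVED):
    """Return {host: (severity, sorted tags)} for hosts with findings."""
    tools, wmi_children = defaultdict(set), defaultdict(set)
    for ev in events:
        image = basename(ev["image"]).lower()
        category = WATCHED.get(image)
        if category and (ev["host"], image) not in approved:
            tools[ev["host"]].add(category)
        if basename(ev["parent"]).lower() == WMI_HOST:
            wmi_children[ev["host"]].add("wmi-spawned:" + image)
    report = {}
    for host in set(tools) | set(wmi_children):
        # Both signals on one host match the staging-then-WMI sequence the
        # article describes; WMI activity alone is common in managed fleets.
        if tools[host] and wmi_children[host]:
            severity = "high"
        else:
            severity = "medium" if tools[host] else "low"
        report[host] = (severity, sorted(tools[host] | wmi_children[host]))
    return report

if __name__ == "__main__":
    for host, (severity, tags) in sorted(triage(SAMPLE_EVENTS).items()):
        print(f"{host}: {severity} {tags}")
```

Matching on file names alone is a starting point; in production the same logic would also key on signer, hash and network destination.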