Microsoft Warns of New INC Ransomware Targeting U.S. Healthcare Sector
Microsoft has disclosed that a financially motivated threat actor has been observed using a ransomware strain called INC to target the healthcare sector in the United States.
The company's threat intelligence team is tracking the activity under the name Vanilla Tempest (formerly DEV-0832).
“Vanilla Tempest is handed over GootLoader infections by a threat actor named Storm-0494, subsequently utilizing tools such as the Supper backdoor, the legitimate AnyDesk remote monitoring and management (RMM) tool, and the MEGA data synchronization tool,” the company said in statements released on X.
In the next phase, the attackers move laterally over Remote Desktop Protocol (RDP) and then use the Windows Management Instrumentation (WMI) Provider Host to deploy the INC ransomware payload.
Microsoft said Vanilla Tempest has been active since at least July 2022, with previous attacks targeting the education, healthcare, IT, and manufacturing sectors using various ransomware families such as BlackCat, Quantum Locker, Zeppelin, and Rhysida.

The threat actor is also tracked as Vice Society and is known for using existing lockers to carry out its attacks rather than building a custom variant.
The disclosure comes as ransomware groups such as BianLian and Rhysida have been observed increasingly using Azure Storage Explorer and AzCopy to exfiltrate data from compromised networks in an effort to avoid detection.
“This application, typically employed for managing Azure storage and its contents, is being repurposed by threat actors for comprehensive data transfers to cloud storage,” said researcher Britton Manahan from modePUSH.
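For defenders, the stages described above (AnyDesk and MEGA on endpoints, payload delivery through the WMI Provider Host, and AzCopy or Azure Storage Explorer for exfiltration) can be hunted together in process-creation telemetry. The following is an added example, not code from Microsoft or modePUSH; the event field names (`host`, `parent`, `image`), the stage labels, and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict

# Dual-use tools named in the article, keyed by lowercase image file name.
# Assumption: the tools run under their usual Windows binary names.
TOOL_STAGE = {
    "anydesk.exe": "remote-access",
    "megasync.exe": "exfil-sync",
    "azcopy.exe": "exfil-azure",
    "storageexplorer.exe": "exfil-azure",
}
WMI_HOST = "wmiprvse.exe"  # WMI Provider Host binary
# Triage simplification: children located in system directories are ignored.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return the stage label for one process-creation event, or None."""
    image = event["image"].lower()
    if basename(event["parent"]) == WMI_HOST and not image.startswith(SYSTEM_DIRS):
        return "wmi-spawned-binary"
    return TOOL_STAGE.get(basename(image))

def hunt(events):
    """Group stage hits per host; hosts with 2+ distinct stages are 'high'."""
    stages = defaultdict(set)
    for ev in events:
        stage = classify(ev)
        if stage:
            stages[ev["host"]].add(stage)
    return {h: ("high" if len(s) >= 2 else "review", sorted(s))
            for h, s in stages.items()}

# Constructed sample events (not real telemetry).
SAMPLE = [
    {"host": "ws-01", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\a\Downloads\AnyDesk.exe"},
    {"host": "fs-02", "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\ProgramData\upd.exe"},
    {"host": "fs-02", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Temp\azcopy.exe"},
    {"host": "dc-01", "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\wbem\mofcomp.exe"},
]

if __name__ == "__main__":
    for host, (severity, found) in hunt(SAMPLE).items():
        print(host, severity, found)
```

A single hit is only a review item, since all of these tools have legitimate uses; the value is in the per-host correlation of more than one stage.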
