Pirrico
Microsoft's threat intelligence team has uncovered a new ransomware strain called INC, which is being deployed by a financially motivated threat actor known as Vanilla Tempest (previously DEV-0832) to target the U.S. healthcare sector. This group, also tracked as Vice Society, has been active since at least July 2022 and has a history of targeting various sectors including education, IT, and manufacturing using multiple ransomware families.
The attack chain begins with GootLoader infections, handed off by another threat actor called Storm-0494. Vanilla Tempest then deploys a suite of tools including the Supper backdoor, AnyDesk remote monitoring tool, and MEGA data synchronization tool. The attackers use Remote Desktop Protocol (RDP) for lateral movement and the Windows Management Instrumentation (WMI) Provider Host to deploy the INC ransomware payload.
What sets Vanilla Tempest apart is their strategy of using existing ransomware strains rather than developing their own. In addition to INC, they have previously utilized ransomware families such as BlackCat, Quantum Locker, Zeppelin, and Rhysida. This adaptability makes them a particularly dangerous threat to various sectors.
In a related development, other ransomware groups like BianLian and Rhysida have been observed using Azure Storage Explorer and AzCopy for data exfiltration, repurposing these legitimate cloud management tools for large-scale data transfers to evade detection. This trend highlights the evolving tactics of ransomware operators and the need for organizations, especially in the healthcare sector, to remain vigilant and update their security measures accordingly.

