Vanilla Tempest, a ransomware group also known as Vice Society, has been spotted for the first time deploying the INC ransomware variant against the US healthcare sector.
That is the conclusion reached by cybersecurity researchers at Microsoft, who recently published their latest findings in a thread on X.
In the thread, the company reports that Vanilla Tempest first receives hand-offs from Gootloader infections carried out by Storm-0494, before installing various malware and tools, including Supper, AnyDesk, MEGA, and others.
The group uses Remote Desktop Protocol (RDP) for lateral movement and Windows Management Instrumentation Provider Host to deploy the INC ransomware.
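As an added illustration for defenders, not taken from Microsoft's thread or from this article, the following Python script hunts for the two behaviours just described in already-parsed Windows event data: RDP logons (Security event 4624, logon type 10) fanning out from a single internal address, and processes spawned by the WMI Provider Host (WmiPrvSE.exe). The event field names, the thresholds, the allow-list of benign WMI children and every sample event are constructed assumptions for the demo, not indicators from the campaign.

```python
"""Hunt for RDP lateral movement and WMI-launched processes in Windows events.

Assumptions (not from the article): events are dicts that mirror Security
event 4624 (logon) and Sysmon event 1 (process creation). Field names,
thresholds and the allow-list below are illustrative and should be tuned.
"""
import ipaddress
from collections import defaultdict

# Constructed sample events: a burst of RDP logons from one internal host,
# then a process launched by the WMI Provider Host on one of those targets.
EVENTS = [
    {"event_id": 4624, "logon_type": 10, "src_ip": "10.0.5.23", "user": "svc_backup", "host": "FS01", "ts": 100},
    {"event_id": 4624, "logon_type": 10, "src_ip": "10.0.5.23", "user": "svc_backup", "host": "DB02", "ts": 130},
    {"event_id": 4624, "logon_type": 10, "src_ip": "10.0.5.23", "user": "svc_backup", "host": "HR-APP", "ts": 160},
    # External source: an RDP gateway logon, not internal lateral movement.
    {"event_id": 4624, "logon_type": 10, "src_ip": "203.0.113.9", "user": "jdoe", "host": "VPN-GW", "ts": 170},
    # Console logon (type 2): not RDP at all.
    {"event_id": 4624, "logon_type": 2, "src_ip": "-", "user": "jdoe", "host": "WS17", "ts": 180},
    # Placeholder payload name; constructed, not a real indicator.
    {"event_id": 1, "host": "DB02", "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\Temp\payload_placeholder.exe",
     "cmdline": r"C:\Windows\Temp\payload_placeholder.exe --dir C:\Shares", "ts": 200},
    # Benign WMI housekeeping child, should not be flagged.
    {"event_id": 1, "host": "WS17", "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\wbem\WMIADAP.exe", "cmdline": "WMIADAP.exe /F /T /R", "ts": 210},
]


def rdp_fan_out(events, window=300, min_hosts=3):
    """Flag internal source IPs that open RDP sessions (logon type 10) to at
    least `min_hosts` distinct hosts within `window` seconds."""
    per_src = defaultdict(list)
    for e in events:
        if e.get("event_id") != 4624 or e.get("logon_type") != 10:
            continue
        try:
            if ipaddress.ip_address(e["src_ip"]).is_private:
                per_src[e["src_ip"]].append(e)
        except ValueError:  # "-" or malformed address
            continue
    hits = []
    for src, logons in per_src.items():
        logons.sort(key=lambda ev: ev["ts"])
        for i, first in enumerate(logons):
            hosts = {ev["host"] for ev in logons[i:] if ev["ts"] - first["ts"] <= window}
            if len(hosts) >= min_hosts:
                hits.append({"src_ip": src, "user": first["user"], "hosts": sorted(hosts)})
                break  # one alert per source is enough
    return hits


# Assumption: children WmiPrvSE.exe legitimately spawns in this environment.
WMI_BENIGN_CHILDREN = {"wmiadap.exe", "wmiprvse.exe"}


def wmi_spawned_processes(events):
    """Flag processes whose parent is WmiPrvSE.exe unless they are on the
    allow-list and run from a system directory; anything started from a
    temp or user-writable path is always reported."""
    hits = []
    for e in events:
        if e.get("event_id") != 1:
            continue
        parent = e.get("parent_image", "").lower()
        if not parent.endswith("\\wbem\\wmiprvse.exe"):
            continue
        image = e.get("image", "")
        name = image.rsplit("\\", 1)[-1].lower()
        writable_dir = "\\temp\\" in image.lower() or "\\users\\" in image.lower()
        if name not in WMI_BENIGN_CHILDREN or writable_dir:
            hits.append({"host": e["host"], "image": image, "cmdline": e.get("cmdline", "")})
    return hits


if __name__ == "__main__":
    for hit in rdp_fan_out(EVENTS):
        print("RDP fan-out:", hit)
    for hit in wmi_spawned_processes(EVENTS):
        print("WMI-spawned process:", hit)
```

The two detections are deliberately independent so each can be tuned on its own: the RDP rule keys on an internal source reaching several hosts in a short window (the gateway logon from a public address is ignored), while the WMI rule treats any child of WmiPrvSE.exe outside a small allow-list, or anything launched from a temp or profile directory, as worth a look.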
Unfortunately, Microsoft did not say which organizations Vanilla Tempest targeted, or how successful it was. Ransomware attacks on healthcare institutions typically result in the leakage of highly sensitive medical data, as well as potentially staggering payouts.
Vanilla Tempest, or Vice Society, is a threat actor that has been active since mid-2022. It typically targets the education, healthcare, IT, and manufacturing sectors and is known to frequently switch between different encryptors. While affiliates typically stick to one or two encryptors, Vanilla Tempest has been observed using BlackCat, Quantum Locker, Zeppelin, Rhysida, and others.
In October 2022, Microsoft warned about Vanilla Tempest, saying it was known to switch between ransomware payloads when attacking schools in the US. In some cases, Microsoft added, the group skips the encryption step altogether and simply steals the data.
Victims include Swedish furniture giant IKEA and the Los Angeles Unified School District (LAUSD). IKEA fell victim in late November 2022, when its stores in Morocco and Kuwait were forced to shut down parts of their infrastructure. A few months earlier, LAUSD attempted to negotiate with the group to keep the stolen sensitive data private, but the negotiations failed.
“Unfortunately, as expected, data was recently released by a criminal organization,” LAUSD said shortly afterward. “Working with law enforcement, our experts are analyzing the full extent of this data release.”
The identity of the hackers remains unknown to this day.
Via The Hacker News