A financially motivated threat actor tracked as Vanilla Tempest is targeting the healthcare sector with INC ransomware.
In a series of posts on X (formerly Twitter), Microsoft Threat Intelligence said on September 18 that it had observed Vanilla Tempest deploying tools such as the Supper backdoor, the legitimate AnyDesk remote monitoring and management tool, and the MEGA data synchronization tool after receiving a handoff from a Gootloader infection carried out by the threat actor Storm-0494.
Vanilla Tempest then performed lateral movement over Remote Desktop Protocol (RDP) and deployed an INC ransomware payload using a Windows Management Instrumentation (WMI) Provider Host, a first for the threat actor.
According to Microsoft’s post, Vanilla Tempest has been active since July 2022 and has primarily targeted the education, healthcare, IT and manufacturing sectors in attacks involving a variety of ransomware payloads, including ALPHV/BlackCat, Quantum Locker, Zeppelin and Rhysida.
Morgan Wright, chief security advisor at SentinelOne, noted that because INC is a ransomware-as-a-service (RaaS) business, “it’s not surprising that further attacks are possible.”
Wright, an SC Media columnist, added that an access broker provided the initial means of entry, in this case the threat actor identified as Storm-0494.
“The GootLoader malware appears to be leveraging SEO poisoning for first stage access and payload delivery,” Wright said. “Threat intelligence and up-to-date patching, as well as up-to-date user awareness training highlighting these threats, are essential to thwarting these types of threats.”
Patrick Tiquet, vice president of security and architecture at Keeper Security, added that while the tactics used – lateral movement via RDP and the adoption of legitimate tools such as AnyDesk – are not groundbreaking, the group’s consistent focus on the healthcare sector stands out.
“Threat actors like ALPHV/BlackCat have been exploiting this industry’s aging infrastructure and heavy reliance on sensitive data for years, and Vanilla Tempest has followed suit with a similar, but diversified, ransomware strain,” said Tiquet. “Within the larger threat landscape, Vanilla Tempest’s focus on the healthcare sector fits into a broader pattern of attackers leveraging increasingly sophisticated ransomware strains to exploit vulnerabilities in this industry. Threat actors like ALPHV/BlackCat demonstrate that the industry’s aging infrastructure and heavy reliance on sensitive data make it an attractive target.”
David Finn, executive vice president of governance, risk and compliance at First Health Advisory, added that it would be easy to dismiss the news about INC as just another ransomware group targeting a sector that is less prepared for attacks. But Finn said the news complicates providers’ overall security landscape: each additional group brings more actors into play, which could increase the frequency of attacks and put additional strain on defenses.
“Vanilla Tempest and ALPHV/BlackCat typically focus on exfiltrating data before releasing the ransomware, increasing the risk of data being exfiltrated or sold,” Finn said. “More attackers mean more tactics and potentially different response strategies, making incident response scenarios more complex. Ransom demands may also increase as bad actors must compete with each other to maximize profits. This expanding threat landscape requires greater collaboration between providers, security professionals, law enforcement, government agencies responsible for cybersecurity, and ISACs to share threat intelligence and best practices.”
Itzik Alvas, co-founder and CEO of Entro Security, said Vanilla Tempest extends its reach by exploiting non-human identities (NHI) that aren’t properly secured, such as service accounts used for RDP and WMI.
“Leveraging vertical targeting and lateral movement, attackers will soon expand the scope of NHI they can compromise by targeting additional vulnerable health services and critical assets,” Alvas said. “To protect against this imminent threat, healthcare organizations must increase visibility into NHI usage across their environments, scope permissions, and establish procedures focused on protecting the entire lifecycle of these identities within their environments.”
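The two behaviours the article describes, RDP lateral movement followed by payload execution through the WMI Provider Host in Microsoft's report, and the poorly secured service accounts used for RDP and WMI that Alvas points to, can both be hunted for in ordinary Windows endpoint telemetry. The Python below is an added example, not code from Microsoft, SC Media or any of the vendors quoted; the event records, hostnames, account names and the `svc_` naming convention are constructed assumptions.

```python
"""Hunt constructed Windows event records for two behaviours: RDP logons by
service (non-human) accounts, and processes spawned by the WMI Provider Host
(WmiPrvSE.exe). Field names mimic Sysmon Event ID 1 and Security Event 4624;
every value below is constructed for this example."""

# Constructed sample events (hypothetical hosts, accounts, IPs and paths).
EVENTS = [
    {"id": 4624, "host": "WS-RADIOLOGY-07", "logon_type": 10, "account": "CORP\\svc_backup", "src_ip": "10.20.0.15"},
    {"id": 4624, "host": "WS-RADIOLOGY-07", "logon_type": 10, "account": "CORP\\jdoe", "src_ip": "10.20.0.99"},
    {"id": 4624, "host": "FS-RECORDS-02", "logon_type": 3, "account": "CORP\\svc_backup", "src_ip": "10.20.0.15"},
    {"id": 1, "host": "FS-RECORDS-02", "parent": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "image": "C:\\Windows\\System32\\cmd.exe", "user": "CORP\\svc_backup"},
    {"id": 1, "host": "FS-RECORDS-02", "parent": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "image": "C:\\Windows\\System32\\wbem\\WMIADAP.exe", "user": "NT AUTHORITY\\SYSTEM"},
    {"id": 1, "host": "WS-RADIOLOGY-07", "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\notepad.exe", "user": "CORP\\jdoe"},
]

# Children that WmiPrvSE.exe legitimately spawns in this (constructed) environment.
WMI_CHILD_ALLOWLIST = {"wmiadap.exe", "conhost.exe"}
SERVICE_ACCOUNT_PREFIX = "svc_"   # assumed naming convention for NHI accounts


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def service_account_rdp_logons(events, prefix=SERVICE_ACCOUNT_PREFIX):
    """4624 with logon type 10 (RemoteInteractive) is an RDP session. A service
    account should never open one, so every such logon becomes an alert."""
    return [(e["host"], e["account"], e["src_ip"]) for e in events
            if e["id"] == 4624 and e["logon_type"] == 10
            and e["account"].split("\\")[-1].lower().startswith(prefix)]


def wmi_spawned_processes(events, allowlist=WMI_CHILD_ALLOWLIST):
    """Process creations whose parent is the WMI Provider Host and whose image
    is not an expected provider child: the execution path the article reports."""
    return [(e["host"], basename(e["image"]), e["user"]) for e in events
            if e["id"] == 1 and basename(e["parent"]) == "wmiprvse.exe"
            and basename(e["image"]) not in allowlist]


def hunt(events):
    return {"rdp_service_accounts": service_account_rdp_logons(events),
            "wmi_spawns": wmi_spawned_processes(events)}


if __name__ == "__main__":
    for rule, hits in hunt(EVENTS).items():
        print(rule, hits)
```

On the sample data the two rules fire once each: the svc_backup RDP logon and the cmd.exe child of WmiPrvSE.exe under the same account, which is exactly the pairing worth correlating.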