Microsoft has revealed that financially motivated threat actors have been observed targeting the US healthcare sector for the first time using ransomware dubbed INC.
The tech giant’s threat intelligence team is tracking the threat actor behind the campaign under the name Vanilla Tempest, formerly known as DEV-0832.
“Vanilla Tempest takes handoff from a GootLoader infection by threat actor Storm-0494, and subsequently deploys tools such as the Supper backdoor, the legitimate AnyDesk remote monitoring and management (RMM) tool, and the MEGA data sync tool,” said a series of posts shared on X.
In the next step, the attackers perform lateral movement over Remote Desktop Protocol (RDP) and deploy the INC ransomware payload using the Windows Management Instrumentation (WMI) Provider Host.
According to the Windows maker, Vanilla Tempest has been active since at least July 2022, with previous attacks targeting the education, healthcare, IT and manufacturing sectors using various ransomware families, including BlackCat, Quantum Locker, Zeppelin and Rhysida.
Notably, the threat actor is also tracked under the name Vice Society, which is known for leveraging existing lockers to carry out attacks rather than building its own custom versions.
The move comes as ransomware groups such as BianLian and Rhysida have been observed increasingly using Azure Storage Explorer and AzCopy to exfiltrate sensitive data from compromised networks in a bid to evade detection.
“This tool, used to manage Azure storage and the objects within it, is being repurposed by threat actors for large-scale data transfers to cloud storage,” modePUSH researcher Britton Manahan said.
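The two behaviours the article describes, the WMI Provider Host launching the ransomware payload and AzCopy or Azure Storage Explorer being used for bulk transfers, both show up in process-creation telemetry. The following is an added detection example, not code from Microsoft, modePUSH or the article; the Sysmon-style records, hostnames, paths, users and the two allowlists are constructed assumptions.

```python
# Constructed Sysmon Event ID 1 style records (hosts, paths and users invented).
EVENTS = [
    {"host": "WS01", "user": "CORP\\svc_backup",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Users\Public\update.exe", "cmdline": "update.exe --silent"},
    {"host": "WS01", "user": "NT AUTHORITY\\SYSTEM",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\wbem\WMIC.exe", "cmdline": "wmic os get caption"},
    {"host": "FS02", "user": "CORP\\jdoe", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Tools\azcopy.exe",
     "cmdline": "azcopy copy D:\\Finance https://acct.blob.core.windows.net/c --recursive"},
    {"host": "FS02", "user": "CORP\\jdoe", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Azure Storage Explorer\StorageExplorer.exe",
     "cmdline": "StorageExplorer.exe"},
    {"host": "ADMIN01", "user": "CORP\\cloudops", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Tools\azcopy.exe",
     "cmdline": "azcopy copy C:\\backup https://acct.blob.core.windows.net/b"},
    {"host": "DC01", "user": "NT AUTHORITY\\SYSTEM",
     "parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
]

# Tuning knobs (assumed for this example): directories from which WmiPrvSE.exe may
# legitimately spawn children, and hosts where Azure storage tooling is expected.
TRUSTED_WMI_CHILD_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
AZURE_STORAGE_TOOLS = {"azcopy.exe", "storageexplorer.exe"}
HOSTS_ALLOWED_AZURE_TOOLS = {"ADMIN01"}


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, host, image) for each event matching one of the two rules."""
    alerts = []
    for e in events:
        image = e["image"].lower()
        # Rule 1: WMI Provider Host spawning a binary outside the Windows system dirs
        # (the payload-deployment step in the article; tune via TRUSTED_WMI_CHILD_DIRS).
        if basename(e["parent"]) == "wmiprvse.exe" and not image.startswith(TRUSTED_WMI_CHILD_DIRS):
            alerts.append(("wmi_spawned_untrusted_child", e["host"], e["image"]))
        # Rule 2: AzCopy / Azure Storage Explorer running on a host where it is not expected
        # (the exfiltration tooling described for BianLian and Rhysida).
        if basename(image) in AZURE_STORAGE_TOOLS and e["host"] not in HOSTS_ALLOWED_AZURE_TOOLS:
            alerts.append(("unexpected_azure_storage_tool", e["host"], e["image"]))
    return alerts
```

Both rules fire on legitimate activity in some environments (SCCM and monitoring agents also spawn from WmiPrvSE.exe), so the allowlists are where tuning happens; the AzCopy rule can additionally be narrowed to command lines that reference a blob.core.windows.net endpoint.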