Ransomware, Malware, Threat Intelligence

Vanilla Tempest leverages INC ransomware to target healthcare sector


The financially motivated threat actor tracked as Vanilla Tempest is using INC ransomware to target the healthcare sector.

In a series of posts on X, formerly Twitter, Microsoft Threat Intelligence posted Sept. 18 that it observed Vanilla Tempest receiving hand-offs from Gootloader infections by the threat actor Storm-0494 before deploying tools such as the Supper backdoor, the legitimate AnyDesk remote monitoring and management tool, and the MEGA data synchronization tool.

Vanilla Tempest then performed lateral movement through the remote desktop protocol (RDP) and used the Windows Management Instrumentation (WMI) Provider Host to deploy the INC ransomware payload, a first for the threat actor.
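As an added illustration (not from the article or from Microsoft's post), a small Python hunt over constructed Sysmon-style records that flags the three stages of the chain described above from the defender's side: the WMI Provider Host launching an unsigned binary from a user-writable path, AnyDesk or MEGA appearing on hosts outside an assumed allow-list, and one account fanning out over RDP (logon type 10) to several hosts. The host names, paths, allow-list and fan-out threshold are assumptions.

```python
"""Hunt for the tradecraft chain above in constructed Sysmon-style telemetry."""
import json
from collections import defaultdict

# Constructed sample records (not real telemetry): one JSON object per line.
SAMPLE_LOG = r"""
{"host":"WS01","event":"process","parent":"C:\\Windows\\System32\\wbem\\WmiPrvSE.exe","image":"C:\\Users\\Public\\payload.exe","signed":false}
{"host":"WS01","event":"process","parent":"C:\\Windows\\explorer.exe","image":"C:\\Program Files\\AnyDesk\\AnyDesk.exe","signed":true}
{"host":"WS02","event":"process","parent":"C:\\Windows\\explorer.exe","image":"C:\\Users\\j.doe\\AppData\\Local\\MEGAsync\\MEGAsync.exe","signed":true}
{"host":"SRV01","event":"logon","logon_type":10,"account":"svc_backup","src_ip":"10.0.0.15"}
{"host":"SRV02","event":"logon","logon_type":10,"account":"svc_backup","src_ip":"10.0.0.15"}
{"host":"SRV03","event":"logon","logon_type":10,"account":"svc_backup","src_ip":"10.0.0.15"}
{"host":"SRV03","event":"process","parent":"C:\\Windows\\System32\\wbem\\WmiPrvSE.exe","image":"C:\\Windows\\System32\\wbem\\WMIC.exe","signed":true}
"""

DUAL_USE_TOOLS = {"anydesk.exe", "megasync.exe"}   # tools named in the article
APPROVED_TOOL_HOSTS = {"HELPDESK01"}                # assumed allow-list
WMI_PROVIDER_HOST = r"\wbem\wmiprvse.exe"
RDP_LOGON_TYPE = 10                                  # Windows RemoteInteractive logon
RDP_FANOUT_THRESHOLD = 3                             # assumed: distinct hosts per source


def parse(log_text):
    return [json.loads(line) for line in log_text.strip().splitlines()]


def hunt(records):
    findings, rdp_targets = [], defaultdict(set)
    for r in records:
        if r["event"] == "process":
            image, parent = r["image"].lower(), r["parent"].lower()
            exe = image.rsplit("\\", 1)[-1]
            # Stage 3: WMI Provider Host launching an unsigned or user-writable binary
            if parent.endswith(WMI_PROVIDER_HOST) and (not r["signed"] or "\\users\\" in image):
                findings.append((r["host"], "wmi_spawned_payload", image))
            # Stage 1/2: remote-access or sync tool on a host where it is not expected
            if exe in DUAL_USE_TOOLS and r["host"] not in APPROVED_TOOL_HOSTS:
                findings.append((r["host"], "unapproved_dual_use_tool", exe))
        elif r["event"] == "logon" and r["logon_type"] == RDP_LOGON_TYPE:
            rdp_targets[(r["account"], r["src_ip"])].add(r["host"])
    # Stage 2: one account/source reaching many hosts over RDP suggests lateral movement
    for (account, src_ip), hosts in rdp_targets.items():
        if len(hosts) >= RDP_FANOUT_THRESHOLD:
            findings.append((src_ip, "rdp_lateral_movement", f"{account} -> {len(hosts)} hosts"))
    return findings


if __name__ == "__main__":
    for host, rule, detail in hunt(parse(SAMPLE_LOG)):
        print(f"{host:10} {rule:26} {detail}")
```

The signed WMIC.exe launched by WmiPrvSE.exe on SRV03 is deliberately left unflagged, since the rule keys on the unsigned or user-writable child rather than on the WMI parent alone.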

Vanilla Tempest has been active since July 2022 and commonly targets the education, healthcare, IT, and manufacturing sectors in attacks involving various ransomware payloads such as ALPHV/BlackCat, Quantum Locker, Zeppelin, and Rhysida, the Microsoft post said.

Morgan Wright, chief security advisor at SentinelOne, pointed out that INC is a ransomware-as-a-service (RaaS) operation, “so the probability of more attacks is a given.”

Wright, an SC Media columnist, added that access brokers provided the means of initial compromise: in this case, it was a threat actor identified as Storm-0494.

“The malware — GootLoader — appears to take advantage of SEO poisoning for first-stage access and payload delivery,” said Wright. “Threat intelligence and up-to-date patching are essential in defeating this kind of threat, along with current user awareness training highlighting these threats.”

Patrick Tiquet, vice president of security and architecture at Keeper Security, added that while the tactics used are not groundbreaking — like lateral movement through RDP and the deployment of legitimate tools like AnyDesk — what stands out is the persistent focus on healthcare.

“Threat actors like ALPHV/BlackCat have long exploited the sector's aging infrastructure and critical dependence on sensitive data, and Vanilla Tempest is following suit with similar, albeit diverse, ransomware strains,” said Tiquet. “In the larger threat environment, Vanilla Tempest’s focus on healthcare fits into a broader pattern of attackers leveraging increasingly sophisticated ransomware strains to exploit the sector’s vulnerabilities. Threat actors like ALPHV/BlackCat have shown that the industry’s aging infrastructure and heavy reliance on sensitive data make it an attractive target.”

David Finn, executive vice president of governance, risk, and compliance at First Health Advisory, added that it’s easy to dismiss the news about INC as just another ransomware group going after a sector poorly prepared for such attacks. However, Finn said the news complicates the overall security environment for providers: another group means another attacker, and that means the frequency of attacks will likely increase, putting more strain on defenses.

“Vanilla Tempest and ALPHV/BlackCat typically focus on exfiltration of data before releasing the ransomware, increasing the risk of data being released or, more likely, sold,” explained Finn. “More attackers also means additional tactics that might require different response efforts and even more complex incident response scenarios. It could also potentially lead to higher ransom demands as the ‘bad guys’ must compete to maximize profits. This expanding threat landscape requires greater collaboration between providers, security experts, law enforcement, government agencies responsible for cybersecurity, and ISACs to share threat intelligence and best practices.”

Itzik Alvas, co-founder and CEO of Entro Security, said Vanilla Tempest expands its scope by exploiting improperly secured non-human identities (NHIs) such as service accounts used for RDP and WMI. 

“Given its vertical target and use of lateral movement, attackers will soon expand the scope of NHIs they can compromise by targeting additional vulnerable healthcare services and critical assets,” said Alvas. “Defending against this imminent threat will require healthcare organizations to proactively gain visibility into NHI usage throughout their environment, permission scoping, and establish a procedural emphasis on securing the entire lifecycle of these identities in their environment.”
