Microsoft warns US healthcare sector of new ransomware threat
Microsoft did not say which organizations have been targeted

Sep 21, 2024
05:37 pm

What's the story

Microsoft has issued a warning about a new ransomware threat targeting the US healthcare sector. The cybersecurity team at Microsoft identified Vanilla Tempest, also known as Vice Society, as the group behind this attack. This is the first time that this group has been observed using the INC ransomware strain in their operations.

Attack strategy

Modus operandi and targets

Vanilla Tempest initiates its attacks through Gootloader infections, facilitated by Storm-0494. The group then deploys a range of malware and tools, including Supper, AnyDesk, and MEGA. It uses the Remote Desktop Protocol (RDP) for lateral movement within a network, and the Windows Management Instrumentation Provider Host to deploy the INC ransomware. However, Microsoft has not disclosed which organizations have been targeted or the success rate of these attacks.

Past activities

History and previous attacks

Vanilla Tempest has been active since mid-2022 and is known for frequently switching between different encryptors. The group typically targets the education, healthcare, IT, and manufacturing sectors. In October 2022, Microsoft warned about this group's tactic of swapping ransomware payloads while targeting US schools. In some instances, the group bypasses encryption entirely and simply steals data.

Major breaches

High-profile victims of Vanilla Tempest

Vanilla Tempest's high-profile victims include Swedish furniture giant IKEA and the Los Angeles Unified School District (LAUSD). In late November 2022, IKEA stores in Morocco and Kuwait were forced to partially shut down their infrastructure due to an attack. Earlier that year, LAUSD attempted to negotiate with the group over stolen sensitive data but failed. The identity of the hackers remains unknown.