Vice Society hits healthcare with INC ransomware attacks

Microsoft observed a threat actor, Vice Society, using INC ransomware, a ransomware-as-a-service operation, to target U.S. healthcare organizations. Microsoft Threat Intelligence detailed its findings about Vice Society, which it tracks as Vanilla Tempest, in a series of posts on X, formerly Twitter, on Sept. 18, noting that this was the first time it had seen Vanilla Tempest use INC ransomware to target healthcare.

INC ransomware emerged in July 2023 as a ransomware extortion operation, cybersecurity company SentinelOne stated. INC ransomware operators have targeted a variety of entities with multi-extortion ransomware.

Microsoft said that Vanilla Tempest receives hand-offs from Gootloader infections by threat actor Storm-0494, and then deploys tools such as the Supper backdoor, the MEGA data synchronization tool and the legitimate AnyDesk remote monitoring tool.

Vanilla Tempest has been active since as early as June 2021 and is known to target the education sector. The cyberthreat actor has since branched out to target the healthcare, manufacturing and IT sectors using payloads such as BlackCat, Rhysida and Quantum Locker.

"The rise of Vanilla Tempest, particularly with its latest INC ransomware attacks, marks a continuation of the healthcare sector's growing vulnerability to ransomware-as-a-service operations," said Patrick Tiquet, vice president of security and architecture at Keeper Security.

"While the tactics used -- like lateral movement through RDP and the deployment of legitimate tools like AnyDesk -- are not groundbreaking, what stands out is the persistent focus on healthcare. Threat actors like ALPHV/BlackCat have long exploited the sector's aging infrastructure and critical dependence on sensitive data, and Vanilla Tempest is following suit with similar, albeit diverse, ransomware strains."

Tiquet recommended prioritizing stronger network segmentation, HIPAA compliance and real-time monitoring to mitigate the risk of cyberattacks perpetrated by cyberthreat actors that prey on healthcare's legacy systems and reliance on sensitive data.

Jill McKeon has covered healthcare cybersecurity and privacy news since 2021.