
Microsoft warns of new INC ransomware targeting US healthcare sector

September 19, 2024 | Ravie Lakshmanan | Healthcare / Malware

Microsoft has announced that it has observed for the first time a financially motivated threat actor using a ransomware variant called INC to attack the US healthcare sector.

The tech giant’s threat intelligence team is monitoring the activity under the name Vanilla Tempest (formerly DEV-0832).

“Vanilla Tempest receives transmissions of GootLoader infections by the threat actor Storm-0494, before deploying tools such as the Supper backdoor, the legitimate AnyDesk remote monitoring and management (RMM) tool, and the MEGA data synchronization tool,” the company said in a series of messages shared on X.

In the next step, the attackers perform lateral movement via Remote Desktop Protocol (RDP) and then use the Windows Management Instrumentation (WMI) Provider Host to deploy the INC ransomware payload.

According to the Windows maker, Vanilla Tempest has been active since at least July 2022. Previous attacks have targeted the education, healthcare, IT and manufacturing sectors, using various ransomware families such as BlackCat, Quantum Locker, Zeppelin and Rhysida.

It is worth noting that the threat actor is also tracked under the name Vice Society. The group is known for using existing lockers to carry out its attacks, rather than building a modified version of its own.

This development comes as ransomware groups like BianLian and Rhysida increasingly use Azure Storage Explorer and AzCopy to steal sensitive data from compromised networks and evade detection.

“This tool, which is used to manage Azure storage and the objects within it, is being reused by attackers for large-scale data transfers to cloud storage,” said Britton Manahan, researcher at modePUSH.
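A hunting sketch for the tool chain described above, added here as an example and not taken from Microsoft or modePUSH: it scans process-creation records for the named tools and for children of the WMI Provider Host, then ranks hosts by how many signal categories co-occur. The event fields, host names, file paths and threshold are constructed assumptions.

```python
import ntpath
from collections import defaultdict

# Usual image names of the tools named in the article, lower-cased.
TOOLS = {
    "anydesk.exe": "rmm:AnyDesk",
    "megasync.exe": "sync:MEGA",
    "azcopy.exe": "transfer:AzCopy",
    "storageexplorer.exe": "transfer:Azure Storage Explorer",
}
WMI_HOST = "wmiprvse.exe"  # WMI Provider Host

# Constructed process-creation records (fields modelled on Sysmon Event ID 1).
SAMPLE_EVENTS = [
    {"host": "fs-02", "image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe",
     "parent": r"C:\Windows\System32\services.exe"},
    {"host": "fs-02", "image": r"C:\Users\svc\AppData\Local\MEGAsync\MEGAsync.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"host": "fs-02", "image": r"C:\ProgramData\w.exe",  # placeholder binary name
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
    {"host": "ws-014", "image": r"C:\Tools\azcopy.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"host": "db-01", "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
]

def _name(path):
    # ntpath splits on backslashes regardless of the analyst's own OS.
    return ntpath.basename(path).lower()

def hunt(events):
    """Return {host: sorted findings} for named tools and WMI-spawned processes."""
    findings = defaultdict(set)
    for ev in events:
        image, parent = _name(ev["image"]), _name(ev["parent"])
        if image in TOOLS:
            findings[ev["host"]].add(TOOLS[image])
        if parent == WMI_HOST:
            findings[ev["host"]].add("wmi-spawn:" + image)
    return {host: sorted(items) for host, items in findings.items()}

def escalate(findings, threshold=2):
    """Hosts where several signal categories co-occur; each alone is often benign."""
    return sorted(host for host, items in findings.items()
                  if len({item.split(":")[0] for item in items}) >= threshold)

if __name__ == "__main__":
    results = hunt(SAMPLE_EVENTS)
    print(results, escalate(results))
```

Matching on image name misses renamed binaries, and management software also launches processes through the WMI Provider Host, so treat a single hit as a lead and use the co-occurrence ranking to decide what to triage first.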
