The ransomware collective known as Vanilla Tempest, or Vice Society, has made its debut in the American healthcare sector by utilizing the INC ransomware variant. This alarming development was uncovered by cybersecurity experts from Microsoft, who shared their insights on a recent thread on X.
According to Microsoft’s findings, Vanilla Tempest initially gains access through Gootloader infections operated by Storm-0494. Once inside, the group brings in additional malware and tooling, including Supper, AnyDesk, and MEGA.
Understanding Vice Society
The group uses Remote Desktop Protocol (RDP) for lateral movement within the network and the Windows Management Instrumentation Provider Host to deploy the INC ransomware. Microsoft has not disclosed which organizations were targeted or how successful these attacks were.
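One way a defender might hunt for the deployment pattern described above, as an added example that is not from Microsoft’s report: it assumes Sysmon-style process-creation fields, that the WMI Provider Host is WmiPrvSE.exe, a per-environment allowlist of that process’s normal children, and the vendors’ default binary names for AnyDesk and MEGA; the events below are constructed.

```python
WMI_HOST = "wmiprvse.exe"
# Assumption: children WmiPrvSE legitimately spawns in this environment; tune per fleet.
WMI_BENIGN_CHILDREN = {"wmiprvse.exe", "conhost.exe", "werfault.exe"}
# Tools the report says the intrusion set brings in; binary names are the vendors' defaults.
TOOLING_OF_INTEREST = {"anydesk.exe": "AnyDesk", "megasync.exe": "MEGA"}

# Constructed Sysmon-style process-creation events; not real telemetry.
SAMPLE_EVENTS = [
    {"Computer": "ws01", "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "Image": r"C:\Windows\System32\conhost.exe"},
    {"Computer": "srv-fs01", "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "Image": r"C:\Users\Public\enc.exe"},
    {"Computer": "srv-fs01", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Users\alice\AppData\Local\MEGAsync\MEGAsync.exe"},
    {"Computer": "ws02", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe"},
]


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify_event(event: dict) -> list:
    """Findings for one event: 'wmi-spawn:<child>' and/or 'tooling:<name>'."""
    findings = []
    parent, image = basename(event["ParentImage"]), basename(event["Image"])
    if parent == WMI_HOST and image not in WMI_BENIGN_CHILDREN:
        findings.append("wmi-spawn:" + image)
    if image in TOOLING_OF_INTEREST:
        findings.append("tooling:" + TOOLING_OF_INTEREST[image])
    return findings


def hunt(events: list) -> dict:
    """Group findings by host so the two weak signals can be correlated."""
    by_host = {}
    for event in events:
        for finding in classify_event(event):
            by_host.setdefault(event["Computer"], []).append(finding)
    return by_host


def escalate(by_host: dict) -> list:
    """Hosts showing both an unexpected WMI spawn and the report's named tooling."""
    return sorted(host for host, fs in by_host.items()
                  if any(f.startswith("wmi-spawn:") for f in fs)
                  and any(f.startswith("tooling:") for f in fs))
```

On the constructed sample only srv-fs01 is escalated; ws02 runs AnyDesk alone, which on its own is a weak signal and stays a host-level finding for triage.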
Ransomware attacks on healthcare organizations often result in serious leaks of confidential medical data and large ransom demands. Since it emerged in mid-2022, Vanilla Tempest has mainly targeted the education, healthcare, IT services, and manufacturing sectors, and it has repeatedly switched between encryptors. Whereas most affiliate groups specialize in one or two encryptors at a time, this group has used a whole range of them, including BlackCat, Quantum Locker, Zeppelin and Rhysida, among others.
In October 2022, Microsoft warned about the group’s tactics, noting that it not only rotates payloads but, in some operations against educational institutions across the United States, skipped encryption altogether and simply exfiltrated data.
Notable victims attributed to its campaigns include the global furniture retailer IKEA and the Los Angeles Unified School District (LAUSD). In late November 2022, IKEA’s stores in Kuwait suffered operational disruptions after a breach affecting critical systems. A few months earlier, LAUSD had tried to negotiate with the group in the hope of limiting the exposure of stolen personally identifiable information, but the talks collapsed and the district ultimately disclosed publicly: “As expected…data was recently released by a criminal organization.” The district is working with law enforcement agencies while conducting a thorough analysis of the leak.
To date, the identities of those behind these operations remain unknown.
According to The Hacker News