Microsoft has revealed that a financially motivated threat actor has been observed using a ransomware strain called INC for the first time to target the healthcare sector in the U.S.
The tech giant’s threat intelligence team is tracking the activity under the name Vanilla Tempest (formerly DEV-0832).
“Vanilla Tempest receives hand-offs from GootLoader infections by the threat actor Storm-0494, before deploying tools like the Supper backdoor, the legitimate AnyDesk remote monitoring and management (RMM) tool, and the MEGA data synchronization tool,” it said in a series of posts shared on X.
In the next step, the attackers proceed to carry out lateral movement through Remote Desktop Protocol (RDP) and then use the Windows Management Instrumentation (WMI) Provider Host to deploy the INC ransomware payload.
The Windows maker said Vanilla Tempest has been active since at least July 2022, with previous attacks targeting education, healthcare, IT, and manufacturing sectors using various ransomware families such as BlackCat, Quantum Locker, Zeppelin, and Rhysida.
It’s worth noting that the threat actor is also tracked under the name Vice Society, which is known for employing already existing lockers to carry out their attacks, as opposed to building a custom version of their own.
The development comes as ransomware groups like BianLian and Rhysida have been observed increasingly using Azure Storage Explorer and AzCopy to exfiltrate sensitive data from compromised networks in an attempt to evade detection.
“This tool, used for managing Azure storage and objects within it, is being repurposed by threat actors for large-scale data transfers to cloud storage,” modePUSH researcher Britton Manahan said.