​Microsoft says a ransomware affiliate it tracks as Vanilla Tempest now targets U.S. healthcare organizations in INC ransomware attacks.

INC Ransom is a ransomware-as-a-service (RaaS) operation whose affiliates have targeted public and private organizations since July 2023, including Yamaha Motor Philippines, the U.S. division of Xerox Business Solutions(XBS), and, more recently, Scotland’s National Health Service (NHS).

In May 2024, a threat actor called “salfetka” claimed to sell the source code of INC Ransom’s Windows and Linux/ESXi encrypter versions for $300,000 on the Exploit and XSS hacking forums.

Microsoft revealed on Wednesday that its threat analysts have observed the financially motivated Vanilla Tempest threat actor using INC ransomware for the first time in an attack on the U.S. healthcare sector.

During the attack, Vanilla Tempest gained network access through the Storm-0494 threat actor, who infected the victim’s systems with the Gootloader malware downloader.

Once inside, the attackers backdoored the systems with Supper malware and deployed the legitimate AnyDesk remote monitoring and MEGA data synchronization tools.

The attackers then moved laterally using Remote Desktop Protocol (RDP) and the Windows Management Instrumentation Provider Host to deploy INC ransomware across the victim’s network.

While Microsoft didn’t name the victim hit by the Vanilla Tempest-orchestrated INC ransomware healthcare attack, the same ransomware strain was linked to a cyberattack against Michigan’s McLaren Health Care hospitals last month.

The attack disrupted IT and phone systems, caused the health system to lose access to patient information databases, and forced it to reschedule some appointments and non-emergent or elective procedures “out of an abundance of caution.”

Who is Vanilla Tempest?

Active since at least early June 2021, Vanilla Tempest (previously tracked as DEV-0832 and Vice Society) has frequently targeted sectors, including education, healthcare, IT, and manufacturing, using various ransomware strains such as BlackCat, Quantum Locker, Zeppelin, and Rhysida.

While active as Vice Society, the threat actor was known for using multiple ransomware strains during attacks, including Hello Kitty/Five Hands and Zeppelin ransomware.

CheckPoint linked Vice Society with the Rhysida ransomware gang in August 2023, another operation known for targeting healthcare, which tried to sell patient data stolen from Lurie Children’s Hospital in Chicago.