Microsoft has revealed that a financially motivated threat actor has used a ransomware called INC for the first time to target the US healthcare sector
The tech giant’s threat intelligence team tracks activity under the name Vanilla storm (formerly DEV-0832).
“Vanilla Tempest receives a transmission from GootLoader of the Storm-0494 threat before deploying tools such as the Supper backdoor, AnyDesk’s legitimate remote monitoring and management (RMM) tool, and the MEGA data synchronization tool, said in a series of messages shared by X.
In the next step, attackers perform lateral movement via Remote Desktop Protocol (RDP) and then use the Windows Management Instrumentation (WMI) provider host to deploy the INC ransomware payload.
The Windows maker said Vanilla Tempest has been active since at least July 2022, and previous attacks have targeted the education, healthcare, IT and manufacturing sectors using various ransomware families such as BlackCat, Quantum Locker, Zeppelin and Rhysida.
It should be noted that the threat actor is also tracked by name Vice-societywho is known for work already existing lockers make their own attacks rather than creating their own version.
This comes as ransomware groups such as BianLian and Rhysida increasingly use Azure Storage Explorer and AzCopy to extract sensitive data from compromised networks in an attempt to avoid detection.
“This tool, used to manage Azure storage and the objects within it, is being repurposed by threat actors for large-scale data transfer to cloud storage,” said modePUSH researcher Britton Monahan. said.
