Microsoft has issued a warning about a cybercrime group known as Vanilla Tempest, which is using the INC ransomware to target US healthcare organizations. This group primarily exploits systems already infected with Gootloader malware, using it to gain access and deploy ransomware. Vanilla Tempest utilizes tools like the Supper backdoor and remote management software such as AnyDesk to infiltrate networks and move laterally via Remote Desktop Protocol (RDP).
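The paragraph above names AnyDesk and RDP lateral movement as parts of this intrusion chain. As an added example (not from Microsoft or the original page), the Python below correlates the two: a remote-management tool starting on a host, followed by RDP sessions from that host to several others. The event schema, host names, timestamps and thresholds are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical normalized schema (not a real log format).
# "proc": process start on `host`; "rdp": remote-interactive logon on `dst` from `src`.
EVENTS = [
    {"ts": "2024-01-10T09:00:00", "type": "proc", "host": "ws-114",
     "image": r"C:\Users\a\Downloads\AnyDesk.exe"},
    {"ts": "2024-01-10T09:20:00", "type": "rdp", "src": "ws-114", "dst": "fs-01"},
    {"ts": "2024-01-10T09:25:00", "type": "rdp", "src": "ws-114", "dst": "dc-01"},
    # RDP from a host with no remote-management tool start: not flagged.
    {"ts": "2024-01-10T09:30:00", "type": "rdp", "src": "ws-200", "dst": "fs-01"},
    {"ts": "2024-01-10T10:00:00", "type": "proc", "host": "ws-300",
     "image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe"},
    # RDP 29 hours after the tool start: outside the default window.
    {"ts": "2024-01-11T15:00:00", "type": "rdp", "src": "ws-300", "dst": "fs-01"},
]

def correlate(events, window_hours=4, min_targets=2, tools=("anydesk.exe",)):
    """Return {host: [rdp destinations]} for hosts that started a remote-management
    tool and then opened RDP sessions to >= min_targets hosts within the window."""
    window = timedelta(hours=window_hours)
    started = {}   # host -> start times of a listed tool
    fanout = {}    # host -> RDP destinations reached inside the window
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["ts"])):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "proc":
            # Match on file name only; a renamed binary evades this, so pair it
            # with signer or hash checks where the telemetry provides them.
            name = ev["image"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
            if name in tools:
                started.setdefault(ev["host"].lower(), []).append(ts)
        elif ev["type"] == "rdp":
            src = ev["src"].lower()
            if any(timedelta(0) <= ts - t0 <= window for t0 in started.get(src, [])):
                fanout.setdefault(src, set()).add(ev["dst"].lower())
    return {h: sorted(d) for h, d in fanout.items() if len(d) >= min_targets}

if __name__ == "__main__":
    for host, targets in correlate(EVENTS).items():
        print(f"review {host}: remote tool start followed by RDP to {targets}")
```

Where AnyDesk is an approved tool, the result is a triage list rather than an alert, and the window and target count need tuning to the environment.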
Active for at least two years, Vanilla Tempest has also targeted education, IT, and manufacturing sectors. Their activities show overlap with another group, Vice Society, which has been active since mid-2021 and is linked to multiple ransomware families, including BlackCat and Rhysida. The INC ransomware, part of a ransomware-as-a-service (RaaS) model, has been deployed by Vanilla Tempest for about a year, indicating they may operate as affiliates within a larger network of cybercriminals. For more information, see "Microsoft: US Healthcare Sector Targeted by INC Ransomware Affiliate."