Microsoft Warns Of Vanilla Tempest Hackers Attacking Healthcare Sector


Vanilla Tempest is a ransomware group that has recently targeted U.S. healthcare organizations using a new ransomware strain.

This group has been active since at least June 2021 and has been linked to various cyberattacks across multiple sectors like education and IT.


Cybersecurity researchers at the Microsoft Threat Intelligence team recently warned that the Vanilla Tempest hacking group has been actively attacking the healthcare sector.


Vanilla Tempest Hackers

Microsoft has identified Vanilla Tempest as a financially motivated cybercriminal group that has been using a new ransomware strain dubbed “INC” to target healthcare organizations in the US.

This is the first observed instance of Vanilla Tempest deploying “INC ransomware.”

The complete attack chain begins with another threat actor, dubbed “Storm-0494,” using the “Gootloader” malware to gain initial access to the victims’ systems.

Gootloader is a sophisticated malware loader that commonly spreads via compromised websites. Once Storm-0494 establishes this foothold, it hands off control to Vanilla Tempest.

The Vanilla Tempest group then deploys a range of tools to further the attack, including:

  • The Supper backdoor (a malicious program that allows unauthorized remote access)
  • AnyDesk (a legitimate remote desktop application repurposed for malicious use)
  • MEGA (a cloud storage service used here to exfiltrate stolen data)

This multi-stage attack chain demonstrates the complex and collaborative nature of modern cybercrime operations targeting critical sectors.

The threat actors’ attack strategy involves lateral movement via “RDP.”

They then deploy the “INC” ransomware payload by leveraging a core Windows service, the “Windows Management service Provider Host.” The ransomware encrypts victims’ files and demands payment for decryption.
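To make the chain above concrete from a defender’s side, here is an added example (not from Microsoft’s report or this article) that correlates constructed endpoint events against the described stages: AnyDesk dropped, RDP lateral movement, a binary launched through the WMI Provider Host, and data pushed to MEGA. It assumes the article’s “Windows Management service Provider Host” refers to the WMI Provider Host process WmiPrvSE.exe; the sample events and indicators are constructed for illustration, not published IoCs.

```python
"""Correlate constructed endpoint events against the Vanilla Tempest chain.
Assumption: the article's 'Windows Management service Provider Host' is the
WMI Provider Host process, WmiPrvSE.exe. All events below are constructed."""
from collections import defaultdict

# Sample telemetry, constructed for this example (not real IoCs).
EVENTS = [
    {"ts": 1, "host": "WS01", "type": "process", "image": r"C:\Users\a\AppData\AnyDesk.exe",
     "parent": r"C:\Windows\explorer.exe", "signed": True},
    {"ts": 2, "host": "SRV02", "type": "logon", "logon_type": 10, "user": "a"},
    {"ts": 3, "host": "SRV02", "type": "process", "image": r"C:\ProgramData\x.exe",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "signed": False},
    {"ts": 4, "host": "SRV02", "type": "network", "dest": "g.api.mega.co.nz"},
    {"ts": 5, "host": "WS09", "type": "logon", "logon_type": 10, "user": "helpdesk"},
]

def is_remote_tool(e):   # AnyDesk appearing as a running process
    return e["type"] == "process" and e["image"].lower().endswith("anydesk.exe")

def is_rdp_lateral(e):   # Windows 4624 with LogonType 10 (RemoteInteractive)
    return e["type"] == "logon" and e.get("logon_type") == 10

def is_wmi_child(e):     # unsigned binary spawned by the WMI Provider Host
    return (e["type"] == "process"
            and e.get("parent", "").lower().endswith("wmiprvse.exe")
            and not e.get("signed", False))

def is_mega_exfil(e):    # outbound traffic to MEGA storage domains
    return e["type"] == "network" and e["dest"].lower().endswith(
        ("mega.nz", "mega.co.nz", "mega.io"))

STAGES = [("remote_tool", is_remote_tool), ("rdp_lateral", is_rdp_lateral),
          ("wmi_child", is_wmi_child), ("mega_exfil", is_mega_exfil)]

def correlate(events, min_stages=2):
    """Return {host: [stage names in time order]} for hosts that hit at least
    min_stages distinct stages; a lone RDP logon or AnyDesk install is not alerted."""
    hits = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        for name, match in STAGES:
            if match(e) and name not in hits[e["host"]]:
                hits[e["host"]].append(name)
    return {h: s for h, s in hits.items() if len(s) >= min_stages}

if __name__ == "__main__":
    for host, stages in correlate(EVENTS).items():
        print(f"{host}: {' -> '.join(stages)}")
```

Lowering `min_stages` to 1 turns the script into a noisy single-indicator hunt; the default only raises hosts where several stages of the described chain line up.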

Vanilla Tempest’s arsenal isn’t limited to INC; the group has also been associated with other notorious ransomware variants, including:

  • BlackCat 
  • Quantum Locker 
  • Zeppelin 
  • Rhysida 

Each of these payloads has its own encryption methods and ransom demands.

Microsoft Defender for Endpoint is capable of detecting various stages of Vanilla Tempest’s activities.

This includes identifying the initial network intrusion, the lateral movement attempts, and the deployment of the ransomware itself, providing a multi-layered defense against this persistent threat actor.
