Microsoft reports that a ransomware group, Vanilla Tempest, is now targeting U.S. healthcare organizations using INC ransomware in a recent wave of cyberattacks.
Vanilla Tempest, a ransomware affiliate tracked by Microsoft, has been involved in recent INC ransomware attacks on U.S. healthcare organizations. INC Ransom, a ransomware-as-a-service (RaaS) operation, has been active since July 2023 and has hit multiple organizations, including Yamaha Motor Philippines, the U.S. division of Xerox Business Solutions (XBS), and Scotland's National Health Service (NHS).
According to Microsoft, Vanilla Tempest recently used INC ransomware in an attack against the U.S. healthcare sector, the first time the group has been seen deploying this ransomware strain.
While Microsoft did not name the healthcare organization targeted, the attack followed a similar incident at Michigan's McLaren Health Care hospitals, where IT systems and phone lines were disrupted, and patient data became inaccessible.
Vanilla Tempest, active since at least June 2021, has undergone several name changes, including DEV-0832 and Vice Society. The group usually targets industries like education, healthcare, IT, and manufacturing with multiple ransomware strains, including BlackCat, Quantum Locker, Zeppelin, and Rhysida.
During its time as Vice Society, the group became known for using several ransomware types in its attacks, like Hello Kitty/Five Hands and Zeppelin. In August 2023, Check Point tied Vice Society to the Rhysida ransomware gang, which also targets the healthcare industry and attempted to sell patient data stolen from Lurie Children's Hospital in Chicago.
Microsoft’s Threat Intelligence reports, “Microsoft observed the financially motivated threat actor tracked as Vanilla Tempest using INC ransomware for the first time to target the healthcare sector in the United States,” confirming the threat actor's recent escalation.
With Vanilla Tempest now using INC ransomware, U.S. healthcare providers are even more vulnerable to cyberattacks. The disruptions will directly impact patient care, delay medical treatments, and compromise protected health information (PHI).
As cybercriminals like Vanilla Tempest become more sophisticated, healthcare organizations must upgrade their cybersecurity defenses to protect the privacy and security of patient data.
Vanilla Tempest is a cybercriminal group that has been active since 2021. They target various industries, including healthcare, education, and manufacturing, using different types of ransomware to disable systems and demand payment.
INC ransomware is a type of malware that cybercriminals use to encrypt a victim's files and systems, holding them for ransom until the organization pays. It has been in use since mid-2023, targeting many organizations.
Healthcare organizations must use HIPAA compliant platforms, like Paubox, which offer multi-factor authentication, access controls, and a secure cloud service to safeguard protected health information (PHI).
Additionally, regular HIPAA training can help staff avoid clicking on suspicious links or downloading files from untrusted sources, protecting the organization from ransomware attacks.