Microsoft has warned of a new wave of cyberattacks on the US healthcare sector by the financially motivated group Vanilla Tempest. According to Microsoft's recent post on X (formerly Twitter), the group has been deploying the INC ransomware strain in these attacks.

Vanilla Tempest, also tracked as Vice Society or DEV-0832, has been active since at least 2021. Microsoft’s threat intelligence team notes that Vanilla Tempest typically gains access to healthcare networks using the Gootloader malware downloader.

Once inside, the group deploys the Supper backdoor along with legitimate tools such as the AnyDesk remote-access client and the MEGA file-synchronization client for remote access and data transfer. It then moves laterally over Remote Desktop Protocol (RDP) and uses the Windows Management Instrumentation (WMI) Provider Host to launch the INC ransomware payload, locking down systems across the network.
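The chain above (remote-access and sync tooling staged first, then RDP and WMI used to push the payload) is something a defender can look for before the encryptor runs. The following detection sketch is an added example, not Microsoft's or the article's code. It classifies a handful of constructed Windows Security and Sysmon-style events into the stages named in the text and raises an alert when remote execution (an RDP logon, or a process spawned by the WMI Provider Host) follows staging tooling within a time window. The process names, hostnames and field layout are assumptions for illustration; the event facts it relies on (Security 4624 with LogonType 10 for RDP, WmiPrvSE.exe as the parent of WMI-launched processes) are standard Windows behaviour.

```python
"""Detection sketch for the staging -> RDP/WMI execution chain described above.

Added example, not Microsoft's or the article's code. Event layout, hostnames and
process names are assumptions; the sample events below are constructed.
"""
import ntpath
from collections import defaultdict

# Assumed binary names of the tooling named in the text (AnyDesk, MEGA sync client).
REMOTE_TOOLS = {"anydesk.exe", "megasync.exe"}
# WMI Provider Host: processes created remotely via WMI appear as its children.
WMI_HOST = "wmiprvse.exe"
# Security event 4624 with LogonType 10 is a RemoteInteractive (RDP) logon.
RDP_LOGON_TYPE = 10


def basename(path):
    """Lower-cased file name of a Windows path (works on non-Windows hosts too)."""
    return ntpath.basename(path).lower()


def classify(event):
    """Map one event to a chain stage, or None if it is not interesting."""
    kind = event.get("kind")
    if kind == "process":
        image = basename(event["image"])
        parent = basename(event.get("parent", ""))
        if image in REMOTE_TOOLS:
            return "staging_tool:" + image
        if parent == WMI_HOST:
            return "wmi_remote_exec:" + image
    elif kind == "logon":
        if event.get("event_id") == 4624 and event.get("logon_type") == RDP_LOGON_TYPE:
            return "rdp_logon:" + event.get("user", "?")
    return None


def stages_by_host(events):
    """Time-ordered list of (ts, stage) per host, ignoring uninteresting events."""
    found = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        stage = classify(ev)
        if stage:
            found[ev["host"]].append((ev["ts"], stage))
    return dict(found)


def chain_alerts(events, window):
    """One alert per remote-execution event that is preceded, anywhere in the
    environment, by staging tooling within `window` seconds (most recent staging wins)."""
    staging, execs = [], []
    for ev in sorted(events, key=lambda e: e["ts"]):
        stage = classify(ev)
        if stage is None:
            continue
        if stage.startswith("staging_tool:"):
            staging.append((ev["ts"], ev["host"]))
        else:
            execs.append((ev["ts"], ev["host"], stage))
    alerts = []
    for e_ts, e_host, stage in execs:
        recent = [(s_ts, s_host) for s_ts, s_host in staging if 0 <= e_ts - s_ts <= window]
        if recent:
            s_ts, s_host = max(recent)
            alerts.append({"staged_on": s_host, "staged_at": s_ts,
                           "exec_on": e_host, "exec_at": e_ts, "stage": stage})
    return alerts


# Constructed sample events (timestamps in seconds); not real telemetry.
SAMPLE_EVENTS = [
    {"ts": 100, "host": "WS-12", "kind": "process",
     "image": r"C:\Users\jdoe\AppData\Local\Temp\AnyDesk.exe", "parent": r"C:\Windows\explorer.exe"},
    {"ts": 400, "host": "WS-12", "kind": "process",
     "image": r"C:\Program Files\MEGAsync\MEGAsync.exe", "parent": r"C:\Windows\explorer.exe"},
    {"ts": 2600, "host": "FS-01", "kind": "logon", "event_id": 4624, "logon_type": 10, "user": "svc_backup"},
    {"ts": 2700, "host": "FS-01", "kind": "process",
     "image": r"C:\Windows\Temp\update.exe", "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
    {"ts": 2900, "host": "WS-40", "kind": "logon", "event_id": 4624, "logon_type": 2, "user": "alice"},
    {"ts": 3000, "host": "WS-40", "kind": "process",
     "image": r"C:\Windows\System32\notepad.exe", "parent": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for host, stages in stages_by_host(SAMPLE_EVENTS).items():
        print(host, stages)
    for alert in chain_alerts(SAMPLE_EVENTS, window=3600):
        print("ALERT", alert)
```

With a one-hour window the sample data yields two alerts for FS-01 (the RDP logon and the WMI-spawned process), both tied back to the tooling staged on WS-12; with a window too short to span the gap, nothing fires. The staging stage is the one worth tuning carefully: AnyDesk and MEGA are legitimate software, so in a real environment the lookup should be restricted to installs outside sanctioned paths or by unexpected users rather than any occurrence.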

This isn't the first time INC ransomware has hit critical industries. According to a report from BleepingComputer, INC Ransom's victims already include Yamaha Motor Philippines, the US division of Xerox Business Solutions, and Scotland's National Health Service (NHS). Healthcare remains one of the primary targets for Vanilla Tempest and for ransomware operators generally, likely because medical data is highly sensitive, the sector relies heavily on legacy technology, and disruption to patient care puts pressure on victims to pay quickly.

The INC ransomware group, active since mid-2023, runs a Ransomware-as-a-Service operation: affiliates receive a pre-built encryptor and leak-site infrastructure in exchange for a cut of each ransom. Vanilla Tempest has previously used other strains, including BlackCat, Quantum Locker, and Rhysida. The healthcare industry's exposure to these attacks is further highlighted by UnitedHealth's recent $22 million ransom payment following the attack on its Change Healthcare subsidiary.

In May 2024, an affiliate of the INC ransomware group reportedly tried to sell the ransomware's source code for $300,000 on hacking forums. If that sale went through, the encryptor would be in the hands of additional operators, widening its spread beyond the current affiliate program.

While the identities of the healthcare organizations affected by this latest wave remain undisclosed, the impact of INC ransomware on the sector is already evident. In August 2024, Michigan's McLaren Health Care had to reschedule appointments and non-emergency procedures after an INC ransomware attack crippled its systems.

The recent wave of attacks shows that ransomware affiliates are becoming more sophisticated and methodical. Groups like Vanilla Tempest operate like a business: they reuse a repeatable intrusion chain, swap ransomware strains as needed, and negotiate ransoms with large organizations in a professional, calculated manner.