Ransomware Mounts a Serious Threat to US Healthcare Providers

Ransomware Attacks in Healthcare

Ransomware attacks have surged within the US healthcare sector, with Microsoft cautioning that the Vanilla Tempest group is capitalizing on vulnerabilities through the INC ransomware service.

Tactics of the Threat Actor

The Vanilla Tempest group exploits initial access gained through a Gootloader infection to infiltrate healthcare systems. This allows lateral movement within networks, ultimately leading to the deployment of INC ransomware. Microsoft reported: “Vanilla Tempest receives hand-offs from Gootloader infections... before deploying tools like the Supper backdoor.”

Extent of Impact and Disguised Ransom Demands

Though Microsoft did not name specific healthcare organizations involved in these attacks, it remains uncertain whether ransoms have been requested. Notably, the threat actor may have opted for extortion efforts without deploying ransomware, using data exfiltration to pressure victims.

Defining Malicious Patterns

Vanilla Tempest, also referred to as DEV-0832, is recognized for its frequent attacks on the education and healthcare sectors. With a history dating back to June 2021, their arsenal has included a variety of ransomware families.

As Microsoft notes, this transition to INC ransomware signifies a potential shift in strategy, pursuing double and triple extortion tactics for faster profits. The parallels observed between this group and others such as Vice Society may suggest a deeper connection in malicious operations.