Vanilla Tempest Unleashes INC Ransomware on Hospitals

Threat Details and Score

Threat Group: Vanilla Tempest (also known as Vice Society)
Threat Type: Ransomware-as-a-Service (RaaS)
Exploited Vulnerabilities: Initial access via Gootloader malware, Remote Desktop Protocol (RDP) abuse, and Windows Management Instrumentation (WMI) for lateral movement
Malware Used: INC ransomware, Supper backdoor, AnyDesk, MEGA
Threat Score: High (8.7/10) — Due to its focus on healthcare infrastructure, advanced encryption techniques, and wide-reaching impact on operational systems
Last Threat Observation: September 2024 (Microsoft)


Overview:

The Vanilla Tempest group is actively deploying INC ransomware against U.S. healthcare organizations. These attacks typically begin with a Gootloader malware infection, followed by lateral movement over RDP and the use of legitimate remote access tools. Once the ransomware is executed, it encrypts essential data and systems, causing widespread operational disruptions.

Key Details:

  • Targeted Sector: Healthcare, specifically U.S. hospitals and medical networks.
  • Initial Access: Spear-phishing campaigns, Gootloader malware, and exploitation of Citrix NetScaler vulnerabilities.
  • Tools and Techniques: AnyDesk for remote access, MegaSync for data exfiltration, and WMI for lateral movement.
  • Impact: Operational disruptions, loss of access to patient data, ransom demands, and delays in medical services.

Attack Vectors:

After initial access through Gootloader, attackers establish persistent remote access with AnyDesk, move laterally across the network over RDP, stage data for exfiltration with MegaSync, and execute the ransomware payload via WMI, encrypting critical systems and data.


Indicators of Compromise (IoCs):

File Indicators:

  • Ransomware binary hash:
    • SHA256: fcefe50ed02c8d315272a94f860451bfd3d86fa6ffac215e69dfa26a7a5deced
  • Ransom note filenames:
    • INC-README.TXT
    • INC-README.HTML
  • Encrypted file extension: .INC

System Indicators:

  • Tools used by attackers:
    • NETSCAN.EXE
    • MEGAsyncSetup64.EXE
    • ESENTUTL.EXE
    • AnyDesk.exe
  • Command-line arguments used:
    • --file
    • --dir
    • --sup
    • --ens
    • --lhd
    • --debug
  • Presence of ransom notes printed on connected devices
  • Attempted deletion of Volume Shadow Copies
  • Debug strings:
    C:\source\INC Encryptor\Release\INC Encryptor.pdb

Network Indicators:

  • Exfiltration using MegaSync:
    MEGAsyncSetup64.EXE detected on victim networks
  • Communication with INC Ransom’s Tor-based leak site and payment portal

Other Indicators:

  • Exploitation of Citrix NetScaler vulnerabilities (e.g., CVE-2023-3519) for initial access
  • Use of spear-phishing emails to gain entry into networks
  • Unusual network behavior:
    • Unusual outbound traffic
    • Geographic irregularities in network communication
    • Sudden spikes in database read volumes
    • Large numbers of requests for the same file
    • Suspicious changes in system or registry files
  • Anomalous DNS requests often associated with C2 communications

Mitigation and Prevention:

  1. Patch management: Ensure all systems, especially healthcare-specific applications, are up to date with security patches.
  2. Disable RDP where not necessary and enforce multi-factor authentication (MFA) for all remote connections.
  3. Monitor for IoCs: Track the use of AnyDesk, MEGA, and other remote tools on your network.
  4. Network segmentation: Isolate critical infrastructure to reduce lateral movement.
  5. Backup Strategy: Maintain regular, offline backups of critical data and test restoration procedures frequently.
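To show how the file and system indicators above and the "Monitor for IoCs" step can be turned into working detection logic, here is an added Python example; it is not part of this advisory or of any vendor tooling. It matches process-creation events against the IoCs listed on this page (tool binaries, the documented command-line switches, the ransom note names, the .INC extension, the PDB debug string and the binary hash). The event schema (host, image, cmdline, sha256, pdb_path, created_files) and the sample records are constructed for the example, and the shadow-copy deletion command patterns are an assumption about how such attempts commonly appear in telemetry, since the advisory only states that deletion is attempted.

```python
"""Hunt constructed Windows process events for the INC ransomware IoCs above."""
import json
import re
from collections import defaultdict

# IoCs from the advisory, case folded so matching is case-insensitive.
TOOL_BINARIES = {"netscan.exe", "megasyncsetup64.exe", "esentutl.exe", "anydesk.exe"}
INC_SWITCHES = {"--file", "--dir", "--sup", "--ens", "--lhd", "--debug"}
RANSOM_NOTES = {"inc-readme.txt", "inc-readme.html"}
ENCRYPTED_EXT = ".inc"
PDB_STRING = r"c:\source\inc encryptor\release\inc encryptor.pdb"
BINARY_SHA256 = "fcefe50ed02c8d315272a94f860451bfd3d86fa6ffac215e69dfa26a7a5deced"
# Assumption: shadow-copy deletion attempts appear as one of these well-known
# command lines; the advisory itself only says deletion is attempted.
SHADOW_DELETE = re.compile(
    r"vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete", re.I)
# Tags that indicate the encryptor itself (or its final staging step), as
# opposed to precursor tooling such as AnyDesk or MEGAsync.
ENCRYPTOR_TAGS = {"hash:inc_encryptor", "pdb:inc_encryptor", "args:inc_switches",
                  "file:ransom_note", "file:inc_extension", "cmd:shadow_copy_delete"}


def basename(path):
    """Lower-cased final path component, accepting either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze_event(event):
    """Return the list of IoC tags matched by one constructed process event."""
    hits = []
    name = basename(event.get("image", ""))
    cmdline = event.get("cmdline", "")
    if name in TOOL_BINARIES:
        hits.append(f"tool:{name}")
    if event.get("sha256", "").lower() == BINARY_SHA256:
        hits.append("hash:inc_encryptor")
    if PDB_STRING in event.get("pdb_path", "").lower():
        hits.append("pdb:inc_encryptor")
    # --file and --dir alone are common in unrelated software, so require at
    # least two of the documented switches before tagging the command line.
    switches = {tok.lower() for tok in cmdline.split() if tok.startswith("--")}
    if len(switches & INC_SWITCHES) >= 2:
        hits.append("args:inc_switches")
    if SHADOW_DELETE.search(cmdline):
        hits.append("cmd:shadow_copy_delete")
    for created in event.get("created_files", []):
        fname = basename(created)
        if fname in RANSOM_NOTES:
            hits.append("file:ransom_note")
        elif fname.endswith(ENCRYPTED_EXT):
            hits.append("file:inc_extension")
    return hits


def hunt(jsonl):
    """Parse JSON-lines events; return {host: {"tags": set, "verdict": str}}."""
    report = defaultdict(lambda: {"tags": set(), "verdict": "clean"})
    for line in jsonl.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed telemetry instead of aborting the hunt
        report[event.get("host", "unknown")]["tags"].update(analyze_event(event))
    for info in report.values():
        if info["tags"] & ENCRYPTOR_TAGS:
            info["verdict"] = "encryptor_activity"
        elif info["tags"]:
            info["verdict"] = "precursor_tooling"
    return dict(report)


# Constructed sample telemetry (not real victim data): one host with precursor
# tools, one with the encryptor, one benign host, and one malformed record.
SAMPLE_EVENTS = "\n".join([
    json.dumps({"host": "ws-17", "image": r"C:\Users\jdoe\Downloads\AnyDesk.exe",
                "cmdline": "AnyDesk.exe --install"}),
    json.dumps({"host": "ws-17", "image": r"C:\Temp\MEGAsyncSetup64.EXE",
                "cmdline": "MEGAsyncSetup64.EXE /S"}),
    json.dumps({"host": "srv-db-02", "image": r"C:\Windows\System32\vssadmin.exe",
                "cmdline": "vssadmin.exe delete shadows /all /quiet"}),
    json.dumps({"host": "srv-db-02", "image": r"C:\ProgramData\enc.exe",
                "cmdline": r"enc.exe --dir D:\data --sup --debug", "sha256": BINARY_SHA256,
                "pdb_path": r"C:\source\INC Encryptor\Release\INC Encryptor.pdb",
                "created_files": [r"D:\data\INC-README.TXT", r"D:\data\patients.db.INC"]}),
    json.dumps({"host": "ws-03", "image": r"C:\Tools\backup.exe",
                "cmdline": "backup.exe --file nightly.bak"}),  # benign single switch
    "not json at all",
])

if __name__ == "__main__":
    for host, info in hunt(SAMPLE_EVENTS).items():
        print(host, info["verdict"], sorted(info["tags"]))
```

The verdict split matters for triage: hosts tagged only with precursor tooling (AnyDesk, MEGAsync, NETSCAN) point to the staging phase described above and are where containment can still prevent encryption, while any encryptor tag on a host means isolation and backup restoration should start immediately. Real deployments would read events from Sysmon, EDR or Windows Security logs instead of the constructed schema used here.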

Conclusion:

The INC ransomware presents a significant threat to healthcare organizations due to its ability to quickly disrupt operations and compromise sensitive medical data. With the involvement of a sophisticated group like Vanilla Tempest, the risk is elevated, particularly with their exploitation of existing malware infections and remote access tools. Immediate action, such as improved patch management, enhanced remote access security, and comprehensive backup strategies, is essential to mitigate these risks.


Sources:

  1. TechRadar - Microsoft warns US healthcare of threat actor using new ransomware
  2. SC Magazine - US healthcare sector subjected to attacks with INC ransomware
  3. OODALoop - Microsoft Warns of New INC Ransomware Targeting U.S. Healthcare Sector
  4. BleepingComputer - Vanilla Tempest hackers hit healthcare with INC ransomware