Vice Society Pivots to Inc Ransomware in Healthcare Attack

Published: 23/11/2024   Category: security




Inc ransomware — one of the most popular among cybercriminals today — meets healthcare, the industry sector most targeted by RaaS.



Inc ransomware is on the rise, with one well-known threat actor recently using it to target American healthcare organizations.
Vice Society, which Microsoft tracks as Vanilla Tempest, has been active since July 2022. In that time, the Russian-speaking group has made use of various families of ransomware to aid its double extortion attacks, including BlackCat, Hello Kitty, Quantum Locker, Rhysida, Zeppelin (including a custom variant of it), and its own eponymous program.
In a series of posts on X, Microsoft Threat Intelligence Center (MSTIC) flagged the group's latest weapon: Inc ransomware.
"Vanilla Tempest is one of the most active ransomware operators MSTIC tracks," says Jeremy Dallman, senior director of threat intelligence for MSTIC. "While we've seen them targeting healthcare for quite a while, the notable shift here is their use of an Inc ransomware payload as they leverage the larger ransomware-as-a-service ecosystem."
Vice Society flirts with various industries, including IT and manufacturing, but it's best known for its campaigns against the education and healthcare sectors.
In that sense, it's in line with the broader threat landscape. According to Check Point Research, healthcare is the industry most frequently targeted by ransomware actors. Other kinds of cybercriminals like it too, evidently, with global healthcare organizations experiencing an average of 2,018 attacks per week, a 32% rise over last year.
"It only makes sense," warns Cindi Carter, Check Point's CISO for the Americas. Besides being hamstrung by outdated legacy technology and bureaucracy, "the type of data that healthcare organizations capture, create, and share is of high value to cybercriminals," she says. "Your medical record is the single most identifiable piece of digital information about you besides your own fingerprint," she adds.
In recent activity leveraging the healthcare sector's inherent weaknesses, Vice Society received initial access to victims that previously had been infected with the Gootloader backdoor-loader. It then deployed tools including the Supper backdoor, AnyDesk's remote monitoring and management (RMM) solution, and MEGA's data synchronization tool, the latter two of which are legitimate commercial products. The group used Remote Desktop Protocol (RDP) for lateral movement in affected networks, and abused the Windows Management Instrumentation (WMI) provider host to drop Inc ransomware.
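The chain described above (a Gootloader foothold, the Supper backdoor, AnyDesk and MEGA as legitimate tooling, RDP lateral movement, and the WMI provider host dropping the payload) maps onto a handful of telemetry checks a SOC can run without any vendor signature. The script below is an added example, not code from the article, Microsoft or any vendor: it runs three such checks over a constructed batch of Sysmon-style process-creation records and Windows Security logon records. The binary names AnyDesk.exe and MEGAsync.exe, the payload path, the hostnames, users, addresses and the fan-out threshold are assumptions for illustration; WmiPrvSE.exe is the real WMI Provider Host process, and logon type 10 is the real RemoteInteractive (RDP) logon type.

```python
import ntpath
from collections import defaultdict

# Constructed sample telemetry (not real logs): Sysmon-style process-creation
# records ("proc") and Windows Security 4624 logon records ("logon") from a
# handful of hosts. Paths, hostnames, users and addresses are made up.
EVENTS = [
    {"kind": "proc", "host": "WS01", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\alice\AppData\Local\Temp\AnyDesk.exe"},
    {"kind": "proc", "host": "WS01", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\alice\AppData\Local\MEGAsync\MEGAsync.exe"},
    {"kind": "logon", "host": "SRV01", "logon_type": 10,
     "src_ip": "10.0.5.23", "user": "CORP\\svc_backup"},
    {"kind": "logon", "host": "SRV02", "logon_type": 10,
     "src_ip": "10.0.5.23", "user": "CORP\\svc_backup"},
    {"kind": "logon", "host": "SRV03", "logon_type": 10,
     "src_ip": "10.0.5.23", "user": "CORP\\svc_backup"},
    {"kind": "logon", "host": "SRV01", "logon_type": 3,
     "src_ip": "10.0.9.1", "user": "CORP\\fileshare"},
    # WMI provider host spawning a binary outside C:\Windows on a server.
    {"kind": "proc", "host": "SRV02",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\PerfLogs\payload.exe"},
    # Same parent, but the child lives under C:\Windows: not flagged here.
    {"kind": "proc", "host": "SRV01",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\cmd.exe"},
]

# Assumed binary names for the two legitimate tools the article names.
TOOLING = {"anydesk.exe": "AnyDesk RMM", "megasync.exe": "MEGA sync client"}
# Distinct hosts one account must RDP into before we call it fan-out (assumed).
RDP_FANOUT_THRESHOLD = 3


def basename(path):
    """Lower-cased file name of a Windows path, regardless of host OS."""
    return ntpath.basename(path).lower()


def detect_tooling(events):
    """Flag execution of the RMM / sync tools the intrusion relied on."""
    findings = []
    for e in events:
        if e["kind"] != "proc":
            continue
        name = basename(e["image"])
        if name in TOOLING:
            findings.append((e["host"], f"{TOOLING[name]} launched: {e['image']}"))
    return findings


def detect_wmi_spawn(events):
    """Flag WmiPrvSE.exe launching an executable outside the Windows directory,
    the pattern of a payload delivered through the WMI provider host."""
    findings = []
    for e in events:
        if e["kind"] != "proc" or basename(e["parent"]) != "wmiprvse.exe":
            continue
        if not e["image"].lower().startswith("c:\\windows\\"):
            findings.append((e["host"],
                             f"WMI provider host spawned non-Windows binary: {e['image']}"))
    return findings


def detect_rdp_fanout(events, threshold=RDP_FANOUT_THRESHOLD):
    """Group RemoteInteractive (type 10) logons by source address and account;
    one source reaching many hosts is the shape of RDP lateral movement."""
    targets = defaultdict(set)
    for e in events:
        if e["kind"] == "logon" and e["logon_type"] == 10:
            targets[(e["src_ip"], e["user"])].add(e["host"])
    return [(src, user, sorted(hosts))
            for (src, user), hosts in targets.items() if len(hosts) >= threshold]


def triage(events):
    """Run all three checks and return the findings keyed by check name."""
    return {"tooling": detect_tooling(events),
            "wmi_spawn": detect_wmi_spawn(events),
            "rdp_fanout": detect_rdp_fanout(events)}


if __name__ == "__main__":
    for check, hits in triage(EVENTS).items():
        print(check, hits)
```

None of these checks is proof of compromise on its own: AnyDesk and MEGA are legitimate products, and WmiPrvSE.exe does spawn children in some environments. The value is in correlation, which is why `triage` returns all three result sets together; tune the path allowlist and the fan-out threshold to the environment before alerting on them.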
Active since the summer of 2023, the Inc ransomware-as-a-service (RaaS) operation has earned plenty of headlines for its compromises of particularly large organizations, Xerox and Scotland's National Health Service (NHS) among others. And its modus operandi fits the scope of its ambition, says Jason Baker, threat intelligence consultant for GuidePoint Security.
"The aspect of Inc affiliates in particular that makes them stand out is that they have a very structured way of working through the negotiations process. There's no winging it. There are no off-the-cuff remarks. Agitation and threats are kept relatively minimal," he recalls from dealing with them firsthand.
"It's like the difference between somebody robbing a bank and somebody sticking somebody up in an alley. You can tell when somebody's put thought into [an attack] and knows what they're doing," he says.
As Dark Reading reported last month, Inc's malware leaked information about the nature and success of its data encryption. Though this could potentially lend defenders a leg up in remediation and in potential negotiations with its affiliates, Baker warns that the reality is more complicated, especially when it comes to healthcare.
"If an organization knows that they can recover, and that they don't need a decryptor, that substantially decreases the feeling that they need to pay a ransom," he notes. "But where it's complicated is in modern double extortion, particularly if there's sensitive personally identifiable health information (PHI), or if there's sensitive intellectual property involved. There's a reason why the double extortion methodology has stuck around for as long as it has: It does, to some extent, overcome even an ability to recover."
