Microsoft Alerts on New INC Ransomware Threat
Microsoft, a leading technology company, has issued a warning about a new ransomware strain known as INC, which is being used by a financially motivated threat actor to attack the U.S. healthcare sector. This development signals an alarming rise in cybersecurity threats targeting critical industries.
Who is Behind the Attacks?
The threat intelligence team at Microsoft has identified the cybercriminals behind these attacks as Vanilla Tempest, previously known as DEV-0832. This group has been linked to a series of attacks, and it obtains initial access through GootLoader infections. GootLoader is a malware loader operated by another actor, Storm-0494, to compromise systems.
Tools and Techniques Used
After gaining initial access, Vanilla Tempest employs a range of tools to penetrate deeper into the network. Notably, they use the Supper backdoor, a malicious tool enabling remote access, alongside legitimate software such as AnyDesk RMM (Remote Monitoring and Management) and the MEGA data synchronization tool. This combination helps them move laterally across the network using Remote Desktop Protocol (RDP) and deploy the INC ransomware payload via Windows Management Instrumentation (WMI) Provider Host.
Previous Activities and Known Aliases
Vanilla Tempest has been active since July 2022, targeting sectors like education, healthcare, IT, and manufacturing. They have used a variety of ransomware families, including BlackCat, Quantum Locker, Zeppelin, and Rhysida. Interestingly, this group is also known as Vice Society, recognized for using existing lockers rather than developing custom malware.
Increasing Use of Cloud Tools for Data Theft
There is an increasing trend among ransomware groups like BianLian and Rhysida to utilize tools such as Azure Storage Explorer and AzCopy. These are typically used for managing data in Azure cloud storage but are being repurposed for exfiltrating sensitive data from compromised networks. Because the traffic goes to legitimate cloud endpoints, this tactic helps them evade detection while transferring large amounts of data.
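The tool chain described in the two sections above (AnyDesk and MEGA for access and sync, the ransomware payload launched from WMI Provider Host, AzCopy for exfiltration) can be surfaced from process-creation telemetry. The following Python is an added example, not from Microsoft's report: it scans constructed Sysmon-style events (the paths, user name and storage URL are invented) and flags dual-use tools plus unexpected children of WmiPrvSE.exe; the baseline of "expected" WMI children is an assumption to tune per environment.

```python
# Constructed process-creation events using Sysmon Event ID 1 field names.
# All paths, users and URLs below are invented for illustration.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"Image": r"C:\Users\jdoe\AppData\Local\Temp\AnyDesk.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\ProgramData\update.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
    {"Image": r"C:\Users\jdoe\Downloads\azcopy.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Program Files\MEGAsync\MEGAsync.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

# Legitimate binaries the article reports as abused for remote access and exfiltration.
DUAL_USE_TOOLS = {
    "anydesk.exe": "remote access (AnyDesk RMM)",
    "megasync.exe": "cloud sync (MEGA)",
    "azcopy.exe": "Azure bulk copy (AzCopy)",
    "storageexplorer.exe": "Azure Storage Explorer",
}

# Assumed baseline of children WMI Provider Host normally spawns; tune per environment.
WMI_EXPECTED_CHILDREN = {"wmiprvse.exe", "werfault.exe", "conhost.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> list[str]:
    """Return the findings for one process-creation event (empty list if clean)."""
    findings = []
    image = basename(event["Image"])
    parent = basename(event["ParentImage"])
    if image in DUAL_USE_TOOLS:
        findings.append(f"dual-use tool executed: {image} [{DUAL_USE_TOOLS[image]}]")
    if parent == "wmiprvse.exe" and image not in WMI_EXPECTED_CHILDREN:
        findings.append(f"WMI Provider Host spawned unexpected child: {image}")
    return findings


def scan(events: list[dict]) -> dict[int, list[str]]:
    """Map event index to findings, omitting events with none."""
    return {i: f for i, ev in enumerate(events) if (f := classify(ev))}


if __name__ == "__main__":
    for idx, findings in scan(SAMPLE_EVENTS).items():
        print(idx, "; ".join(findings))
```

Any single hit is a lead, not a verdict; the signal is the combination of a remote-access tool, a payload launched under WmiPrvSE.exe and a bulk-copy tool appearing on the same host within a short window.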
Understanding Technical Terms
- Ransomware: A type of malicious software designed to block access to a computer system until a sum of money is paid.
- Lateral movement: A technique used by attackers to move through a compromised network to gain access to other systems or data.
- Exfiltration: The unauthorized transfer of data from a computer.
This surge in ransomware activity, especially targeting vital sectors like healthcare, highlights the urgent need for robust cybersecurity measures to protect sensitive data and prevent operational disruptions.