Forum Code Cripples Hospital Operations

Microsoft reports that the hacker group Vanilla Tempest has launched attacks using the Inc Ransom ransomware.

Inc Ransom, operated under the Ransomware-as-a-Service (RaaS) model, has been used by Vanilla Tempest affiliates, who have been carrying out attacks on both government and private organizations since July 2023. Notable victims include Yamaha Motor Philippines, the American division of Xerox Business Solutions, and NHS Scotland.

In May 2024, an attacker known as "Salfetka" offered the ransomware's source code for Windows and Linux/ESXi for $300,000 on the hacker forums Exploit and XSS.

Microsoft analysts have observed Vanilla Tempest using Inc Ransom to target the US healthcare sector. The hackers gained initial access through the Storm-0494 group, which deployed the Gootloader malware on victim systems. They then installed the Supper backdoor, used remote monitoring tools such as AnyDesk and the MEGA sync client, and deployed the ransomware via Remote Desktop Protocol (RDP) and the Windows Management Instrumentation Provider Host.

While Microsoft has not disclosed the specific organization affected, a similar version of the ransomware was used in cyber attacks on McLaren Health Care hospitals in Michigan in August. The attacks disrupted IT systems and telephone lines and cut off access to patient databases, prompting the hospital to reschedule planned procedures.

Vanilla Tempest, previously tracked as DEV-0832 and Vice Society, has been active since June 2021. The group targets sectors such as education, healthcare, IT, and manufacturing, deploying ransomware families including BlackCat, Quantum Locker, Zeppelin, and Rhysida. Researchers from Check Point have linked Vice Society with the Rhysida gang, which is known for targeting medical institutions.
