Vice Society Using INC Ransomware in Attacks on Healthcare Orgs


The threat actor Vice Society, tracked by Microsoft as Vanilla Tempest, is targeting the healthcare sector and is using INC ransomware in its attacks. INC ransomware is a ransomware-as-a-service (RaaS) operation that provides the encryptor and infrastructure to affiliates, who are paid a cut of any ransom payments they generate. The INC ransomware group has conducted attacks on many sectors, including healthcare, one of the most recent of which was McLaren Health Care in Michigan. The group has been operating since July 2023.

Vice Society is a Russian-speaking hacking group that emerged in the summer of 2021. The group conducts ransomware attacks and uses double extortion tactics, exfiltrating sensitive data and demanding a ransom to prevent the leaking of stolen data and to obtain the decryptor to recover files. The group is known to attack the healthcare, education, and manufacturing sectors.

Microsoft Threat Intelligence explained in a series of posts on X (Twitter) that Vice Society has been observed using INC ransomware in its attacks for the first time. Access to victims’ networks is gained from Gootloader malware infections. A threat actor tracked as Storm-0494 is responsible for infecting systems with the Gootloader malware loader, then hands off victims to Vice Society.

Gootloader has previously been used to deliver a range of malware payloads for various threat actors, with previous payloads including REvil and BlueCrab ransomware, Kronos, IcedID, and Cobalt Strike. While Microsoft did not disclose how Gootloader is being delivered, delivery in the past is known to have included compromised websites that distribute malicious ZIP archives containing obfuscated JavaScript files, using techniques such as SEO poisoning to drive traffic to those sites.

Once Vice Society has access to a victim’s network, tools such as the Supper backdoor, AnyDesk remote access software, and the MEGA data synchronization tool are deployed. The group moves laterally within networks and uses Windows Management Instrumentation Provider Host to deploy the INC ransomware payload. Vice Society has used a variety of ransomware variants in past attacks, including Blackcat, Rhysida, and Quantum Locker, but has not previously been seen using INC ransomware. What is of particular concern is the apparent targeting of healthcare organizations.

Healthcare organizations should take steps to improve their defenses against malware and ransomware. Microsoft said Microsoft Defender for Endpoint was able to detect several stages of the identified activity.
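
As an added example (not from Microsoft or from this article's author), the sketch below correlates process-creation events for the tooling named above: a child process spawned by WMI Provider Host on a host that also ran AnyDesk or the MEGA sync client within the same window. The event fields, the allowlist format, and the binary names WmiPrvSE.exe, AnyDesk.exe and MEGAsync.exe are assumed defaults, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed default binary names; a renamed copy will not match, so a hit is a lead to triage.
WMI_HOST = "wmiprvse.exe"
TOOLS = {"anydesk.exe": "remote_access", "megasync.exe": "data_sync"}

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(ev):
    """Signal name for one process-creation event, or None."""
    if basename(ev["parent"]) == WMI_HOST:
        return "wmi_spawn"  # process launched through WMI Provider Host
    return TOOLS.get(basename(ev["image"]))

def hunt(events, window=timedelta(hours=24), allowlist=frozenset()):
    """Map host -> sorted signals where a WMI-spawned process and at least one
    tool signal fall within `window`. WMI spawns alone are common in managed
    fleets, so they are only reported in combination."""
    per_host = defaultdict(list)
    for ev in events:
        sig = classify(ev)
        # allowlist holds (host, binary) pairs for sanctioned installs
        if sig and (ev["host"], basename(ev["image"])) not in allowlist:
            per_host[ev["host"]].append((datetime.fromisoformat(ev["time"]), sig))
    findings = {}
    for host, hits in per_host.items():
        wmi_times = [t for t, s in hits if s == "wmi_spawn"]
        near = {s for t, s in hits if s != "wmi_spawn"
                and any(abs(t - w) <= window for w in wmi_times)}
        if near:
            findings[host] = sorted(near | {"wmi_spawn"})
    return findings

def _ev(host, time, image, parent=r"C:\Windows\explorer.exe"):
    return {"host": host, "time": time, "image": image, "parent": parent}

WMI = r"C:\Windows\System32\wbem\WmiPrvSE.exe"
# Constructed sample events, not taken from any real incident.
SAMPLE = [
    _ev("ws-01", "2024-01-10T09:00:00", r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe"),
    _ev("ws-01", "2024-01-10T10:30:00", r"C:\Users\a\AppData\Local\MEGAsync\MEGAsync.exe"),
    _ev("ws-01", "2024-01-10T11:00:00", r"C:\Users\Public\sample.exe", WMI),
    _ev("it-02", "2024-01-10T08:00:00", r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe"),
    _ev("it-02", "2024-01-10T08:05:00", r"C:\Windows\System32\cscript.exe", WMI),
    _ev("ws-03", "2024-01-01T09:00:00", r"C:\Users\b\AppData\Local\MEGAsync\MEGAsync.exe"),
    _ev("ws-03", "2024-01-06T09:00:00", r"C:\Windows\System32\cscript.exe", WMI),
]
```

Passing `allowlist={("it-02", "anydesk.exe")}` suppresses the sanctioned helpdesk install, leaving only ws-01; ws-03 is never reported because its two signals are five days apart.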


About Liam Johnson

Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/