Vice Society Pivots to Inc Ransomware in Healthcare Attack

Inc ransomware — one of the most popular among cybercriminals today — meets healthcare, the industry sector most targeted by RaaS.


Inc ransomware is on the rise, with one well-known threat actor recently using it to target American healthcare organizations.

Vice Society, which Microsoft tracks as Vanilla Tempest, has been active since July 2022. In that time, the Russian-speaking group has used various ransomware families in its double extortion attacks, including BlackCat, Hello Kitty, Quantum Locker, Rhysida, and Zeppelin (including its own variant), as well as its own eponymous program.

In a series of posts on X, Microsoft Threat Intelligence Center (MSTIC) flagged the group's latest weapon: Inc ransomware.

"Vanilla Tempest is one of the most active ransomware operators MSTIC tracks," says Jeremy Dallman, senior director of threat intelligence for MSTIC. "While we've seen them targeting healthcare for quite a while, the notable shift here is their use of an Inc ransomware payload as they leverage the larger ransomware-as-a-service ecosystem."

Vice Society's Latest Foray into Healthcare

Vice Society flirts with various industries, including IT and manufacturing, but it's best known for its campaigns against the education and healthcare sectors.

In that sense, it's in line with the broader threat landscape. According to Check Point Research, healthcare is the industry most frequently targeted by ransomware actors. Other kinds of cybercriminals like it too, evidently, with global healthcare organizations experiencing an average of 2,018 attacks per week, a 32% rise over last year.

It only makes sense, warns Cindi Carter, Check Point's CISO for the Americas. Besides being hamstrung by outdated legacy technology and bureaucracy, "The type of data that healthcare organizations capture, create, and share is of high value to cybercriminals," she says. "Your medical record is the single most identifiable piece of digital information about you besides your own fingerprint."

In recent activity leveraging the healthcare sector's inherent weaknesses, Vice Society received initial access to victims that previously had been infected with the Gootloader backdoor-loader. Then it deployed tools including the Supper backdoor, AnyDesk's remote monitoring and management (RMM) solution, and MEGA's data synchronization tool, the latter two of which are legitimate commercial products. The group used Remote Desktop Protocol (RDP) to perform lateral movement in affected networks, and abused the Windows Management Instrumentation (WMI) provider host to drop Inc ransomware.
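For defenders, the chain described above (RDP logon, AnyDesk, MEGA's sync tool, a process spawned by the WMI provider host) is most useful as a correlation rather than as single alerts, since each step on its own is often legitimate. The sketch below is an added example, not code from the article or from Microsoft; the event format, host names, paths, the 24-hour window, the allowlist entry and the reliance on default binary names are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)                   # assumed correlation window
TOOLS = {"anydesk.exe": "rmm_tool", "megasync.exe": "sync_tool"}  # default binary names
WMI_CHILD_ALLOWLIST = {"inventory-agent.exe"}  # hypothetical benign WMI child
WMI, EXP = r"C:\Windows\System32\wbem\WmiPrvSE.exe", r"C:\Windows\explorer.exe"

def proc(ts, host, parent, image):
    return {"ts": ts, "host": host, "type": "proc", "parent": parent, "image": image}
def rdp(ts, host):  # logon type 10 = RemoteInteractive (RDP)
    return {"ts": ts, "host": host, "type": "logon", "logon_type": 10}

# Constructed sample telemetry: hosts, paths and times are invented.
EVENTS = [
    rdp("2024-01-10T01:02:00", "ehr-app01"),
    proc("2024-01-10T01:05:00", "ehr-app01", EXP, r"C:\Users\Public\AnyDesk.exe"),
    proc("2024-01-10T02:40:00", "ehr-app01", EXP, r"C:\Users\Public\MEGAsync.exe"),
    proc("2024-01-10T04:15:00", "ehr-app01", WMI, r"C:\ProgramData\upd.exe"),
    proc("2024-01-10T09:00:00", "hr-ws07", EXP, r"C:\Tools\AnyDesk.exe"),
    proc("2024-01-10T08:30:00", "lab-srv02", WMI, r"C:\Agents\inventory-agent.exe"),
    rdp("2024-01-10T03:00:00", "pacs-01"),
    proc("2024-01-12T03:00:00", "pacs-01", EXP, r"C:\Temp\AnyDesk.exe"),
    proc("2024-01-14T03:00:00", "pacs-01", WMI, r"C:\Temp\x.exe"),
]

def stage(e):  # map one event to a stage of the chain, or None
    if e["type"] == "logon":
        return "rdp_logon" if e.get("logon_type") == 10 else None
    child, parent = (e[k].rsplit("\\", 1)[-1].lower() for k in ("image", "parent"))
    if child in TOOLS:
        return TOOLS[child]
    return "wmi_spawn" if parent == "wmiprvse.exe" and child not in WMI_CHILD_ALLOWLIST else None

def correlate(events, min_stages=3):
    """Return {host: stages} where >= min_stages distinct stages fall inside WINDOW."""
    hits = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if (s := stage(e)):
            hits[e["host"]].append((datetime.fromisoformat(e["ts"]), s))
    alerts = {}
    for host, h in hits.items():
        for i, (start, _) in enumerate(h):
            seen = {s for t, s in h[i:] if t - start <= WINDOW}
            if len(seen) >= min_stages:
                alerts[host] = sorted(seen)
                break
    return alerts
```

On the constructed data only `ehr-app01` alerts: `hr-ws07` shows a single stage, the `lab-srv02` WMI child is allowlisted, and the `pacs-01` events are spread over four days.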

The Rise of Inc Ransomware

Active since last summer, the Inc ransomware-as-a-service (RaaS) operation has earned plenty of headlines for its compromises of particularly large organizations — Xerox and Scotland's National Health Service (NHS), among others. And its modus operandi fits the scope of its ambition, says Jason Baker, threat intelligence consultant for GuidePoint Security.

"The aspect of Inc affiliates in particular that makes them stand out is that they have a very structured way of working through the negotiations process. There's no winging it. There are no off-the-cuff remarks. Agitation and threats are kept relatively minimal," he recalls from dealing with them firsthand.

"It's like the difference between somebody robbing a bank and somebody sticking somebody up in an alley. You can tell when somebody's put thought into [an attack] and knows what they're doing," he says.

As Dark Reading reported last month, Inc's malware leaked information about the nature and success of its data encryption. Though this could potentially lend defenders a leg up in remediation and potential negotiations with its affiliates, Baker warns that the reality is more complicated, especially when it comes to healthcare.

"If an organization knows that they can recover, and that they don't need a decryptor, that substantially decreases the feeling that they need to pay a ransom," he notes. "But where it's complicated is in modern double extortion, particularly if there's sensitive personally identifiable health information (PHI), or if there's sensitive intellectual property involved. There's a reason why the double extortion methodology has stuck around for as long as it has: It does, to some extent, overcome even an ability to recover."

About the Author

Nate Nelson, Contributing Writer

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.
