Ransomware incidents are increasing, with a recent attack targeting American healthcare institutions by a well-known cybercrime group.
Vice Society, also known as Vanilla Tempest by Microsoft, has been active since July 2022. This Russian-speaking group has utilized various ransomware strains in its double extortion tactics, including BlackCat, Hello Kitty, Quantum Locker, Rhysida, Zeppelin (including a custom version), and its own proprietary ransomware.
In a series of updates on X, the Microsoft Threat Intelligence Center (MSTIC) highlighted the group's latest weapon: Inc ransomware.
"Vanilla Tempest is one of the most active ransomware operators that MSTIC monitors," said Jeremy Dallman, MSTIC's senior director of threat intelligence. "While they have been targeting healthcare for some time, their recent adoption of the Inc ransomware payload marks a significant shift as they increasingly engage with the broader ransomware-as-a-service (RaaS) ecosystem."
Although Vice Society targets multiple industries, including IT and manufacturing, it is primarily known for its campaigns against education and healthcare. This aligns with broader cybersecurity trends. According to Check Point Research, healthcare remains the most frequently targeted sector by ransomware. In fact, healthcare organizations worldwide face an average of 2,018 attacks per week, representing a 32% increase compared to the previous year.
Cindi Carter, Check Point's CISO for the Americas, explains the appeal to cybercriminals. "Healthcare organizations are often plagued by outdated legacy technology and bureaucratic hurdles, making them easy targets. Additionally, the data these organizations collect is highly valuable," she states. "A medical record is one of the most identifiable pieces of digital information about a person, second only to a fingerprint."
In its recent healthcare exploits, Vice Society gained initial access through systems already compromised by the Gootloader backdoor. The group subsequently deployed tools such as the Supper backdoor, AnyDesk’s remote monitoring software, and MEGA’s data synchronization service—both legitimate products. They utilized Remote Desktop Protocol (RDP) for lateral movement and exploited Windows Management Instrumentation (WMI) to drop Inc ransomware within infected networks.
Inc ransomware has been operational since last summer, making headlines for attacking large organizations, including Xerox and Scotland's National Health Service (NHS). Jason Baker, a threat intelligence consultant with GuidePoint Security, notes that the organized nature of Inc ransomware affiliates sets them apart.
"The most distinct aspect of Inc affiliates is their systematic approach during the negotiation process," Baker says, drawing from his own experiences. "They don’t make off-the-cuff remarks or resort to empty threats. Everything is methodical."
Baker likens it to the difference between a well-planned bank robbery and a spontaneous street mugging. "You can tell when someone has put serious thought into their attack and knows exactly what they're doing," he adds.
According to a report from Dark Reading, Inc’s malware recently leaked details about its encryption methods, potentially giving defenders an advantage. However, Baker warns that the reality is far more nuanced, especially in the healthcare sector.
"If an organization realizes it can recover data without needing a decryptor, it reduces their incentive to pay the ransom," he explains. "But the situation becomes more complex in double extortion scenarios, especially when sensitive personally identifiable health information (PHI) or intellectual property is involved. That’s why double extortion remains effective—it adds pressure, even if recovery is possible."
