For the first time, a ransomware strain called INC has been used to attack the U.S. healthcare sector by a financially motivated threat actor, according to a recent disclosure from Microsoft.
INC Ransom is a ransomware-as-a-service (RaaS) operation whose affiliates have targeted public and private organizations since July 2023, including Yamaha Motor Philippines, the U.S. division of Xerox Business Solutions (XBS), and, more recently, Scotland's National Health Service (NHS).
INC is also tracked under the name Vice Society, which employs already existing lockers to execute its attacks, whereas some other threat actors create custom versions of their own.
Microsoft's threat intelligence team is tracking the activity under the name Vanilla Tempest. According to Microsoft, "Vanilla Tempest receives hand-offs from GootLoader infections by the threat actor Storm-0494, before deploying tools like the Supper backdoor, the legitimate AnyDesk remote monitoring and management (RMM) tool, and the MEGA data synchronization tool".
GootLoader is a JScript-based malware family that typically leverages SEO poisoning and compromised websites to lure victims into downloading a ZIP archive that poses as the document the user was searching for.
Once infected, victims are instructed to contact the threat actors through their portal. Each person is assigned a personal ID for their ransom notes.
Relevance:
New focus on healthcare; other industries have previously been impacted.
Recommendations:
To mitigate risks associated with the malicious JScript files used by GootLoader operators, it is recommended to disable automatic execution of JScript files. You can do this by changing the default file associations for .js and .jse files so that they open in a text editor rather than the Windows Script Host.
Block use of any unnecessary RMM tools, such as AnyDesk.exe, in your environment.
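The two recommendations above can be audited and applied from an elevated PowerShell session. The script below is an added example written for this brief, not code from Microsoft or from the referenced articles. It assumes a Windows 10/11 host with PowerShell 5.1 or later, that Windows maps .js to the JSFile class and .jse to the JSEFile class (the stock configuration), and that Notepad lives at $env:SystemRoot\System32\notepad.exe; the function names and the default RMM name list are the author's own choices.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post). Assumes stock Windows file-class
# names JSFile/JSEFile and a Notepad binary under $env:SystemRoot\System32.

# --- Recommendation 1: stop .js / .jse files from executing on double-click ---
# The Open command under each class runs wscript.exe by default. Re-pointing it
# at Notepad means a GootLoader-style "document.js" opens as text instead of
# running.
function Get-JScriptHandler {
    foreach ($class in 'JSFile', 'JSEFile') {
        $key = "Registry::HKEY_CLASSES_ROOT\$class\Shell\Open\Command"
        $cmd = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
        [pscustomobject]@{
            Class    = $class
            Command  = $cmd
            Executes = [bool]($cmd -match 'wscript|cscript')   # True = still runs scripts
        }
    }
}

function Set-JScriptHandlerToNotepad {
    $notepad = Join-Path $env:SystemRoot 'System32\notepad.exe'
    foreach ($class in 'JSFile', 'JSEFile') {
        $key = "Registry::HKEY_CLASSES_ROOT\$class\Shell\Open\Command"
        # Full path (not %SystemRoot%) because the default value is REG_SZ, not REG_EXPAND_SZ.
        Set-ItemProperty -Path $key -Name '(default)' -Value "`"$notepad`" `"%1`""
    }
    Get-JScriptHandler   # return the post-change state for verification
}

# --- Recommendation 2: inventory unapproved RMM tools such as AnyDesk ---
# Looks at running processes, installed services and the Add/Remove Programs
# uninstall keys. It reports; it does not remove anything. The output is the
# input to an allow-list decision or an AppLocker/WDAC block rule.
function Find-UnapprovedRmm {
    param([string[]]$Names = @('AnyDesk'))   # constructed default; extend to your own list
    $pattern = ($Names | ForEach-Object { [regex]::Escape($_) }) -join '|'
    $hits = @()

    Get-Process | Where-Object { $_.ProcessName -match $pattern } | ForEach-Object {
        $hits += [pscustomobject]@{ Source = 'Process'; Name = $_.ProcessName; Detail = $_.Path }
    }

    Get-CimInstance Win32_Service |
        Where-Object { $_.Name -match $pattern -or $_.PathName -match $pattern } |
        ForEach-Object {
            $hits += [pscustomobject]@{ Source = 'Service'; Name = $_.Name; Detail = $_.PathName }
        }

    $uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                     'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
                     'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match $pattern } |
        ForEach-Object {
            $hits += [pscustomobject]@{ Source = 'Installed'; Name = $_.DisplayName; Detail = $_.InstallLocation }
        }

    $hits
}

# Usage: audit first, then apply, then sweep for RMM and sync tools named in the brief.
Get-JScriptHandler | Format-Table
Set-JScriptHandlerToNotepad | Format-Table
Find-UnapprovedRmm -Names 'AnyDesk', 'MEGA' | Format-Table -AutoSize
```

Two caveats worth knowing before rolling this out: a per-user choice under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.js\UserChoice can override the machine-wide class mapping, so for a fleet the same change is better delivered through Group Policy file-association settings; and re-mapping the double-click handler does not stop wscript.exe or cscript.exe from running a script when invoked explicitly, which is why the association change is a complement to, not a substitute for, application control on the script hosts and on the RMM binaries the inventory function surfaces.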
References:
SentinelOne. (n.d.). Inc. Ransom. https://www.sentinelone.com/anthology/inc-ransom/
Lakshmanan, R. (2024, July 5). GootLoader Malware Still Active, Deploys New Versions for Enhanced Attacks. The Hacker News. https://thehackernews.com/2024/07/gootloader-malware-delivers-new.html
Lakshmanan, R. (2024, September 19). Microsoft Warns of New INC Ransomware Targeting U.S. Healthcare Sector. The Hacker News. https://thehackernews.com/2024/09/microsoft-warns-of-new-inc-ransomware.html
How can CyberForce|Q services help you address this risk?
Incident response is time-critical, and CyberForce|Q can assist with a potential incident in your environment. Our experienced Incident Response Team can be deployed 24x7x365; reach out to solutions@cyberforceq.com.
Learn more about CyberForce|Q.