Ransomware group Vanilla Tempest, formerly known as DEV-0832, is reportedly targeting healthcare providers in the United States by deploying the the INC ransomware service.
Security leaders weigh in
John Bambenek, President at Bambenek Consulting:
“This research focuses on a group that uses various ransomware strains as opposed to focusing on one toolset. The use of INC specifically dates to 2023, and several other security companies have reported on both the tool and its use against health care organizations. This report is a deeper dive on the threat actors, as opposed to tooling, and gives us better insight into what this group is thinking.”
Patrick Tiquet, Vice President, Security & Architecture at Keeper Security:
“The rise of Vanilla Tempest, particularly with its latest INC ransomware attacks, marks a continuation of the healthcare sector’s growing vulnerability to ransomware-as-a-service (RaaS) operations. While the tactics used — like lateral movement through RDP and the deployment of legitimate tools — are not groundbreaking, what stands out is the persistent focus on healthcare. Threat actors like ALPHV/BlackCat have long exploited the sector’s aging infrastructure and critical dependence on sensitive data, and Vanilla Tempest is following suit with similar, albeit diverse, ransomware strains.
“In the larger threat environment, Vanilla Tempest’s focus on healthcare fits into a broader pattern of attackers leveraging increasingly sophisticated ransomware strains to exploit the sector’s vulnerabilities. Threat actors like ALPHV/BlackCat have shown that the industry’s aging infrastructure and heavy reliance on sensitive data make it an attractive target. For security teams, this signals that while the techniques may not be new, the diversity and persistence of attackers are growing. Prioritizing stronger network segmentation, real-time monitoring and full compliance with regulations like HIPAA is crucial to staying ahead of these evolving threats.
“Given the resource limitations that healthcare facilities often face, investing in scalable, cost-effective solutions like zero trust Privileged Access Management (PAM) can make a big difference. These tools allow organizations to enforce strict access controls, minimizing risk by preventing unauthorized lateral movement during an attack. By offering granular control over user permissions and detecting suspicious activity early, PAM solutions help healthcare organizations mitigate the impact of ransomware while maintaining smooth operations.”
Mr. Balazs Greksza, Threat Response Lead at Ontinue:
“Microsoft reported that Vanilla Tempest gains access to healthcare sector victims through Storm-0494 via Gootloader — typically through drive-by-compromise and search ads. Gootloader’s techniques are well documented, typically involving malicious Javascript, and maintaining persistence through scheduled tasks. In the most recent campaigns, defenders can expect the use of RDP or AnyDesk, and MEGA uploads and try detection and mitigating measures.
“The encrypted files with .inc extension have been padded with a footer that reveals information about the encryption modes used (full or partial). Depending on the mode, it may be possible to recover some files without the need of a decryptor.
“On the recent RaaS offer, the INC encryptor was advertised using the aes-ctr-128 /curve25519-donna cryptographic algorithms for encryption, both of which are somewhat dated.”
