Vanilla Tempest’s Rhysida ransomware attacks foiled

Microsoft earlier this month dismantled a malvertising campaign by threat operation Vanilla Tempest, also known as Vice Society and VICE SPIDER, that targeted Microsoft Teams users with the Rhysida ransomware, reports BleepingComputer.

Microsoft disclosed that it had quashed more than 200 certificates used to sign illicit Teams installers uploaded to multiple spoofed domains. Vanilla Tempest used malicious search engine ads and SEO poisoning to lure targets into downloading the fake Teams installers, which facilitated the installation of Oyster malware, also known as Broomstick and CleanUpLoader, followed by data theft and payload delivery.

"The threat actor has used various ransomware payloads, including BlackCat, Quantum Locker, and Zeppelin, but more recently has been primarily deploying Rhysida ransomware," said Microsoft.

Vanilla Tempest has already compromised numerous industries since its emergence more than four years ago, and the FBI and the Cybersecurity and Infrastructure Security Agency have noted the group's intense targeting of the U.S. education sector following an attack against the Los Angeles School District in 2022.
