Microsoft has taken decisive action to disrupt a ransomware campaign linked to the notorious hacking group Vanilla Tempest, also known as Vice Spider or Vice Society. The company revealed that it revoked more than 200 digital certificates that the attackers had been using to sign malicious files used in the distribution of Rhysida ransomware.
According to Microsoft, the attackers disguised their malware as legitimate Microsoft Teams setup files to deceive victims. The fake installers were hosted on look-alike domains such as “teams-download.buzz” and “teams-install.run,” and victims were likely steered there through SEO poisoning. When a victim ran one of these installers, it dropped a backdoor known as Oyster, which gave the attackers remote access to the compromised system and paved the way for Rhysida ransomware deployment.
Vanilla Tempest has been active since 2021, primarily targeting the education and healthcare sectors. Previously associated with other ransomware strains like BlackCat, Quantum Locker, and Zeppelin, the group has shifted its focus to Rhysida in recent months. Vice Society’s original leak site went dark in 2023, coinciding with the rise of Rhysida operations, a connection that cybersecurity experts have long suspected.
Microsoft’s security team found that the attackers had obtained code-signing certificates from legitimate issuers, including Microsoft’s own Trusted Signing service as well as SSL.com, DigiCert, and GlobalSign, so that their malicious software carried a valid signature and appeared authentic. With those certificates now revoked, files signed under them no longer pass signature validation on systems that check revocation status, which makes the group’s existing binaries easier for defenders to detect and block. The caveat is that revocation only helps where the certificate chain is actually checked against the issuer’s CRL or OCSP responder; a tool that merely confirms a signature is present learns nothing from the revocation.
The tech giant noted that the immediate disruption is likely to slow down the attackers’ operations, but warned that Vanilla Tempest could retool with new certificates and slightly modified attack chains. “Our intervention significantly reduces the effectiveness of this campaign,” Microsoft said, adding that it will continue monitoring the group’s evolving tactics.
Cybersecurity analysts note that this campaign fits a growing pattern of threat actors abusing legitimate certificate authorities and signing services to evade detection. A valid signature makes a malicious file look like trusted vendor software, letting it slip past controls that key on signature status and persuading users to install it.
While Microsoft’s revocation move is a strong blow to the campaign, experts caution that such measures offer only temporary relief unless organizations verify not just that downloaded software is signed but who signed it, check revocation status as part of that validation, and keep endpoint protection current. Ransomware groups like Vanilla Tempest are adaptive and will likely keep evolving their methods to maintain persistence and profitability.
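The two checks described above, signer identity and revocation status, can be scripted on the endpoint. The following PowerShell script is an added example for this page, not code from Microsoft’s report or from the Teams installer. It takes a downloaded file, confirms the Authenticode signature is valid, compares the signer’s name against an allow-listed vendor (the expected name “Microsoft Corporation” is an assumption stated as a policy here, not a detail from the article), and then rebuilds the certificate chain with online CRL/OCSP checking so that a certificate revoked after Microsoft’s takedown is rejected even if the basic signature check passes.

```powershell
# Added example (not from Microsoft's report): validate a downloaded installer
# before running it. Assumptions: the file path is supplied by the caller, and
# the allow-listed signer name below is a local policy choice.
param(
    [Parameter(Mandatory = $true)]
    [string]$Path,
    [string]$ExpectedSigner = 'Microsoft Corporation'
)

$ErrorActionPreference = 'Stop'

# Step 1: basic Authenticode check. Anything other than 'Valid' (NotSigned,
# HashMismatch, NotTrusted, ...) is an immediate reject.
$sig = Get-AuthenticodeSignature -FilePath $Path
if ($sig.Status -ne 'Valid') {
    Write-Warning "Signature status '$($sig.Status)' for $Path; refusing to run it."
    exit 1
}
$cert = $sig.SignerCertificate

# Step 2: signer allow-list. A validly signed file is not the same as a file
# signed by the vendor you expect: certificates obtained through Trusted Signing
# or a commercial CA carry the applicant's registered identity, not Microsoft's.
$signerName = $cert.GetNameInfo(
    [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
if ($signerName -ne $ExpectedSigner) {
    Write-Warning "Signer is '$signerName' (subject: $($cert.Subject)); expected '$ExpectedSigner'."
    exit 1
}

# Step 3: revocation. Do not rely on the cmdlet above for CRL/OCSP; build the
# chain again with online revocation checking for every certificate in it.
# A certificate revoked by its issuer fails here with a 'Revoked' status.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)

if (-not $chain.Build($cert)) {
    $reasons = ($chain.ChainStatus | ForEach-Object {
        "$($_.Status): $($_.StatusInformation.Trim())"
    }) -join '; '
    Write-Warning "Certificate chain check failed for $Path : $reasons"
    exit 1
}

Write-Output "OK: $Path is signed by '$signerName' and no certificate in its chain is revoked."
```

Run it as `.\Verify-Installer.ps1 -Path "$env:USERPROFILE\Downloads\MSTeamsSetup.exe"` (file name assumed). Note that a chain failure can also be `RevocationStatusUnknown` or `OfflineRevocation` when the endpoint cannot reach the CRL or OCSP endpoint; the script treats that as a failure rather than silently accepting the file, which is the conservative choice for an installer fetched from the open internet.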