From emerging threat to top-tier ransomware-as-a-service: The evolution of INC ransomware

INC ransomware evolved into one of the most active RaaS operations by 2026, surpassing 800 victims since 2023 and expanding after LockBit’s disruption and BlackCat’s shutdown. The group uses Rust-compiled Windows and Linux/ESXi encryptors, updated Veeam credential-dumping tooling, and an affiliate ecosystem that helped spawn related families such as Lynx and Sinobi.

Key points

  • INC has grown from a mid-2023 RaaS operation into one of the most active ransomware groups in 2026, with more than 800 victims since 2023.
  • The group benefited from the disruption of LockBit and BlackCat, as affiliates reportedly migrated to INC.
  • Both Windows and Linux/ESXi payloads were rewritten in Rust, increasing portability and making analysis harder.
  • INC updated its tooling with a modified Veeam credential dumper that supports newer salted DPAPI credential encryption.
  • The 2024 sale of INC source code helped inspire related ransomware families, including Lynx and Sinobi, which share code overlap.
  • Victims are heavily concentrated in the United States, with legal services, manufacturing, construction, technology, and health care among the top targets.
  • INC uses double extortion, exfiltration to cloud storage via rclone, remote access tools, and printer-based ransom note delivery to pressure victims.

MITRE Techniques

  • [T1566] Phishing – Initial access via spear phishing used by affiliates to enter victim environments (‘spear phishing’).
  • [T1078] Valid Accounts – Actors used stolen or compromised credentials from Initial Access Brokers and reused valid logins (‘valid account credentials from Initial Access Brokers (IAB)’).
  • [T1190] Exploit Public-Facing Application – Initial access through exploitation of exposed systems such as Citrix, Fortinet EMS, and SimpleHelp (‘exploitation of vulnerabilities in public-facing applications’).
  • [T1016] System Network Configuration Discovery – Discovery of networked systems and volumes by iterating drives and checking connectivity (‘GetDriveTypeW’, ‘ping and net commands’).
  • [T1047] Windows Management Instrumentation / Command and Scripting Interpreter – Command execution and discovery were performed through cmd.exe and PowerShell (‘deploy a base64 encoded script through cmd.exe’).
  • [T1003] OS Credential Dumping – A modified Veeam credential dumper was used to extract stored credentials (‘The decoded script is found to be a Veeam credential dumper’).
  • [T1021.001] Remote Services: Remote Desktop Protocol – Lateral movement used RDP to access other systems (‘including remote desktop protocol (RDP)’).
  • [T1021.002] Remote Services: SMB/Windows Admin Shares – Lateral movement included PsExec-based remote execution (‘PsExec’).
  • [T1489] Service Stop – Used tools such as PsKill and custom terminators to kill EDRs and processes (‘used different tools to kill EDRs’).
  • [T1562.001] Impair Defenses: Disable or Modify Tools – Dropped vulnerable drivers and terminated security tooling to weaken defenses (‘drops vulnerable drivers … and installs them as a service’).
  • [T1027] Obfuscated Files or Information – Payloads were packed with VMProtect, and notes/scripts were embedded as Base64 (‘heavily packed and protected by VMProtect’, ‘Base64-encoded string’).
  • [T1219] Remote Access Software – Commercial tools were used for C2 and remote control (‘Cobalt Strike, AnyDesk, ScreenConnect, and TeamViewer’).
  • [T1041] Exfiltration Over C2 Channel – Staged data was compressed and uploaded to attacker-controlled cloud storage using rclone (‘upload the archives to attacker-controlled cloud storage using rclone’).
  • [T1486] Data Encrypted for Impact – Files were encrypted across the environment with configurable partial encryption (‘run the encryptor across the environment’).
  • [T1490] Inhibit System Recovery – Shadow copies were deleted to hinder recovery (‘Successfully deleted shadow copies’).
  • [T1046] Network Service Scanning – The malware scanned for active printers and other network assets (‘scans the compromised network for active printers’).
  • [T1565.001] Stored Data Manipulation: Data Encrypted – The malware appended .INC to files and used file footers to mark encrypted data (‘appends ‘.INC’ extension to all encrypted files’).
  • [T1070.004] File Deletion – The payload removed or overwrote artifacts such as shadow copies and notes during execution (‘while deleting shadow copies’).
  • [T1091] Replication Through Removable Media – Not directly confirmed by the report; removable media were only enumerated during discovery, so this mapping is tentative.

Indicators of Compromise

  • [File hashes] Windows sample and Linux sample hashes – 31800380c359143ae82c4f9011eee653dd22443d03d6a499148203bbfc275502, 589d9480fbfec2d8e61638eb0b537183d0f9977411fd1d2c0f8eb611feebe8807
  • [Domains] Public leak and payment infrastructure – incblog[.]su, incblog6qu4y4mm4zvw5nrmue6qbwtgjsxpw6b7ixzssu36tsajldoad[.]onion
  • [Domains] Payment site – incpaykabjqc2mtdxq6c23nqh4x6m5dkps5fr6vgdkgzp5njssx6qkid[.]onion
  • [File names] Ransom note and family marker – INC-README.txt, .INC
  • [Executable names / paths] Discovery and defense-impairment tools used in incidents – ipscan.exe, pskill.exe, netscan.exe
  • [IP addresses] Internal discovery targets mentioned in incident context – 10.2.2.202
  • [Driver names] Vulnerable drivers dropped by the custom terminator – filwfp.sys, filnk.sys, fildds.sys
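The bullets above are in a regular "[type] description – value, value" shape, so they can be turned directly into a hunt. The following is an added example, not code from the Acronis report: it parses the indicator bullets (copied from this page, with defanged domains refanged), compiles each value into a whole-token pattern so that a bare "inc" inside an unrelated path does not fire, and runs the set over a handful of constructed DNS, Sysmon and EDR log lines. Only the first SHA-256 is carried over, because the second hash as printed on the page is 65 hex characters and therefore cannot be a valid SHA-256 as-is; the log lines, hostnames and timestamps are constructed for the example.

```python
"""Added example: parse the INC IoC bullets and match them against sample log lines."""
import re
from dataclasses import dataclass

# Indicator bullets copied from the page (second, malformed hash omitted).
IOC_TEXT = """
[File hashes ] Windows sample hash – 31800380c359143ae82c4f9011eee653dd22443d03d6a499148203bbfc275502
[Domains ] Public leak and payment infrastructure – incblog[.]su, incblog6qu4y4mm4zvw5nrmue6qbwtgjsxpw6b7ixzssu36tsajldoad[.]onion
[Domains ] Payment site – incpaykabjqc2mtdxq6c23nqh4x6m5dkps5fr6vgdkgzp5njssx6qkid[.]onion
[File names ] Ransom note and family marker – INC-README.txt, .INC
[Executable names / paths ] Discovery and defense-impairment tools – ipscan.exe, pskill.exe, netscan.exe
[IP addresses ] Internal discovery targets – 10.2.2.202
[Driver names ] Vulnerable drivers dropped by the custom terminator – filwfp.sys, filnk.sys, fildds.sys
"""

# Constructed log lines (not from any real incident): DNS, Sysmon-style and EDR-style.
SAMPLE_LOG = [
    r"2026-03-02T10:14:05Z dns client=10.0.5.17 query=incblog.su type=A",
    r'2026-03-02T10:16:41Z sysmon EventID=1 Image=C:\Windows\Temp\pskill.exe CommandLine="pskill.exe -t MsMpEng"',
    r"2026-03-02T10:20:12Z sysmon EventID=11 TargetFilename=C:\Users\finance\Documents\Q1.xlsx.INC",
    r"2026-03-02T10:20:13Z sysmon EventID=11 TargetFilename=C:\Users\finance\Documents\INC-README.txt",
    r"2026-03-02T10:21:00Z sysmon EventID=1 Image=C:\Program Files\Include\setup.exe",
    r"2026-03-02T10:22:30Z sysmon EventID=6 ImageLoaded=C:\Windows\System32\drivers\filwfp.sys",
    r"2026-03-02T10:25:00Z edr sha256=31800380C359143AE82C4F9011EEE653DD22443D03D6A499148203BBFC275502 path=C:\Temp\w.exe",
]

# One bullet: "[kind ] description – value, value"; accepts en dash or hyphen as separator.
LINE_RE = re.compile(r"^\[(?P<kind>[^\]]+?)\s*\]\s*(?P<desc>.*?)\s+[–-]\s+(?P<values>.+)$")


@dataclass(frozen=True)
class Indicator:
    kind: str
    value: str            # refanged value, e.g. incblog.su
    pattern: re.Pattern   # compiled whole-token matcher


def refang(value: str) -> str:
    """Turn the defanged 'incblog[.]su' form back into a matchable domain."""
    return value.replace("[.]", ".")


def compile_indicator(kind: str, raw: str) -> Indicator:
    value = refang(raw.strip())
    if value.startswith("."):
        # Extension marker: must immediately follow a base name and end the token.
        pat = re.escape(value) + r"(?![\w-])"
    else:
        # Whole-token match: 'inc' inside 'Include' or 'incident' must not fire.
        pat = r"(?<![\w.-])" + re.escape(value) + r"(?![\w-])"
    # Windows paths, hostnames and hex hashes are all case-insensitive in practice.
    return Indicator(kind, value, re.compile(pat, re.IGNORECASE))


def parse_iocs(text: str) -> list[Indicator]:
    """Parse every '[kind] … – values' bullet into compiled indicators."""
    indicators = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        for raw in m.group("values").split(","):
            if raw.strip():
                indicators.append(compile_indicator(m.group("kind").strip(), raw))
    return indicators


def scan(lines: list[str], indicators: list[Indicator]) -> list[tuple[int, str, str]]:
    """Return (line_number, kind, value) for every indicator that matches a line."""
    hits = []
    for n, line in enumerate(lines, 1):
        for ind in indicators:
            if ind.pattern.search(line):
                hits.append((n, ind.kind, ind.value))
    return hits


if __name__ == "__main__":
    for n, kind, value in scan(SAMPLE_LOG, parse_iocs(IOC_TEXT)):
        print(f"line {n}: {kind} -> {value}")
```

Line 5 of the sample log (`...\Include\setup.exe`) is there deliberately: a naive substring search for "inc" or ".INC" would flag it, while the token-bounded patterns leave it alone and still catch the `.INC` extension on line 3 and the ransom note on line 4. Swap `SAMPLE_LOG` for a real Sysmon or DNS export to use it as a quick triage pass.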
Read more: https://www.acronis.com/en/tru/posts/from-emerging-threat-to-top-tier-ransomware-as-a-service-the-evolution-of-inc-ransomware/