INC Ransom is a new, highly sophisticated ransomware group targeting corporate networks with double extortion. Their operation blends spear-phishing and exploitation of CVE-2023-3519 in Citrix NetScaler with legitimate tools for recon, lateral movement, data staging, and rapid encryption. #INCRansom #CVE20233519
Keypoints
- INC Ransom is a relatively new but highly capable ransomware group focusing on high-value corporate targets with potential for significant ransom payouts.
- Initial access commonly relies on spear-phishing and exploiting CVE-2023-3519 in Citrix NetScaler.
- The attackers rely on a mix of commercial off-the-shelf software (COTS) and LOLBINs for recon and internal movement (e.g., NETSCAN.EXE, MEGAsyncSetup64.EXE, ESENTUTL.EXE, AnyDesk).
- Data collection and staging are performed with tools like 7-Zip and MEGASync, with light use of native apps (WordPad/Notepad/MSPaint) to inspect content.
- Lateral movement and credential access involve Advanced IP Scanner and lsassy.py, indicating credential dumping and network exploration.
- Encryption is deployed via wmic.exe and PsExec (renamed to winupd), with evidence of debugging and adaptation when deployment is blocked on some servers.
- Incidents are showcased on a TOR site with leaks and victim announcements, including detailed leak pages for victims and a related incapt blog.
- Target sectors include Professional Services, Manufacturing, and Construction, with most victims in the United States and Europe.
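The deployment detail above (ransomware pushed with wmic.exe and a PsExec binary renamed winupd) can be turned into a process-creation detection. The following is an added Python example, not code from the original report or from the researchers it summarises: it classifies constructed Sysmon-style Event ID 1 records by comparing the on-disk file name with the PE version-info OriginalFileName (PsExec and PsExec64 carry psexec.c, the service they drop carries psexesvc.exe) and by matching wmic invocations that run "process call create" against a remote node. The hostnames, paths and IP address in the sample records are constructed.

```python
import re

# Constructed Sysmon-style process-creation records (Event ID 1 field names);
# hosts, paths and the IP address are made up for illustration.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\Temp\winupd.exe", "OriginalFileName": "psexec.c",
     "CommandLine": r"winupd.exe \\FS01 -accepteula -s -d C:\Windows\Temp\upd.exe"},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe", "OriginalFileName": "wmic.exe",
     "CommandLine": r'wmic /node:10.0.0.25 process call create "cmd /c C:\Windows\Temp\upd.exe"'},
    {"Image": r"C:\Windows\PSEXESVC.exe", "OriginalFileName": "psexesvc.exe",
     "CommandLine": r"C:\Windows\PSEXESVC.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe", "OriginalFileName": "NOTEPAD.EXE",
     "CommandLine": "notepad.exe report.txt"},
    {"Image": r"C:\Tools\PsExec.exe", "OriginalFileName": "psexec.c",
     "CommandLine": r"PsExec.exe \\SRV02 ipconfig"},
]

# File names PsExec normally runs under; any other name with OriginalFileName
# "psexec.c" means the binary was renamed (the report's "winupd" case).
PSEXEC_NAMES = {"psexec.exe", "psexec64.exe"}
# wmic aimed at another host and asked to start a process there
WMIC_REMOTE_EXEC = re.compile(r"/node:\S+.*\bprocess\s+call\s+create\b", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> list[str]:
    """Return finding tags for one process-creation event (empty list if nothing matched)."""
    tags = []
    image = basename(event["Image"])
    original = event.get("OriginalFileName", "").lower()
    if original == "psexec.c":
        tags.append("psexec")                    # PsExec client ran, whatever it was called
        if image not in PSEXEC_NAMES:
            tags.append("renamed_psexec")        # on-disk name hides the tool
    elif original == "psexesvc.exe":
        tags.append("psexec_service")            # target side: PsExec's dropped service
    if image == "wmic.exe" and WMIC_REMOTE_EXEC.search(event.get("CommandLine", "")):
        tags.append("wmic_remote_exec")
    return tags


def hunt(events: list[dict]) -> list[tuple[str, list[str]]]:
    """Run classify over a batch and keep only the events that produced findings."""
    return [(basename(e["Image"]), tags) for e in events if (tags := classify(e))]


if __name__ == "__main__":
    for name, tags in hunt(SAMPLE_EVENTS):
        print(f"{name:14} {', '.join(tags)}")
```

Pointing `hunt` at real Sysmon or EDR process-creation telemetry (same three fields) is enough to surface the renamed-PsExec and wmic push pattern described in this report.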
MITRE Techniques
- [T1566] Spear-Phishing – Gains initial access through targeted emails.
- [T1190] Exploitation of Public-Facing Application – Exploits known vulnerabilities in public-facing applications.
- [T1059] Command and Scripting Interpreter – Uses command-line tools to execute scripts for ransomware deployment.
- [T1078] Valid Accounts – Maintains access using Remote Desktop Protocol with stolen credentials.
- [T1068] Exploitation for Privilege Escalation – Escalates privileges through compromised Remote Desktop Protocol connections.
- [T1027] Obfuscated Files or Information – Hides its activities by disguising tools and commands.
- [T1003] Credential Dumping – Extracts credentials from the systems they compromise.
- [T1016] System Network Configuration Discovery – Scans the network to discover configurations and connected systems.
- [T1021.001] Remote Services: Remote Desktop Protocol – Moves within the network, often using remote desktop software.
- [T1074] Data Staged – Collects and stages data for exfiltration using archival and file transfer tools.
- [T1105] Ingress Tool Transfer – Uses legitimate tools for command and control activities.
- [T1486] Data Encrypted for Impact – Encrypts files for ransom, and may exfiltrate data for double extortion.
- [T1485] Data Destruction – Destroys or encrypts data, rendering it inaccessible.
Indicators of Compromise
- [File] NETSCAN.EXE – Used for network scanning during initial reconnaissance.
- [File] MEGAsyncSetup64.EXE – Used for file sharing and synchronization during recon and staging.
- [File] ESENTUTL.EXE – Used for database management and internal discovery.
- [File] AnyDesk.exe – Used for remote desktop control during infiltration.
- [File] lsassy.py – Used for credential dumping from compromised systems.
- [Vulnerability] CVE-2023-3519 – Exploited vulnerability in Citrix NetScaler used to gain access.
- [File] wmic.exe – Used to deploy ransomware across endpoints.
- [File] PsExec – Renamed to winupd to deploy ransomware.