SonicWall Capture Labs analyzed a Linux ELF ransomware sample from the INC Ransomware family, which has been active for about a year. The malware encrypts files (appending “INC” to their names), terminates and deletes VMware ESXi virtual machines via ESXi-focused shell scripts, defaces the MOTD, and drops ransom notes that point to a victims’ blog page. #INCRansomware #VMwareESXi
Key Points
- INC Ransomware is a Linux ELF-based threat that has been active for about a year.
- It accepts command-line parameters that control its behaviour and operations.
- Files encrypted by the ransomware have “INC” appended to their names.
- It creates shell scripts named “kill” and “delete” which, when run on an ESXi host, terminate and delete VMware ESXi virtual machines.
- Ransom notes are dropped in encrypted directories and the MOTD is altered to display the ransom message.
- A ransom blog page purportedly listing victims is surfaced as part of the attack infrastructure.
- SonicWall detects and protects against this threat with a LinuxINC.RSM signature and other endpoint/ATP detections.
MITRE Techniques
- [T1059.004] Command and Scripting Interpreter: Unix Shell – Drops shell scripts named “kill” and “delete”; on an ESXi host these call esxcli (to terminate running virtual machines) and vim-cmd (to delete them). ‘The INC Ransomware uses Unix shell scripting for its malicious activities. It creates shell scripts named “kill” and “delete” to terminate and delete virtual machines if running in an ESXi environment, utilizing esxcli and vim-cmd commands, respectively.’
- [T1486] Data Encrypted for Impact – Encrypts files on the infected Linux machine, appending “INC” to each file name. ‘The ransomware encrypts files on the infected Linux machine, appending “INC” to the file names.’
- [T1070.004] Indicator Removal: File Deletion – The “delete” script removes virtual machines from the ESXi host. Because the target is the victim’s VM data rather than the malware’s own traces, T1485 (Data Destruction) is the closer mapping. ‘uses shell scripts to delete virtual machines in an ESXi environment.’
- [T1491.001] Defacement: Internal Defacement – Rewrites the Message of the Day (MOTD) so the ransom note is shown at login. ‘The ransomware modifies the Message of the Day (MOTD) on infected systems to display the ransom note upon login.’
- [T1498] Network Denial of Service – Killing the VM processes takes the guests offline and disrupts the virtualized environment. No network flooding is involved, so T1489 (Service Stop) describes this behaviour more precisely. ‘The ransomware can potentially cause a denial of service by killing virtual machine processes, leading to significant disruption in virtualized environments.’
Indicators of Compromise
- [File Name] kill, delete – Shell scripts created by the malware to terminate and delete virtual machines on ESXi hosts. Encrypted files carry “INC” appended to the original name, and a ransom note is dropped in every directory where files were encrypted.
- [MOTD/System File] MOTD modification – The MOTD is rewritten to display the ransom note at login.
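The three host-side artifacts above (the “INC” suffix, the “kill”/“delete” scripts built on esxcli and vim-cmd, and the rewritten MOTD) can be swept for with nothing more than the busybox tools present on an ESXi host. The POSIX sh triage helper below is an added example written for this page, not SonicWall’s code and not the malware’s; the function names, the name patterns it matches, the MOTD keyword list and the sample directory tree it builds are all assumptions, and the esxcli/vim-cmd lines in that tree are constructed stand-ins for whatever the real scripts contain.

```shell
#!/bin/sh
# Constructed triage helper for a suspected INC Ransomware hit (example code,
# not from the SonicWall write-up). Hunts for the artifacts the write-up names:
#   1. encrypted files with "INC" appended to the file name
#   2. dropped scripts named "kill" / "delete" that drive esxcli / vim-cmd
#   3. a Message of the Day rewritten into a ransom note
# Function names, patterns, keywords and the sample tree are assumptions.

# Count files under $1 whose name ends in "INC". The write-up says the string
# is appended, so both "disk.vmdkINC" and "disk.vmdk.INC" match this pattern.
count_inc_files() {
    find "$1" -type f -name '*INC' 2>/dev/null | wc -l | tr -d ' '
}

# Print the paths of files named "kill" or "delete" under $1 whose contents
# invoke the ESXi management tools the write-up mentions (esxcli / vim-cmd).
# A file with one of those names but no such call is ignored, to cut noise.
find_vm_scripts() {
    find "$1" -type f \( -name kill -o -name delete \) 2>/dev/null |
    while read -r f; do
        if grep -q -E 'esxcli[[:space:]]+vm[[:space:]]+process|vim-cmd[[:space:]]+vmsvc' "$f"; then
            echo "$f"
        fi
    done
}

# Succeed (exit 0) when the MOTD at $1 reads like a ransom note.
# The keyword list is an assumption; tune it to the note seen in your incident.
motd_is_ransom_note() {
    grep -q -i -E 'encrypted|decrypt|ransom|\.onion' "$1" 2>/dev/null
}

# Build a constructed sample tree (mirroring an ESXi layout) so the checks can
# be exercised offline. Prints the root of the tree.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/vmfs/volumes/ds1/vm1" "$d/etc" "$d/tmp"
    : > "$d/vmfs/volumes/ds1/vm1/vm1.vmdkINC"        # encrypted disk
    : > "$d/vmfs/volumes/ds1/vm1/vm1.vmx.INC"        # encrypted config
    : > "$d/vmfs/volumes/ds1/vm1/vm1.nvram"          # untouched file
    printf 'esxcli vm process kill --type=force --world-id=12345\n' > "$d/tmp/kill"
    printf 'vim-cmd vmsvc/destroy 7\n' > "$d/tmp/delete"
    printf 'echo benign\n' > "$d/tmp/cleanup"        # same dir, not a VM script
    printf 'Your files are encrypted. Contact us to decrypt.\n' > "$d/etc/motd"
    echo "$d"
}

# Run every check against a root directory and print a short report.
triage() {
    root=$1
    echo "INC-suffixed files under $root: $(count_inc_files "$root")"
    scripts=$(find_vm_scripts "$root")
    if [ -n "$scripts" ]; then
        echo "VM kill/delete scripts:"
        echo "$scripts"
    else
        echo "VM kill/delete scripts: none"
    fi
    if motd_is_ransom_note "$root/etc/motd"; then
        echo "MOTD: looks like a ransom note"
    else
        echo "MOTD: clean"
    fi
}

# Stand-alone run against the constructed tree.
sample_root=$(make_sample_tree)
triage "$sample_root"
rm -rf "$sample_root"
```

On a live host, point `triage` at `/` (or at a mounted forensic image) rather than at the sample tree; the `count_inc_files` sweep across `/vmfs/volumes` is the slow part on large datastores, so run it last or scope it to one datastore at a time.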
Read more: https://blog.sonicwall.com/en-us/2024/06/inc-ransomware-the-latest-linux-threat/