INC Ransom is a newly identified ransomware actor that emerged in August 2023, targeting mainly US and Western organizations with double and triple extortion and partial encryption. Cybereason Threat Alerts detail its operations, blog-leak activity, and how the group gains access, moves laterally, and exfiltrates data using a mix of traditional tools and a bespoke leak blog. #INCRansomware #LockBit #RDP #MegaSync #PSEXEC #WMIC #DoubleExtortion

Key points

  • INC Ransom emerged in August 2023 and has leaked data from more than a dozen victims, focusing on private-sector firms, a government organization, and a charity, mostly in the US and Europe.
  • Partial encryption is used to speed up the process; the ransomware encrypts data with a multi-threaded approach.
  • The group conducts double and triple extortion and publishes “proof packs” from victims to pressure payment.
  • The leak/blog design shows similarities to LockBit 3.0’s blog, but INC does not charge for leaked data.
  • Initial access relies on compromised credentials, with lateral movement via Remote Desktop Protocol (RDP).
  • Ransomware deployment uses WMIC and PsExec, and data exfiltration has been observed via MegaSync.

MITRE Techniques

  • [T1078] Valid Accounts – Uses compromised credentials to gain access to a victim environment. Quote: [‘uses compromised credentials to gain access to a victim environment and move laterally using RDP.’]
  • [T1021.001] Remote Services – Remote Desktop Protocol – Moves laterally within the network using RDP. Quote: [‘move laterally using RDP.’]
  • [T1047] Windows Management Instrumentation – Deploys the ransomware using WMIC. Quote: [‘deploy the ransomware using WMIC and PSEXEC.’]
  • [T1059] Command and Scripting Interpreter – Credential theft is carried out through scripts. Quote: [‘another credential theft command occurs using the scripts.’]
  • [T1567.002] Exfiltration to Cloud Storage – Exfiltrates data via the MegaSync tool. Quote: [‘exfiltrate data, the group was observed using the MegaSync tool.’]
  • [T1486] Data Encrypted for Impact – Partial encryption is used to accelerate encryption. Quote: [‘Partial Encryption: To accelerate encryption.’]

Indicators of Compromise

  • [SHA256] INC Ransomware Binary – fcefe50ed02c8d315272a94f860451bfd3d86fa6ffac215e69dfa26a7a5deced
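The behaviours in the MITRE list above (WMIC and PsExec deployment, MegaSync exfiltration) and the SHA256 indicator are the pieces a defender would turn into a triage check. The script below is an added example written for this page, not code from Cybereason or from the alert. It runs simple detection rules over constructed Sysmon-style process-creation events (hostnames, paths and the non-IoC hashes are made up) and rolls findings up per host. The alert names PsExec without an ATT&CK ID; the T1569.002 tag used for it here is the standard mapping and is an addition of this example.

```python
"""Triage of constructed process-creation events against the INC Ransom
behaviours listed in the alert (WMIC/PsExec deployment, MegaSync exfiltration)
and the published SHA256 indicator. Example code added to this page."""
import re
from collections import defaultdict

# SHA256 of the INC ransomware binary, taken from the Indicators of Compromise above.
INC_RANSOM_SHA256 = {
    "fcefe50ed02c8d315272a94f860451bfd3d86fa6ffac215e69dfa26a7a5deced",
}

# Constructed sample telemetry in a Sysmon-like shape. Hostnames, paths and the
# all-zero / all-one hashes are invented for this example; only the inc.exe hash
# on WS07 is the real indicator from the alert.
SAMPLE_EVENTS = [
    {"host": "FS01", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": r'wmic /node:"WS07" process call create "C:\ProgramData\inc.exe"',
     "sha256": "00" * 32},
    {"host": "WS07", "image": r"C:\ProgramData\inc.exe",
     "cmdline": r"C:\ProgramData\inc.exe",
     "sha256": "fcefe50ed02c8d315272a94f860451bfd3d86fa6ffac215e69dfa26a7a5deced"},
    {"host": "FS01", "image": r"C:\Tools\PsExec.exe",
     "cmdline": r"PsExec.exe \\WS08 -s -d C:\ProgramData\inc.exe",
     "sha256": "11" * 32},
    {"host": "FS01", "image": r"C:\Users\admin\AppData\Local\MEGAsync\MEGAsync.exe",
     "cmdline": "MEGAsync.exe", "sha256": "22" * 32},
    {"host": "WS02", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe", "sha256": "33" * 32},
]


def _basename(image):
    """Lower-cased file name of an image path, tolerant of either slash style."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the (technique, description) tags that match one event."""
    tags = []
    name = _basename(event["image"])
    cmd = event.get("cmdline", "").lower()
    if event.get("sha256", "").lower() in INC_RANSOM_SHA256:
        tags.append(("IoC", "known INC ransomware binary hash"))
    # T1047: WMIC used to start a process on another node.
    if name == "wmic.exe" and "/node:" in cmd and re.search(r"process\s+call\s+create", cmd):
        tags.append(("T1047", "WMIC remote process creation"))
    # PsExec pointed at a remote host (\\HOST). T1569.002 mapping added here, not from the alert.
    if name in {"psexec.exe", "psexec64.exe"} and re.search(r"\\\\[\w.-]+", cmd):
        tags.append(("T1569.002", "remote execution via PsExec"))
    # T1567.002: MEGAsync client running, the exfiltration tool named in the alert.
    if name == "megasync.exe":
        tags.append(("T1567.002", "MEGAsync client running, possible exfiltration"))
    return tags


def triage(events):
    """Tag every event and roll the results up per host.

    A host showing two or more distinct techniques is rated 'high' because it
    matches the chained behaviour (deploy, then exfiltrate) the alert describes;
    a single hit is 'medium' and needs analyst confirmation.
    """
    findings = []
    per_host = defaultdict(set)
    for event in events:
        for technique, detail in classify(event):
            findings.append({"host": event["host"], "technique": technique,
                             "detail": detail, "image": event["image"]})
            per_host[event["host"]].add(technique)
    severity = {host: ("high" if len(techs) >= 2 else "medium")
                for host, techs in per_host.items()}
    return findings, severity


if __name__ == "__main__":
    found, sev = triage(SAMPLE_EVENTS)
    for f in found:
        print(f"{f['host']:5} {f['technique']:10} {f['detail']}")
    print(sev)
```

On the constructed sample, FS01 is rated high (WMIC, PsExec and MEGAsync all on one host) and WS07 medium (only the hash match), while WS02 produces nothing. The rules are deliberately narrow; in production they would be fed from the SIEM and tuned against legitimate administrative use of WMIC and PsExec.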

Read more: https://www.cybereason.com/blog/threat-alert-inc-ransomware