Imagine the crippling impact of ransomware on your business – data encryption, operational disruption, and the devastating public exposure of sensitive information. This is the reality faced by victims of INC Ransomware, a highly skilled cybercriminal group specializing in double extortion.
INC Ransomware isn’t your average ransomware operation. They are masters of their craft, employing advanced techniques and a multi-stage attack process to maximize their success and the ransom payout. Their attacks aren’t random; they meticulously target organizations with significant financial resources and sensitive data, making them a serious threat to businesses of all sizes. Their double extortion tactic—combining data encryption with the threat of public data release—creates immense pressure, often leading victims to pay exorbitant ransoms.
Understanding the enemy is the first step in effective defense. This comprehensive analysis delves into the inner workings of INC Ransomware, providing crucial insights to help you protect your organization.
The High-Profile Victims of INC Ransomware
INC Ransomware has successfully targeted numerous high-profile organizations, demonstrating their capabilities and reach. Here are just a few of them that came to the surface.
January 29, 2025:
On January 29, 2025, INC made a coordinated effort to launch a wave of attacks targeting multiple organizations:
- Mission Locale Montpellier (France): A youth employment and training organization, compromised via phishing, resulting in data encryption and a ransom demand.
- Boldon James (UK): A data security software company suffered a data breach with 500GB of sensitive data exfiltrated, showing that even security vendors are on the group’s target list.
- City of Beloit (Wisconsin, USA): Municipal operations were disrupted, highlighting the vulnerability of public sector infrastructure.
- Turning Leaf Behavioral Health Services (Michigan, USA): A mental health provider experienced a data breach compromising sensitive patient information.
January 30, 2025:
- Heart to Heart Hospice: A significant healthcare provider was attacked, resulting in unauthorized access to sensitive patient data.
Christmas 2024:
- Menominee Tribal Clinic (Wisconsin, USA): Services were disrupted, raising concerns about the security of sensitive patient data.
Previous Attacks (Limited Details):
- Trylon: Suffered data encryption and a ransom demand; further details remain undisclosed.
- Springfield: A municipal target experienced a disruption of public services due to a ransomware attack exploiting vulnerabilities in widely used systems.
These attacks show INC Ransomware’s diverse targeting, spanning multiple sectors and geographies.
INC Ransomware’s Tactics, Techniques, and Procedures (TTPs)
INC Ransomware employs a multi-staged attack process, demonstrating a high level of technical expertise:
1. Initial Access:
- Purchased Credentials: They often acquire valid credentials from Initial Access Brokers (IABs), providing immediate access to networks.
- Spear-phishing: Targeted emails containing malicious attachments or links deliver malware to unsuspecting employees.
- Vulnerability Exploitation: They actively exploit known vulnerabilities, such as CVE-2023-3519 in Citrix NetScaler.
2. Defense Evasion:
- Process Termination: They utilize tools like HackTool.ProcTerminator and ProcessHacker to terminate security software processes, including Trend Micro.
3. Credential Access:
- Credential Dumping: They employ tools to extract credentials from Veeam Backup and Replication Managers.
4. Discovery:
- Network Mapping: Tools like NetScan and Advanced IP Scanner are used to map the network infrastructure.
- File Review: Legitimate tools (Notepad, Wordpad, Paint) are used to view files, and tools like Mimikatz are downloaded from open directories.
5. Lateral Movement:
- Network Traversal: Tools like PSexec, AnyDesk, and TightVNC facilitate movement within the victim’s network.
6. Impact:
- Data Exfiltration: Data is archived with 7-Zip before exfiltration via MegaSync.
- Encryption: AES encryption is used, with varying speeds (fast, medium, slow), and the “.inc” extension (or “{original file name}.{original extension}.INC” in newer versions) is appended to encrypted files.
- Ransom Note Delivery: Ransom notes (INC-README.txt and INC-README.html) are dropped and printed to network printers.
7. Persistence:
- Auto-Execution: Services are added to enable auto-execution in safe mode. The Linux variant uses the --daemon option to detach from its parent process.
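The encryption and ransom-note behaviour described above leaves two artifacts a defender can look for on a file share: files renamed with the “.inc” extension (either “name.inc” in older builds or “name.ext.INC” in newer ones) and the INC-README.txt / INC-README.html notes. The following added example (written for this page, not code from SOCRadar or from the ransomware) triages a constructed file listing for both artifacts, keeps ordinary single-extension “.inc” include files out of the count, and produces the list of original file names to restore from backup. The sample paths and the “likely / possible / none” verdict thresholds are assumptions for the demonstration.

```python
import re
import posixpath
from collections import Counter

# Constructed file-server listing for this example (not data from the article).
# It mixes untouched files, both INC naming styles and the two ransom-note names.
SAMPLE_LISTING = [
    r"\\fs01\finance\Q4-forecast.xlsx",
    r"\\fs01\finance\Q4-forecast.xlsx.INC",
    r"\\fs01\finance\INC-README.txt",
    r"\\fs01\finance\INC-README.html",
    r"\\fs01\hr\payroll.csv.inc",
    r"\\fs01\hr\notes.txt",
    r"\\fs01\eng\build.inc",   # ordinary include file: single extension, not encrypted
]

# Ransom note file names as given in the article.
RANSOM_NOTES = {"inc-readme.txt", "inc-readme.html"}

# "<original name>.<original extension>.INC" is the newer naming described in the
# article; the older style appends ".inc" to the full name, so it matches as well.
# Requiring a second extension before ".inc" keeps plain "foo.inc" files out.
ENCRYPTED_NAME = re.compile(r"^(?P<stem>.+)\.(?P<ext>[A-Za-z0-9]{1,10})\.inc$", re.IGNORECASE)


def _split(path):
    """Return (directory, file name) for a Windows UNC or POSIX path."""
    return posixpath.split(path.replace("\\", "/"))


def classify(path):
    """Return 'ransom_note', 'encrypted' or None for one path."""
    _, name = _split(path)
    if name.lower() in RANSOM_NOTES:
        return "ransom_note"
    if ENCRYPTED_NAME.match(name):
        return "encrypted"
    return None


def original_name(path):
    """File name to restore from backup for an encrypted file, else None."""
    _, name = _split(path)
    m = ENCRYPTED_NAME.match(name)
    if not m:
        return None
    return f"{m.group('stem')}.{m.group('ext')}"


def triage(listing):
    """Summarise INC encryption artifacts found in a file listing."""
    encrypted, notes = [], []
    directories = set()
    extensions = Counter()
    for path in listing:
        kind = classify(path)
        if kind is None:
            continue
        directory, _ = _split(path)
        directories.add(directory)
        if kind == "ransom_note":
            notes.append(path)
        else:
            encrypted.append(path)
            extensions[original_name(path).rsplit(".", 1)[-1].lower()] += 1
    # Verdict thresholds are an assumption for this example.
    if encrypted and notes:
        verdict = "likely"      # both artifacts the article describes are present
    elif encrypted:
        verdict = "possible"    # double-extension .inc files alone may be benign
    else:
        verdict = "none"
    return {
        "verdict": verdict,
        "encrypted": encrypted,
        "ransom_notes": notes,
        "directories": sorted(directories),
        "original_extensions": extensions,
        "restore_list": [original_name(p) for p in encrypted],
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LISTING)
    print(report["verdict"], len(report["encrypted"]), "encrypted files in", report["directories"])
    print("restore from backup:", report["restore_list"])
```

The restore list is the practical output: it names the pre-encryption files so a recovery team can pull them from offline backups directory by directory, and the extension counter shows which data types were hit first.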
Malware and Tools Used by INC Ransomware
INC Ransomware employs a sophisticated toolkit across its multi-stage attack lifecycle. SOCRadar researchers have identified a range of tools and techniques used at each stage, indicating a high level of technical expertise and adaptability. The group leverages both commercially available and custom-built tools, often combining legitimate software for malicious purposes.
Here is a list of tools INC uses at each stage of its operations:
Initial Access:
- Compromised Accounts: INC Ransom gains initial access by exploiting compromised credentials, potentially obtained through phishing campaigns or other credential-harvesting techniques. This allows them to bypass initial security measures and directly access systems.
- Exploitation of Vulnerabilities: The group has been observed exploiting known vulnerabilities, specifically CVE-2023-3519 in Citrix NetScaler. This demonstrates their proactive approach to identifying and leveraging security weaknesses.
Lateral Movement:
- PsExec: This legitimate Windows command-line utility is abused to execute commands on remote systems, enabling the attackers to move laterally across the network and compromise additional machines.
- AnyDesk: This remote desktop software, when compromised, allows attackers to remotely control infected systems, providing persistent access and control over the network.
Discovery:
- NetScan: This network scanning tool aids in identifying active systems and services on the network, providing the attackers with a comprehensive map of the target environment.
- Advanced IP Scanner: Similar to NetScan, this tool helps map the network infrastructure, identifying potential targets for further compromise.
- Mimikatz: This powerful post-exploitation tool is used to extract credentials from memory, allowing the attackers to gain access to additional accounts and elevate their privileges within the network.
Exfiltration:
- MegaSync: This cloud storage synchronization client is used to exfiltrate stolen data, providing a convenient and relatively secure method for transferring large amounts of information.
- 7-Zip: This archiving tool is used to compress stolen data, making exfiltration more efficient and potentially reducing detection.
Defense Evasion:
- HackTool.Win32.ProcTerminator.A: This indicates the use of tools designed to terminate security processes, such as antivirus software or endpoint detection and response (EDR) agents, hindering detection and response efforts.
- HackTool.PS1.VeeamCreds.A: This suggests the use of tools designed to steal credentials from Veeam Backup & Replication software, potentially allowing access to backups and further compromising data recovery efforts.
Credential Dumping:
- Mimikatz: As mentioned previously, Mimikatz is used to extract credentials, providing the attackers with access to a wider range of systems and data.
MITRE ATT&CK Framework Mapping
The INC Ransomware group’s actions align with several MITRE ATT&CK tactics and techniques:
- Initial Access: Spear-phishing (T1566), Exploitation of Public-Facing Application (T1190) – specifically CVE-2023-3519.
- Execution: Command and Scripting Interpreter (T1059) – using tools like wmic.exe and PsExec (disguised as winupd).
- Persistence: Valid Accounts (T1078).
- Privilege Escalation: Exploitation for Privilege Escalation (T1068) – via RDP.
- Defense Evasion: Obfuscated Files or Information (T1027).
- Credential Access: Credential Dumping (T1003).
- Discovery: System Network Configuration Discovery (T1016).
- Lateral Movement: Remote Services: Remote Desktop Protocol (T1021.001).
- Collection: Data Staged (T1074).
- Exfiltration: Data Encrypted for Impact (T1486).
- Command and Control: Ingress Tool Transfer (T1105).
- Impact: Data Destruction (T1485).
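The tool list and the ATT&CK mapping above translate directly into process-creation detections. The following added example (written for this page, not SOCRadar’s or any vendor’s code) runs a small set of rules over constructed Sysmon-style process events, tags each hit with the tactic and technique ID the article gives, and escalates when several tactics appear together or when PsExec runs under a different file name, as in the “winupd” case. Assumptions: the events carry the PE version-info OriginalFileName field (PsExec’s is assumed to be “psexec.c”), the MEGAsync hit uses T1567.002 (Exfiltration to Cloud Storage), which the article’s mapping does not list, and the sample events, user names and paths are constructed.

```python
import ntpath
from collections import Counter

# Constructed process-creation events in a Sysmon-like shape. Sample data for this
# example only; the file names, users and hosts are not from the article.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\explorer.exe", "CommandLine": "explorer.exe",
     "OriginalFileName": "EXPLORER.EXE", "User": r"CORP\alice"},
    {"Image": r"C:\Windows\System32\wbem\wmic.exe",
     "CommandLine": "wmic computersystem get domain",
     "OriginalFileName": "wmic.exe", "User": r"CORP\svc-backup"},
    {"Image": r"C:\Users\Public\winupd.exe",          # renamed PsExec
     "CommandLine": r"winupd.exe \\FS01 cmd.exe",
     "OriginalFileName": "psexec.c", "User": r"CORP\svc-backup"},
    {"Image": r"C:\Users\Public\netscan.exe", "CommandLine": "netscan.exe",
     "OriginalFileName": "netscan.exe", "User": r"CORP\svc-backup"},
    {"Image": r"C:\Users\Public\mk.exe", "CommandLine": "mk.exe",  # renamed Mimikatz
     "OriginalFileName": "mimikatz.exe", "User": r"CORP\svc-backup"},
    {"Image": r"C:\Program Files\7-Zip\7z.exe",
     "CommandLine": r"7z.exe a C:\Users\Public\fin.7z D:\Shares\Finance",
     "OriginalFileName": "7z.exe", "User": r"CORP\svc-backup"},
    {"Image": r"C:\Users\svc-backup\AppData\Local\MEGAsync\MEGAsync.exe",
     "CommandLine": "MEGAsync.exe", "OriginalFileName": "MEGAsync.exe",
     "User": r"CORP\svc-backup"},
    {"Image": r"C:\Windows\System32\svchost.exe", "CommandLine": "svchost.exe -k netsvcs",
     "OriginalFileName": "svchost.exe", "User": r"NT AUTHORITY\SYSTEM"},
]

PSEXEC_NAMES = {"psexec.exe", "psexec64.exe"}


def _norm(ev):
    """Lower-case the fields the rules compare on."""
    return {
        "image": ntpath.basename(ev.get("Image", "")).lower(),
        "cmdline": ev.get("CommandLine", "").lower(),
        "orig": ev.get("OriginalFileName", "").lower(),   # assumed present (Sysmon ID 1)
        "user": ev.get("User", ""),
    }


# (rule name, predicate, tactic, technique id from the article unless noted)
RULES = [
    ("wmic-execution", lambda e: e["image"] == "wmic.exe", "Execution", "T1059"),
    ("psexec", lambda e: e["orig"] == "psexec.c" or e["image"] in PSEXEC_NAMES,
     "Execution", "T1059"),
    ("network-scanner",
     lambda e: "netscan" in e["image"] or "advanced_ip_scanner" in e["image"],
     "Discovery", "T1016"),
    ("mimikatz", lambda e: "mimikatz" in e["image"] or "mimikatz" in e["orig"],
     "Credential Access", "T1003"),
    ("archive-staging",   # 7-Zip "a" (add) command used to stage data before exfiltration
     lambda e: e["image"] in {"7z.exe", "7za.exe", "7zg.exe"} and e["cmdline"].split()[1:2] == ["a"],
     "Collection", "T1074"),
    ("megasync", lambda e: "megasync" in e["image"], "Exfiltration", "T1567.002"),  # not in article's map
    ("remote-admin-tool", lambda e: e["image"] in {"anydesk.exe", "tvnserver.exe"},
     "Lateral Movement", "T1021"),
]


def match_event(ev):
    """Return a list of hits (rule, tactic, technique, severity, user, image) for one event."""
    e = _norm(ev)
    hits = []
    for name, pred, tactic, technique in RULES:
        if not pred(e):
            continue
        # A known tool running under a different file name is the stronger signal.
        renamed = name == "psexec" and e["image"] not in PSEXEC_NAMES
        severity = "high" if renamed or name == "mimikatz" else "medium"
        hits.append({"rule": name, "tactic": tactic, "technique": technique,
                     "severity": severity, "user": e["user"], "image": e["image"]})
    return hits


def summarize(events):
    """Aggregate hits and decide whether the host warrants escalation."""
    hits = [h for ev in events for h in match_event(ev)]
    tactics = Counter(h["tactic"] for h in hits)
    users = Counter(h["user"] for h in hits)
    # Escalation threshold is an assumption: three tactics in one batch, or any high hit.
    escalate = len(tactics) >= 3 or any(h["severity"] == "high" for h in hits)
    return {"hits": hits, "tactics": tactics, "users": users, "escalate": escalate}


if __name__ == "__main__":
    s = summarize(SAMPLE_EVENTS)
    for h in s["hits"]:
        print(f'{h["severity"]:6} {h["technique"]:9} {h["tactic"]:18} {h["user"]} {h["image"]}')
    print("escalate:", s["escalate"], dict(s["tactics"]))
```

Grouping hits by user is deliberate: in the sample the whole chain runs under one service account, which is the pattern the article’s initial-access section (purchased or phished credentials) predicts, and it is the account to disable first during containment.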
Protecting Your Organization from INC Ransomware
Given the sophistication and adaptability of INC Ransomware, a comprehensive, multi-layered security approach is paramount. Relying on a single security measure is insufficient; a robust defense requires a combination of preventative, detective, and responsive strategies.
1. Strengthen Email Security:
- Robust Spam Filtering and Anti-Phishing: Implement advanced spam filters and anti-phishing solutions capable of detecting and blocking malicious emails, including those employing sophisticated social engineering techniques. This should include sandboxing capabilities to analyze suspicious attachments and URLs in a safe environment.
- Security Awareness Training: Regular and engaging security awareness training for all employees is crucial. Training should focus on identifying and reporting phishing attempts, recognizing malicious links and attachments, and understanding safe browsing practices. Simulations and phishing tests can help assess employee preparedness.
- Advanced Threat Protection: Deploy advanced threat protection solutions that utilize machine learning and artificial intelligence to identify and block sophisticated email-borne threats, including those that bypass traditional spam filters. This may involve analyzing email content, attachments, and sender reputation.
2. Proactive Patch Management:
- Regular Patching: Implement a robust patch management system that ensures all software and applications, including operating systems, applications, and network devices, are regularly updated with the latest security patches. This is critical to mitigating vulnerabilities exploited by INC Ransomware, such as CVE-2023-3519.
- Vulnerability Scanning: Regularly scan your systems for vulnerabilities using automated vulnerability scanners. Prioritize patching critical vulnerabilities identified through these scans.
- Automated Patch Deployment: Where possible, automate the patch deployment process to ensure timely and consistent patching across your entire infrastructure.
3. Network Segmentation and Access Control:
- Network Segmentation: Implement network segmentation to isolate critical systems and data from less sensitive areas. This limits the lateral movement of attackers within your network, reducing the potential impact of a successful breach.
- Principle of Least Privilege: Enforce the principle of least privilege, granting users only the necessary access rights to perform their job functions. This minimizes the damage caused by compromised accounts.
- Multi-Factor Authentication (MFA): Mandate MFA for all user accounts, especially those with administrative privileges. MFA adds an extra layer of security, making it significantly harder for attackers to gain access even if they have obtained usernames and passwords.
4. Endpoint Detection and Response (EDR):
- Real-time Monitoring: Deploy a comprehensive EDR solution to provide real-time monitoring of endpoint devices for malicious activity. EDR solutions can detect suspicious behavior, such as fileless malware execution or unusual network connections, enabling rapid response and containment.
- Threat Hunting: Proactively hunt for threats within your environment using EDR capabilities. This proactive approach can identify and neutralize threats before they can cause significant damage.
- Incident Response Capabilities: Ensure your EDR solution has robust incident response capabilities, allowing for rapid isolation and remediation of compromised endpoints.
5. Robust Data Backup and Recovery:
- Regular Backups: Implement a robust backup and recovery strategy, regularly backing up critical data to offline, immutable storage. This ensures data can be restored even if your systems are encrypted.
- Backup Testing: Regularly test your backups to ensure they are functional and can be restored successfully.
- Offline Storage: Store backups offline, ideally in a geographically separate location, to protect them from ransomware attacks.
6. Comprehensive Incident Response Planning:
- Develop a Plan: Develop a detailed incident response plan that outlines procedures for identifying, containing, eradicating, and recovering from a ransomware attack. This plan should include communication protocols, roles and responsibilities, and recovery procedures.
- Regular Testing: Regularly test your incident response plan through tabletop exercises and simulations to ensure its effectiveness and identify areas for improvement.
- Collaboration: Establish communication channels with external partners, such as law enforcement and cybersecurity experts, to ensure effective collaboration during an incident.
FAQs
Q: What is INC Ransomware?
A: INC Ransomware is a sophisticated ransomware group known for its targeted attacks and double extortion tactics, combining data encryption with the threat of public data release.
Q: How does INC Ransomware infiltrate networks?
A: INC Ransomware uses spear-phishing emails, exploits vulnerabilities like CVE-2023-3519, and purchases compromised credentials to gain initial access.
Q: What industries are most targeted by INC Ransomware?
A: Professional services, manufacturing, and construction sectors are primary targets, with a significant focus on the United States.
Q: How can I protect my organization from INC Ransomware?
A: Implementing robust security measures such as strong email security, regular patching, network segmentation, EDR solutions, regular backups, and a comprehensive incident response plan is crucial.
This detailed analysis provides a comprehensive understanding of the INC Ransomware threat. By proactively implementing these security measures, organizations can significantly reduce their risk of becoming victims of this sophisticated ransomware group. Remember, prevention is always better than cure when it comes to cybersecurity.