INC Ransomware: Master of Double Extortion

INC Ransomware is a sophisticated and relatively new cybercriminal group known for its targeted ransomware attacks against corporate and organizational networks. They exhibit a high level of technical expertise, employing advanced techniques and a multi-staged attack process to maximize their chances of success and the potential ransom payout.
    Overview

    INC Ransomware is a sophisticated and relatively new cybercriminal group known for its targeted ransomware attacks against corporate and organizational networks. They exhibit a high level of technical expertise, employing advanced techniques and a multi-staged attack process to maximize their chances of success and the potential ransom payout. Their operations involve data theft and the threat of public release (double extortion), significantly increasing pressure on victims to comply with their demands. Their targets are carefully selected, focusing on entities with substantial financial resources and sensitive data.

    Known Aliases of INC Ransomware

    INC Ransomware (also written INC Ransom). Currently, no other aliases for the group are publicly known.

    Country of Origin of INC Ransomware

    The country of origin for INC Ransomware is currently unknown. While their attacks have predominantly targeted organizations in North America and Europe, this does not definitively indicate their location.

    Known High-Profile Victims / Most Recent Attacks Involving INC Ransomware

    The majority of their victims are in the Professional Services, Manufacturing, and Construction sectors, with the United States accounting for 57.9% of their targets.

    • Trylon: This company was targeted by the INC Ransom group, which encrypted sensitive data and demanded a ransom. Details about the breach remain limited.
    • Springfield: The city faced a ransomware attack that disrupted public services. The attack exploited vulnerabilities in widely used systems, showcasing the group’s ability to target municipal entities.
    • Mission Locale Montpellier: This French organization, dedicated to youth employment and training, was attacked on January 29, 2025. The ransomware group gained access through phishing emails, encrypting critical data and demanding a ransom.
    • Boldon James: A UK-based software company specializing in data security, Boldon James fell victim to INC Ransom on January 29, 2025. The attackers exfiltrated 500GB of sensitive data, emphasizing the group’s focus on industries handling critical information.
    • City of Beloit: This Wisconsin city was targeted on January 29, 2025. The attack disrupted municipal operations and highlighted vulnerabilities in public sector cybersecurity.
    • Menominee Tribal Clinic: This healthcare facility in Wisconsin was attacked over Christmas 2024. The ransomware disrupted services and raised concerns about the security of sensitive patient data.
    • Heart to Heart Hospice: A prominent hospice care provider, this organization was attacked on January 30, 2025. The breach involved unauthorized access to sensitive patient data.
    • Turning Leaf Behavioral Health Services: This Michigan-based mental health service provider was targeted on January 29, 2025. The attack compromised sensitive data.

    Common Methods of Infiltration Used by INC Ransomware

    INC Ransomware primarily uses two methods for initial access:

    1. Spear-phishing: Targeted emails are sent to employees, containing malicious attachments or links designed to deliver malware.
    2. Exploitation of Vulnerabilities: The group actively seeks and exploits known vulnerabilities in publicly accessible applications, such as the CVE-2023-3519 vulnerability in Citrix NetScaler.

    Exploitation Techniques Used by INC Ransomware

    INC ransomware employs a multi-stage attack process:

    • Initial Access: Purchased valid credentials (often from Initial Access Brokers), phishing, and exploitation of vulnerabilities like CVE-2023-3519.
    • Defense Evasion: Uses tools like HackTool.ProcTerminator, ProcessHacker, and a newer tool specifically designed to terminate Trend Micro processes.
    • Credential Access: Employs tools to dump credentials from Veeam Backup and Replication Managers.
    • Discovery: Uses network scanning tools like NetScan and Advanced IP Scanner to map the network. It also uses legitimate tools (Notepad, Wordpad, Paint) to view files and downloads tools like Mimikatz from open directories.
    • Lateral Movement: Uses tools like PSexec, AnyDesk, and TightVNC to move within the victim’s network.
    • Impact: Archives data with 7-Zip before exfiltration via MegaSync. It uses AES encryption with varying speeds (fast, medium, slow) and appends the “.inc” extension (or “{original file name}.{original extension}.INC” in newer versions) to encrypted files. It also drops ransom notes (INC-README.txt and INC-README.html) and prints them to network printers.
    • Persistence: Adds services to enable auto-execution in safe mode. The Linux variant uses the --daemon argument to detach from its parent process.
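    The Impact stage above names the file-system artefacts a responder can look for: the ".inc" extension (or "{name}.{ext}.INC" in newer builds) and the INC-README.txt / INC-README.html notes. The following Python script is an added example, not code from the original article or from any vendor it cites; it triages a file listing for those artefacts and recovers the original extensions from the newer naming form so the impact can be scoped. The sample listing, the threshold values and the `triage` function name are constructed for this illustration.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# File-system artefacts named in the profile: encrypted files end in ".inc"
# (older builds) or "{original name}.{original ext}.INC" (newer builds), and
# the ransom notes are INC-README.txt and INC-README.html.
RANSOM_NOTES = {"inc-readme.txt", "inc-readme.html"}
# Both naming forms end in ".inc"; the optional group captures the original
# extension when the newer form preserved it.
ENCRYPTED_RE = re.compile(r"^(?P<stem>.+?)(?:\.(?P<orig_ext>[^.\\/]+))?\.inc$",
                          re.IGNORECASE)


def classify(path: str) -> str:
    """Label one path as 'note', 'encrypted' or 'other'."""
    name = PureWindowsPath(path).name  # accepts both '\\' and '/' separators
    if name.lower() in RANSOM_NOTES:
        return "note"
    if ENCRYPTED_RE.match(name):
        return "encrypted"
    return "other"


def triage(paths, min_encrypted=3, min_ratio=0.5):
    """Summarise a file listing and decide whether it looks like an INC encryption event.

    Legitimate ".inc" include files exist, so a bare extension match is weak
    evidence: a verdict needs a ransom note, or at least `min_encrypted` hits
    making up `min_ratio` of the listing (thresholds are constructed defaults).
    """
    counts = Counter(classify(p) for p in paths)
    total = sum(counts.values())
    ratio = counts["encrypted"] / total if total else 0.0
    # Original extensions recovered from the newer naming form show which
    # data types were hit, which helps scope the impact assessment.
    orig_exts = set()
    for p in paths:
        m = ENCRYPTED_RE.match(PureWindowsPath(p).name)
        if m and m.group("orig_ext"):
            orig_exts.add(m.group("orig_ext").lower())
    indicated = counts["note"] > 0 or (
        counts["encrypted"] >= min_encrypted and ratio >= min_ratio)
    return {
        "total": total,
        "encrypted": counts["encrypted"],
        "notes": counts["note"],
        "encrypted_ratio": round(ratio, 3),
        "orig_extensions": sorted(orig_exts),
        "inc_indicated": indicated,
    }


# Constructed sample listing (not from a real incident).
SAMPLE_LISTING = [
    r"C:\Shares\Finance\Q4-budget.xlsx.INC",
    r"C:\Shares\Finance\INC-README.txt",
    r"C:\Shares\Finance\INC-README.html",
    r"C:\Shares\HR\contracts.docx.INC",
    r"C:\Shares\HR\photo.jpg.INC",
    r"C:\Shares\Legacy\report.pdf.inc",   # older ".inc" naming form
    r"C:\Shares\Dev\common.inc",          # legitimate include file: a false positive on its own
    r"C:\Windows\System32\kernel32.dll",  # untouched
]

if __name__ == "__main__":
    print(triage(SAMPLE_LISTING))
```

    Run it against a listing exported from the affected share (one path per line) rather than walking the live file system, so the triage does not touch files that may still be under forensic hold. The corroboration rule is deliberate: a single ".inc" file is a common include-file extension, whereas a ransom note or a large share of double-extension ".INC" files is what the profile actually describes.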

    INC Ransomware MITRE ATT&CK Tactics and Techniques

    • Initial Access:
      • Spear-phishing (T1566)
      • Exploitation of Public-Facing Application (T1190) – specifically CVE-2023-3519 in Citrix NetScaler
    • Execution:
      • Command and Scripting Interpreter (T1059) – using tools like wmic.exe and PSExec (disguised as winupd)
    • Persistence:
      • Valid Accounts (T1078) – leveraging compromised RDP credentials
    • Privilege Escalation:
      • Exploitation for Privilege Escalation (T1068) – via RDP
    • Defense Evasion:
      • Obfuscated Files or Information (T1027) – disguising tools like PSExec
    • Credential Access:
      • Credential Dumping (T1003) – potentially using tools like lsassy.py
    • Discovery:
      • System Network Configuration Discovery (T1016) – using tools like NETSCAN.EXE and Advanced IP Scanner
    • Lateral Movement:
      • Remote Services: Remote Desktop Protocol (T1021.001) – using tools like AnyDesk.exe
    • Collection:
      • Data Staged (T1074) – using tools like 7-Zip and MEGASync
    • Exfiltration:
      • Data Encrypted for Impact (T1486) – deploying custom ransomware
    • Command and Control:
      • Ingress Tool Transfer (T1105) – using MEGASync and AnyDesk.exe
    • Impact:
      • Data Destruction (T1485) – encrypting data
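    The ATT&CK mapping above ties specific executables (NETSCAN.EXE, Advanced IP Scanner, AnyDesk.exe, MEGASync, 7-Zip, wmic.exe, PsExec disguised as winupd) to techniques. The script below is an added example, not code from the original article or from MITRE; it runs those tool signatures over constructed process-creation events, uses the binary's version-resource OriginalFileName to catch a renamed PsExec (the T1027 entry above), and only flags a host when several distinct techniques co-occur, since wmic.exe and 7z.exe alone are routine. The event field names, the Advanced IP Scanner file-name pattern and the sample events are assumptions made for this illustration.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Executables the profile associates with INC activity, mapped to the ATT&CK
# technique the profile lists for them. Regexes apply to lower-cased file names.
# The Advanced IP Scanner file-name pattern is an assumption for this example.
TOOL_SIGNATURES = [
    (r"^psexec(64)?\.(exe|c)$",    "PsExec",              "T1059"),  # version-resource name of PsExec is psexec.c
    (r"^wmic\.exe$",               "wmic",                "T1059"),
    (r"^netscan\.exe$",            "NetScan",             "T1016"),
    (r"^advanced_ip_scanner",      "Advanced IP Scanner", "T1016"),
    (r"^anydesk\.exe$",            "AnyDesk",             "T1021.001"),
    (r"^megasync\.exe$",           "MEGASync",            "T1074"),
    (r"^7z(g|fm)?\.exe$",          "7-Zip",               "T1074"),
    (r"^mimikatz\.exe$",           "Mimikatz",            "T1003"),
]


def match_tool(filename: str):
    """Return (tool, technique) if the file name matches a known tool, else None."""
    name = filename.lower()
    for pattern, tool, technique in TOOL_SIGNATURES:
        if re.match(pattern, name):
            return tool, technique
    return None


def analyse_event(event: dict) -> list:
    """Findings for one process-creation event as (label, technique) pairs."""
    image_name = PureWindowsPath(event["image"]).name
    by_image = match_tool(image_name)
    # OriginalFileName comes from the binary's version resource (Sysmon event 1
    # records it), so renaming the file on disk does not change it.
    by_orig = match_tool(event.get("original_file_name", ""))
    hit = by_orig or by_image
    if hit is None:
        return []
    tool, technique = hit
    findings = [(tool, technique)]
    if by_orig and by_image != by_orig:
        # Known tool under a different on-disk name: the "PsExec disguised as
        # winupd" pattern the profile maps to T1027.
        findings.append((f"{tool} renamed as {image_name}", "T1027"))
    return findings


def score_hosts(events, min_techniques=3) -> dict:
    """Flag hosts where several distinct techniques from the profile co-occur.

    Single hits on wmic.exe or 7z.exe are routine admin activity; the
    combination across techniques is what resembles the INC playbook.
    """
    techniques = defaultdict(set)
    details = defaultdict(list)
    for ev in events:
        for label, technique in analyse_event(ev):
            techniques[ev["host"]].add(technique)
            details[ev["host"]].append((label, technique))
    flagged = sorted(h for h, t in techniques.items() if len(t) >= min_techniques)
    return {
        "flagged": flagged,
        "per_host": {h: sorted(t) for h, t in techniques.items()},
        "details": dict(details),
    }


# Constructed process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "FS01", "image": r"C:\Windows\Temp\winupd.exe", "original_file_name": "psexec.c"},
    {"host": "FS01", "image": r"C:\Tools\netscan.exe", "original_file_name": "netscan.exe"},
    {"host": "FS01", "image": r"C:\Users\svc\AppData\Local\MEGAsync\MEGAsync.exe", "original_file_name": "MEGAsync.exe"},
    {"host": "FS01", "image": r"C:\Program Files\7-Zip\7z.exe", "original_file_name": "7z.exe"},
    {"host": "WS07", "image": r"C:\Program Files\7-Zip\7z.exe", "original_file_name": "7z.exe"},
    {"host": "WS07", "image": r"C:\Windows\System32\wmic.exe", "original_file_name": "wmic.exe"},
    {"host": "DC01", "image": r"C:\Windows\System32\svchost.exe", "original_file_name": "svchost.exe"},
]

if __name__ == "__main__":
    print(score_hosts(SAMPLE_EVENTS))
```

    In a SIEM this becomes a correlation rule keyed on host over a time window; the per-host technique set is the part worth alerting on, because the profile's distinguishing feature is the sequence (scan, stage with 7-Zip, exfiltrate via MEGASync, move with a renamed PsExec) rather than any single tool.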

    Malware/Ransomware Strain(s) Used by INC Ransomware

    • Initial Access: Compromised accounts, CVE-2023-3519
    • Lateral Movement: PsExec, AnyDesk
    • Discovery: NetScan, Advanced IP Scanner, Mimikatz
    • Exfiltration: MegaSync, 7-Zip
    • Defense Evasion: HackTool.Win32.ProcTerminator.A, HackTool.PS1.VeeamCreds.A
    • Credential Dumping: Mimikatz
    • Impact: INC ransomware itself
