THREAT ALERT: INC Ransomware

Cybereason issues Threat Alerts to inform customers of emerging impacting threats, including new ransomware actors such as the emergent group INC Ransom. Cybereason Threat Alerts summarize these threats and provide practical recommendations for protecting against them.

KEY DETAILS

• Targets US & Western Countries: Similar to many other ransomware groups, INC Ransom’s operators appear to mainly target the United States and European countries.
• Partial Encryption: To accelerate encryption, INC ransomware employs partial encryption combined with a multi-threading approach.
• Sharing Lockbit Blog Design: The UI of LockBit’s and INC’s leak blogs carry some key similarities.

WHAT’S HAPPENING?

INC Ransom is a new ransomware group that emerged in August 2023, spreading ransomware with the same name.  From the start of the operation till mid-September of the same year the group leaked the data of more than a dozen victims on their blog similarly to other groups of this type.  The ransomware group exercises double and triple extortion on them.

The INC Ransom group was first observed by security researchers in early August 2023.
The group’s victims are mostly private sector businesses and the also includes a government organization and a charity association. All known victims are exclusively from Western countries with the majority of them from the United States and Europe (a single victim was from Singapore).

Segmentation Of Victims By Industry & Country Of Origin

Throughout the negotiation with the victims, the group publishes a “proof pack” consisting of several photos of private data (employer’s ID, professional charts, etc.), and additional information to motivate their victims to pay. In one case, the actor accused one of the victims of money laundering, implying that the victim had money to pay the ransom of 160,000 USD.  In another case, the threat actor threatened two of the victim's customers to carry out a supply chain attack in case the victim (an IT provider) didn't pay the ransom.  

INC Ransom’s leak blog, besides hosting the published leaks, has light and dark UI options, a feedback box, and a link to the group’s Twitter account. The leaks blog user interface carries some similarities to LockBit 3.0’s Ransomware leak blog; however, as opposed to LockBit, INC does not charge for the leaked data.

LockBit 3.0’s Leak Blog

 INC’s Leak Blog

Meanwhile, the victims have a separate site where the negotiation with the group is done. The site requires them to open a user account with the user ID that has been communicated in the ransom note, and a password of their choice.

INC’s Feedback Box

INC’s Victim Sign In Page

When it comes to modus operandi, INC cases seem to be similar to other ransomware groups. The group uses compromised credentials to gain access to a victim environment and move laterally using RDP (Remote Desktop Protocol). When compromising new machines, another credential theft command occurs using the scripts. Eventually, the operators deploy the ransomware using WMIC and PSEXEC.

In order to exfiltrate data, the group was observed using the MegaSync tool, which has also been used by other ransomware group affiliates.

CYBEREASON RECOMMENDATIONS

The Cybereason Defense Platform is able to detect and prevent INC ransomware infections using multi-layer malware protection that leverages threat intelligence, machine learning, anti-ransomware, next-gen antivirus (NGAV), and Variant Payload Prevention capabilities.

The Cybereason Defense Platform Detects & Prevents INC-related MalOp

The Cybereason GSOC & Security Research teams recommend the following actions in the Cybereason Defense Platform:

• Enable Application Control to block the execution of malicious files.
• Enable Anti-Ransomware in your environment’s policies, set the Anti-Ransomware mode to Prevent, and enable Shadow Copy detection to ensure maximum protection against ransomware.
• Enable Variant Payload Prevention with prevent mode on Cybereason Behavioral execution prevention.
• To hunt proactively, use the Investigation screen in the Cybereason Defense Platform and the queries in the Hunting Queries section to search for machines that are potentially infected with INC Ransomware. 
  • Based on the search results, take further remediation actions, such as isolating the infected machines and deleting the payload file.
    
    

MITRE ATT&CK MAPPING

DOWNLOAD THE FULL THREAT ALERT

This blog post is the summary of a full 20-page Threat Alert, which can be downloaded here.  

About the Authors

Marina Popelov, Security Analyst, Security Research Team

She began her career in the military forces as an open source intelligence analyst (OSInt) analyst and today specializes in web and dark web intelligence. 

Eli Salem, Security & Malware Researcher, Security Research Team

Eli is a Security and malware reverse engineer at Cybereason. He has worked in the private sector of the cybersecurity industry since 2017. In his free time, he publishes articles about malware research and threat hunting. 

Alon Laufer, Security Researcher, Security Research Team 

Alon Laufer is a Security Researcher at the Cybereason Security Research Team. He began his career in the military forces where he was responsible for protecting critical infrastructure. Alon is interested in malware analysis, digital forensics, and incident response.

Mark Tsipershtein, Security Researcher Security Research Team

Mark Tsipershtein, a cyber security analyst at the Cybereason Security Research Team, focuses on analysis automation and infrastructure. Mark has more than 20 years of experience in SQA, automation, and security testing.