INC Ransomware is a relatively new ransomware and data extortion operation that emerged in July 2023. This threat actor has quickly gained notoriety for its multi-extortion tactics, targeting a wide range of industries globally. Unlike some ransomware groups that focus on encrypting data, INC Ransomware emphasizes both data encryption and data theft. This double extortion approach significantly increases pressure on victims, as they face not only the disruption of their operations but also the threat of sensitive data being leaked publicly if the ransom is not paid. The group has even claimed to offer "security advice" to victims after payment, a likely deceptive tactic aimed at maximizing profits.
INC Ransomware first appeared in July 2023, making it a relatively recent entrant to the ransomware landscape. While the exact origins of the group remain unknown, the rapid deployment and sophistication of their attacks suggest a level of experience and planning. The group's initial tactics involved exploiting vulnerabilities in internet-facing services, particularly CVE-2023-3519 in Citrix NetScaler, as well as using spear-phishing campaigns to gain initial access.
There is strong evidence linking INC Ransomware to the leaked source code of Babuk ransomware. Several researchers have suggested this connection, and it extends to observed code reuse, for example in the later Lynx variant (which appeared in July 2024).
The availability of INC Ransomware's source code on the criminal underground market (as early as March 2024) suggests that further variants based on this codebase are likely to emerge. This proliferation of variants poses an ongoing challenge to cybersecurity professionals. The Lynx variant shares a significant portion of its source code with INC, further suggesting a direct lineage. Analysis shows a 48% overlap in functions between the two ransomware families, with a 70.8% similarity in those shared functions.
INC Ransomware employs a multi-stage attack methodology, demonstrating a combination of technical expertise and social engineering skills. Their tactics, techniques, and procedures (TTPs) can be broken down into the following key stages:
Initial Access: INC Ransomware utilizes various methods to gain initial entry into victim networks. These include:
* Spear-phishing: Targeted emails containing malicious attachments or links are used to trick users into executing malware or providing credentials.
* Vulnerability Exploitation: Known vulnerabilities, such as CVE-2023-3519 (Citrix NetScaler) and CVE-2023-48788 (Fortinet EMS server SQL injection), are exploited to gain access to internet-facing systems.
* Compromised Credentials: Stolen or weak credentials may be used to gain access to systems.
Post-Exploitation and Lateral Movement: Once inside the network, INC Ransomware actors employ several techniques to move laterally and establish persistence:
* RDP (Remote Desktop Protocol)
* COTS (Commercial Off-The-Shelf) Tools: Legitimate software, such as NETSCAN.EXE (network scanning), MEGAsyncSetup64.EXE (file sharing), ESENTUTL.EXE (database utility), and AnyDesk.exe (remote desktop), is used for reconnaissance, data exfiltration, and maintaining access.
* LOLBINs (Living Off The Land Binaries): System tools like wmic.exe and PsExec (often disguised, e.g., as winupd) are used to execute commands and deploy the ransomware across multiple endpoints.
* Impacket Tools: Python tools like secretsdump.py, smbexec, and wmiexec are likely used for credential harvesting and lateral movement.
* Pass-the-Hash: Stolen credential hashes are reused to authenticate to additional systems, allowing the actors to move from the initial foothold to other areas of the network.
Privilege Escalation & Defense Evasion:
* BYOVD (Bring Your Own Vulnerable Driver): The group uses vulnerable drivers (e.g., "wnbios.sys") and tools like "disabler.exe" to escalate privileges and bypass EDR solutions.
* Safe Mode Boot: The --safe-mode command-line argument forces a system reboot into Safe Mode, potentially bypassing security software.
* Service Creation: Persistence is achieved by creating a new service (e.g., "dmksvc") configured for automatic startup, pointing directly to the malware file.
Data Exfiltration:
* MEGA Sync: The MEGA file sharing service (MEGAsyncSetup64.EXE) is a common tool used for data exfiltration.
* Restic: The Restic backup utility has been observed being used for data exfiltration.
Impact (Encryption & Extortion):
* Partial Encryption: INC Ransomware employs partial encryption, combined with multi-threading, to speed up the encryption process. This approach can be more efficient and potentially less detectable than full disk encryption.
* File Extension: Encrypted files are typically appended with a specific extension (e.g., .lynx in the case of the Lynx variant).
* Process Termination: The ransomware terminates specific processes related to databases, backups, email servers, and Java to ensure files are accessible for encryption and to hinder recovery.
* Volume Shadow Copy Deletion: Attempts are made to delete Volume Shadow Copies (VSS) to prevent data recovery.
* Recycle Bin Clearing: The recycle bin is emptied to remove traces of deleted files and hinder forensic investigation.
* Ransom Notes: Ransom notes (INC-README.TXT, INC-README.HTML) are dropped in every folder with encrypted files, directing victims to a TOR-based portal for communication. The HTML note is often printed to connected printers/fax machines.
* Command-Line Arguments: The ransomware supports various command-line arguments to customize its behavior, including targeting specific files/directories (-file, -dir), stopping processes (-sup), encrypting network shares (-ens), encrypting hidden drives (-lhd), and enabling debug logging (-debug). The -lhd argument is particularly dangerous, as it can render the device unbootable.
INC Ransomware demonstrates a broad targeting strategy, impacting organizations across numerous industries and geographic locations. While seemingly indiscriminate in its selection of victims, the group tends to focus on organizations with the capacity to pay substantial ransoms and those possessing sensitive data.
Targeted Industries:
Healthcare
Education
Government
Technology
Industrial
Professional Services
Manufacturing
Construction
Retail
Real Estate
Architecture
Financial and Environmental Services
Geographic Focus:
United States: The US is the most frequently targeted country.
Europe: European countries are also heavily targeted.
Worldwide: Attacks have been observed globally, including in Singapore, among other countries.
The targeting of critical infrastructure sectors like healthcare and government highlights the group's willingness to cause significant disruption.
Several notable attack campaigns have been attributed to INC Ransomware:
Initial Emergence (July 2023): INC Ransomware was first observed in the wild, targeting a variety of organizations using double extortion tactics.
Citrix NetScaler Exploitation (Late 2023): The group actively exploited CVE-2023-3519 in Citrix NetScaler to gain initial access to victim networks.
Blue Yonder Attack (November 2024): A major attack on the supply chain vendor Blue Yonder disrupted operations for several prominent companies. INC Ransom claimed responsibility, alleging the exfiltration of 680GB of data. Interestingly, the Cl0p ransomware group also claimed responsibility for attacking Blue Yonder, fueling speculation about potential collaboration or shared vulnerabilities. Blue Yonder later clarified that the November 2024 breach (attributed to INC) was unrelated to a separate Cleo software vulnerability exploited by Cl0p.
Fortinet EMS Server Exploitation (March 2024): An attack leveraging CVE-2023-48788 on an internet-facing Fortinet EMS server allowed rapid deployment of RMM tools and subsequent data exfiltration.
Emergence of Lynx Variant (July 2024): A successor to INC, demonstrating code reuse and evolving tactics.
Protecting against INC Ransomware and its variants requires a multi-layered approach, combining preventative measures, detection capabilities, and incident response planning.
Generic Defense Strategies:
Patch Management: Prioritize patching internet-facing devices and systems, especially for known, actively exploited vulnerabilities. Maintain a comprehensive asset inventory.
Network Segmentation: Implement strong network segmentation to limit the lateral movement of attackers within the network. Isolate critical systems and restrict unnecessary communication.
Strong Authentication: Enforce strong, unique passwords and require multi-factor authentication (MFA) for all accounts, especially privileged accounts and remote access services.
Email Security: Implement advanced email security solutions to detect and block phishing emails, malicious attachments, and suspicious links. Train employees to recognize and report phishing attempts.
Endpoint Detection and Response (EDR): Deploy EDR solutions with behavioral analysis and threat intelligence capabilities to detect and respond to malicious activity on endpoints.
Data Backup and Recovery: Implement a robust backup and recovery plan, including regular backups stored offline or in a secure, isolated environment. Test backups regularly to ensure they can be restored effectively.
Principle of Least Privilege: Restrict user access to only the resources they need to perform their jobs. Regularly audit privileged accounts and limit their exposure.
Limit Software Installation: Restrict software installation to trusted, approved sources and block unauthorized installers, which removes the main path for BYOVD attacks.
File Share Protection: Implement stronger controls such as using Application Control or Software Restriction Policies.
RMM Tool Security: Apply the same Application Control or Software Restriction Policies to remote management tools so that only authorized ones can run, and block network traffic from any unauthorized RMM tool.
INC Ransomware-Specific Defenses:
Monitor for New Service Creation: Be vigilant for the creation of new services, especially those with unusual names or pointing to suspicious file paths (e.g., "dmksvc").
Restrict SSH Access: Limit and monitor SSH access, particularly from external networks, as it can be an initial access vector.
Detect Malicious Use of Legitimate Tools: Implement detection rules and behavioral analysis to identify the malicious use of legitimate tools like NETSCAN.EXE, MEGAsyncSetup64.EXE, AnyDesk.exe, and Impacket tools.
Monitor for BYOVD Activity: Implement security controls to detect and prevent the loading of known vulnerable drivers.
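The service-creation and BYOVD items in this list can be checked from two Windows log sources. The following is an added example, not code from the article or any product: it scores constructed records shaped like System log event 7045 ("A service was installed in the system": ServiceName, ImagePath, StartType) and Sysmon Event ID 6 ("Driver loaded": ImageLoaded, Signed). The only indicators taken from the article are the "dmksvc" service name and the wnbios.sys driver; the PSEXESVC service name is PsExec's default, and the suggestion to merge in a maintained vulnerable-driver list is an assumption about a production deployment.

```python
"""Flag suspicious service installs and driver loads tied to the INC TTPs above.

Added example, not code from the article or any product. Records are constructed
dictionaries whose field names follow Windows System log event 7045
(ServiceName, ImagePath, StartType) and Sysmon Event ID 6 (ImageLoaded, Signed);
the values are invented for illustration.
"""
import re

# Indicators named in the article. A production rule would merge in a
# maintained vulnerable-driver list such as LOLDrivers (assumption, not in the article).
KNOWN_SERVICE_NAMES = {"dmksvc"}
KNOWN_VULNERABLE_DRIVERS = {"wnbios.sys"}
# PsExec's default service name; its appearance means PsExec was run against the host.
LATERAL_MOVEMENT_SERVICES = {"psexesvc"}

USER_WRITABLE = re.compile(r"^[a-z]:\\(?:users|programdata|perflogs|windows\\temp|temp)\\", re.I)
DRIVER_DIRS = re.compile(r"^c:\\windows\\system32\\(?:drivers|driverstore)\\", re.I)
ALERT_THRESHOLD = 4


def service_image_path(image_path):
    """Strip quotes and arguments from a 7045 ImagePath, keeping the binary."""
    m = re.match(r'^"?(.*?\.(?:exe|sys|dll))\b"?', image_path.strip(), re.I)
    return (m.group(1) if m else image_path).strip()


def assess_service_install(ev):
    """Score one 'A service was installed in the system' (7045) record."""
    score, reasons = 0, []
    name = ev["ServiceName"].lower()
    exe = service_image_path(ev["ImagePath"])
    if name in KNOWN_SERVICE_NAMES:
        score += 5
        reasons.append(f"service name {name!r} is a known INC indicator")
    if name in LATERAL_MOVEMENT_SERVICES:
        score += 4
        reasons.append(f"{name!r} is PsExec's service")
    if USER_WRITABLE.search(exe):
        score += 4
        reasons.append(f"service binary in user-writable path {exe}")
    # Automatic start only matters once something else looks wrong; most
    # legitimate services are auto-start too.
    if score and ev.get("StartType", "").lower().startswith("auto"):
        score += 1
        reasons.append("configured for automatic start")
    return score, reasons


def assess_driver_load(ev):
    """Score one Sysmon 'Driver loaded' (Event ID 6) record."""
    score, reasons = 0, []
    path = ev["ImageLoaded"]
    base = path.rsplit("\\", 1)[-1].lower()
    if base in KNOWN_VULNERABLE_DRIVERS:
        score += 5
        reasons.append(f"{base} is a known vulnerable driver (BYOVD)")
    if not DRIVER_DIRS.search(path):
        score += 3
        reasons.append(f"driver loaded from non-standard path {path}")
    # BYOVD drivers carry a valid signature by design, so an unsigned driver is
    # an extra signal, not the primary one.
    if ev.get("Signed", "true").lower() != "true":
        score += 3
        reasons.append("unsigned driver")
    return score, reasons


def alerts(service_events, driver_events):
    """Collect (record id, score, reasons) for everything over the threshold."""
    found = []
    for ev in service_events:
        s, r = assess_service_install(ev)
        if s >= ALERT_THRESHOLD:
            found.append((ev["RecordId"], s, r))
    for ev in driver_events:
        s, r = assess_driver_load(ev)
        if s >= ALERT_THRESHOLD:
            found.append((ev["RecordId"], s, r))
    return found


# Constructed sample records (not real telemetry).
SERVICE_EVENTS = [
    {"RecordId": "svc-1", "ServiceName": "dmksvc",
     "ImagePath": r"C:\PerfLogs\lck.exe", "StartType": "auto start"},
    {"RecordId": "svc-2", "ServiceName": "Sense",
     "ImagePath": r'"C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe"',
     "StartType": "auto start"},
    {"RecordId": "svc-3", "ServiceName": "PSEXESVC",
     "ImagePath": r"C:\Windows\PSEXESVC.exe", "StartType": "demand start"},
]
DRIVER_EVENTS = [
    {"RecordId": "drv-1", "ImageLoaded": r"C:\Users\Public\wnbios.sys", "Signed": "true"},
    {"RecordId": "drv-2", "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys", "Signed": "true"},
]

if __name__ == "__main__":
    for record_id, score, reasons in alerts(SERVICE_EVENTS, DRIVER_EVENTS):
        print(record_id, score, "; ".join(reasons))
```

The path check does most of the work: a service whose binary sits in PerfLogs, ProgramData, Temp or a user profile is unusual on its own, and combined with the auto-start configuration the article describes it reproduces the dmksvc pattern without depending on the name. Because the BYOVD driver is validly signed, the signature field cannot be the primary signal; the driver's file name and load location are.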
INC Ransomware represents a significant and evolving threat to organizations worldwide. Its double extortion tactics, combined with its technical sophistication and use of readily available tools, make it a formidable adversary. The emergence of variants like Lynx, and the availability of INC's source code, suggest that this threat will continue to grow and adapt. Organizations must prioritize robust cybersecurity measures, including proactive threat hunting, vulnerability management, strong authentication, and employee training, to effectively defend against INC Ransomware and its evolving variants. A layered security approach, combining prevention, detection, and response, is essential to mitigate the risks posed by this persistent threat. Incident response planning is also key to recovery. Many organizations are using SOAR to automate incident response.
Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.