Cybereason issues Threat Alerts to inform customers of emerging impacting threats, including new ransomware actors such as the emergent group INC Ransom. Cybereason Threat Alerts summarize these threats and provide practical recommendations for protecting against them.
INC Ransom is a new ransomware group that emerged in August 2023, spreading ransomware with the same name. From the start of the operation till mid-September of the same year the group leaked the data of more than a dozen victims on their blog similarly to other groups of this type. The ransomware group exercises double and triple extortion on them.
The INC Ransom group was first observed by security researchers in early August 2023.
The group’s victims are mostly private sector businesses and the also includes a government organization and a charity association. All known victims are exclusively from Western countries with the majority of them from the United States and Europe (a single victim was from Singapore).
Segmentation Of Victims By Industry & Country Of Origin
Throughout the negotiation with the victims, the group publishes a “proof pack” consisting of several photos of private data (employer’s ID, professional charts, etc.), and additional information to motivate their victims to pay. In one case, the actor accused one of the victims of money laundering, implying that the victim had money to pay the ransom of 160,000 USD. In another case, the threat actor threatened two of the victim's customers to carry out a supply chain attack in case the victim (an IT provider) didn't pay the ransom.
INC Ransom’s leak blog, besides hosting the published leaks, has light and dark UI options, a feedback box, and a link to the group’s Twitter account. The leaks blog user interface carries some similarities to LockBit 3.0’s Ransomware leak blog; however, as opposed to LockBit, INC does not charge for the leaked data.
LockBit 3.0’s Leak Blog
INC’s Leak Blog
Meanwhile, the victims have a separate site where the negotiation with the group is done. The site requires them to open a user account with the user ID that has been communicated in the ransom note, and a password of their choice.
INC’s Feedback Box
INC’s Victim Sign In Page
When it comes to modus operandi, INC cases seem to be similar to other ransomware groups. The group uses compromised credentials to gain access to a victim environment and move laterally using RDP (Remote Desktop Protocol). When compromising new machines, another credential theft command occurs using the scripts. Eventually, the operators deploy the ransomware using WMIC and PSEXEC.
In order to exfiltrate data, the group was observed using the MegaSync tool, which has also been used by other ransomware group affiliates.
The Cybereason Defense Platform is able to detect and prevent INC ransomware infections using multi-layer malware protection that leverages threat intelligence, machine learning, anti-ransomware, next-gen antivirus (NGAV), and Variant Payload Prevention capabilities.
The Cybereason Defense Platform Detects & Prevents INC-related MalOp
The Cybereason GSOC & Security Research teams recommend the following actions in the Cybereason Defense Platform:
|
Tactic |
Technique or Sub-technique |
|
TA0005: Discovery |
T1083: File and Directory Discovery |
|
TA0007: Discovery |
T1016: System Network Configuration Discovery |
|
TA0007: Discovery |
T1046: Network Service Discovery |
|
TA0007: Discovery |
T1057: Process Discovery |
|
TA0007: Discovery |
T1082: System Information Discovery |
|
TA0007: Discovery |
T1135: Network Share Discovery |
|
TA0040: Impact |
T1486: Data Encrypted for Impact |
|
TA0040: Impact |
T1489: Service Stop |
|
TA0040: Impact |
T1490: Inhibit System Recovery |
|
TA0002: Execution |
T1059: Command and Scripting Interpreter |
|
Indicators |
Indicator type |
Description |
|
fcefe50ed02c8d315272a94f860451bfd3d86fa6ffac215e69dfa26a7a5deced |
SHA256 |
INC Ransomware Binary |
This blog post is the summary of a full 20-page Threat Alert, which can be downloaded here.
Marina Popelov, Security Analyst, Security Research Team
She began her career in the Israeli Defence Forces (IDF) as an open source intelligence analyst (OSInt) analyst and today specializes in web and dark web intelligence.
Eli Salem, Security & Malware Researcher, Security Research Team
Eli is a Security and malware reverse engineer at Cybereason. He has worked in the private sector of the cybersecurity industry since 2017. In his free time, he publishes articles about malware research and threat hunting.
Alon Laufer, Security Researcher, Security Research Team 
Alon Laufer is a Security Researcher at the Cybereason Security Research Team. He began his career in the Israeli Air Force where he was responsible for protecting critical infrastructure. Alon is interested in malware analysis, digital forensics, and incident response.
Mark Tsipershtein, Security Researcher Security Research Team
Mark Tsipershtein, a cyber security analyst at the Cybereason Security Research Team, focuses on analysis automation and infrastructure. Mark has more than 20 years of experience in SQA, automation, and security testing.
Cybereason issues Threat Alerts to inform customers of emerging threats, including critical vulnerabilities such as CitrixBleed. Cybereason Threat Alerts summarize these threats and provide practical recommendations for protecting against them.
Cybereason issues Threat Alerts to inform customers of emerging impacting threats, including critical vulnerabilities such as the Ivanti Connect Secure VPN Zero-Day exploitation. Cybereason Threat Alerts summarize these threats and provide practical recommendations for protecting against them.
