INC Ransom

INC Ransom has been targeting critical infrastructure with sophisticated ransomware since 2023. It combines advanced intrusion techniques and extortion tactics, making it a serious threat to organizations worldwide. The group poses significant risks to organizations in sectors such as healthcare, manufacturing, government, and technology.

The origin of INC Ransom

INC Ransom is a sophisticated ransomware group that emerged in August 2023. The group employs a methodical, multi-staged attack strategy, targeting vulnerable organizations with a combination of spear-phishing campaigns and exploitation of known vulnerabilities. Notably, the group has been linked to exploitation of CVE-2023-3519, a critical flaw in Citrix NetScaler, to gain initial access. Its operations are highly coordinated to maximize damage and force ransom payments, often through "double extortion": data is exfiltrated before systems are encrypted, so the threat of a public leak adds pressure on top of the operational outage. INC Ransom is characterized by its ability to adapt, troubleshoot, and overcome technical challenges during attacks, indicating a well-organized and skilled operation.

While the specific individuals or groups behind INC Ransom are not publicly known, cybersecurity researchers believe Russian criminals are behind the operation.

Source: SOCradar

Targets

INC Ransom's Targets

Countries targeted by INC Ransom

The group operates globally, with notable activity in North America, Europe, and parts of Asia. Countries such as the United States, the United Kingdom, Germany, and Australia have reported incidents attributed to INC Ransom. Their campaigns show no significant regional limitations, which indicates that their targeting is influenced by opportunity and potential financial gain rather than geopolitical motivations.

Source: Ransomware.live 

Industries targeted by INC Ransom

INC Ransom is known for its broad targeting strategy, focusing on industries with critical infrastructure and low resilience to operational disruptions. Educational institutions, government organizations, manufacturers, retailers, energy and utility companies, and financial institutions have all been targeted. Most prominently, INC Ransom has gone after sensitive data in the healthcare sector, with damaging attacks on a children’s hospital in the UK and a health board in Scotland.

Sources: Ransomware.live, Infosecurity Magazine, The Times

INC Ransom's victims

An estimated 214 organizations have fallen prey to INC Ransom attacks. INC Ransom has been linked to high-profile attacks on hospital networks, municipal governments, and mid-sized enterprises. While specific victim names are often undisclosed, public reporting reveals a focus on organizations with weak cybersecurity defenses or those running outdated systems susceptible to exploitation.

Source: Ransomware.live 

Attack Method

INC Ransom attack method

Initial Access

Uses spear-phishing emails or exploits vulnerabilities in public-facing applications, such as CVE-2023-3519 in Citrix NetScaler.

Privilege Escalation

Logs on with compromised valid accounts, often over RDP, and abuses them to obtain administrator-level access on the compromised system.

Defense Evasion

Employs renamed or obfuscated tooling, such as a PsExec binary dropped as "winupd", to slip past name-based detection.

Credential Access

Utilizes tools like Lsassy.py to dump credentials from LSASS process memory.

Discovery

Deploys tools like NETSCAN.EXE and Advanced IP Scanner for network reconnaissance to identify high-value targets.

Lateral Movement

Uses remote desktop software like AnyDesk.exe to move between hosts on the network.

Collection

Archives data with 7-Zip and stages it with MEGASync ahead of exfiltration and encryption.

Execution

Launches the encryptor across hosts via wmic.exe and renamed PsExec instances.

Exfiltration

Transfers the staged data to attacker-controlled storage using MEGASync or other cloud-based platforms, for use in double extortion.

Impact

Encrypts and/or destroys critical files, then demands ransom payments to restore access and prevent the leak of stolen data.
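The stages above leave host-level traces that are cheap to alert on: a renamed PsExec still carries PsExec's original file name in its PE version resource (Sysmon logs it as OriginalFileName), wmic.exe remote execution shows up as a /node: ... process call create command line, Lsassy-style dumping is a process-access event against lsass.exe with PROCESS_VM_READ granted, and account abuse over RDP appears as Security log 4624 events with LogonType 10. The script below is an added example written for this page, not code from the original page or from any of the cited sources. It runs four such detections over constructed Sysmon/Security-log style events embedded in the file (field names follow Sysmon and the Windows Security log; the event values, host names, the jump-host and lsass-reader allowlists are made up for illustration, and the OriginalFileName value "psexec.c" follows public Sigma detection content and should be verified against the PsExec build in your environment).

```python
"""Detections for the INC Ransom tradecraft described above, run over
constructed Sysmon / Windows Security events (illustrative, not captured)."""
import re

# Constructed sample events. Field names follow Sysmon (Event ID 1 process
# creation, Event ID 10 process access) and the Security log (Event ID 4624).
SAMPLE_EVENTS = [
    # Renamed PsExec: on-disk name "winupd.exe", version resource still PsExec's.
    {"EventID": 1, "Computer": "WS-042", "Image": r"C:\Windows\Temp\winupd.exe",
     "OriginalFileName": "psexec.c",
     "CommandLine": r"winupd.exe \\FILESRV01 -accepteula -s -d cmd.exe /c start enc.exe"},
    # Unrenamed PsExec from an admin host: must not fire.
    {"EventID": 1, "Computer": "ADM-01", "Image": r"C:\Tools\PsExec64.exe",
     "OriginalFileName": "psexec.c", "CommandLine": r"PsExec64.exe \\WS-042 ipconfig"},
    # wmic.exe creating a process on a remote node.
    {"EventID": 1, "Computer": "WS-042", "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "OriginalFileName": "wmic.exe",
     "CommandLine": r'wmic /node:"10.20.30.15" process call create "cmd.exe /c C:\Temp\enc.exe"'},
    # Local wmic query: benign.
    {"EventID": 1, "Computer": "WS-042", "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "OriginalFileName": "wmic.exe", "CommandLine": "wmic os get caption"},
    # Process access to lsass.exe with PROCESS_VM_READ from an unexpected source.
    {"EventID": 10, "Computer": "WS-042", "SourceImage": r"C:\Windows\System32\rundll32.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1410"},
    # Same access pattern from the AV engine: allowlisted.
    {"EventID": 10, "Computer": "WS-042",
     "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1410"},
    # Interactive RDP logon (LogonType 10) from outside the jump-host set.
    {"EventID": 4624, "Computer": "FILESRV01", "LogonType": "10",
     "TargetUserName": "svc_backup", "IpAddress": "10.20.30.77"},
    # RDP logon from the jump host: expected.
    {"EventID": 4624, "Computer": "FILESRV01", "LogonType": "10",
     "TargetUserName": "adm.jdoe", "IpAddress": "10.0.0.5"},
]

# Hypothetical environment allowlists; tune these to your estate.
KNOWN_LSASS_READERS = {"msmpeng.exe", "csrss.exe", "wininit.exe", "services.exe"}
JUMP_HOSTS = {"10.0.0.5"}
PROCESS_VM_READ = 0x0010  # access right needed to read lsass memory


def _basename(path):
    """Last component of a Windows path, lower-cased."""
    return path.rsplit("\\", 1)[-1].lower()


def renamed_psexec(ev):
    """PsExec identifies itself via OriginalFileName even after being renamed;
    fire when the on-disk name disagrees with the expected PsExec names."""
    if ev.get("EventID") != 1 or ev.get("OriginalFileName", "").lower() != "psexec.c":
        return False
    return _basename(ev["Image"]) not in {"psexec.exe", "psexec64.exe"}


WMIC_REMOTE = re.compile(r"/node:\S+.*process\s+call\s+create", re.IGNORECASE)


def wmic_remote_exec(ev):
    """wmic.exe launching a process on another host via /node:."""
    return (ev.get("EventID") == 1 and _basename(ev.get("Image", "")) == "wmic.exe"
            and bool(WMIC_REMOTE.search(ev.get("CommandLine", ""))))


def lsass_memory_read(ev):
    """Process access to lsass.exe with VM_READ granted, excluding known readers."""
    if ev.get("EventID") != 10 or _basename(ev.get("TargetImage", "")) != "lsass.exe":
        return False
    granted = int(ev.get("GrantedAccess", "0x0"), 16)
    return bool(granted & PROCESS_VM_READ) and _basename(ev["SourceImage"]) not in KNOWN_LSASS_READERS


def rdp_from_unexpected_source(ev):
    """RDP (LogonType 10) logon whose source address is not a known jump host."""
    return (ev.get("EventID") == 4624 and ev.get("LogonType") == "10"
            and ev.get("IpAddress") not in JUMP_HOSTS)


RULES = {
    "renamed_psexec (T1027)": renamed_psexec,
    "wmic_remote_exec (T1059/T1021)": wmic_remote_exec,
    "lsass_memory_read (T1003)": lsass_memory_read,
    "rdp_from_unexpected_source (T1078/T1021)": rdp_from_unexpected_source,
}


def run_detections(events):
    """Return (rule, computer, detail) for every event that matches a rule."""
    hits = []
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                detail = ev.get("CommandLine") or ev.get("SourceImage") or ev.get("IpAddress")
                hits.append((name, ev["Computer"], detail))
    return hits


if __name__ == "__main__":
    for hit in run_detections(SAMPLE_EVENTS):
        print("%-42s %-10s %s" % hit)
```

Against the embedded sample, exactly one event per rule fires and each paired benign event stays quiet. The renamed-PsExec rule is the one worth copying: it keys on the version resource rather than the file name, so the "winupd" trick described above does not help the attacker. In production, feed the same functions from your SIEM's Sysmon and Security-log exports and extend the allowlists before enabling paging.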

MITRE ATT&CK Mapping

TTPs used by INC Ransom

TA0001: Initial Access
T1566 Phishing
T1190 Exploit Public-Facing Application
T1078 Valid Accounts
TA0002: Execution
T1059 Command and Scripting Interpreter
TA0003: Persistence
T1078 Valid Accounts
TA0004: Privilege Escalation
T1068 Exploitation for Privilege Escalation
T1078 Valid Accounts
TA0005: Defense Evasion
T1027 Obfuscated Files or Information
T1078 Valid Accounts
TA0006: Credential Access
T1003 OS Credential Dumping
TA0007: Discovery
T1016 System Network Configuration Discovery
TA0008: Lateral Movement
T1021 Remote Services
TA0009: Collection
T1074 Data Staged
TA0011: Command and Control
T1105 Ingress Tool Transfer
TA0010: Exfiltration
T1567.002 Exfiltration to Cloud Storage
TA0040: Impact
T1485 Data Destruction
T1486 Data Encrypted for Impact

FAQs