INC Ransom

INC Ransom is a ransomware and data extortion threat group associated with the deployment of INC Ransomware that has been active since at least July 2023. INC Ransom has targeted organizations worldwide, most commonly in the industrial, healthcare, and education sectors in the US and Europe.[1][2][3][4]

ID: G1032
Associated Groups: GOLD IONIC
Contributors: Matt Anderson, @nosecurething, Huntress
Version: 1.0
Created: 06 June 2024
Last Modified: 28 October 2024

Associated Group Descriptions

Name Description
GOLD IONIC [3]

Techniques Used

Domain ID Name Use
Enterprise T1087.002 Account Discovery: Domain Account

INC Ransom has scanned for domain admin accounts in compromised environments.[5]

Enterprise T1071 Application Layer Protocol

INC Ransom has used valid accounts over RDP to connect to targeted systems.[6]

Enterprise T1560.001 Archive Collected Data: Archive via Utility

INC Ransom has used 7-Zip and WinRAR to archive collected data prior to exfiltration.[6][3][5][7]

Enterprise T1059.003 Command and Scripting Interpreter: Windows Command Shell

INC Ransom has used cmd.exe to launch malicious payloads.[6]

Enterprise T1486 Data Encrypted for Impact

INC Ransom has used INC Ransomware to encrypt victims' data.[4][6][1][3][2][5]

Enterprise T1074 Data Staged

INC Ransom has staged data on compromised hosts prior to exfiltration.[6][5]

Enterprise T1190 Exploit Public-Facing Application

INC Ransom has exploited known vulnerabilities including CVE-2023-3519 in Citrix NetScaler for initial access.[5][4]

Enterprise T1657 Financial Theft

INC Ransom has stolen and encrypted victims' data in order to extort payment for keeping it private or for decrypting it.[2][1][3][5][4]

Enterprise T1562.001 Impair Defenses: Disable or Modify Tools

INC Ransom can use SystemSettingsAdminFlows.exe, a native Windows utility, to disable Windows Defender.[7]

Enterprise T1070.004 Indicator Removal: File Deletion

INC Ransom has uninstalled tools from compromised endpoints after use.[7]

Enterprise T1105 Ingress Tool Transfer

INC Ransom has downloaded tools, including Advanced IP Scanner, to compromised servers.[6][7]

Enterprise T1570 Lateral Tool Transfer

INC Ransom has used a rapid succession of copy commands to install a file encryption executable across multiple endpoints within compromised infrastructure.[6][3]

Enterprise T1036.005 Masquerading: Match Legitimate Name or Location

INC Ransom has named a PsExec executable winupd to mimic a legitimate Windows update file.[6][5]

Enterprise T1046 Network Service Discovery

INC Ransom has used NETSCAN.EXE for internal reconnaissance.[5][4]

Enterprise T1135 Network Share Discovery

INC Ransom has used Internet Explorer to view folders on other systems.[6]

Enterprise T1588.002 Obtain Capabilities: Tool

INC Ransom has acquired and used several tools including MegaSync, AnyDesk, esentutl and PsExec.[2][6][5][7][4]

Enterprise T1069.002 Permission Groups Discovery: Domain Groups

INC Ransom has enumerated domain groups on targeted hosts.[6]

Enterprise T1566 Phishing

INC Ransom has used phishing to gain initial access.[5][4]

Enterprise T1219 Remote Access Software

INC Ransom has used AnyDesk and PuTTY on compromised systems.[6][5][7][4]

Enterprise T1021.001 Remote Services: Remote Desktop Protocol

INC Ransom has used RDP to move laterally.[2][6][5][7]

Enterprise T1049 System Network Connections Discovery

INC Ransom has used RDP to test network connections.[5]

Enterprise T1569.002 System Services: Service Execution

INC Ransom has run a file encryption executable as a Windows service via the Service Control Manager; the resulting Service Control Manager Event ID 7045 service-install record showed a service named winupd with image path %SystemRoot%\winupd.exe, registered as a user mode service with demand start and running as LocalSystem.[6]
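The 7045 record quoted above is exactly the kind of artifact a defender can triage automatically. The following is an added example, not code from MITRE ATT&CK or any of the cited reports: it parses constructed Service Control Manager 7045 records in the same field order as the entry (name, image path, type, start, account) and flags services whose update-themed name is not hosted by svchost.exe, whose image sits directly under %SystemRoot%, or which register a remote access tool such as AnyDesk. The watch-lists and sample records are assumptions for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample 7045 records (field order: name, image path, type, start, account).
SAMPLE_7045 = """\
winupd,%SystemRoot%\\winupd.exe,user mode service,demand start,LocalSystem
Spooler,%SystemRoot%\\System32\\spoolsv.exe,user mode service,auto start,LocalSystem
wuauserv,%SystemRoot%\\system32\\svchost.exe -k netsvcs,user mode service,demand start,LocalSystem
AnyDeskSvc,C:\\ProgramData\\AnyDesk\\AnyDesk.exe --service,user mode service,auto start,LocalSystem
"""

@dataclass
class ServiceInstall:
    name: str
    image_path: str
    service_type: str
    start_type: str
    account: str

def parse_7045(text):
    """Parse comma-separated 7045 records; only the image path may itself contain commas."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) < 5:
            raise ValueError(f"unexpected 7045 record: {line!r}")
        events.append(ServiceInstall(parts[0], ",".join(parts[1:-3]), *parts[-3:]))
    return events

# Assumed watch-lists (not ATT&CK data): update-themed names and remote access tools.
UPDATE_LOOKALIKE = re.compile(r"win\w*upd|wuau", re.I)
REMOTE_ACCESS = ("anydesk",)

def review_service(ev):
    """Return the reasons a 7045 record deserves analyst attention (empty list = nothing flagged)."""
    reasons = []
    image = ev.image_path.lower()
    exe = re.split(r"[\\/]", image.split(" ")[0])[-1]          # bare executable name
    directly_in_root = image.startswith("%systemroot%\\") and image.count("\\") == 1
    if UPDATE_LOOKALIKE.search(ev.name) and exe != "svchost.exe":
        reasons.append("update-themed service name not hosted by svchost.exe")
    if directly_in_root:
        reasons.append("image written directly under %SystemRoot% rather than System32")
    if any(tool in image for tool in REMOTE_ACCESS):
        reasons.append("remote access tool registered as a service")
    return reasons

def triage(text):
    """Map each installed service name to its list of review reasons."""
    return {ev.name: review_service(ev) for ev in parse_7045(text)}
```

In the sample set only the winupd and AnyDeskSvc records are flagged; the genuine Windows Update service (wuauserv, hosted by svchost.exe) and the spooler pass.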

Enterprise T1537 Transfer Data to Cloud Account

INC Ransom has used MegaSync to exfiltrate data to the cloud.[3]

Enterprise T1078 Valid Accounts

INC Ransom has used compromised valid accounts for access to victim environments.[2][6][5][7]

Enterprise T1047 Windows Management Instrumentation

INC Ransom has used WMIC to deploy ransomware.[2][6][5]

Software

ID Name References Techniques
S0552 AdFind [3] Account Discovery: Domain Account, Domain Trust Discovery, Permission Groups Discovery: Domain Groups, Remote System Discovery, System Network Configuration Discovery
S0404 esentutl [5][4] Data from Local System, Direct Volume Access, Hide Artifacts: NTFS File Attributes, Ingress Tool Transfer, Lateral Tool Transfer, OS Credential Dumping: NTDS
S1139 INC Ransomware [2][3] Data Encrypted for Impact, Defacement: Internal Defacement, Deobfuscate/Decode Files or Information, Device Driver Discovery, File and Directory Discovery, Inhibit System Recovery, Lateral Tool Transfer, Native API, Network Share Discovery, Peripheral Device Discovery, Phishing, Process Discovery, Service Stop, System Information Discovery, Windows Management Instrumentation
S0039 Net [7] Account Discovery: Domain Account, Account Discovery: Local Account, Account Manipulation: Additional Local or Domain Groups, Create Account: Local Account, Create Account: Domain Account, Indicator Removal: Network Share Connection Removal, Network Share Discovery, Password Policy Discovery, Permission Groups Discovery: Domain Groups, Permission Groups Discovery: Local Groups, Remote Services: SMB/Windows Admin Shares, Remote System Discovery, System Network Connections Discovery, System Service Discovery, System Services: Service Execution, System Time Discovery
S0359 Nltest [6] Domain Trust Discovery, Remote System Discovery, System Network Configuration Discovery
S0029 PsExec [2][6][3][5] Create Account: Domain Account, Create or Modify System Process: Windows Service, Lateral Tool Transfer, Remote Services: SMB/Windows Admin Shares, System Services: Service Execution
S1040 Rclone [7] Archive Collected Data: Archive via Utility, Data Transfer Size Limits, Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Web Service: Exfiltration to Cloud Storage, File and Directory Discovery
S0183 Tor [3][5][4] Encrypted Channel: Asymmetric Cryptography, Proxy: Multi-hop Proxy

References