INC Ransomware is a ransomware strain that has been used by the INC Ransom group since at least 2023 against multiple industry sectors worldwide. INC Ransomware can employ partial encryption combined with multi-threading to speed encryption.[1][2][3]
Domain | ID | Name | Use
---|---|---|---
Enterprise | T1486 | Data Encrypted for Impact | INC Ransomware can encrypt data on victim systems, including through the use of partial encryption and multi-threading to speed encryption.[1][2][4][5]
Enterprise | T1491.001 | Defacement: Internal Defacement | INC Ransomware has the ability to change the background wallpaper image to display the ransom note.[4][3]
Enterprise | T1140 | Deobfuscate/Decode Files or Information | INC Ransomware can run
Enterprise | T1652 | Device Driver Discovery | INC Ransomware can verify the presence of specific drivers on compromised hosts, including Microsoft Print to PDF and Microsoft XPS Document Writer.[4]
Enterprise | T1083 | File and Directory Discovery | INC Ransomware can receive command line arguments to encrypt specific files and directories.[4][1]
Enterprise | T1490 | Inhibit System Recovery | INC Ransomware can delete volume shadow copy backups from victim machines.[4]
Enterprise | T1570 | Lateral Tool Transfer | INC Ransomware can push its encryption executable to multiple endpoints within compromised infrastructure.[2]
Enterprise | T1106 | Native API | INC Ransomware can use the API
Enterprise | T1135 | Network Share Discovery | INC Ransomware has the ability to check for shared network drives to encrypt.[4]
Enterprise | T1120 | Peripheral Device Discovery | INC Ransomware can identify external USB and hard drives for encryption and printers to print ransom notes.[4]
Enterprise | T1566 | Phishing | INC Ransomware campaigns have used spearphishing emails for initial access.[1]
Enterprise | T1057 | Process Discovery | INC Ransomware can use the Microsoft Win32 Restart Manager to kill processes with a specific handle or that are accessing resources it wants to encrypt.[4]
Enterprise | T1489 | Service Stop | INC Ransomware can issue a command to kill a process on compromised hosts.[4]
Enterprise | T1082 | System Information Discovery | INC Ransomware can discover and mount hidden drives to encrypt them.[4]
Enterprise | T1047 | Windows Management Instrumentation | INC Ransomware has the ability to use wmic.exe to spread to multiple endpoints within a compromised environment.[2][3]
ID | Name | References
---|---|---
G1032 | INC Ransom |