
INC Ransomware – Threat Actor

February 25, 2025

INC Ransomware

Date of Initial Activity: 2023

Location: Unknown

Other Names: Inc. Ransom

Suspected Attribution: Ransomware Group

Motivation: Financial Gain

Software: Database

Overview

The evolution of ransomware has brought about more advanced and complex threat actors, with the Inc. ransomware group emerging as one of the most notable in recent times. First observed in July 2023, Inc. ransomware has introduced a unique approach to the traditional ransomware attack model. While many ransomware groups focus solely on encrypting victims’ data and demanding payment for decryption, the Inc. group takes a different route. They position themselves as a “service” aimed at improving their victims’ cybersecurity posture. By threatening to expose their attack methods and publicize the vulnerabilities they exploit, Inc. ransomware aims to make the victim’s environment more secure, but only if the ransom is paid. Operating primarily through multi-extortion tactics, Inc. ransomware not only encrypts data but also steals sensitive information, threatening to leak it online if the victim does not comply with the ransom demands. This dual approach adds significant pressure to organizations, forcing them to confront not only the immediate financial impact of the attack but also the potential long-term reputational damage. The group’s diverse targeting across multiple industries, including healthcare, education, and government sectors, underscores the growing reach and indiscriminate nature of ransomware attacks.

Common targets

Sectors: Public Administration; Health Care and Social Assistance; Educational Services

Geography: United States

Attack Vectors

Software Vulnerabilities

How they operate

The initial access phase of an Inc. ransomware attack varies with the victim's exposure. Inc. operators are known to exploit specific flaws such as CVE-2023-3519 in Citrix NetScaler, which allows attackers to gain unauthorized access to the network. Alongside known vulnerabilities, spear-phishing emails are another common vector the group uses to initiate attacks.

Once access is achieved, the operators deploy a range of tools to escalate privileges and move laterally across the compromised network. These include NETSCAN.EXE, a multi-protocol network scanner used to map the network, and AnyDesk.exe, a remote access tool that lets the attackers maintain control over the infected environment. After gaining a foothold and escalating privileges, the ransomware begins its primary attack phase. Inc. ransomware relies on Commercial off-the-Shelf (COTS) tools and Living Off the Land Binaries (LOLBins) to perform internal reconnaissance and lateral movement. ESENTUTL.EXE, a Microsoft database-management utility, is frequently used to interact with victim systems and databases. MEGAsyncSetup64.EXE, the legitimate installer for the MEGA cloud service, is another tool abused by Inc. ransomware to facilitate data exfiltration and movement within the network. Because these are standard utilities, they are often overlooked, which makes detection by traditional security systems more difficult.

For encryption, Inc. ransomware supports multiple command-line arguments that let the attackers choose specific targets within the system. The payload can be configured to encrypt individual files or entire directories, and can extend its reach to network shares. The --lhd argument encrypts hidden drives, including boot and recovery volumes, rendering the device non-bootable and further complicating recovery. If no arguments are specified, the ransomware attempts to encrypt all accessible files across the local drives and network shares. The encryption itself uses robust algorithms, leaving the data inaccessible to the victim unless the ransom is paid.

In addition to file encryption, the ransomware attempts to delete Volume Shadow Copies (VSS), which are often used to restore files after an attack. However, inconsistencies in the implementation of this feature suggest that it is either incomplete or at an early stage of development. Ransom notes, written in both .TXT and .HTML formats, are placed in each folder containing encrypted files. These notes instruct the victim to contact the attackers through a TOR-based payment portal using a unique identifier; the portal requests this ID, which allows the group to track the compromised organization and provide further instructions for the payment process. The use of TOR preserves the attackers' anonymity, adding another layer of complexity for authorities attempting to trace the group's activities.

Inc. ransomware's use of multiple tools, its exploitation of common vulnerabilities, and the flexibility of its attack methods make it a formidable threat. Its focus on multi-extortion, where data theft and encryption go hand in hand, places additional pressure on victims to comply with the ransom demands. The use of legitimate tools like AnyDesk and MEGAsync makes detection more difficult, while the ability to encrypt hidden drives and delete shadow copies increases the complexity of recovery efforts.

Organizations must take a proactive approach to cybersecurity, including frequent patching, network monitoring, and educating employees on phishing risks, to defend against this evolving threat.
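The tradecraft described above (COTS/LOLBin execution, shadow-copy deletion, the --lhd switch, and paired .TXT/.HTML notes dropped into every encrypted folder) maps naturally onto detection logic. The following is an added example, not code from CyberMaterial or from any vendor product: it parses constructed process-creation and file-creation events in a simplified pipe-delimited format, applies one rule per behaviour, correlates the ransom-note pattern per host, and scores each host. The tool names come from the profile; the payload name, ransom-note stem, paths, hostnames and user names are placeholders, and the "suspicious directory" list is an assumption about where remote-access tools rarely run legitimately.

```python
"""Host-scoring detection logic for the INC ransomware behaviours in the profile.

Added example; not CyberMaterial's code. Event format (CONSTRUCTED, not any
real EDR schema): timestamp|host|event_type|key=value|key=value...
"""
import re
from collections import defaultdict

# CONSTRUCTED sample telemetry. PAYLOAD_PLACEHOLDER / NOTE_PLACEHOLDER are not
# observed INC indicators; only the tool names come from the profile.
SAMPLE_EVENTS = r"""
2025-02-20T01:02:03Z|srv-fs01|process|image=C:\Tools\NETSCAN.EXE|cmd=netscan.exe /range:10.0.0.0/24|user=CORP\svc_backup
2025-02-20T01:10:11Z|srv-fs01|process|image=C:\Users\Public\AnyDesk.exe|cmd=AnyDesk.exe --silent|user=CORP\svc_backup
2025-02-20T01:15:40Z|srv-fs01|process|image=C:\Windows\System32\esentutl.exe|cmd=esentutl.exe /y C:\Temp\data.edb /d C:\Temp\copy.edb|user=CORP\svc_backup
2025-02-20T01:20:00Z|srv-fs01|process|image=C:\Users\Public\MEGAsyncSetup64.EXE|cmd=MEGAsyncSetup64.EXE /S|user=CORP\svc_backup
2025-02-20T01:30:00Z|srv-fs01|process|image=C:\Windows\System32\vssadmin.exe|cmd=vssadmin delete shadows /all /quiet|user=CORP\svc_backup
2025-02-20T01:31:00Z|srv-fs01|process|image=C:\Temp\PAYLOAD_PLACEHOLDER.exe|cmd=PAYLOAD_PLACEHOLDER.exe --lhd|user=CORP\svc_backup
2025-02-20T01:32:00Z|srv-fs01|file_create|path=C:\Shares\Finance\NOTE_PLACEHOLDER.txt
2025-02-20T01:32:00Z|srv-fs01|file_create|path=C:\Shares\Finance\NOTE_PLACEHOLDER.html
2025-02-20T01:32:01Z|srv-fs01|file_create|path=C:\Shares\HR\NOTE_PLACEHOLDER.txt
2025-02-20T01:32:01Z|srv-fs01|file_create|path=C:\Shares\HR\NOTE_PLACEHOLDER.html
2025-02-20T01:32:02Z|srv-fs01|file_create|path=C:\Shares\Legal\NOTE_PLACEHOLDER.txt
2025-02-20T01:32:02Z|srv-fs01|file_create|path=C:\Shares\Legal\NOTE_PLACEHOLDER.html
2025-02-20T09:00:00Z|wks-42|process|image=C:\Windows\System32\svchost.exe|cmd=svchost.exe -k netsvcs|user=NT AUTHORITY\SYSTEM
2025-02-20T09:05:00Z|wks-42|file_create|path=C:\Users\alice\Documents\notes.txt
2025-02-20T09:06:00Z|wks-42|file_create|path=C:\Users\alice\Documents\notes.html
"""

# Tools named in the profile (lower-cased image file names).
TOOL_IMAGES = {"netscan.exe", "anydesk.exe", "esentutl.exe", "megasyncsetup64.exe"}
# Assumption: remote-access/sync tools launched from these paths deserve a higher severity.
SUSPICIOUS_DIRS = ("\\users\\public\\", "\\temp\\", "\\programdata\\")
SEVERITY = {"low": 1, "medium": 3, "high": 5}


def parse_event(line):
    """Split one pipe-delimited event into a dict of its fields."""
    fields = line.split("|")
    attrs = dict(f.split("=", 1) for f in fields[3:])
    return {"ts": fields[0], "host": fields[1], "type": fields[2], **attrs}


def process_findings(ev):
    """Return (rule, severity, evidence) tuples for a single process-creation event."""
    image = ev.get("image", "")
    name = image.rsplit("\\", 1)[-1].lower()
    cmd = ev.get("cmd", "").lower()
    out = []
    if name in TOOL_IMAGES:
        sev = "medium" if any(d in image.lower() for d in SUSPICIOUS_DIRS) else "low"
        out.append(("tool_execution", sev, name))
    # Shadow-copy deletion defeats the most common file-restore path.
    if name == "vssadmin.exe" and "delete" in cmd and "shadows" in cmd:
        out.append(("shadow_copy_deletion", "high", cmd))
    # --lhd is the hidden-drive (boot/recovery volume) encryption switch from the profile.
    if re.search(r"(^|\s)--lhd(\s|$)", cmd):
        out.append(("hidden_drive_encryption_flag", "high", cmd))
    return out


def ransom_note_findings(file_events, min_dirs=3):
    """Flag a file stem that appears as both .txt and .html in at least min_dirs folders."""
    seen = defaultdict(lambda: defaultdict(set))  # stem -> directory -> {extensions}
    for ev in file_events:
        directory, _, fname = ev.get("path", "").rpartition("\\")
        stem, _, ext = fname.rpartition(".")
        if ext.lower() in ("txt", "html"):
            seen[stem.lower()][directory.lower()].add(ext.lower())
    out = []
    for stem, dirs in seen.items():
        paired = [d for d, exts in dirs.items() if {"txt", "html"} <= exts]
        if len(paired) >= min_dirs:
            out.append(("ransom_note_drop", "high", f"{stem} in {len(paired)} folders"))
    return out


def analyze(text, min_dirs=3):
    """Run every rule over the event text; returns host -> list of findings."""
    findings, files = defaultdict(list), defaultdict(list)
    for line in text.strip().splitlines():
        ev = parse_event(line)
        if ev["type"] == "process":
            findings[ev["host"]].extend(process_findings(ev))
        elif ev["type"] == "file_create":
            files[ev["host"]].append(ev)
    for host, evs in files.items():
        findings[host].extend(ransom_note_findings(evs, min_dirs))
    return dict(findings)


def score_hosts(findings):
    """Sum severity weights per host so the noisiest host rises to the top."""
    return {h: sum(SEVERITY[s] for _, s, _ in f) for h, f in findings.items()}


if __name__ == "__main__":
    result = analyze(SAMPLE_EVENTS)
    for host, score in sorted(score_hosts(result).items(), key=lambda kv: -kv[1]):
        print(f"{host}: score={score}")
        for rule, sev, evidence in result[host]:
            print(f"  [{sev}] {rule}: {evidence}")
```

The single-tool rule is deliberately low severity, because esentutl.exe and AnyDesk both have legitimate uses; the score only becomes actionable when several behaviours stack on one host, which is exactly the pattern the profile describes. The ransom-note rule keys on the paired .txt/.html drop across many folders rather than on a fixed filename, so it survives note renames. In the sample, the workstation that writes one notes.txt and notes.html pair scores zero.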
Tags: Government, Healthcare, Inc Ransomware, NetScaler, Ransomware, Threat Actors, United States, Vulnerabilities