INC Ransomware | |
Date of Initial Activity | 2023 |
Location | Unknown |
Other Names | Inc. Ransom |
Suspected Attribution | Ransomware Group |
Motivation | Financial Gain |
Software | Database |
Overview
The evolution of ransomware has produced more advanced and complex threat actors, and the Inc. ransomware group is one of the most notable recent examples. First observed in July 2023, Inc. ransomware adds a twist to the traditional ransomware attack model. Where most groups simply encrypt victims’ data and demand payment for decryption, the Inc. group positions itself as a “service” that improves the victim’s cybersecurity posture: it threatens to expose its attack methods and publicize the vulnerabilities it exploited, and presents payment of the ransom as the only way the victim’s environment ends up more secure.
Operating primarily through multi-extortion tactics, Inc. ransomware not only encrypts data but also steals sensitive information, threatening to leak it online if the victim does not comply with the ransom demands. This dual approach adds significant pressure to organizations, forcing them to confront not only the immediate financial impact of the attack but also the potential long-term reputational damage. The group’s diverse targeting across multiple industries, including healthcare, education, and government sectors, underscores the growing reach and indiscriminate nature of ransomware attacks.
Common targets
Public Administration
Health Care and Social Assistance
Educational Services
United States
Attack Vectors
Software Vulnerabilities
How they operate
The initial access phase of an Inc. ransomware attack can vary depending on the victim’s vulnerabilities. Inc. operators are known to exploit specific flaws, such as CVE-2023-3519 in Citrix NetScaler, which allows attackers to gain unauthorized access to the network. In addition to leveraging known vulnerabilities, spear-phishing emails are another common vector used by the group to initiate attacks. Once access is achieved, the ransomware operators deploy a range of tools to escalate their privileges and move laterally across the compromised network. These tools include NETSCAN.EXE, a multi-protocol network scanner used for mapping the network, and AnyDesk.exe, a remote access tool that allows the attackers to maintain control over the infected environment.
After gaining a foothold and escalating privileges, the ransomware operators begin the primary attack phase. Inc. ransomware relies on a mix of commercial off-the-shelf (COTS) software and native Windows utilities, the latter commonly called LOLBins (Living Off the Land Binaries), to perform internal reconnaissance and lateral movement. ESENTUTL.EXE, a Microsoft utility for managing Extensible Storage Engine databases, is frequently used to interact with victim systems and databases. MEGAsyncSetup64.EXE, the installer for the legitimate MEGA cloud-sync client, is another tool Inc. ransomware abuses to facilitate data exfiltration and movement within the network. Because these are standard, signed utilities, they are easily overlooked, which makes detection by traditional security controls more difficult.
When it comes to encryption, Inc. ransomware supports multiple command-line arguments that let the operators choose specific targets on the system. The payload can be pointed at individual files, entire directories, or network shares. The --lhd argument extends encryption to hidden drives, including boot and recovery volumes, leaving the device unbootable and further complicating recovery. If no arguments are specified, the ransomware attempts to encrypt every accessible file on the local drives and on network shares.
The encryption process itself is carried out using robust encryption algorithms, rendering the data inaccessible to the victim unless the ransom is paid. In addition to file encryption, the ransomware also attempts to delete Volume Shadow Copies (VSS), which are often used to restore files after an attack. However, there have been inconsistencies in the implementation of this feature, suggesting that it is either incomplete or in the early stages of development. Ransom notes, written in both .TXT and .HTML formats, are placed in each folder containing encrypted files. These notes provide instructions to the victim, including a unique identifier that they must use to contact the attackers via a TOR-based payment portal.
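The tooling, the --lhd switch and the shadow-copy deletion described in the last few paragraphs can be turned into simple detection logic over process-creation telemetry, and the paired .TXT/.HTML ransom notes into a file-system check. The following is an added example written for this profile, not code from the page or from any vendor: the event fields, the sample events, the ransom-note stem and the exact shadow-copy deletion commands are all assumptions.

```python
import re

# Tool names the profile attributes to Inc. operators (from the text above).
INC_TOOLING = {"netscan.exe", "anydesk.exe", "esentutl.exe", "megasyncsetup64.exe"}

# The hidden-drive switch described above; must stand alone as one argument.
ENCRYPTOR_ARG = re.compile(r"(?<!\S)--lhd(?!\S)")

# Assumed forms of shadow-copy deletion (the profile only says the attempt is made).
SHADOW_DELETE = re.compile(
    r"(vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete)", re.I)

# Constructed sample of process-creation events (Sysmon-style fields, not real telemetry).
SAMPLE_EVENTS = [
    {"host": "ws01", "image": r"C:\Users\a\Downloads\NETSCAN.EXE", "cmdline": "NETSCAN.EXE /range:10.0.0.0/24"},
    {"host": "ws01", "image": r"C:\Windows\System32\esentutl.exe", "cmdline": r"esentutl.exe /y \\srv\share\db.edb /d out.edb"},
    {"host": "srv02", "image": r"C:\Windows\System32\vssadmin.exe", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "srv02", "image": r"C:\Temp\enc.exe", "cmdline": r"enc.exe --lhd --dir D:\shares"},
    {"host": "ws03", "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe report.txt"},
]

def classify(event):
    """Return the Inc.-profile indicators matched by a single process event."""
    hits = []
    name = event["image"].rsplit("\\", 1)[-1].lower()
    if name in INC_TOOLING:
        hits.append(f"inc_tooling:{name}")
    if ENCRYPTOR_ARG.search(event["cmdline"]):
        hits.append("encryptor_arg:--lhd")
    if SHADOW_DELETE.search(event["cmdline"]):
        hits.append("shadow_copy_deletion")
    return hits

def triage(events):
    """Group indicators per host so a responder sees where the whole chain appears."""
    per_host = {}
    for ev in events:
        for hit in classify(ev):
            per_host.setdefault(ev["host"], []).append(hit)
    return per_host

def ransom_note_dirs(paths):
    """Directories holding the same note stem in both .txt and .html form, as described above."""
    seen = {}
    for p in paths:
        directory, _, fname = p.rpartition("\\")
        stem, _, ext = fname.rpartition(".")
        if ext.lower() in ("txt", "html"):
            seen.setdefault((directory, stem.lower()), set()).add(ext.lower())
    return sorted(d for (d, _), exts in seen.items() if exts == {"txt", "html"})
```

A single hit such as esentutl.exe is normal administrative activity; the value is in a host that shows tooling, the encryptor switch and shadow-copy deletion within a short window.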
Victims are instructed to visit the attackers’ encrypted TOR portal where they can obtain further instructions and initiate the ransom payment process. The portal requests the victim’s unique ID, allowing the ransomware group to track the compromised organization. The use of TOR ensures anonymity for the attackers, adding another layer of complexity for authorities attempting to trace the group’s activities.
Inc. ransomware’s use of multiple tools, its ability to exploit common vulnerabilities, and the flexibility in its attack methods make it a formidable threat. The group’s focus on multi-extortion tactics, where data theft and encryption go hand-in-hand, places additional pressure on victims to comply with the ransom demands. The use of legitimate tools like AnyDesk and MEGAsync makes detection more difficult, while the ability to encrypt hidden drives and delete shadow copies increases the complexity of recovery efforts. Organizations must take a proactive approach to cybersecurity, including frequent patching, network monitoring, and educating employees on phishing risks, to defend against this evolving threat.