INC Ransomware Group

Actor Type: Criminal Group
Directly Linked Intrusion Sets: GOLD IONIC

The INC Ransomware Group emerged as a cyber criminal extortion group in July 2023.

INC ransomware is a multi-extortion operation: the group steals victim data, encrypts it, and then threatens to leak the stolen data online should the victim fail to comply with its demands. The group targets multiple industries, with attacks observed against healthcare, education, and government entities.

The initial access methods used by the group vary; observed methods include spear-phishing emails as well as the targeting of vulnerable external-facing services. Once the threat actor has gained initial access, a variety of publicly available tooling and living-off-the-land techniques are used for internal reconnaissance and lateral movement. Tools associated with INC ransomware operations include NETSCAN.EXE, MEGAsyncSetup64.EXE, ESENTUTL.EXE, and AnyDesk.exe.

INC ransomware payloads support multiple command-line arguments to specify encryption options, but by default the payload simply attempts to encrypt the local device, including all available volumes and files. Ransom notes are written to each folder containing encrypted items, and the ransomware also attempts to output the HTML-formatted note to any connected and accessible printers or fax machines.
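The two paragraphs above describe behaviours a defender can look for in endpoint telemetry: execution of the tooling the profile associates with INC operations, and a ransom note being dropped into many folders in a short window. The following is an added example, not code from the profile or from any of the referenced reports. The event line formats, host and user names, the ransom-note filename INC-README.html and the alert thresholds are all constructed for this example; the only values taken from the page are the four tool names.

```python
"""Added example: detection logic for two INC-profile behaviours, run over
constructed sample telemetry (the log formats below are invented for this
example; adapt the parsers to your EDR or Sysmon export)."""
from collections import defaultdict
from datetime import datetime, timedelta
import ntpath

# Tool names listed in the profile; matched case-insensitively on the image basename.
# esentutl.exe and AnyDesk.exe are legitimate software, so tune these against
# your own baseline before alerting on them in isolation.
INC_TOOLING = {"netscan.exe", "megasyncsetup64.exe", "esentutl.exe", "anydesk.exe"}

# Constructed process-creation events: "<timestamp> <host> <user> <image path>"
PROCESS_EVENTS = """\
2024-01-10T08:01:12Z WS-014 corp\\jdoe C:\\Windows\\System32\\svchost.exe
2024-01-10T08:03:45Z WS-014 corp\\jdoe C:\\Users\\jdoe\\Downloads\\NETSCAN.EXE
2024-01-10T08:20:03Z SRV-DC1 corp\\svc_backup C:\\Windows\\System32\\esentutl.exe
2024-01-10T09:11:30Z WS-014 corp\\jdoe C:\\Users\\jdoe\\Downloads\\MEGAsyncSetup64.EXE
2024-01-10T09:15:00Z WS-022 corp\\asmith C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE
"""

# Constructed file-creation events: "<timestamp> <host> <file path>"
# INC-README.html is a placeholder note name, not one taken from the page.
FILE_EVENTS = """\
2024-01-10T10:00:01Z WS-014 C:\\Users\\jdoe\\Documents\\INC-README.html
2024-01-10T10:00:02Z WS-014 C:\\Users\\jdoe\\Documents\\Q4\\INC-README.html
2024-01-10T10:00:02Z WS-014 C:\\Users\\jdoe\\Pictures\\INC-README.html
2024-01-10T10:00:03Z WS-014 C:\\Users\\jdoe\\Desktop\\INC-README.html
2024-01-10T10:00:04Z WS-014 D:\\Shares\\Finance\\INC-README.html
2024-01-10T10:00:05Z WS-014 D:\\Shares\\HR\\INC-README.html
2024-01-10T10:00:09Z WS-022 C:\\Users\\asmith\\Documents\\report.docx
2024-01-10T11:30:00Z WS-022 C:\\Users\\asmith\\Desktop\\notes.html
"""


def _ts(value):
    """Parse the constructed ISO-8601 timestamp (trailing Z) into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_process_events(text):
    """Split each line into ts/host/user/image; the image path may contain spaces."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, host, user, image = line.split(" ", 3)
            events.append({"ts": _ts(ts), "host": host, "user": user, "image": image})
    return events


def parse_file_events(text):
    """Split each line into ts/host/path; the path may contain spaces."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, host, path = line.split(" ", 2)
            events.append({"ts": _ts(ts), "host": host, "path": path})
    return events


def detect_inc_tooling(events):
    """Return one alert per process event whose image basename is in INC_TOOLING."""
    alerts = []
    for ev in events:
        name = ntpath.basename(ev["image"]).lower()
        if name in INC_TOOLING:
            alerts.append({"host": ev["host"], "user": ev["user"], "tool": name, "ts": ev["ts"]})
    return alerts


def detect_note_spray(events, min_dirs=5, window=timedelta(minutes=2)):
    """Alert when the same filename is created in >= min_dirs distinct folders on
    one host within `window`. One alert per (host, filename) pair."""
    by_key = defaultdict(list)
    for ev in events:
        by_key[(ev["host"], ntpath.basename(ev["path"]).lower())].append(ev)
    alerts = []
    for (host, name), evs in by_key.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):  # sliding window anchored at each event
            dirs = set()
            for ev in evs[i:]:
                if ev["ts"] - start["ts"] > window:
                    break
                dirs.add(ntpath.dirname(ev["path"]).lower())
            if len(dirs) >= min_dirs:
                alerts.append({"host": host, "note": name, "dirs": len(dirs), "first": start["ts"]})
                break
    return alerts


if __name__ == "__main__":
    for a in detect_inc_tooling(parse_process_events(PROCESS_EVENTS)):
        print(f"[tooling] {a['ts']} {a['host']} {a['user']} ran {a['tool']}")
    for a in detect_note_spray(parse_file_events(FILE_EVENTS)):
        print(f"[note-spray] {a['first']} {a['host']} {a['note']} in {a['dirs']} folders")
```

The note-spray rule keys on filename rather than content, so it also fires on legitimate mass file drops (software deployments, backup agents); raising `min_dirs` or excluding known deployment paths is the usual tuning.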

Victims are instructed to contact the attackers via their Tor-based portal. Each victim is assigned a personal ID within their ransom note, which they are to use upon visiting the payment site.


INC Ransomware Group Threat Reports

Investigating New INC Ransom Group Activity

This blog post from Huntress discusses the ransomware group known as 'INC', breaking down the stages of an attack day by day. The Huntress team ...

MITRE ATT&CK Techniques

MITRE ATT&CK techniques observed in use by this intrusion set.

ATT&CK ID | Title                             | Associated Tactics
T1078.002 | Domain Accounts                   | Defense Evasion, Initial Access, Persistence, Privilege Escalation
T1021.001 | Remote Desktop Protocol           | Lateral Movement
T1560.001 | Archive via Utility               | Collection
T1482     | Domain Trust Discovery            | Discovery
T1047     | Windows Management Instrumentation | Execution
T1059.001 | PowerShell                        | Execution
T1003.001 | LSASS Memory                      | Credential Access
T1059.003 | Windows Command Shell             | Execution
T1567.002 | Exfiltration to Cloud Storage     | Exfiltration
T1021.002 | SMB/Windows Admin Shares          | Lateral Movement