INC Ransomware is an opportunistic cybercriminal group active since mid-2023. Known for its rapid proliferation and impact across various industries, it combines exploitation of exposed edge devices with hands-on-keyboard intrusion and double extortion (data theft followed by encryption) against high-value targets.
Tactics, Techniques, and Procedures (TTPs): INC Ransomware employs a mix of TTPs that map to the following MITRE ATT&CK tactics and techniques:
- Initial Access: Spear-phishing and exploitation of vulnerabilities such as CVE-2023-3519 in Citrix NetScaler, which allows for arbitrary code execution.
- Execution: Use of Command and Scripting Interpreter (T1059).
- Persistence: Maintained through Valid Accounts (T1078), i.e. the legitimate credentials obtained during the intrusion. (MEGAsync, noted under Exfiltration below, is a data-transfer tool, not a persistence mechanism.)
- Privilege Escalation, Defense Evasion and Lateral Movement: Reuse of legitimate credentials and built-in administrative tools, which blends the operators' activity in with normal administration and lets them move between hosts without deploying obvious malware.
- Discovery: Techniques including File and Directory Discovery (T1083) and System Information Discovery (T1082).
- Collection: Data from multiple parts of the network is aggregated before exfiltration.
- Exfiltration: Data is typically exfiltrated using MEGAsync.
- Impact: Data Encrypted for Impact (T1486), preceded by Service Stop (T1489) to release file locks held by databases and backup agents, and Inhibit System Recovery (T1490) to remove shadow copies and other local recovery options so victims cannot restore without paying.
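The Impact and Exfiltration techniques above are the noisiest part of an INC intrusion, because each one leaves a distinctive process-creation event. The following is an added detection example (not code from the original page or from any INC sample analysis): it runs a small rule set for T1489, T1490 and exfiltration via the MEGAsync client (T1567.002, Exfiltration to Cloud Storage) over constructed, Sysmon-style process-creation records, and then scores hosts on which several distinct precursor behaviours appear. The event schema, hostnames, usernames and command lines are all constructed for this example.

```python
import re
from dataclasses import dataclass

# Constructed sample of process-creation events, simplified from the fields a
# Sysmon Event ID 1 record carries. Not real telemetry.
SAMPLE_EVENTS = [
    {"host": "FS01", "user": "CORP\\jdoe",
     "image": "C:\\Users\\jdoe\\AppData\\Local\\MEGAsync\\MEGAsync.exe",
     "cmdline": "\"C:\\Users\\jdoe\\AppData\\Local\\MEGAsync\\MEGAsync.exe\""},
    {"host": "WS01", "user": "CORP\\jdoe",
     "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "WS01", "user": "CORP\\jdoe",
     "image": "C:\\Windows\\System32\\bcdedit.exe",
     "cmdline": "bcdedit /set {default} recoveryenabled no"},
    {"host": "SRV02", "user": "CORP\\svc_backup",
     "image": "C:\\Windows\\System32\\net.exe",
     "cmdline": "net stop \"SQLSERVERAGENT\" /y"},
    {"host": "WS03", "user": "CORP\\asmith",
     "image": "C:\\Windows\\System32\\notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
]

# (ATT&CK ID, rule description, pattern matched against image + command line).
# Patterns are generic ransomware-precursor commands, not INC-specific IOCs.
RULES = [
    ("T1490", "Shadow copy deletion via vssadmin",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("T1490", "Windows recovery disabled via bcdedit",
     re.compile(r"bcdedit(\.exe)?.*recoveryenabled\s+no", re.I)),
    ("T1490", "Backup catalog deletion via wbadmin",
     re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
    ("T1489", "Service stopped from the command line",
     re.compile(r"\bnet1?(\.exe)?\s+stop\b|\bsc(\.exe)?\s+stop\b", re.I)),
    ("T1567.002", "MEGAsync client executed (possible cloud exfiltration)",
     re.compile(r"megasync(\.exe)?", re.I)),
]


@dataclass(frozen=True)
class Finding:
    technique: str
    description: str
    host: str
    user: str
    cmdline: str


def match_events(events):
    """Apply every rule to every event; one Finding per (event, rule) hit."""
    findings = []
    for ev in events:
        text = ev["image"] + " " + ev["cmdline"]
        for technique, description, pattern in RULES:
            if pattern.search(text):
                findings.append(Finding(technique, description,
                                        ev["host"], ev["user"], ev["cmdline"]))
    return findings


def score_hosts(findings):
    """Severity per host: 'high' when two or more distinct rules fired on the
    same host (e.g. shadow copies deleted and recovery disabled), otherwise
    'medium'. A single hit can be benign administration; the combination is
    the stronger signal that encryption is imminent."""
    rules_per_host = {}
    for f in findings:
        rules_per_host.setdefault(f.host, set()).add(f.description)
    return {host: ("high" if len(rules) >= 2 else "medium")
            for host, rules in rules_per_host.items()}


if __name__ == "__main__":
    hits = match_events(SAMPLE_EVENTS)
    for f in hits:
        print(f"{f.host:6} {f.technique:10} {f.description}: {f.cmdline}")
    print(score_hosts(hits))
```

The MEGAsync rule deserves a caveat: the client is legitimate software, so it is only a useful alert where policy forbids personal cloud-storage clients on servers and endpoints; where it is permitted, pair the rule with an outbound-volume threshold instead. The T1489 and T1490 commands, by contrast, are rarely run interactively by administrators and warrant a page-out on their own, with the host-level score used to prioritise which machine to isolate first.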
Notable Breaches:
- NHS Dumfries and Galloway: Three terabytes of sensitive data were stolen.
- Xerox Business Solutions: Sensitive corporate data compromised.
- Yamaha Motor Philippines: Employee and operational data leaked.
- Other Targets: Including WellLife Network, Decatur Independent School District, Guardian Alarm, EFU Life Assurance, and Global Export Marketing, reflecting the group’s indiscriminate targeting strategy (SecurityWeek) (BleepingComputer).
INC Ransomware does not exhibit a specific geographical focus, targeting organizations worldwide that possess valuable data and are perceived as likely to pay ransoms. Industries targeted include healthcare, technology, education, and government entities, underscoring the group’s opportunistic approach.
Security Recommendations: Organizations are advised to:
- Patch and update systems regularly, especially known vulnerabilities like CVE-2023-3519.
- Implement robust email filtering and anti-phishing training to mitigate the risk of spear-phishing.
- Employ multi-factor authentication and least privilege policies to reduce the impact of credential compromise.
- Regularly back up data, keep copies offline or in immutable storage that domain credentials cannot delete (the group's use of Inhibit System Recovery means on-host shadow copies will not survive), and test restores.