INC Ransom is a ransomware and data extortion threat group associated with the deployment of INC Ransomware that has been active since at least July 2023. INC Ransom has targeted organizations worldwide, most commonly in the industrial, healthcare, and education sectors in the US and Europe.[1][2][3][4]
| Name | Description |
|---|---|
| GOLD IONIC | |
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1047 | Windows Management Instrumentation | INC Ransom has used WMIC to deploy ransomware.[2][5][6] |
| Enterprise | T1537 | Transfer Data to Cloud Account | INC Ransom has used Megasync to exfiltrate data to the cloud.[3] |
| Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | INC Ransom has named a PsExec executable winupd to mimic a legitimate Windows update file.[5][6] |
| Enterprise | T1190 | Exploit Public-Facing Application | INC Ransom has exploited known vulnerabilities including CVE-2023-3519 in Citrix NetScaler for initial access.[6][4] |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | INC Ransom has used |
| Enterprise | T1562.001 | Impair Defenses: Disable or Modify Tools | INC Ransom can use SystemSettingsAdminFlows.exe, a native Windows utility, to disable Windows Defender.[7] |
| Enterprise | T1071 | Application Layer Protocol | INC Ransom has used valid accounts over RDP to connect to targeted systems.[5] |
| Enterprise | T1560.001 | Archive Collected Data: Archive via Utility | INC Ransom has used 7-Zip and WinRAR to archive collected data prior to exfiltration.[5][3][6][7] |
| Enterprise | T1074 | Data Staged | INC Ransom has staged data on compromised hosts prior to exfiltration.[5][6] |
| Enterprise | T1486 | Data Encrypted for Impact | INC Ransom has used INC Ransomware to encrypt victims' data.[4][5][1][3][2][6] |
| Enterprise | T1078 | Valid Accounts | INC Ransom has used compromised valid accounts for access to victim environments.[2][5][6][7] |
| Enterprise | T1069.002 | Permission Groups Discovery: Domain Groups | INC Ransom has enumerated domain groups on targeted hosts.[5] |
| Enterprise | T1570 | Lateral Tool Transfer | INC Ransom has used a rapid succession of copy commands to install a file encryption executable across multiple endpoints within compromised infrastructure.[5][3] |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | INC Ransom has uninstalled tools from compromised endpoints after use.[7] |
| Enterprise | T1569.002 | System Services: Service Execution | INC Ransom has run a file encryption executable via |
| Enterprise | T1049 | System Network Connections Discovery | INC Ransom has used RDP to test network connections.[6] |
| Enterprise | T1135 | Network Share Discovery | INC Ransom has used Internet Explorer to view folders on other systems.[5] |
| Enterprise | T1046 | Network Service Discovery | INC Ransom has used NETSCAN.EXE for internal reconnaissance.[6][4] |
| Enterprise | T1588.002 | Obtain Capabilities: Tool | INC Ransom has acquired and used several tools including MegaSync, AnyDesk, esentutl and PsExec.[2][5][6][7][4] |
| Enterprise | T1657 | Financial Theft | INC Ransom has stolen and encrypted victims' data in order to extort payment for keeping it private or decrypting it.[2][1][3][6][4] |
| Enterprise | T1087.002 | Account Discovery: Domain Account | INC Ransom has scanned for domain admin accounts in compromised environments.[6] |
| Enterprise | T1105 | Ingress Tool Transfer | INC Ransom has downloaded tools to compromised servers, including Advanced IP Scanner.[5][7] |
| Enterprise | T1021.001 | Remote Services: Remote Desktop Protocol | INC Ransom has used RDP to move laterally.[2][5][6][7] |
| Enterprise | T1219 | Remote Access Software | INC Ransom has used AnyDesk and PuTTY on compromised systems.[5][6][7][4] |
| Enterprise | T1566 | Phishing | INC Ransom has used phishing to gain initial access.[6][4] |
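Several rows in the table above (T1047 WMIC deployment, T1036.005 PsExec renamed to winupd, T1562.001 SystemSettingsAdminFlows.exe against Defender, T1570 a burst of copy commands pushing the encryptor to many endpoints) describe behaviour that is visible in process-creation telemetry. The script below is an added detection example, not code from the ATT&CK page or from any of its cited reports. It runs four toy rules over Sysmon Event ID 1-style records. The sample events are constructed for illustration; the `Defender` argument pattern for SystemSettingsAdminFlows.exe and the `psexec.c` OriginalFileName check are assumptions stated in the comments, and the 60-second / 3-host burst threshold is an arbitrary starting point to tune against your own environment.

```python
"""Toy detections for INC Ransom-style tradecraft over Sysmon Event ID 1 records.

Added example (not from the ATT&CK page). Events are dicts carrying a subset of
Sysmon process-creation fields: UtcTime, Computer, Image, OriginalFileName, CommandLine.
"""
import re
import ntpath
from collections import defaultdict
from datetime import datetime, timedelta

TIME_FMT = "%Y-%m-%d %H:%M:%S"

# UNC path into an administrative share, e.g. \\HOST\C$\... or \\HOST\ADMIN$\...
ADMIN_SHARE_RE = re.compile(r"\\\\([A-Za-z0-9._-]+)\\(?:ADMIN\$|[A-Za-z]\$)", re.IGNORECASE)

# Constructed sample telemetry, not real events.
SAMPLE_EVENTS = [
    {"UtcTime": "2024-03-01 10:00:00", "Computer": "FS01", "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "OriginalFileName": "wmic.exe", "CommandLine": r'wmic /node:FS02 process call create "C:\Windows\Temp\enc.exe"'},
    {"UtcTime": "2024-03-01 10:01:00", "Computer": "FS01", "Image": r"C:\Windows\Temp\winupd.exe",
     "OriginalFileName": "psexec.c", "CommandLine": r"winupd.exe \\FS03 -s -d C:\Windows\Temp\enc.exe"},
    {"UtcTime": "2024-03-01 10:02:00", "Computer": "WS07", "Image": r"C:\Windows\System32\SystemSettingsAdminFlows.exe",
     "OriginalFileName": "SystemSettingsAdminFlows.exe", "CommandLine": "SystemSettingsAdminFlows.exe Defender ..."},
    {"UtcTime": "2024-03-01 10:05:00", "Computer": "FS01", "Image": r"C:\Windows\System32\cmd.exe",
     "OriginalFileName": "Cmd.Exe", "CommandLine": r"cmd.exe /c copy C:\Windows\Temp\enc.exe \\FS02\C$\Windows\Temp\enc.exe"},
    {"UtcTime": "2024-03-01 10:05:03", "Computer": "FS01", "Image": r"C:\Windows\System32\cmd.exe",
     "OriginalFileName": "Cmd.Exe", "CommandLine": r"cmd.exe /c copy C:\Windows\Temp\enc.exe \\FS03\C$\Windows\Temp\enc.exe"},
    {"UtcTime": "2024-03-01 10:05:07", "Computer": "FS01", "Image": r"C:\Windows\System32\xcopy.exe",
     "OriginalFileName": "XCOPY.EXE", "CommandLine": r"xcopy C:\Windows\Temp\enc.exe \\WS07\ADMIN$\Temp\ /Y"},
    {"UtcTime": "2024-03-01 10:06:00", "Computer": "WS02", "Image": r"C:\Windows\System32\notepad.exe",
     "OriginalFileName": "NOTEPAD.EXE", "CommandLine": "notepad.exe notes.txt"},
]


def _basename(image):
    return ntpath.basename(image).lower()


def detect_renamed_psexec(ev):
    # Assumption: Sysinternals PsExec's version resource reports OriginalFilename "psexec.c".
    # Running under any other image name (the page cites winupd) is a masquerade.
    if ev.get("OriginalFileName", "").lower() == "psexec.c" and not _basename(ev["Image"]).startswith("psexec"):
        return f"PsExec running as {_basename(ev['Image'])}"
    return None


def detect_wmic_process_create(ev):
    cmd = ev["CommandLine"].lower()
    if _basename(ev["Image"]) == "wmic.exe" and all(t in cmd for t in ("process", "call", "create")):
        scope = "remote" if "/node:" in cmd else "local"
        return f"{scope} WMIC process creation"
    return None


def detect_defender_tamper(ev):
    # Assumption: the page gives no exact arguments, so match any Defender-related invocation.
    if _basename(ev["Image"]) == "systemsettingsadminflows.exe" and "defender" in ev["CommandLine"].lower():
        return "SystemSettingsAdminFlows.exe invoked with Defender arguments"
    return None


PER_EVENT_RULES = {
    "masquerade_psexec": detect_renamed_psexec,
    "wmic_process_create": detect_wmic_process_create,
    "defender_tamper": detect_defender_tamper,
}


def copy_targets(ev):
    """Hosts whose admin shares receive files from a copy/xcopy/robocopy command."""
    name = _basename(ev["Image"])
    cmd = ev["CommandLine"]
    is_copy = name in ("xcopy.exe", "robocopy.exe") or (name == "cmd.exe" and re.search(r"\bcopy\b", cmd, re.I))
    if not is_copy:
        return set()
    return {m.group(1).upper() for m in ADMIN_SHARE_RE.finditer(cmd)}


def detect_copy_bursts(events, window=timedelta(seconds=60), min_hosts=3):
    """Flag a source host that copies to >= min_hosts distinct admin shares within `window`."""
    per_source = defaultdict(list)
    for ev in events:
        for host in copy_targets(ev):
            per_source[ev["Computer"]].append((datetime.strptime(ev["UtcTime"], TIME_FMT), host))
    alerts = []
    for src, hits in per_source.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):  # sliding window anchored at each copy
            hosts = {h for t, h in hits[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                alerts.append({"rule": "lateral_copy_burst", "computer": src,
                               "detail": f"copied to {len(hosts)} admin shares within "
                                         f"{int(window.total_seconds())}s: {sorted(hosts)}"})
                break
    return alerts


def analyze(events):
    """Run every rule and return a list of alert dicts (rule, computer, detail)."""
    alerts = []
    for ev in events:
        for rule, fn in PER_EVENT_RULES.items():
            detail = fn(ev)
            if detail:
                alerts.append({"rule": rule, "computer": ev["Computer"], "detail": detail})
    alerts.extend(detect_copy_bursts(events))
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_EVENTS):
        print(f"[{a['rule']}] {a['computer']}: {a['detail']}")
```

Against the constructed sample, `analyze` raises four alerts: the remote WMIC process creation and the renamed PsExec on FS01, the Defender tampering on WS07, and a lateral copy burst from FS01 to three admin shares within seven seconds. The burst rule keys on the source host rather than on any single command, which is what distinguishes the "rapid succession of copy commands" in the T1570 row from routine administrative file copies; raise `min_hosts` or shrink `window` if your fleet management tooling legitimately fans files out this way.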