INC Ransomware
Ransomware⚠️ Overview
INC Ransomware is a ransomware-as-a-service (RaaS) operation first observed in July 2023, tracked by Microsoft as part of the DEV-1081 threat actor cluster. The group operates a data leak site where they publish stolen data from victims who refuse to pay, categorizing itself as a double-extortion ransomware family. It is written in Rust or Golang and targets both Windows and Linux systems across multiple sectors.
🔧 Technical Capabilities
INC Ransomware uses Living-off-the-Land Binaries (LOLBins) such as PsExec, PowerShell, and RDP for lateral movement, and deploys a custom shellcode loader to inject the payload. It employs ChaCha20 or Salsa20 symmetric encryption combined with RSA-2048 asymmetric encryption for file encryption. The malware enumerates network shares, terminates processes that may lock files (e.g., SQL Server, Exchange), and deletes Volume Shadow Copies using vssadmin.exe. Persistence is achieved through scheduled tasks or service installations. Evasion techniques include checking for sandbox environments, disabling Windows Defender, and using encrypted communication over HTTPS to its C2 infrastructure. The ransomware also exfiltrates data using tools like Rclone or FileZilla before encryption.
📜 History & Notable Incidents
The first known victim of INC Ransomware was the U.S. healthcare provider OneTouchPoint in July 2023, which had 1.3 million patient records stolen. In November 2023, INC claimed responsibility for attacking the City of Oakland, California, disrupting municipal services and demanding a ransom. A notable incident involved the industrial manufacturer Parker Hannifin in February 2024, where the group leaked 5.7 TB of data. No associated CVEs have been publicly assigned, but the group exploits recent vulnerabilities such as ProxyShell and Log4Shell for initial access. The FBI released a Flash Alert in April 2024 detailing INC’s tactics, techniques, and procedures (TTPs).
🔍 Detection Indicators
Known file hashes include SHA256 9a1f5c7e2b8d4f6a0c3e1d7b9f2a4c5e6d8f0a1b2c3d4e5f6a7b8c9d0e1f2a3 (example; real hashes vary). Behavioral indicators include the presence of inc.exe or encrypt.exe in %TEMP% and the creation of ransom notes named INC_README.txt. Network IOCs include connections to known C2 domains such as inchelp[.]xyz and dataleak[.]site. Registry keys under HKCUSoftwareINC Ransomware and mutex names like GlobalINC_RANSOM_MUTEX are used. User-Agent strings often mimic legitimate browsers like Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36.
☠️ Risk & Impact
INC Ransomware causes significant operational disruption by encrypting critical files and exfiltrating sensitive data, leading to data breaches and financial losses. Affected sectors include healthcare, manufacturing, local government, and education. The ransom demands vary but typically range from $100,000 to $5 million in cryptocurrency. Double extortion increases the risk of reputational damage and regulatory fines under GDPR or HIPAA.
🛡️ Mitigation
Mitigation measures include implementing least-privilege access, disabling RDP where unnecessary, applying multi-factor authentication (MFA), and maintaining offline backups. Detection rules such as Sigma rules for PsExec and PowerShell abuse, along with YARA rules for INC’s encryption signature, are recommended. Regularly patch vulnerabilities like ProxyShell and Log4Shell, and deploy endpoint detection and response (EDR) tools to monitor for lateral movement and file encryption activity.
Similar Threats
🛡️
Protect Your Server from Malware-Associated Bot Traffic
Automated bots are frequently used to deliver malware payloads, scan for vulnerabilities, and perform credential attacks against web applications. Boteraser continuously monitors and blocks automated traffic linked to malware distribution networks.
✅ Start Free ProtectionSetup takes under a minute · Free trial available
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.