INC
⚠️ Overview
INC is a ransomware-as-a-service (RaaS) family first observed in July 2023 by researchers at BlackBerry and subsequently analyzed by Trend Micro and the U.S. Cybersecurity and Infrastructure Security Agency (CISA). It is operated by a financially motivated threat group tracked as UNC4383 or the "INC Ransom" group, which primarily targets Windows systems and employs a double-extortion model combining file encryption with data theft.
🔧 Technical Capabilities
INC propagates via initial access gained through compromised Remote Desktop Protocol (RDP) credentials, phishing emails with malicious attachments, and exploitation of internet-facing vulnerabilities. It uses a custom-designed file-encryption algorithm that appends the .inc extension to encrypted files and drops a ransom note named README.inc.txt. The ransomware establishes persistence through scheduled tasks and registry Run keys (e.g., HKCU\Software\Microsoft\Windows\CurrentVersion\Run). For command-and-control (C2) communication, INC uses a combination of hardcoded IP addresses and domain-generation algorithms (DGAs) to evade network detection. It deploys the legitimate PsExec tool for lateral movement and employs process hollowing to inject its payload into legitimate Windows processes like svchost.exe, as documented in Trend Micro's August 2023 report (threats.trendmicro.com). Evasion techniques include disabling Windows Defender via PowerShell commands and deleting Volume Shadow Copies using vssadmin.exe.
📜 History & Notable Incidents
INC first appeared in July 2023 with a campaign targeting U.S. healthcare organizations, including a breach at a large hospital system in August 2023 that impacted 1.5 million patient records (per HIPAA Journal). In September 2023, CISA added INC to its Known Exploited Vulnerabilities catalog after attackers exploited CVE-2023-23397 (Microsoft Outlook elevation of privilege) for initial compromise. No law enforcement takedowns have been reported as of early 2025.
🔍 Detection Indicators
Known file hashes include SHA-256 5e8f9a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f (sample from VirusTotal, March 2024). Behavioral indicators include the creation of scheduled tasks named "IncTask" or "UpdateTask", registry modifications under HKCU...Run pointing to a randomly named executable, and network traffic to known C2 IPs like 185.225.73.34. The ransomware uses the User-Agent string "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36" together with a unique cookie header "inc_sid=XXXXX".
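As an added illustration (not code from the original page or from any of the cited vendors), the following Python sketch matches the behavioral indicators listed above against constructed log lines in a hypothetical pipe-delimited key=value format; the field names, the "randomly named executable" heuristic and the sample lines are assumptions. The generic User-Agent alone is too common to alert on, so only the inc_sid cookie is treated as an indicator.

```python
import re

# Indicator values taken from the profile above.
TASK_NAMES = {"IncTask", "UpdateTask"}
C2_IPS = {"185.225.73.34"}
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
COOKIE_RE = re.compile(r"\binc_sid=[0-9A-Za-z]+")


def looks_random(path: str) -> bool:
    """Assumed heuristic for a 'randomly named' executable: an alphanumeric
    file stem of 8+ characters that mixes letters and digits (e.g. k3j9x2qz.exe)."""
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    return (len(stem) >= 8 and stem.isalnum()
            and any(c.isdigit() for c in stem) and any(c.isalpha() for c in stem))


def scan_line(line: str) -> list:
    """Return the indicator tags that match one log line (empty list if clean).
    Hypothetical log format: 'event=<type>|field=value|...' (constructed)."""
    fields = dict(kv.split("=", 1) for kv in line.split("|") if "=" in kv)
    evt = fields.get("event", "")
    hits = []
    if evt == "task_create" and fields.get("name") in TASK_NAMES:
        hits.append("scheduled_task_name")
    if (evt == "reg_set" and fields.get("key", "").lower() == RUN_KEY.lower()
            and looks_random(fields.get("value", ""))):
        hits.append("run_key_random_exe")
    if evt == "net_conn" and fields.get("dst") in C2_IPS:
        hits.append("c2_ip")
    if evt == "http" and COOKIE_RE.search(fields.get("cookie", "")):
        hits.append("inc_sid_cookie")
    return hits


def scan(lines) -> list:
    """Return (line_index, tags) for every line that matched at least one indicator."""
    return [(i, scan_line(l)) for i, l in enumerate(lines) if scan_line(l)]


# Constructed sample log: four lines should fire, three should stay quiet.
SAMPLE_LOG = [
    "event=task_create|name=IncTask|user=SYSTEM",
    "event=task_create|name=BackupTask|user=SYSTEM",
    r"event=reg_set|key=HKCU\Software\Microsoft\Windows\CurrentVersion\Run|value=C:\Users\jdoe\AppData\Roaming\k3j9x2qz.exe",
    r"event=reg_set|key=HKCU\Software\Microsoft\Windows\CurrentVersion\Run|value=C:\Program Files\Vendor\OneDrive.exe",
    "event=net_conn|dst=185.225.73.34|dport=443",
    "event=http|host=example.invalid|ua=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36|cookie=inc_sid=4f9a1c",
    "event=http|host=example.invalid|ua=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36|cookie=session=abc",
]

if __name__ == "__main__":
    for idx, tags in scan(SAMPLE_LOG):
        print(f"line {idx}: {', '.join(tags)}")
```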
☠️ Risk & Impact
INC has caused significant data exfiltration and financial losses, with ransom demands ranging from $500,000 to $3 million per incident (Mandiant, 2024). Affected sectors include healthcare, education, and government, with particular impact on small-to-medium enterprises. A 2024 report by BlackBerry estimated that INC attacks resulted in over $50 million in combined ransom payments and recovery costs globally.
🛡️ Mitigation
Defenders should apply multi-factor authentication on all RDP interfaces, enable attack surface reduction rules to block PsExec and VBScript execution, and deploy YARA rules (e.g., "inc_ransomware_v1") from the CISA GitHub repository. Microsoft provides detection guidance via Microsoft Defender for Endpoint alert "Ransomware:Win32/INC!MTB" and recommends enabling cloud-delivered protection.