The INC ransomware group has rapidly escalated into a major global threat since its emergence in mid-2023. Within a short span, the group has victimized over 800 entities, placing it prominently among the top ransomware threats of the year. Operating under a Ransomware-as-a-Service (RaaS) model, INC recruits affiliates and equips them with sophisticated tools to execute widespread attacks.
Strategic Evolution and Target Expansion
INC’s capabilities have grown through continuous technical enhancements that make its activity harder for security tools to detect. Initially focusing on healthcare and education, the group has broadened its reach to include legal firms, manufacturing, construction, and tech companies. This strategic shift indicates a focus on sectors exposed to regulatory pressure, which increases the likelihood of ransom payments.
Recent analyses by Acronis reveal significant advancements in INC’s toolkit and infrastructure. Their report, shared with Cyber Security News (CSN), highlights the group’s complete rewrite of Windows and Linux/ESXi encryptors using Rust. This development underscores a commitment to cross-platform attack strategies, enhancing the group’s operational adaptability.
Technical Advancements and Implications
The shift to Rust-based encryptors is a pivotal development, allowing the group to maintain a single codebase while targeting diverse system environments. Rust binaries also complicate reverse engineering because of their distinctive code structure, which older analysis tools handle poorly.
Improvements in INC’s Windows encryptor include automated database connection retrieval and a zero SQL server for targeting Veeam backup systems. The Linux/ESXi variant efficiently targets VMware setups, optimizing encryption speed by distinguishing between local and network storage.
Both encryptors employ partial encryption based on file size, expediting the process while ensuring critical system files remain intact, thus keeping ransom notes visible. Command-line configurability grants affiliates precise control over each attack.
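Partial encryption defeats the simplest triage check, whole-file entropy, because most of the file is left untouched. The following added example (not code from the article or from Acronis) shows the windowed variant defenders use instead: it measures Shannon entropy per fixed-size window and flags files whose windows are a mix of high- and low-entropy regions, the signature of a file that was only partly encrypted. The window size, threshold and the constructed sample files are this example's own assumptions.

```python
import math
import random
from collections import Counter

CHUNK_SIZE = 4096        # bytes per window (assumed)
HIGH_ENTROPY = 7.5       # bits/byte; encrypted or compressed data sits near 8.0
MIN_CHUNK = 256          # a shorter trailing window has too few bytes to judge


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of `data` in bits per byte (0.0 for empty input)."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def chunk_entropies(data: bytes, chunk_size: int = CHUNK_SIZE,
                    min_chunk: int = MIN_CHUNK) -> list:
    """Entropy of each fixed-size window; a short tail is dropped unless it is the whole file."""
    chunks = [data[i:i + chunk_size] for i in range(0, len(data), chunk_size)]
    if len(chunks) > 1 and len(chunks[-1]) < min_chunk:
        chunks.pop()
    return [shannon_entropy(c) for c in chunks]


def classify(data: bytes, chunk_size: int = CHUNK_SIZE,
             threshold: float = HIGH_ENTROPY) -> str:
    """'full' if every window is high-entropy, 'plain' if none is, 'partial' otherwise."""
    high = [e >= threshold for e in chunk_entropies(data, chunk_size)]
    if not high or not any(high):
        return "plain"
    if all(high):
        return "full"
    return "partial"


def build_samples(seed: int = 1) -> dict:
    """Constructed test files (assumed, not real victim data): a plaintext log,
    the same log with its first 16 KiB replaced by random bytes, and a fully
    random file standing in for a completely encrypted one."""
    rng = random.Random(seed)
    plain = b"2024-06-01 INFO backup job completed successfully for volume C\n" * 1024
    partial = rng.randbytes(16384) + plain[16384:]
    full = rng.randbytes(len(plain))
    return {"plain": plain, "partial": partial, "full": full}


if __name__ == "__main__":
    for name, blob in build_samples().items():
        ents = chunk_entropies(blob)
        print(f"{name:8} windows={len(ents)} min={min(ents):.2f} "
              f"max={max(ents):.2f} -> {classify(blob)}")
```

Treat the result as a triage signal, not a verdict: compressed formats (archives, images, media) are legitimately high-entropy throughout, so a scanner built on this should exclude those types by magic bytes and compare against a baseline of the same file before the incident window.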
Operational Tactics and Security Recommendations
Beyond encryption tools, INC affiliates use legitimate remote access software and commercial tools to move through victim networks stealthily. Tools such as Cobalt Strike, AnyDesk, and TeamViewer blend in with normal IT activity to evade detection. Additionally, scripts and utilities like PsKill are used to disable endpoint defenses before the final payload is deployed.
For credential theft, INC leverages modified scripts to bypass newer Veeam backups’ security. Compressed stolen data is exfiltrated using tools like rclone. Security teams are advised to enforce multi-factor authentication, patch known vulnerabilities, and maintain isolated offline backups.
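Because the tools named above are legitimate, detection has to key on context (which host, which account, which arguments) rather than on the binary alone. The following added example (not code from the article) applies three such rules to constructed process-creation events in JSON-lines form: any execution of PsKill, rclone transfers whose destination is a configured remote (as opposed to a local drive), and remote-access software on hosts outside a helpdesk allow-list. The field names, severities, allow-list and sample events are this example's own assumptions.

```python
import json
import re
from dataclasses import dataclass

# Tool names are taken from the article; everything else here is assumed.
REMOTE_ACCESS_TOOLS = {"anydesk.exe", "teamviewer.exe"}
PROCESS_KILL_TOOLS = {"pskill.exe", "pskill64.exe"}
EXFIL_TOOLS = {"rclone.exe", "rclone"}
# Hosts where the helpdesk legitimately runs remote-access software (assumed).
REMOTE_ACCESS_ALLOWED_HOSTS = {"WS-HELPDESK3"}

# An rclone remote is written "<name>:<path>". Requiring two or more characters
# before the colon keeps Windows drive letters ("C:\...") from matching, and the
# negative lookahead excludes URLs such as https://.
RCLONE_REMOTE = re.compile(r"(?<![A-Za-z0-9])[A-Za-z][A-Za-z0-9_-]+:(?!//)\S*")
RCLONE_TRANSFER_VERB = re.compile(r"\b(copy|sync|move)\b", re.IGNORECASE)


@dataclass
class Alert:
    severity: str
    rule: str
    host: str
    detail: str


def basename(image_path: str) -> str:
    """Last component of a Windows or POSIX path, lower-cased."""
    return re.split(r"[\\/]", image_path)[-1].lower()


def evaluate(event: dict) -> list:
    """Apply the detection rules to one process-creation event."""
    image = basename(event.get("image", ""))
    cmdline = event.get("cmdline", "")
    host = event.get("host", "?")
    alerts = []
    if image in PROCESS_KILL_TOOLS:
        alerts.append(Alert("high", "process_kill_tool", host, cmdline))
    if image in EXFIL_TOOLS:
        if RCLONE_TRANSFER_VERB.search(cmdline) and RCLONE_REMOTE.search(cmdline):
            alerts.append(Alert("high", "rclone_to_remote", host, cmdline))
        else:
            alerts.append(Alert("medium", "rclone_execution", host, cmdline))
    if image in REMOTE_ACCESS_TOOLS and host not in REMOTE_ACCESS_ALLOWED_HOSTS:
        alerts.append(Alert("medium", "remote_access_tool", host, cmdline))
    return alerts


def analyze(lines) -> list:
    """Run every rule over an iterable of JSON-lines events, skipping malformed lines."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # a bad line should not stop the pipeline
        alerts.extend(evaluate(event))
    return alerts


# Constructed sample telemetry (JSON lines); hosts, users and paths are made up.
SAMPLE_LOG = r"""
{"ts": "2024-06-01T02:13:44Z", "host": "FS01", "user": "CORP\\svc_backup", "image": "C:\\Windows\\Temp\\pskill64.exe", "cmdline": "pskill64.exe 4412"}
{"ts": "2024-06-01T02:15:02Z", "host": "FS01", "user": "CORP\\svc_backup", "image": "C:\\Users\\Public\\rclone.exe", "cmdline": "rclone.exe copy D:\\Finance\\archive.7z mega:incoming --transfers 8"}
{"ts": "2024-06-01T02:16:30Z", "host": "FS01", "user": "CORP\\svc_backup", "image": "C:\\Users\\Public\\AnyDesk.exe", "cmdline": "AnyDesk.exe"}
{"ts": "2024-06-01T09:01:11Z", "host": "WS-HELPDESK3", "user": "CORP\\jdoe", "image": "C:\\Program Files\\TeamViewer\\TeamViewer.exe", "cmdline": "TeamViewer.exe"}
{"ts": "2024-06-01T09:05:40Z", "host": "BK02", "user": "CORP\\backupadm", "image": "C:\\Tools\\rclone.exe", "cmdline": "rclone.exe sync C:\\exports D:\\backup"}
{"ts": "2024-06-01T09:06:00Z", "host": "BK02", "user": "NT AUTHORITY\\SYSTEM", "image": "C:\\Windows\\System32\\svchost.exe", "cmdline": "svchost.exe -k netsvcs"}
"""

if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG.splitlines()):
        print(f"[{a.severity:6}] {a.rule:20} {a.host:12} {a.detail}")
```

The rclone rule illustrates the general point: the same binary run by a backup administrator against a local drive is medium-severity context for an analyst, while a transfer to a cloud remote from a file server at 02:15 is what should page someone. In production the allow-list would be a lookup against an asset inventory rather than a constant, and the events would come from Sysmon event ID 1 or an EDR's process telemetry.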
The spread of INC’s source code into other ransomware families like Lynx and Knoba suggests a persistent threat landscape, despite disruptions in the original code seller’s operations. Continuous vigilance and adaptive security measures remain crucial for organizations to mitigate the impact of such sophisticated attacks.
