{
	"id": "45072b32-ac1c-4e3b-bc2a-980521362a68",
	"created_at": "2026-04-06T00:10:20.096891Z",
	"updated_at": "2026-04-10T13:12:36.35218Z",
	"deleted_at": null,
	"sha1_hash": "e11a0b81063e773aaf8d0e9fdb35d78a550ad249",
	"title": "INC Linux Ransomware - Sandboxing with ELFEN and Analysis",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1123426,
	"plain_text": "INC Linux Ransomware - Sandboxing with ELFEN and Analysis\r\nArchived: 2026-04-05 13:58:52 UTC\r\nSHA256: a0ceb258924ef004fa4efeef4bc0a86012afdb858e855ed14f1bbd31ca2e42f5\r\nVT link\r\nTable of Contents\r\nFamily Introduction\r\nSandboxing with ELFEN\r\nDetonation\r\nConsole Output\r\nTerminate VMs on ESXi Host\r\nOpen-Source Library Usage\r\nRansom Note\r\nEncryption\r\nCode Analysis\r\nCommand-line Parameters\r\nEncoded Ransom Note\r\nEncryption\r\nSummary\r\nReferences\r\nFamily Introduction\r\nINC Linux ransomware emerged in July 2023 and is operated by a group known by the same name, INC\r\nRansom . They are known to target multiple industries.\r\nSandboxing with ELFEN\r\nGenerally, a malware analyst performs sandboxing early in their workflow. The purpose of sandboxing is to\r\nquickly get a general idea of the malware sample’s capabilities - does it communicate over the network or encrypt\r\nfiles or establish persistence, etc. This information is useful in determining the next steps in the analysis workflow.\r\nI built the ELFEN sandbox to analyze Linux malware (file type: ELF ) and provide this information. It is open-source and easy to set up.\r\nDetonation\r\nThis INC ransomware variant accepts multiple command-line arguments as indicated by printable strings in the\r\nbinary:\r\nhttps://nikhilh-20.github.io/blog/inc_ransomware/\r\nPage 1 of 11\n\n$ strings a0ceb258924ef004fa4efeef4bc0a86012afdb858e855ed14f1bbd31ca2e42f5\r\n...\r\n...\r\n--debug\r\n--file\r\n--dir\r\n--daemon\r\n--esxi\r\n--motd\r\n--skip\r\n[*] Count of arguments: %d\r\n...\r\n...\r\nRansomware samples typically accept command-line arguments to specify the files and/or directories to encrypt.\r\nTo conduct effective sandboxing, it is necessary to identify the appropriate command-line arguments to provide at\r\nthe time of detonation. 
Identification can be done either by making an educated guess or by analyzing the code in a disassembler/decompiler of your choice.\r\nI made an educated guess and submitted the sample to the ELFEN sandbox with the following command-line parameters:\r\n--dir /vmfs/volumes --esxi --debug --motd\r\nThe analysis result summary is shown in the snap below:\r\nConsole Output\r\nIt is evident from the console output that the detonation was successful. The sample was able to encrypt files in the /vmfs/volumes directory and change the MOTD.\r\n[*] Count of arguments: 5\r\n [1] --dir\r\n [2] /vmfs/volumes\r\n [3] --esxi\r\n [4] --debug\r\n [5] --motd\r\n \r\n[+] Start killing ESXi servers! No skipping VMs (be careful with DC)\r\n[+] PID of child: 163\r\n[+] Waiting for finish child process!\r\n[+] /vmfs/volumes/8c24abb1-347d6a00-ee6f-2ea3f7f2bb5f/psiEgFyfQdlqQ/psiEgFyfQdlqQ.vmx added to thread pool!\r\n[+] /vmfs/volumes/8c24abb1-347d6a00-ee6f-2ea3f7f2bb5f/psiEgFyfQdlqQ/psiEgFyfQdlqQ.vmdk added to thread pool!\r\n[+] /vmfs/volumes/8c24abb1-347d6a00-ee6f-2ea3f7f2bb5f/psiEgFyfQdlqQ/psiEgFyfQdlqQ.vmxf added to thread pool!\r\n[+] Changing message of the day!\r\nTerminate VMs on ESXi Host\r\nThe sample writes bash code into a shell script called kill in the current working directory and executes it. The snap below shows the trace recorded by ELFEN.\r\nThe kill script is considered a dropped file by ELFEN and is available for download. Its contents are shown below:\r\n$ cat kill\r\nvim-cmd hostsvc/autostartmanager/enable_autostart 0; for i in $(vim-cmd vmsvc/getallvms | awk '{print $1}' | gre\r\nThe above code leverages ESXi’s vim-cmd utility to perform the following operations:\r\n1. It disables autostart for all VMs on the ESXi host.\r\n2. It lists all VMs on the ESXi host, powers them off to free file locks, and removes all their snapshots to inhibit recovery.\r\nELFEN traces the execution of various vim-cmd invocations:\r\nSome invocations are classified as suspicious (score \u003e= 30 and score \u003c 69).\r\nOpen-Source Library Usage\r\nThe sample leverages code from the Pithikos/C-Thread-Pool GitHub repository to implement a thread pool. ELFEN detects this usage through a Yara rule.\r\nELFEN records changes in the names of processes/threads, and these come from the thread pool implementation. While the open-source code uses thread names in the format thpool-\u003cnumber\u003e, the sample uses thread-pool-\u003cnumber\u003e. This change in name is detected by ELFEN as suspicious.\r\nRansom Note\r\nThe following snap shows the write trace of the ransom note. The sample writes it in both a txt and an html file. They can both be downloaded from ELFEN.\r\nThe ransom note is also used to modify the “Message of the Day” (MOTD) on the ESXi host; the sample does so by writing to the file /etc/motd.\r\nEncryption\r\nELFEN traces a few string-related libc functions, one of which is strstr. Ransomware frequently targets files with specific extensions while ignoring others. Looking at the trace below, one can make an educated guess that the sample is likely targeting files with the extensions .vmdk, .vmem, .vmx, .vswp, and .vmsn while ignoring those with the INC substring in their names, likely skipping already encrypted files.\r\nThe sample adds the string .INC as a file extension to encrypted files. ELFEN detects this as malicious behavior.\r\nCode Analysis\r\nCommand-line Parameters\r\nThe --esxi command-line parameter causes the sample to terminate VMs and remove their snapshots on the ESXi host through the vim-cmd utility, as we saw in the previous sections. The --skip parameter specifies VM IDs which should be excluded from this operation. In that case, the kill script is as shown below:\r\n$ cat kill\r\nvim-cmd hostsvc/autostartmanager/enable_autostart 0; for i in $(vim-cmd vmsvc/getallvms | awk '{print $1}' | gre\r\nThe --daemon parameter causes the sample to fork() itself and then set the child as the session leader using setsid(). This allows the child process to keep running if the parent process is killed.\r\nEncoded Ransom Note\r\nThe txt and html contents of the ransom note are hardcoded in base64 form in the sample. The function that base64-decodes the contents can be easily identified by ChatGPT.\r\nEncryption\r\nThe sample leverages code from the GitHub repo agl/curve25519-donna to generate a curve25519-donna shared key, which is then SHA512-hashed. The first 16 bytes of the SHA512 hash are used as the key for AES-128 encryption. The threat actor’s curve25519-donna public key is hardcoded in the sample in base64 form.\r\nThe sample employs intermittent encryption. It encrypts 1MB at a time every 6MB of the file. After encrypting the file contents, it appends the previously generated curve25519-donna public key (mypublic in the snaps above and below) and the INC string to the end of the file.\r\nThe threat actor can use their own curve25519-donna private key and the public key at the end of the encrypted file to generate the shared key. It can then be SHA512-hashed, where the first 16 bytes are the key to AES-128-decrypt the file contents.\r\nSummary\r\nThe INC ransomware variant used in this analysis has typical ransomware capabilities: terminating ESXi VMs, intermittent encryption leveraging asymmetric/symmetric cryptography, etc. The main goal of this analysis was to demonstrate the usage of the ELFEN sandbox to quickly get insights into a given malware sample.\r\nELFEN supports features such as:\r\nAnalysis and detection of Linux malware targeting x86-64, ARMv5, MIPS and PowerPC architectures.\r\nTracing files, processes, network-related syscalls and some libc string-related functions.\r\nPCAP capture and protocol analysis.\r\nMemory dumps and capturing dropped files\r\nand more!\r\nIf you’ve not already, give ELFEN a try!\r\nReferences\r\n1. ELFEN\r\n2. Malpedia\r\n3. Why we use setsid() while daemonizing a process?\r\n4. Inc. Ransom\r\n5. @MalwareHunterTeam\r\n6. ChatGPT\r\n7. GitHub agl/curve25519-donna\r\n8. AES key schedule\r\n9. AES Key Expansion\r\nSource: https://nikhilh-20.github.io/blog/inc_ransomware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://nikhilh-20.github.io/blog/inc_ransomware/"
	],
	"report_names": [
		"inc_ransomware"
	],
	"threat_actors": [
		{
			"id": "de5630ec-93e0-4ef5-9ac3-fe422789e03d",
			"created_at": "2024-11-01T02:00:52.730802Z",
			"updated_at": "2026-04-10T02:00:05.330644Z",
			"deleted_at": null,
			"main_name": "INC Ransom",
			"aliases": [
				"INC Ransom",
				"GOLD IONIC"
			],
			"source_name": "MITRE:INC Ransom",
			"tools": [
				"PsExec",
				"Nltest",
				"Rclone",
				"AdFind",
				"esentutl",
				"INC Ransomware"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434220,
	"ts_updated_at": 1775826756,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e11a0b81063e773aaf8d0e9fdb35d78a550ad249.pdf",
		"text": "https://archive.orkl.eu/e11a0b81063e773aaf8d0e9fdb35d78a550ad249.txt",
		"img": "https://archive.orkl.eu/e11a0b81063e773aaf8d0e9fdb35d78a550ad249.jpg"
	}
}