# Threat Alert: INC Ransomware

Author: Cybereason Security Research Team

Cybereason issues Threat Alerts to inform customers of emerging, impactful threats, including new ransomware actors such as the emergent group INC Ransom. Cybereason Threat Alerts summarize these threats and provide practical recommendations for protecting against them.

## KEY DETAILS

- Targets US & Western countries: Like many other ransomware groups, INC Ransom's operators appear to target mainly the United States and European countries.
- Partial encryption: To accelerate encryption, INC ransomware employs partial encryption combined with a multi-threading approach.
- Shares LockBit's blog design: The UIs of LockBit's and INC's leak blogs carry some key similarities.

## WHAT'S HAPPENING?

INC Ransom is a new ransomware group that emerged in August 2023, spreading ransomware of the same name. From the start of the operation until mid-September of the same year, the group leaked the data of more than a dozen victims on its blog, as other groups of this type do. The group exercises double and triple extortion on its victims. [The INC Ransom group was first observed by security researchers in early August](https://twitter.com/malwrhunterteam/status/1689029459255373826?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1689029459255373826%7Ctwgr%5E3c1ece7a60842b30436b7b6dadeb7ca042333bd8%7Ctwcon%5Es1_&ref_url=https%3A%2F%2Fwww.huntress.com%2Fblog%2Finvestigating-new-inc-ransom-group-activity) 2023. The group's victims are mostly businesses from the private sector, and the victim list [also includes a government organization and a charity association](https://twitter.com/BrettCallow/status/1704532305442910429). All known victims are exclusively from Western countries, with the majority from the United States and Europe (a single victim was from Singapore).
cybereason.com

*Figure: Segmentation Of Victims By Industry & Country Of Origin*

Throughout the negotiation with a victim, the group publishes a "proof pack" consisting of several photos of private data (employer's ID, professional charts, etc.) and additional information to motivate the victim to pay. In one case, the actor accused a victim of money laundering, implying that the victim had the money to pay the ransom of 160,000 USD. In another case, the threat actor threatened two of the victim's customers with a supply chain attack if the victim, an IT provider, did not pay the ransom.

INC Ransom's leak blog, besides hosting the published leaks, has light and dark UI options, a feedback box, and a link to the group's Twitter account. The leak blog's user interface carries some similarities to LockBit 3.0's ransomware leak blog; however, unlike LockBit, INC does not charge for the leaked data.

*Figure: LockBit 3.0's Leak Blog*

*Figure: INC's Leak Blog*

Meanwhile, the victims have a separate site where the negotiation with the group takes place. The site requires them to open a user account with the user ID communicated in the ransom note and a password of their choice.

*Figure: INC's Feedback Box*

*Figure: INC's Victim Sign In Page*

[When it comes to modus operandi](https://www.huntress.com/blog/investigating-new-inc-ransom-group-activity), INC cases seem similar to those of other ransomware groups. The group uses compromised credentials to gain access to a victim environment and moves laterally using RDP (Remote Desktop Protocol). On each newly compromised machine, another credential-theft command is run via scripts. Eventually, the operators deploy the ransomware using WMIC and PsExec. To exfiltrate data, the group was observed using the MegaSync tool, which has also been used by other ransomware groups' affiliates.
## ANALYSIS

In this section, the Cybereason team describes the INC ransomware behavior based on a dynamic and static approach, relying mainly on reverse engineering of the ransomware samples we obtained.

The ransomware's initial behavior depends on the command-line arguments the ransomware operator supplies:

- --file: encrypt a given file
- --dir: encrypt a given directory
- --sup: stands for "stop using process"; kills a given process
- --ens: encrypt network shares
- --lhd: load hidden drives
- --debug: print messages to the screen about the encryption process

*Figure: Command-Line Arguments*

After setting the parameters, the ransomware decrypts its ransom notes. It calls the function CryptStringToBinaryA twice to decode the base64-stored content that contains the ransom note.

*Figure: Ransomware Note Decryption Process*

In each encrypted directory, the ransomware drops two ransom notes, one as a .txt file and the other in .html format.

*Figure: Decrypted Ransomware Note*

#### Command-Line Arguments

##### Load Hidden Drives

If the lhd (load hidden drives) parameter was set, the ransomware checks for any hidden drive (A-Z) to mount and encrypt.

*Figure: Hidden Drive Encryption Function*

##### Encrypt Network Shares

Next, if the ens (encrypt network shares) parameter was set, the ransomware checks whether there are other kinds of shared data storage to encrypt:

- DRIVE_FIXED - external hard drives
- DRIVE_REMOVABLE - USB sticks
- DRIVE_REMOTE - shared network

*Figure: Network Share Encryption Function*

##### Stop Using Processes

If the argument --sup (stop using processes) is set, the ransomware uses the Microsoft Win32 application Restart Manager to kill any process that holds a handle to, or is accessing, a resource that the ransomware wants to encrypt.
This approach was also observed in other ransomware groups such as LockBit, Babuk, and Royal.

*Figure: Stop Using Processes Function*

### Deleting Shadow Copies

After all the preparations are complete, the ransomware deletes the volume shadow copy backups from the victim's machine. It calls the API DeviceIoControl with the dwIoControlCode parameter set to 0x53C028. This code translates to the undocumented IOCTL IOCTL_VOLSNAP_SET_MAX_DIFF_AREA_SIZE, which resizes the space allocated for shadow copy snapshots and thereby causes their deletion.

*Figure: Volume Shadow Copy Deletion Function*

### Exclusions

Before encrypting, INC inspects each file and excludes it from encryption if it has one of the following extensions:

- .msi
- .exe
- .dll
- .inc

*Figure: File Encryption Exclusions*

In addition to extensions, it excludes directories whose names contain one of the following strings:

- Windows
- Program files
- Program files (x86)
- $RECYCLE.BIN
- appdata
- INC

*Figure: File Directory Exclusions*

### Physically Printing The Ransom Note

INC ransomware actively seeks out available printers on the network and sends the command to print the ransom note. INC verifies the presence of the specific drivers Microsoft Print to PDF or Microsoft XPS Document Writer on the targeted host system, then tries to print the ransom note through the printer connected to it. This approach not only adds an extra layer of intimidation for its victims but also serves as a visual reminder of the intrusion.

*Figure: Ransomware Note Print Function*

### Changing The Wallpaper

Another notable capability of INC ransomware is changing the host's background wallpaper image. At the end of the attack, INC changes the background wallpaper and displays the ransom note on the screen using the "Fixedsys" font.
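Before building a detection on the control code named in the Deleting Shadow Copies section above, it helps to confirm what 0x53C028 encodes. The following is an added example, not code from the alert: it splits the value into the fields of the standard Windows CTL_CODE bit layout (device type, access, function, method), which is the only assumption it makes.

```python
# Added example: decompose a Windows IOCTL control code into its CTL_CODE fields.
# Layout (documented CTL_CODE macro in the Windows SDK):
#   (DeviceType << 16) | (Access << 14) | (Function << 2) | Method
# Applied to 0x53C028, the value the alert attributes to the undocumented
# IOCTL_VOLSNAP_SET_MAX_DIFF_AREA_SIZE, so a detection author can see the
# driver class and access flags behind the number instead of matching it blindly.

METHODS = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT",
           2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}
ACCESS = {0: "FILE_ANY_ACCESS", 1: "FILE_READ_ACCESS",
          2: "FILE_WRITE_ACCESS", 3: "FILE_READ_ACCESS|FILE_WRITE_ACCESS"}

INC_SHADOW_COPY_IOCTL = 0x53C028  # value taken from the alert


def decode_ioctl(code: int) -> dict:
    """Split a 32-bit control code into DeviceType, Access, Function and Method."""
    return {
        "device_type": (code >> 16) & 0xFFFF,   # 16-bit device type
        "access": ACCESS[(code >> 14) & 0x3],   # 2-bit required access
        "function": (code >> 2) & 0xFFF,        # 12-bit function number
        "method": METHODS[code & 0x3],          # 2-bit buffering method
    }


def encode_ioctl(device_type: int, function: int, method: int, access: int) -> int:
    """Inverse of decode_ioctl: rebuild a control code from its fields."""
    return (device_type << 16) | (access << 14) | (function << 2) | method


if __name__ == "__main__":
    # For 0x53C028: device type 0x53, read+write access, function 0xA, METHOD_BUFFERED
    print(decode_ioctl(INC_SHADOW_COPY_IOCTL))
```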
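A triage helper, added here and not part of the alert, that applies the extension and directory exclusions listed above together with the partial-encryption thresholds described in the Encryption Process section that follows: given a file inventory it reports which files INC's own rules would skip and how much of each in-scope file remains in plaintext, which is what a responder needs when scoping recoverable data. It assumes the alert's 1 MB / 3 MB mean 1 MiB / 3 MiB and that directory-name matching is a case-insensitive substring match; the sample inventory is constructed.

```python
from pathlib import PureWindowsPath

MB = 1024 * 1024  # assumption: the alert's "1 MB"/"3 MB" mean 1 MiB / 3 MiB
EXCLUDED_EXTENSIONS = {".msi", ".exe", ".dll", ".inc"}            # from the alert
EXCLUDED_DIR_SUBSTRINGS = ["windows", "program files", "program files (x86)",
                           "$recycle.bin", "appdata", "inc"]         # from the alert

def is_excluded(path: str) -> bool:
    """True if INC's own rules would skip this file (by extension or directory name)."""
    p = PureWindowsPath(path)
    if p.suffix.lower() in EXCLUDED_EXTENSIONS:
        return True
    # Substring match on directory components only (assumed case-insensitive);
    # note that the "inc" rule also skips unrelated names such as "Princeton".
    return any(s in part.lower() for part in p.parts[:-1] for s in EXCLUDED_DIR_SUBSTRINGS)

def encrypted_ranges(size: int) -> list[tuple[int, int]]:
    """(offset, length) spans INC encrypts in a file of `size` bytes."""
    if size <= MB:                      # small file: everything
        return [(0, size)] if size else []
    if size <= 3 * MB:                  # medium file: first 1 MB only
        return [(0, MB)]
    ranges, offset = [], 0              # large file: 1 MB on, 2 MB off, repeated
    while offset < size:
        ranges.append((offset, min(MB, size - offset)))
        offset += 3 * MB
    return ranges

def triage(inventory: dict[str, int]) -> dict[str, dict]:
    """Per path: would INC touch it, and what fraction of its bytes stay plaintext."""
    report = {}
    for path, size in inventory.items():
        if is_excluded(path):
            report[path] = {"in_scope": False, "plaintext_fraction": 1.0}
            continue
        ciphertext = sum(length for _, length in encrypted_ranges(size))
        report[path] = {"in_scope": True,
                        "plaintext_fraction": 1.0 if size == 0 else 1 - ciphertext / size}
    return report

# Constructed sample inventory (path -> size in bytes); not data from the alert.
SAMPLE = {
    r"C:\Users\finance\Q3.xlsx": 512 * 1024,
    r"C:\Users\finance\archive.bak": 10 * MB,
    r"C:\Windows\System32\drivers\etc\hosts": 2 * 1024,
    r"C:\Users\finance\setup.exe": 4 * MB,
    r"C:\Users\finance\AppData\Local\cache.db": 5 * MB,
}
```

Running `triage(SAMPLE)` shows the 10 MB backup keeps 60% of its bytes in plaintext because only every third megabyte is encrypted, while the small spreadsheet is fully encrypted.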
*Figure: Ransomware Notification*

*Figure: Ransomware Background Display Modification Function*

## Encryption Process

INC uses multi-threading to speed up the encryption process. The number of threads is the number of processors multiplied by 4. To synchronize the threads, INC uses I/O completion ports. [According to MSDN](https://learn.microsoft.com/en-us/windows/win32/fileio/i-o-completion-ports), "I/O completion ports provide an efficient threading model for processing multiple asynchronous I/O requests on a multiprocessor system".

*Figure: Ransomware Multi-Threading Support*

Another approach to speeding up encryption is partial encryption. INC implements its partial encryption in the following manner:

- If the file is smaller than 1 MB:
  - The entire file is encrypted
- If the file is larger than 1 MB but smaller than 3 MB:
  - 1 MB is encrypted
  - The rest is not encrypted
- If the file is larger than 3 MB:
  - Alternating intervals of encrypting 1 MB and leaving 2 MB unencrypted

*Figure: Ransomware Partial Encryption Schema*

The encryption intervals can also be seen clearly in Process Monitor.

*Figure: Process Monitor Output During Partial Encryption*

## DETECTION AND PREVENTION

### Cybereason Defense Platform

[The Cybereason Defense Platform](https://www.cybereason.com/platform) is able to detect and prevent INC ransomware infections using multi-layer malware protection that leverages threat intelligence, machine learning, anti-ransomware, next-gen antivirus (NGAV), and [Variant Payload Prevention](https://www.youtube.com/watch?v=GOswitXwSPI) capabilities.

*Figure: The Cybereason Defense Platform Detects & Prevents INC-related MalOp*

### Cybereason Recommendations

The Cybereason GSOC & Security Research teams recommend the following actions in the Cybereason Defense Platform:

- Enable Application Control to block the execution of malicious files.
- Enable [Anti-Ransomware](https://www.cybereason.com/platform/ransomware-protection) in your environment's policies, set the Anti-Ransomware mode to Prevent, and enable Shadow Copy detection to ensure maximum protection against ransomware.
- Enable Variant Payload Prevention with prevent mode on Cybereason Behavioral execution prevention.
- To hunt proactively, use the Investigation screen in the Cybereason Defense Platform and the queries in the Hunting Queries section to search for machines that are potentially infected with INC Ransomware.
- Based on the search results, take further remediation actions, such as isolating the infected machines and deleting the payload file.

## MITRE ATT&CK MAPPING

|Tactic|Technique or Sub-technique|
|---|---|
|[TA0005: Discovery](https://attack.mitre.org/tactics/TA0005)|[T1083: File and Directory Discovery](https://attack.mitre.org/techniques/T1083/)|
|[TA0007: Discovery](https://attack.mitre.org/tactics/TA0007/)|[T1016: System Network Configuration Discovery](https://attack.mitre.org/techniques/T1016/)|
|[TA0007: Discovery](https://attack.mitre.org/tactics/TA0007/)|[T1046: Network Service Discovery](https://attack.mitre.org/techniques/T1046/)|
|[TA0007: Discovery](https://attack.mitre.org/tactics/TA0007/)|[T1057: Process Discovery](https://attack.mitre.org/techniques/T1057/)|
|[TA0007: Discovery](https://attack.mitre.org/tactics/TA0007/)|[T1082: System Information Discovery](https://attack.mitre.org/techniques/T1082/)|
|[TA0007: Discovery](https://attack.mitre.org/tactics/TA0007/)|[T1135: Network Share Discovery](https://attack.mitre.org/techniques/T1135/)|
|[TA0040: Impact](https://attack.mitre.org/tactics/TA0040)|[T1486: Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486/)|
|[TA0040: Impact](https://attack.mitre.org/tactics/TA0040)|[T1489: Service Stop](https://attack.mitre.org/techniques/T1489/)|
|[TA0040: Impact](https://attack.mitre.org/tactics/TA0040)|[T1490: Inhibit System Recovery](https://attack.mitre.org/techniques/T1490/)|
|[TA0002: Execution](https://attack.mitre.org/tactics/TA0002/)|[T1059: Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059/)|

|Indicators|Indicator type|Description|
|---|---|---|
|fcefe50ed02c8d315272a94f860451bfd3d86fa6ffac215e69dfa26a7a5deced|SHA256|INC Ransomware Binary|

### About the Authors

Marina Popelov, Security Analyst, Security Research Team

Marina is a security and threat intelligence analyst at Cybereason. She began her career in the Israeli Defence Forces (IDF) as an open source intelligence (OSInt) analyst and today specializes in web and dark web intelligence.

Eli Salem, Security & Malware Researcher, Security Research Team

Eli is a security and malware reverse engineer at Cybereason. He has worked in the private sector of the cybersecurity industry since 2017. In his free time, he publishes articles about malware research and threat hunting.

Alon Laufer, Security Researcher, Security Research Team

Alon Laufer is a Security Researcher at the Cybereason Security Research Team. He began his career in the Israeli Air Force, where he was responsible for protecting critical infrastructure.
Alon is interested in malware analysis, digital forensics, and incident response.

Mark Tsipershtein, Security Researcher, Security Research Team

Mark Tsipershtein, a cyber security analyst at the Cybereason Security Research Team, focuses on analysis automation and infrastructure. Mark has more than 20 years of experience in SQA, automation, and security testing.