INC ransomware: what you need to know
This article explains that INC ransomware is a ransomware-as-a-service (RaaS) operation that first appeared in the summer of 2023. The group extorts ransoms by encrypting corporate data and threatening to leak it; its methods include exploiting vulnerabilities and weak passwords. The article also describes attacks against several industries and advises organisations to strengthen their security measures against this kind of threat. 2025-9-24 16:15:55 Author: www.fortra.com

What is INC Ransomware?

INC is the name of a ransomware-as-a-service (RaaS) operation that first appeared in late summer 2023. Like many other cybercriminal groups, the administrators of INC provide the malware and infrastructure for the attacks. Affiliates of the INC ransomware group carry out the actual attacks themselves, sharing profits they make from blackmailing companies with the core team.

Presumably once they've broken in they encrypt your systems, and then threaten to leak the data they've stolen?

Yup. It's pretty much the standard modus operandi used by most ransomware groups today - your staff are locked out of your company's data (meaning that work cannot proceed as normal) unless a ransom is paid for a decryption key. And - just in case you have an unencrypted backup to recover from without having to cough up a ransom - the hackers threaten to release exfiltrated data via their dark web site, where it could prove embarrassing or be exploited by others.

So how do the hackers gain access to my company in the first place?

There are a number of methods. They might have purchased working login credentials from other hackers (known as initial access brokers) who targeted users with phishing attacks or malicious attachments. Or they could have exploited known vulnerabilities, or weak or default passwords on publicly accessible RDP services or web apps.

So they're not reinventing the wheel?

Why bother reinventing the wheel if it gets you where you want to go? If cybercriminals find that a simple method works to breach your network, they're happy to use it.

So why is INC ransomware in the news now?

According to media reports, INC has claimed responsibility for an attack in August against the Pennsylvania Attorney General's Office that saw its website, email and phone service disrupted and staff unable to access internal systems. Criminal and civil cases were put on hold in the wake of the attack.

Nasty. So, has the ransom been paid?

Earlier this month, the Pennsylvania Attorney General's Office published a statement (since removed from its website) saying that it had "not made any such payment." Since then, researchers at Comparitech reported that the ransomware group has published images on the dark web of what it claims to be documents stolen during the attack. 

Normally ransomware gangs are true to their word - and do not release data if they have received a ransom payment. In all, INC claims to have stolen 5.7 TB of data during the attack.

Hang on. Are you saying that if you do pay a ransomware attacker you can trust them?

It's not quite as simple as that. After all, someone who has hacked their way into your business and committed a criminal act can barely be considered as a fine and upstanding individual of unimpeachable morals.

But think about it this way - if a particular ransomware group cannot be trusted not to leak data after it has been paid a ransom, word will get around pretty quickly - and that would mean no victim would ever pay them in future. INC may be a criminal group. But it still has enough business sense not to damage its chances of successfully extorting more victims in the future.

I guess that makes sense. But I still don't like the idea of paying them anything.

You and me both. But sometimes, for some companies, it may be the least-worst option. It should be noted that law enforcement and cybersecurity agencies typically strongly advise against paying ransoms.

Fair enough. So once they have broken into your network, what do they do then?

Once inside, hackers move laterally across your network, escalate their privileges, and deploy ransomware to encrypt your files. Of course, before encrypting them they will also attempt to exfiltrate the sensitive data they find for extra blackmail leverage.

And how will I know I have fallen victim?

Your users will pretty quickly realise that their systems are locked, that files have been renamed, and that a ransom note has been left explaining how to make contact with the extortionists.

You've told me about what happened in Pennsylvania, but who else has this group targeted?

INC has claimed responsibility for attacks on healthcare providers (including a children's hospital in Liverpool), manufacturing firms (including Yamaha's Philippines subsidiary), financial service companies, law firms, and more across North America, Europe, and Asia. Earlier this month, a government ministry in Panama was also reportedly targeted.

So they're not fussy?

No, they don't seem to be that bothered about who they try to extort money from.

Have police taken any action against INC ransomware?

So far, INC has not been the subject of the kind of major public takedowns that we have seen against the likes of LockBit or Hive. That said, law enforcement agencies are well aware of INC's activity, and international efforts are ongoing to disrupt their infrastructure and trace cryptocurrency paid to them in the form of ransoms.

So what should my business be doing to protect itself?

Organisations that feel they may be at risk of being hit by INC ransomware and its ilk would be wise to follow Fortra's general advice for defending against ransomware attacks, which includes tips such as enforcing multi-factor authentication, running up-to-date security solutions, and keeping software patches up-to-date.

In addition, we recommend that all companies follow best practices for defending against ransomware attacks, which include tips such as:

  • Making secure off-site backups.
  • Using hard-to-crack, unique passwords to protect sensitive data and accounts.
  • Encrypting sensitive data wherever possible.
  • Reducing the attack surface by disabling functionality that your company does not need.
  • Educating and informing staff about the risks and methods used by cybercriminals to launch attacks and steal data.

Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor and do not necessarily reflect those of Fortra.


Source: https://www.fortra.com/blog/inc-ransomware-what-need-know