INC Ransom

Status: Active
Type: Ransomware
First seen: 2023-07
Also known as: INC Ransom, INC Ransomware

Overview

INC Ransom emerged in mid-2023 as a ransomware-as-a-service operation; its name derives from the .inc file extension appended to encrypted files. The group operates a double-extortion model: it encrypts victim data and also exfiltrates it, threatening to publish it on a leak site if the ransom is not paid. This approach follows the pattern of other ransomware families such as LockBit and ALPHV, though INC Ransom is considered a smaller, independent actor without clear ties to major threat groups. It has targeted a range of sectors, with a focus on organizations in North America and Europe. Recent reporting indicates ongoing activity, with the group refining its tactics and expanding its victim base, although it remains less prominent than the larger ransomware operations. The operators have shown adaptability, adjusting their methods in response to defensive measures, but public reporting on their affiliations or origins is limited, consistent with a relatively new or niche presence in the ransomware landscape.

Capabilities

INC Ransom encrypts files on victim systems using a strong encryption algorithm, typically appending the .inc extension to affected files. It employs a multi-stage execution process, often dropping additional payloads to evade detection. Persistence mechanisms include creating scheduled tasks or registry entries to ensure the malware runs after system reboots. The command-and-control architecture is based on standard HTTP or HTTPS communication with hardcoded domains or IP addresses, allowing operators to issue commands and receive stolen data. Anti-analysis techniques involve obfuscation of code, string encryption, and checks for virtual environments or debugging tools to hinder reverse engineering. The malware also terminates security-related processes and deletes shadow copies to prevent recovery, enhancing its disruptive impact. Data exfiltration is a key capability, with the malware scanning for sensitive files and uploading them to remote servers before encryption, supporting the double-extortion strategy. These technical features make it a persistent threat, though its complexity is moderate compared to more advanced ransomware families.

Distribution Methods

Initial access for INC Ransom typically involves phishing emails with malicious attachments or links, exploiting human error to deliver the payload. Other common vectors include exploiting vulnerabilities in public-facing applications, such as remote desktop protocol servers or web servers, to gain unauthorized access to networks. The malware may also be distributed through drive-by downloads from compromised websites or via malvertising campaigns. Once inside a system, it often uses legitimate tools like PowerShell or Windows Management Instrumentation for lateral movement and privilege escalation, blending in with normal administrative activities. Delivery mechanisms include executable files disguised as documents or software installers, with social engineering tactics to trick users into executing them. The group has been observed using stolen credentials or brute-force attacks to infiltrate networks, though specific details on custom exploit kits or advanced persistent threats are not widely reported, indicating reliance on standard ransomware distribution methods.

Notable Campaigns

Public reporting on INC Ransom campaigns is limited, but the group has been involved in incidents targeting small to medium-sized businesses, particularly in the healthcare and manufacturing sectors. One notable campaign in late 2023 affected several organizations in the United States, where the group encrypted systems and threatened to leak sensitive data if ransoms were not paid. These incidents typically involve data theft from victim networks, with the group publishing samples on its leak site to pressure victims. Neither coordination with other threat actors nor large-scale, widespread campaigns has been widely documented, suggesting the family operates independently and focuses on opportunistic attacks. Victim organizations have reported operational disruption and financial losses, but details on specific high-profile targets or government attributions are scarce. The group's activity appears sporadic, with no major international incidents reported, which keeps its profile lower than that of more notorious ransomware families.

Detection & Mitigation

To defend against INC Ransom, organizations should implement behavioral detection signals such as monitoring for unusual file-encryption activity, in particular bursts of files being created or renamed with the .inc extension, and alerts for processes that terminate security tools or delete shadow copies. Network indicators include traffic to command-and-control domains or IP addresses associated with the malware, which can be blocked with firewalls or intrusion detection systems. Endpoint hardening involves applying the principle of least privilege, disabling unnecessary services such as remote desktop protocol when not in use, and keeping software updated to patch the vulnerabilities exploited for initial access. Operational mitigations include regular backups stored offline so that recovery is possible without paying a ransom, and employee training to recognize phishing attempts. Endpoint detection and response solutions can help identify and contain the malware early, while network segmentation limits lateral movement. Incident response plans should include steps for isolating affected systems and notifying authorities, since prompt action reduces the impact of an attack.
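The three host-based signals named above (a burst of .inc files from one process, shadow-copy deletion, and the killing of a security tool) can be turned into simple detection logic over endpoint telemetry. The following is an added example written for this page, not a rule published by the profile's author or by any vendor. It runs over constructed Sysmon-style events embedded inline; the command lines it matches (vssadmin delete shadows, wmic shadowcopy delete, taskkill /IM), the security-tool process name, the file paths and the thresholds are all assumptions chosen for illustration and should be replaced with the names and baselines of your own environment.

```python
"""Constructed detection example for INC Ransom-style host behaviour (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed Sysmon-like events: id 1 = process creation, id 11 = file creation.
# Paths, hosts and the security-tool name are placeholders, not real indicators.
SAMPLE_EVENTS = [
    {"ts": "2024-01-01T10:00:00", "id": 1, "pid": 100,
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": "2024-01-01T10:00:05", "id": 1, "pid": 101,
     "image": r"C:\Windows\System32\taskkill.exe",
     "cmd": "taskkill /F /IM edr_agent_placeholder.exe"},
    {"ts": "2024-01-01T10:00:30", "id": 1, "pid": 102,
     "image": r"C:\Windows\System32\notepad.exe", "cmd": "notepad.exe notes.txt"},
] + [
    # Six .inc files written by one process within a few seconds (constructed burst).
    {"ts": f"2024-01-01T10:01:{i:02d}", "id": 11, "pid": 200,
     "image": r"C:\Users\alice\AppData\Local\Temp\unknown.exe",
     "file": rf"C:\Users\alice\Documents\file{i}.docx.inc"}
    for i in range(6)
] + [
    {"ts": "2024-01-01T10:02:00", "id": 11, "pid": 300,
     "image": r"C:\Program Files\build\msbuild.exe", "file": r"C:\Temp\build.log"},
    # A single .inc file from another process: below the burst threshold, no alert.
    {"ts": "2024-01-01T10:03:00", "id": 11, "pid": 400,
     "image": r"C:\Windows\explorer.exe", "file": r"C:\Users\bob\notes.inc"},
]

# Assumed command-line patterns for shadow-copy deletion (the page does not name the tool).
SHADOW_DELETE = re.compile(
    r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)",
    re.IGNORECASE,
)
# Assumed pattern for forced termination of a named process via taskkill.
KILL_CMD = re.compile(r"\btaskkill(\.exe)?\b.*/IM\s+(\S+)", re.IGNORECASE)
# Placeholder: fill with the process names of your own EDR/AV agents.
WATCHED_SECURITY_PROCESSES = {"edr_agent_placeholder.exe"}


def detect_shadow_copy_deletion(events):
    """Process-creation events whose command line deletes volume shadow copies."""
    return [e for e in events if e["id"] == 1 and SHADOW_DELETE.search(e.get("cmd", ""))]


def detect_security_tool_kill(events, watched=WATCHED_SECURITY_PROCESSES):
    """Process-creation events that taskkill a watched security-tool process."""
    watched_lower = {w.lower() for w in watched}
    hits = []
    for e in events:
        if e["id"] != 1:
            continue
        m = KILL_CMD.search(e.get("cmd", ""))
        if m and m.group(2).lower() in watched_lower:
            hits.append(e)
    return hits


def detect_inc_extension_burst(events, threshold=5, window=timedelta(seconds=60)):
    """Return pids that created at least `threshold` '.inc' files inside one `window`.

    A sliding window per process keeps the rule cheap and avoids alerting on a
    single stray file; threshold and window are tuning assumptions.
    """
    recent = defaultdict(deque)
    flagged = []
    for e in sorted(events, key=lambda x: x["ts"]):  # ISO timestamps sort lexically
        if e["id"] != 11 or not e.get("file", "").lower().endswith(".inc"):
            continue
        ts = datetime.fromisoformat(e["ts"])
        q = recent[e["pid"]]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and e["pid"] not in flagged:
            flagged.append(e["pid"])
    return flagged


def run_detections(events):
    """Run all three rules and return the offending pids per rule."""
    return {
        "shadow_copy_deletion": [e["pid"] for e in detect_shadow_copy_deletion(events)],
        "security_tool_kill": [e["pid"] for e in detect_security_tool_kill(events)],
        "inc_extension_burst": detect_inc_extension_burst(events),
    }


if __name__ == "__main__":
    for rule, pids in run_detections(SAMPLE_EVENTS).items():
        print(f"{rule}: {pids or 'no hits'}")
```

On the constructed sample the three rules fire once each (pids 100, 101 and 200) and stay quiet on the benign events, including the lone .inc file from pid 400. In production, the burst rule is the one that needs baselining: legitimate software that writes many files quickly can trip a low threshold, so pair it with the process image and the user context rather than alerting on the extension alone.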