Detection Guide: INC Ransom Ransomware
Behavioral Indicators
INC Ransom exhibits several distinct runtime behaviors that can be detected by endpoint monitoring solutions. Upon execution, the malware typically spawns from a user-writable directory, often masquerading as a legitimate system process. A common process creation chain involves the initial executable spawning cmd.exe or powershell.exe to execute commands for disabling security measures. Specifically, look for commands that attempt to stop or delete volume shadow copies (e.g., vssadmin delete shadows /all /quiet), disable Windows Defender services, or terminate processes related to database servers, backup software, and security tools.
The malware makes specific API calls to enumerate and lock files for encryption. Monitor for high-frequency calls to FindFirstFileW/FindNextFileW and CreateFileW with write access modes targeting a wide range of file extensions. INC Ransom is known to skip certain system and program directories to maintain system stability. It also calls cryptographic APIs (like CryptEncrypt) and may attempt to use Windows Restart Manager APIs (RmStartSession, RmRegisterResources) to close handles to files it intends to encrypt. Credential access is less common, but the malware may read credentials from local stores if it includes lateral-movement functionality, and operators may have escalated privileges with tools like Mimikatz in earlier stages of the intrusion.
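The process-creation chain described above (a binary in a user-writable directory spawning cmd.exe or powershell.exe to delete shadow copies, tamper with Defender, or kill database processes) can be scored from endpoint telemetry. The following is an added example, not code from the original guide: it runs a small rule set over constructed Sysmon-style process events and aggregates hits per parent process, so the "disable, then encrypt" sequence is judged as one chain rather than as isolated events. The event field names, the rule weights and the verdict thresholds are assumptions of this example.

```python
import ntpath
import re
from collections import defaultdict

# Constructed Sysmon-style process-creation events (illustrative, not real telemetry).
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Users\alice\AppData\Local\Temp\updater.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c vssadmin delete shadows /all /quiet"},
    {"parent_image": r"C:\Users\alice\AppData\Local\Temp\updater.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"parent_image": r"C:\Users\alice\AppData\Local\Temp\updater.exe",
     "image": r"C:\Windows\System32\taskkill.exe",
     "cmdline": "taskkill /F /IM sqlservr.exe"},
    {"parent_image": r"C:\Program Files\BackupVendor\agent.exe",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin list shadows"},
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c dir"},
]

# Directories a standard user can write to; a parent living here is a weak signal on its own.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|Public|ProgramData)\\", re.IGNORECASE)
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# (rule name, weight, pattern over the command line). Weights are an assumption of this
# example: shadow-copy deletion and Defender tampering are treated as the strongest signals.
COMMAND_RULES = [
    ("shadow_copy_deletion", 3, re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete|"
        r"bcdedit.*recoveryenabled\s+no", re.IGNORECASE)),
    ("defender_tamper", 3, re.compile(
        r"Set-MpPreference\s+-Disable|sc(\.exe)?\s+(stop|config)\s+WinDefend", re.IGNORECASE)),
    ("service_process_kill", 2, re.compile(
        r"taskkill.*/IM\s+(sqlservr|mysqld|oracle|postgres|veeam\w*|msmdsrv)\.exe|net\s+stop\s+\S+",
        re.IGNORECASE)),
]


def evaluate_event(event):
    """Return [(rule, weight)] for every indicator a single event trips."""
    hits = []
    for name, weight, pattern in COMMAND_RULES:
        if pattern.search(event["cmdline"]):
            hits.append((name, weight))
    # A shell launched by something living in a user-writable directory.
    if (ntpath.basename(event["image"]).lower() in SHELLS
            and USER_WRITABLE.search(event["parent_image"])):
        hits.append(("shell_from_user_writable_parent", 1))
    return hits


def triage_process_events(events):
    """Aggregate per parent process so one disable-then-encrypt chain scores as a unit."""
    scores = defaultdict(lambda: {"score": 0, "rules": set()})
    for event in events:
        for name, weight in evaluate_event(event):
            entry = scores[event["parent_image"]]
            entry["score"] += weight
            entry["rules"].add(name)
    result = {}
    for parent, entry in scores.items():
        verdict = "high" if entry["score"] >= 5 else "medium" if entry["score"] >= 3 else "low"
        result[parent] = {"score": entry["score"], "rules": sorted(entry["rules"]), "verdict": verdict}
    return result


if __name__ == "__main__":
    for parent, info in triage_process_events(SAMPLE_EVENTS).items():
        print(f"{info['verdict']:6} score={info['score']:2} {parent}: {', '.join(info['rules'])}")
```

The benign "vssadmin list shadows" from a backup agent and the cmd.exe launched from explorer.exe produce no hits, while the three commands chained under the Temp-resident updater.exe add up to a single high-confidence parent. In production the same aggregation is usually keyed on the parent process GUID rather than its image path, so that two unrelated copies of the same binary are not merged.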
Network Indicators
INC Ransom’s network activity is primarily focused on command and control (C2) communication and, in some variants, data exfiltration prior to encryption. C2 communication often occurs over HTTPS to blend with normal traffic. Look for POST requests to domains with high entropy names (e.g., generated strings like kjahsdf[.]com or xkjhwe[.]top) containing encrypted payloads. The malware may beacon at regular intervals (e.g., every 5 to 10 minutes) to receive encryption keys or commands.
DNS queries for these same domains are a strong indicator. Some variants use hard-coded IP addresses for C2, so connections to unfamiliar external IPs on non-standard ports (e.g., 8080, 4444) should be investigated. Data exfiltration, if present, often involves large outbound transfers via FTP or HTTP/S to the same C2 infrastructure shortly before the encryption process begins. Network signatures include specific User-Agent strings (sometimes spoofed as common browsers) and unusual HTTP headers containing base64-encoded data.
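The network indicators above (high-entropy domain names, regular beacon intervals, non-standard ports and large outbound transfers to the same infrastructure) can be checked against proxy, DNS or flow records. The following is an added example and not part of the original guide: it runs those four checks over constructed connection records. The hostnames and the address are placeholders (203.0.113.0/24 is a documentation range), and the thresholds for "large transfer", beacon period and timing regularity are assumptions of this example.

```python
import ipaddress
import math
import re
import statistics
from collections import Counter, defaultdict

# Constructed connection records: (epoch seconds, destination, dst port, bytes sent).
SAMPLE_CONNECTIONS = [
    (0, "xkjhwe.top", 443, 1200),
    (302, "xkjhwe.top", 443, 1180),
    (598, "xkjhwe.top", 443, 1210),
    (901, "xkjhwe.top", 443, 1195),
    (1199, "xkjhwe.top", 443, 1230),
    (10, "www.microsoft.com", 443, 4000),
    (55, "www.microsoft.com", 443, 3500),
    (400, "www.microsoft.com", 443, 5200),
    (2000, "www.microsoft.com", 443, 4100),
    (1500, "203.0.113.45", 4444, 850_000_000),
]

STANDARD_WEB_PORTS = {80, 443}
LARGE_TRANSFER_BYTES = 100 * 1024 * 1024   # assumed threshold for a single outbound flow
BEACON_MIN, BEACON_MAX = 60, 1800           # assumed plausible beacon period, in seconds
VOWELS = set("aeiou")


def shannon_entropy(text):
    counts = Counter(text)
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def registrable_label(host):
    """Second-level label, e.g. 'xkjhwe' from 'www.xkjhwe.top' (ignores multi-part TLDs)."""
    labels = host.lower().split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def domain_is_dga_like(host):
    """Character entropy alone is weak on short labels ('microsoft' scores higher than
    'xkjhwe'), so it is combined with vowel ratio and longest consonant run."""
    label = registrable_label(host)
    if not label:
        return False
    vowel_ratio = sum(ch in VOWELS for ch in label) / len(label)
    longest_consonant_run = max(len(run) for run in re.split(r"[aeiou0-9-]+", label))
    score = (shannon_entropy(label) >= 2.5) + (vowel_ratio < 0.25) + (longest_consonant_run >= 4)
    return score >= 2


def is_regular_beacon(timestamps):
    """Near-constant inter-arrival time over at least four connections."""
    if len(timestamps) < 4:
        return False
    ts = sorted(timestamps)
    intervals = [b - a for a, b in zip(ts, ts[1:])]
    mean = statistics.mean(intervals)
    if not BEACON_MIN <= mean <= BEACON_MAX:
        return False
    return statistics.pstdev(intervals) / mean < 0.15   # coefficient of variation


def analyze_connections(conns):
    findings = defaultdict(set)
    by_dst = defaultdict(list)
    for ts, dst, port, bytes_out in conns:
        by_dst[dst].append(ts)
        if port not in STANDARD_WEB_PORTS:
            findings[dst].add("non_standard_port")
        if bytes_out >= LARGE_TRANSFER_BYTES:
            findings[dst].add("large_outbound_transfer")
        if not is_ip(dst) and domain_is_dga_like(dst):
            findings[dst].add("dga_like_domain")
    for dst, timestamps in by_dst.items():
        if is_regular_beacon(timestamps):
            findings[dst].add("regular_beaconing")
    return {dst: sorted(reasons) for dst, reasons in findings.items()}


if __name__ == "__main__":
    for dst, reasons in analyze_connections(SAMPLE_CONNECTIONS).items():
        print(f"{dst}: {', '.join(reasons)}")
```

The jittered five-minute cadence to the random-looking domain is flagged on both the lexical and the timing check, the 4444/tcp flow is flagged for its port and its volume, and the irregular traffic to a real vendor domain is left alone. Correlating the large transfer with the beacon destination, or with the encryption start time from file auditing, is what turns these into an exfiltration-before-encryption finding.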
File System Artifacts
INC Ransom creates several files during its execution. The ransomware executable is often dropped in user profile paths like %APPDATA%, %LOCALAPPDATA%, or %TEMP%, with names mimicking legitimate software (e.g., updater.exe, svchost.exe). After encryption, it drops a ransom note, typically named HOW_TO_RECOVER_FILES.txt or README_INC.txt, in every affected directory. The note contains instructions for contacting the attackers via a TOR payment site.
Encrypted files are appended with a specific extension. Historically, INC Ransom has used extensions like .inc, .inc-ransom, or a unique extension generated per victim (e.g., .id-[RANDOM_STRING]). Temporary files may be created during the encryption process and deleted afterward, but file system auditing might catch these as rapid create/delete events in user directories. Check for large numbers of files being modified in a short time frame, with size changes but similar timestamps.
Registry and Persistence Mechanisms
INC Ransom uses various methods to maintain persistence on infected systems. Common registry modifications include creating or modifying Run keys:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
The malware may add an entry pointing to its executable path. It might also create scheduled tasks for persistence or to launch the payload after a reboot. Look for tasks with names like “UpdateChecker” or “SystemMonitor” that execute a script or binary from a user-writable location. Some variants modify file type associations (e.g., HKCU\Software\Classes\.txt) to execute the ransomware when certain file types are opened, though this is less common. Additionally, the malware may disable Windows recovery and safe boot options by setting registry values under HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot subkeys.
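The persistence mechanisms listed above (Run keys pointing at user-writable paths, suspiciously named scheduled tasks launching from user-writable locations, file-association hijacks and SafeBoot tampering) can be checked from registry set-value and task-creation telemetry. The following is an added example and not code from the original guide: it evaluates constructed events modelled loosely on Sysmon registry events and Windows Security task-creation records. The event layout, the value names and the SafeBoot subkey used in the sample are assumptions of this example.

```python
import ntpath
import re

# Constructed events: registry value writes and scheduled-task creations.
SAMPLE_EVENTS = [
    {"type": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "WindowsUpdater", "data": r"C:\Users\alice\AppData\Roaming\updater.exe"},
    {"type": "registry_set", "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "VendorAgent", "data": r"C:\Program Files\Vendor\agent.exe"},
    {"type": "registry_set", "key": r"HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vss",
     "value": "(Default)", "data": ""},
    {"type": "registry_set", "key": r"HKCU\Software\Classes\.txt\shell\open\command",
     "value": "(Default)", "data": r'"C:\Users\alice\AppData\Local\Temp\svchost.exe" "%1"'},
    {"type": "task_created", "task": r"\UpdateChecker",
     "action": r"C:\Users\alice\AppData\Local\Temp\updater.exe"},
    {"type": "task_created", "task": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "action": r"%windir%\system32\defrag.exe"},
]

RUN_KEY = re.compile(r"^HK(CU|LM)\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$", re.I)
SAFEBOOT_KEY = re.compile(r"^HKLM\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\", re.I)
FILE_ASSOC_KEY = re.compile(r"^HKCU\\Software\\Classes\\\.[^\\]+\\shell\\open\\command$", re.I)
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|Public|ProgramData)\\", re.I)
SUSPICIOUS_TASK_NAMES = {"updatechecker", "systemmonitor"}   # names quoted in the text above


def executable_from(data):
    """Program path from a registry value or task action: honours quoting, drops '%1'-style
    arguments. Unquoted paths containing spaces are truncated at the first space."""
    match = re.match(r'\s*"([^"]+)"|\s*(\S+)', data)
    return (match.group(1) or match.group(2)) if match else ""


def evaluate(event):
    findings = []
    if event["type"] == "registry_set":
        key, exe = event["key"], executable_from(event["data"])
        if RUN_KEY.match(key) and USER_WRITABLE.search(exe):
            findings.append("run_key_user_writable")
        if SAFEBOOT_KEY.match(key):           # any write under SafeBoot is worth a look
            findings.append("safeboot_tamper")
        if FILE_ASSOC_KEY.match(key) and USER_WRITABLE.search(exe):
            findings.append("file_association_hijack")
    elif event["type"] == "task_created":
        name = ntpath.basename(event["task"]).lower()
        if USER_WRITABLE.search(event["action"]):
            findings.append("task_from_user_writable")
        if name in SUSPICIOUS_TASK_NAMES:
            findings.append("task_suspicious_name")
    return findings


def triage_persistence_events(events):
    """[(registry key or task name, findings)] for every event that raised at least one."""
    report = []
    for event in events:
        findings = evaluate(event)
        if findings:
            report.append((event.get("key") or event.get("task"), findings))
    return report


if __name__ == "__main__":
    for target, findings in triage_persistence_events(SAMPLE_EVENTS):
        print(f"{target}: {', '.join(findings)}")
```

The vendor agent registered under HKLM from Program Files and the built-in defrag task pass through untouched; every finding here hinges on where the launched binary lives rather than on the key alone, which is what keeps the Run-key check usable on a fleet where legitimate software also registers itself.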
YARA Rule Guidance
When developing YARA rules for INC Ransom, focus on unique strings and byte patterns from recent samples. Key indicators include:
- Ransom note strings: Look for phrases like “Your files are encrypted”, “INC Ransom”, “Contact us via TOR”, and specific TOR onion URLs (e.g., *.onion).
- File extension patterns: Strings related to the appended extensions, such as “.inc” or “id-”, often found in the binary’s data section.
- Tool and API names: Imports or strings referencing vssadmin, bcdedit, WMIC, and cryptographic functions like CryptEncrypt.
- Hard-coded C2 domains/IPs: High-entropy domain names or IP addresses stored as strings.
- Debug paths: Sometimes samples contain PDB strings pointing to developer paths like C:\Users\Admin\Desktop\INC_Ransom\Release\.
- Encryption markers: Look for base64-encoded strings or specific patterns used as encryption markers in file headers.
Structure your rules to combine these elements, weighting unique ransom note text and C2 indicators heavily. Include condition checks for file size (typically between 100KB and 500KB for the main executable) and entropy to reduce false positives. Always test rules against the latest samples to ensure they remain effective.
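The rule structure described above (weighted indicator categories, a file-size band, an entropy check) is normally written in YARA syntax. The following is an added example, not a rule from the original guide and not YARA itself: it is a Python stand-in that expresses the same condition logic so the weighting and the size and entropy checks can be exercised against constructed byte blobs. The category weights, the match threshold, the "packed" entropy cut-off and every string and blob in it are assumptions of this example, and the onion address is a placeholder; real rules take their strings from real samples.

```python
import math
import random
import re
from collections import Counter

# Indicator categories with weights: ransom-note text and C2 indicators count most.
# Patterns are illustrative placeholders, not strings extracted from real samples.
INDICATORS = {
    "ransom_note": (5, [b"Your files are encrypted", b"INC Ransom", b"Contact us via TOR"]),
    "c2": (4, [re.compile(rb"[a-z2-7]{16,56}\.onion"),
               re.compile(rb"\b(?:\d{1,3}\.){3}\d{1,3}\b")]),
    "debug_path": (3, [re.compile(rb"C:\\Users\\[^\\]+\\Desktop\\INC_Ransom\\Release\\")]),
    "extension": (2, [b".inc", b"id-"]),
    "tooling": (2, [b"vssadmin", b"bcdedit", b"WMIC", b"CryptEncrypt"]),
}
MIN_SIZE, MAX_SIZE = 100 * 1024, 500 * 1024   # size band quoted in the text
MATCH_THRESHOLD = 8                           # assumed: one heavy hit plus corroboration
PACKED_ENTROPY = 7.5                          # assumed: above this, string rules are moot


def shannon_entropy(data):
    counts = Counter(data)
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts.values())


def indicator_score(data):
    """Each category contributes its weight once, however many of its patterns match."""
    score, matched = 0, []
    for category, (weight, patterns) in INDICATORS.items():
        for pat in patterns:
            hit = pat.search(data) if isinstance(pat, re.Pattern) else pat in data
            if hit:
                score += weight
                matched.append(category)
                break
    return score, matched


def classify(data):
    """Mirror of a YARA condition: size band AND weighted strings, with a packed-file escape."""
    size_ok = MIN_SIZE <= len(data) <= MAX_SIZE
    entropy = shannon_entropy(data)
    score, matched = indicator_score(data)
    if size_ok and score >= MATCH_THRESHOLD:
        verdict = "match"
    elif entropy >= PACKED_ENTROPY:
        verdict = "packed_inconclusive"   # string indicators cannot be trusted on packed data
    else:
        verdict = "no_match"
    return {"verdict": verdict, "score": score, "matched": matched,
            "size_ok": size_ok, "entropy": round(entropy, 2)}


def build_sample(kind):
    """Constructed byte blobs standing in for a PE image ('MZ' is the DOS header magic)."""
    if kind == "packed":
        return random.Random(7).randbytes(150 * 1024)   # uniform bytes, entropy near 8
    payload = b"MZ" + b"\x00" * 4096
    if kind == "inc_like":
        payload += b" ".join([
            b"Your files are encrypted. Contact us via TOR:",
            b"x" * 56 + b".onion",                         # placeholder v3 onion address
            b"vssadmin delete shadows /all /quiet",
            b".inc",
            rb"C:\Users\Admin\Desktop\INC_Ransom\Release\inc.pdb",
        ])
    elif kind == "benign_backup_tool":
        payload += b"vssadmin list shadows; include *.inc project files"
    return payload.ljust(150 * 1024, b"\x00")


if __name__ == "__main__":
    for kind in ("inc_like", "benign_backup_tool", "packed"):
        print(kind, classify(build_sample(kind)))
```

The benign blob shares two low-weight strings with the ransomware (a backup tool legitimately mentions vssadmin, and ".inc" is a common include-file suffix) and still scores below threshold, which is the point of weighting; the uniformly random blob is routed to "packed_inconclusive" rather than "no_match", so a packed sample is queued for unpacking instead of being silently cleared. The same three conditions translate to YARA as a `filesize` range, the `math` module's entropy function and a weighted sum over `#string` counts.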