INC Ransom Incident Response Guide

Incident Triage Steps

Within the first 30 minutes of a suspected INC Ransom incident, rapid assessment is critical to limit damage and inform the response. This ransomware typically operates by encrypting files and appending a .encrypted extension, though variants may use other extensions. It often leaves a ransom note named HOW_TO_RECOVER_FILES.txt or similar in affected directories.

Immediate Actions:

1. Isolate the Initial System: Immediately disconnect the first identified infected system from the network, both wired and wireless. Do not power it off yet, as this destroys volatile evidence.
2. Assess Scope: Query your EDR solution or perform a rapid manual check on key servers and workstations for the following:
   • Files with the .encrypted extension.
   • The presence of the ransom note file.
   • Unusual process names or high CPU usage from cmd.exe, powershell.exe, or wscript.exe that may indicate encryption in progress.
3. Check for Data Exfiltration: INC Ransom operators often exfiltrate data prior to encryption. Review outbound network logs from your SIEM or firewall for:
   • Large, unusual data transfers to unknown external IP addresses or cloud storage domains in the hours/days before encryption began.
   • Connections to known or suspected command-and-control (C2) infrastructure. Check threat intelligence feeds for recent INC Ransom C2 indicators.
4. Identify Patient Zero: Examine logs for the initial execution. Look for malicious email attachments (e.g., .js, .vbs, .scr), exploit toolkits, or suspicious RDP login events that align with the timeline of the first encrypted file.

Evidence Collection

Before initiating containment or remediation, collect forensic evidence to understand the attack and for potential legal proceedings.

Volatile Data (From Live, Infected Systems):

• Memory Dump: Use a trusted, pre-installed forensic tool to capture the system’s RAM. This may contain encryption keys, malware binaries, and network connections.
• Running Processes: Execute tasklist /v and wmic process list full from a trusted command prompt. Save output to an external USB drive.
• Network Connections: Run netstat -anob to list active connections and the associated processes.

Persistent Artifacts (INC Ransom Specific):

• Ransom Note: Preserve a copy of the HOW_TO_RECOVER_FILES.txt or similarly named note. Note its location and content.
• Malicious Executables: Search for and preserve the initial dropper/payload. Common locations include %TEMP%, %APPDATA%, and C:\Windows\System32\.
• Pre-Encryption Artifacts: Check for logs or tools associated with data exfiltration, such as rclone, MegaSync, 7zip command-line usage in scheduled tasks or recent command history.
• Registry: Export relevant registry hives (e.g., HKLM\SOFTWARE, HKCU\SOFTWARE) and look for persistence mechanisms like Run keys or services created by the malware.
• Logs: Collect Security, System, and Application event logs from infected hosts. Also preserve firewall, proxy, and DNS logs from network appliances covering the 7-14 days prior to the incident.

Containment Procedures

Contain the outbreak while preserving evidence for eradication.

1. Network Segmentation:

   • Isolate entire affected subnets (e.g., VLANs) by disabling switch ports or applying strict firewall rules that block all traffic except for that from the incident response team.
   • If segmentation is slow, disconnect network cables at the switch level for critical infected assets.

2. Credential Reset:

   • Scope: Reset passwords for all local administrator accounts and domain admin accounts. Also reset credentials for any service accounts that were active on compromised systems. Assume the attackers have harvested credentials.
   • Procedure: Use a dedicated, clean administrative workstation to perform resets. Enforce strong, unique passwords and enable multi-factor authentication where possible.

3. C2 and Malware Communication Blocking:

   • Update firewall, proxy, and intrusion prevention system (IPS) rules to block all known INC Ransom C2 IPs and domains identified during triage and from threat intelligence.
   • Implement egress filtering to block outbound connections on uncommon ports that may be used for data exfiltration or C2 callbacks.

Eradication and Recovery

This phase focuses on complete removal and restoration of operations.

1. Eradication:

   • Follow the detailed, step-by-step instructions in the dedicated Removal Guide for each affected system. This includes killing malicious processes, deleting persistence mechanisms, and removing all malware-related files.
   • Do not simply delete encrypted files and the ransom note; ensure the underlying malware executable and its artifacts are fully removed.

2. Recovery from Backups:

   • Verification: Before restoration, verify your backups are clean and from a point-in-time prior to the earliest evidence of compromise. Scan backup media with updated antivirus and EDR tools.
   • Restoration: Restore encrypted data from clean, offline backups. Prioritize critical business systems.
   • Validation: After restoration, verify file integrity and system functionality. Monitor restored systems closely for any signs of recurring malicious activity.

3. Verifying a Clean State:

   • Perform a full anti-malware scan with updated signatures on all affected systems post-recovery.
   • Use a host-based forensic tool to re-examine systems for any remaining IOC’s (Indicators of Compromise) related to INC Ransom.
   • Monitor network traffic from recovered systems for several days to ensure no beaconing or communication with C2 infrastructure persists.

Lessons Learned Checklist

After containment and recovery, conduct a formal review to improve security posture.

• Initial Infection Vector: How did INC Ransom gain initial access? (e.g., Phishing email, Exploited vulnerability, Compromised RDP).
• Control Failures: Which security controls failed or were absent?
  • Was email filtering insufficient to block the malicious attachment?
  • Were endpoints missing EDR or had outdated signatures?
  • Were critical vulnerabilities unpatched on the initial access point?
• Detection Gaps: Where were the detection failures?
  • Did alerts for suspicious process creation (powershell.exe spawning cmd.exe) go unnoticed?
  • Were large outbound data transfers (exfiltration) not monitored or alerted on?
  • Could earlier stages (reconnaissance, lateral movement) have been detected with better SIEM rules or network monitoring?
• Response Improvements: What can be improved in the response process?
  • Was the incident response plan followed effectively?
  • Was evidence collection swift and thorough?
  • Could containment have been faster with automated playbooks?
• Preventive Actions: What specific changes will be made?
  • Implement application allow-listing on critical servers.
  • Enforce network segmentation to limit lateral movement.
  • Mandate multi-factor authentication for all remote access and privileged accounts.
  • Enhance user training with specific examples from this phishing campaign.

For detailed instructions on removing INC Ransom from an individual system, refer to the Removal Guide. To understand the indicators and behaviors for proactive hunting, see the Detection Guide. For general information about this threat, visit the INC Ransom Overview.