Protection Guide Against INC Ransom Malware
Attack Vectors to Block
INC Ransom primarily enters networks through common but effective intrusion methods. Blocking these vectors requires a layered defense strategy.
Phishing Emails with Malicious Attachments: Attackers distribute INC Ransom via emails containing weaponized documents (e.g., .doc, .xls, .pdf) or archive files (.zip, .rar). These often use social engineering lures like invoices or shipping notifications. Block this by implementing strict email gateway filtering for executable content and enabling macro security policies that prevent Office documents from fetching or executing remote templates.
Exploitation of Public-Facing Applications: INC Ransom operators scan for and exploit vulnerabilities in internet-facing services like Remote Desktop Protocol (RDP), VPN gateways, and web servers. Mitigate this by enforcing a rigorous patch management cycle for all external services. Implement network-level controls, such as placing RDP behind a VPN with multi-factor authentication (MFA) and using a web application firewall (WAF).
Malicious Websites and Drive-by Downloads: Compromised or malicious websites may host INC Ransom payloads. Use a secure web gateway or proxy to block access to known malicious domains and categories (e.g., free file hosting, newly registered domains). Deploy browser isolation technologies for high-risk users.
Execution via Legitimate Tools (Living-off-the-Land): Post-infection, INC Ransom may use built-in system tools like PowerShell, WMI, or BITSAdmin for lateral movement and payload retrieval. Restrict and monitor the use of these tools through application control policies and enhanced command-line logging.
Email Security Configuration
Configure your organization’s email security gateway with the following specific rules to intercept INC Ransom phishing attempts.
Attachment Filtering Policies: Block emails containing executable file attachments with extensions like .exe, .scr, .js, .vbs, .ps1, and .bat. Treat archive files (.zip, .rar, .7z) with high suspicion. Implement a policy that quarantines all password-protected archives for manual review, as these are commonly used to bypass signature-based detection. Enable real-time file type verification to detect file extension spoofing.
URL Defense and Link Analysis: Enable time-of-click URL analysis for all links within emails. Any link that points to a newly registered domain (less than 30 days old) or a domain with a poor reputation score should be blocked or have access sandboxed. Rewrite all HTTP links to pass through your secure proxy for inspection.
Content and Sender Impersonation Rules: Deploy advanced impersonation protection to detect display name spoofing and lookalike domains targeting your organization. Set up strict DMARC policies (enforcement mode: reject) for your own domains to prevent them from being used in phishing campaigns. Quarantine emails with subject lines and body text matching common INC Ransom lures, such as “Urgent Invoice,” “Payment Details,” or “Shipping Confirmation.”
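To make the attachment policy above concrete, here is an added example (not from this guide or any gateway product) of a classifier that applies the blocked-extension list, verifies each declared file type against its leading bytes to catch extension spoofing, and quarantines password-protected ZIP archives for review. The allow/quarantine/block decisions for .rar/.7z and the sample-archive builder are this example's own assumptions.

```python
import io
import zipfile
from pathlib import PurePosixPath
# Extension lists from the guide; the allow/quarantine/block decisions are this example's own.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".ps1", ".bat"}
ARCHIVE_EXTENSIONS = {".zip", ".rar", ".7z"}
# Leading bytes used to verify that file content matches the declared extension.
MAGIC = {".zip": b"PK\x03\x04", ".rar": b"Rar!\x1a\x07", ".7z": b"7z\xbc\xaf\x27\x1c", ".pdf": b"%PDF"}

def zip_entries(data: bytes):
    """[(name, encrypted)] per entry (general purpose flag bit 0 = encrypted), or None if not a valid ZIP."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [(i.filename, bool(i.flag_bits & 0x1)) for i in zf.infolist()]
    except zipfile.BadZipFile:
        return None

def classify_attachment(filename: str, data: bytes) -> str:
    """Return 'block', 'quarantine' or 'allow' for one attachment."""
    ext = PurePosixPath(filename.lower()).suffix  # last suffix, so 'invoice.pdf.exe' -> '.exe'
    if ext in BLOCKED_EXTENSIONS:
        return "block"
    if data.startswith(b"MZ"):  # PE header behind a non-executable extension: spoofed
        return "block"
    expected = MAGIC.get(ext)
    if expected is not None and not data.startswith(expected):
        return "quarantine"  # declared type does not match the content
    if ext == ".zip":
        entries = zip_entries(data)
        if entries is None or any(enc for _, enc in entries):
            return "quarantine"  # corrupt or password-protected archive: manual review
        if any(PurePosixPath(n.lower()).suffix in BLOCKED_EXTENSIONS for n, _ in entries):
            return "block"  # executable hidden inside a plain archive
        return "allow"
    if ext in ARCHIVE_EXTENSIONS:
        return "quarantine"  # .rar/.7z cannot be inspected with the stdlib: hold for review
    return "allow"

def make_zip(names, password_protected=False) -> bytes:
    """Constructed sample ZIP; optionally sets the encryption flag on every central directory entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, b"sample")
    data = bytearray(buf.getvalue())
    pos = data.find(b"PK\x01\x02") if password_protected else -1
    while pos != -1:
        data[pos + 8] |= 0x1  # general purpose bit flag, bit 0 = encrypted
        pos = data.find(b"PK\x01\x02", pos + 4)
    return bytes(data)
```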
Endpoint Protection Tuning
Harden endpoints with configurations designed to detect and prevent the specific behaviors of INC Ransom.
Behavioral Detection Rules: Configure your EDR solution to generate high-severity alerts for the following activities, which are indicative of ransomware:
- Rapid, sequential encryption of files across multiple directories.
- Process attempts to delete Volume Shadow Copies using commands like vssadmin delete shadows.
- Modification of a large number of file extensions to a new, consistent extension (e.g., .inc).
- Attempts to disable or tamper with endpoint security services.
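An added example, not part of this guide or any EDR product, that runs two of the rules above (shadow copy deletion via vssadmin, and mass renaming of files to one new extension such as .inc across several directories) over constructed endpoint events. The event format, thresholds and window sizes are assumptions to be tuned against your own telemetry.

```python
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Constructed event shape for this example, not a real EDR export format:
# kind is "process" (cmdline is set) or "rename" (src and dst are set).
Event = namedtuple("Event", "ts pid kind cmdline src dst", defaults=("", "", ""))
# Thresholds are assumptions; tune them against a baseline of normal file activity.
RENAME_THRESHOLD, RENAME_WINDOW, MIN_DIRS = 20, timedelta(seconds=10), 3

def detect_shadow_copy_deletion(events):
    """Rule: a process command line deletes Volume Shadow Copies with vssadmin."""
    norm = lambda s: " ".join(s.lower().split())  # normalise case and spacing before matching
    return [e.pid for e in events if e.kind == "process"
            and "vssadmin" in norm(e.cmdline) and "delete shadows" in norm(e.cmdline)]

def detect_mass_extension_change(events):
    """Rule: one process renames >= RENAME_THRESHOLD files to the same new extension
    across >= MIN_DIRS directories inside RENAME_WINDOW. Returns {pid: new_extension}."""
    alerts, per_pid = {}, defaultdict(list)
    for e in events:
        if e.kind == "rename":
            per_pid[e.pid].append(e)
    for pid, renames in per_pid.items():
        renames.sort(key=lambda r: r.ts)
        for i, start in enumerate(renames):  # slide a window starting at each rename
            by_ext = defaultdict(list)
            for r in renames[i:]:
                if r.ts - start.ts > RENAME_WINDOW:
                    break
                new_ext = PureWindowsPath(r.dst).suffix.lower()
                if new_ext and new_ext != PureWindowsPath(r.src).suffix.lower():
                    by_ext[new_ext].append(r)
            for ext, rs in by_ext.items():
                dirs = {str(PureWindowsPath(r.dst).parent).lower() for r in rs}
                if len(rs) >= RENAME_THRESHOLD and len(dirs) >= MIN_DIRS:
                    alerts.setdefault(pid, ext)
    return alerts

def sample_events():
    """Constructed telemetry: one vssadmin call, benign activity, and a burst of renames to .inc."""
    t0 = datetime(2024, 1, 1, 9, 0, 0)
    events = [Event(t0, 1001, "process", cmdline="vssadmin.exe  Delete  Shadows"),
              Event(t0, 1002, "process", cmdline="notepad.exe C:\\notes.txt"),
              Event(t0, 1003, "rename", src="C:\\tmp\\a.txt", dst="C:\\tmp\\a.bak")]
    for n in range(25):
        folder = ["Documents", "Pictures", "Desktop", "Music"][n % 4]
        src = f"C:\\Users\\alice\\{folder}\\file{n}.docx"
        events.append(Event(t0 + timedelta(milliseconds=200 * n), 4242, "rename", src=src, dst=src + ".inc"))
    return events
```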
Application Control and Restriction Policies: Implement a dedicated application control policy to block the execution of binaries from high-risk locations, including user Downloads folders, Temp directories, and network shares. Specifically, restrict the execution of rundll32.exe, regsvr32.exe, mshta.exe, and wscript.exe from these paths. Enforce code signing policies where feasible to allow only approved, signed scripts.
Script Execution Hardening: Disable Windows Script Host (wscript.exe and cscript.exe) for non-administrative users via Group Policy. For PowerShell, enforce Constrained Language Mode and enable deep script block logging (Module Logging and Script Block Logging) to capture the full command content. Configure your EDR to block PowerShell scripts from making web requests (Invoke-WebRequest) or executing base64-encoded commands.
Network-Level Defenses
Disrupt INC Ransom’s ability to communicate and retrieve payloads by implementing robust network security controls.
DNS Filtering and Sinkholing: Configure internal DNS resolvers to forward all queries to a DNS filtering service. Create policies to block requests to domains categorized as malware, phishing, and newly seen domains. Proactively sinkhole known INC Ransom command-and-control (C2) domains and IPs by creating DNS A record entries that point to a non-routable internal IP address (e.g., 127.0.0.1). Regularly update these blocklists using the latest IOCs.
Outbound Proxy and Firewall Rules: Force all outbound HTTP/HTTPS and FTP traffic through a secure web gateway. Create explicit firewall deny rules at the network perimeter for known malicious IP addresses associated with INC Ransom infrastructure. Implement egress filtering to block outbound connections on non-standard ports commonly used for data exfiltration or C2 (e.g., ports 8080, 8443, 53).
Network Segmentation and Traffic Monitoring: Segment critical network zones (e.g., finance, backups) from general user networks. Enforce strict access control lists (ACLs) between segments to prevent lateral movement. Deploy a network intrusion detection/prevention system (NIDS/NIPS) and configure it to alert on traffic patterns matching ransomware activity, such as large volumes of SMB traffic followed by connections to external IPs.
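An added example (not the guide's own and not a NIDS rule) that expresses the last traffic pattern above as detection logic over constructed flow records: heavy SMB traffic from one host to internal servers followed, within a short time, by a connection to an external address. The internal ranges, byte threshold and windows are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumptions for this example: RFC 1918 ranges are "internal", and the thresholds
# below are placeholders to be tuned against a baseline of normal SMB volume.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SMB_BYTES_THRESHOLD = 500 * 1024 * 1024     # 500 MiB of SMB traffic from one host
SMB_WINDOW = timedelta(minutes=10)          # window in which that volume must occur
FOLLOW_UP_WINDOW = timedelta(minutes=30)    # external connection must follow within this

def is_internal(addr: str) -> bool:
    return any(ip_address(addr) in net for net in INTERNAL_NETS)

def detect_smb_burst_then_external(flows):
    """flows: iterable of (ts, src, dst, dport, nbytes) records.
    Returns {src: (end_of_smb_burst, external_dst)} for hosts whose heavy internal SMB
    traffic is followed by a connection to an external IP."""
    by_src = defaultdict(list)
    for f in flows:
        by_src[f[1]].append(f)
    alerts = {}
    for src, fs in by_src.items():
        fs.sort(key=lambda f: f[0])
        smb = [f for f in fs if f[3] == 445 and is_internal(f[2])]
        external = [f for f in fs if not is_internal(f[2])]
        for i, start in enumerate(smb):  # slide the SMB window from each SMB flow
            window = [f for f in smb[i:] if f[0] - start[0] <= SMB_WINDOW]
            if sum(f[4] for f in window) < SMB_BYTES_THRESHOLD:
                continue
            end_ts = window[-1][0]
            for ext in external:
                if end_ts <= ext[0] <= end_ts + FOLLOW_UP_WINDOW:
                    alerts.setdefault(src, (end_ts, ext[2]))
                    break
    return alerts

def sample_flows():
    """Constructed flow records: 10.0.1.25 moves 600 MiB over SMB to three file servers
    in under six minutes and then connects out; 10.0.1.30 shows routine activity only."""
    t0 = datetime(2024, 1, 1, 2, 0, 0)
    flows = [(t0 + timedelta(seconds=30 * n), "10.0.1.25", f"10.0.2.{10 + n % 3}", 445, 50 * 1024 * 1024)
             for n in range(12)]
    flows.append((t0 + timedelta(minutes=8), "10.0.1.25", "203.0.113.7", 443, 4096))
    flows.append((t0, "10.0.1.30", "10.0.2.10", 445, 2 * 1024 * 1024))
    flows.append((t0 + timedelta(minutes=1), "10.0.1.30", "198.51.100.9", 443, 2048))
    return flows
```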
User Awareness Training Points
Educate users to recognize and report the specific social engineering tactics used by INC Ransom distributors.
Spotting Phishing Lures: Train users to be skeptical of unsolicited emails, especially those conveying urgency or fear regarding financial documents, legal notices, or missed deliveries. Emphasize that legitimate organizations will not ask them to enable macros or run executable files to view a document. Instruct them to verify the sender’s email address carefully, not just the display name.
Safe Handling of Attachments and Links: Drill the principle: “If you weren’t expecting it, don’t open it.” Teach users to hover over links to preview the actual URL before clicking. Reinforce that they must never enable editing or macros in an Office document received via email unless they have explicitly confirmed its legitimacy through a secondary channel (e.g., a phone call).
Reporting Procedures: Make the process for reporting suspicious emails simple and clear (e.g., a dedicated “Report Phish” button). Encourage a culture where reporting is praised, not criticized. Train users to immediately report any unusual system behavior, such as slow file access, renamed files, or ransom notes appearing on their screen or in directories.
For detailed information on how INC Ransom is distributed, refer to the Distribution Methods page. To obtain the latest technical indicators for blocking and detection, consult the Current IOCs page. A general overview of this threat is available on the INC Ransom Overview page.