INC Ransom Malware Removal Guide
Signs of Infection
INC Ransom infection manifests through distinct file-system, registry, process and network changes. On the file system, look for a ransom note, typically named HOW_TO_RECOVER_FILES.txt or README_INC.txt, dropped into many directories, especially network shares and user desktops. Note names and extensions vary between campaigns, so treat the examples here as starting points and take the real values from the note on your own host. Encrypted files keep their original name and gain an additional extension, often .inc or a unique identifier string chosen by the attackers. Check the writable temporary directories (%TEMP%, %APPDATA%, C:\Windows\Temp) for executables with random alphanumeric names. In the registry, examine HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run and HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run for unfamiliar entries that point at those executables.
Process behavior includes high CPU and disk activity from a randomly named process, often masquerading as a legitimate system process. You may observe vssadmin.exe or wbadmin.exe being invoked to delete Volume Shadow Copies and the backup catalog, which removes the easy recovery path. Network signs include outbound connections to IP addresses or domains associated with the ransomware's command-and-control (C2) infrastructure, often over HTTPS on non-standard ports. Internal scanning traffic (SMB on TCP 445, RDP on TCP 3389) from the infected host indicates lateral-movement attempts.
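The checks above can be run as one read-only triage sweep. The script below is an added example written for this guide, not tooling from the original page or from any vendor; the note names, the .inc extension and the drop-directory list are assumptions taken from the text above, and the random-name heuristic will flag some legitimate installers. Run it from an elevated PowerShell prompt on the suspect host.

```powershell
# Added example (not from the original guide): read-only triage sweep for the
# host-side indicators described above. Note names, extension and path patterns
# are assumptions taken from this guide; adjust them to what your incident shows.

$NoteNames = @('HOW_TO_RECOVER_FILES.txt', 'README_INC.txt')   # note names given in the guide
$Extension = '.inc'                                             # assumed encrypted-file extension
$DropDirs  = @($env:TEMP, $env:APPDATA, 'C:\Windows\Temp')
$RunKeys   = @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run')

function Get-RunKeyEntries {
    # Every Run entry, flagged when its command points into a drop directory
    # or at a short random-looking executable name.
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        (Get-ItemProperty -Path $key).PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS' } |
            ForEach-Object {
                $cmd    = [string]$_.Value
                $inDrop = ($DropDirs | Where-Object { $cmd -like "*$_*" }).Count -gt 0
                [pscustomobject]@{
                    Key        = $key
                    Name       = $_.Name
                    Command    = $cmd
                    Suspicious = $inDrop -or ($cmd -match '\\[a-z0-9]{6,12}\.exe')
                }
            }
    }
}

function Get-DroppedExecutables {
    # Recently modified executables/scripts in user-writable drop directories whose
    # base name is a bare run of 6-12 alphanumerics (heuristic; expect some noise).
    Get-ChildItem -Path $DropDirs -Include '*.exe', '*.dll', '*.bat', '*.vbs', '*.ps1' `
        -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object { $_.BaseName -match '^[a-z0-9]{6,12}$' -and $_.LastWriteTime -gt (Get-Date).AddDays(-7) } |
        Select-Object FullName, Length, LastWriteTime
}

function Get-RansomNotes {
    # Ransom notes on drive roots and user desktops (shallow search; raise -Depth
    # or add network share paths as needed).
    $roots  = @((Get-PSDrive -PSProvider FileSystem | Where-Object Root -match '^[A-Z]:\\$').Root)
    $roots += Get-ChildItem 'C:\Users' -Directory -ErrorAction SilentlyContinue |
              ForEach-Object { Join-Path $_.FullName 'Desktop' }
    foreach ($r in $roots) {
        Get-ChildItem -Path $r -Include $NoteNames -Depth 1 -Force -File -ErrorAction SilentlyContinue
    }
}

function Get-EncryptedFileCount {
    # Files carrying the ransom extension grouped by top-level folder; run it twice
    # a minute apart, and a rising count means encryption is still in progress.
    Get-ChildItem -Path 'C:\' -Filter "*$Extension" -Recurse -Force -File -ErrorAction SilentlyContinue |
        Group-Object { $_.FullName.Split('\')[1] } | Sort-Object Count -Descending |
        Select-Object Name, Count
}

function Get-ShadowDeletionEvents {
    # Security 4688 process-creation events whose command line removes shadow copies
    # or the backup catalog. Requires 'Audit Process Creation' plus 'Include command
    # line in process creation events'; without them CommandLine is empty.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddDays(-7) } `
        -ErrorAction SilentlyContinue |
        ForEach-Object {
            $data = ([xml]$_.ToXml()).Event.EventData.Data
            $cmd  = ($data | Where-Object Name -eq 'CommandLine').'#text'
            if ($cmd -match 'vssadmin.*delete\s+shadows|wbadmin.*delete\s+catalog|wmic.*shadowcopy\s+delete') {
                [pscustomobject]@{
                    Time        = $_.TimeCreated
                    Process     = ($data | Where-Object Name -eq 'NewProcessName').'#text'
                    CommandLine = $cmd
                }
            }
        }
}

function Get-LateralConnections {
    # Outbound SMB/RDP connections from this host; many distinct internal targets
    # from a workstation is the scanning pattern described above.
    Get-NetTCPConnection -RemotePort 445, 3389 -ErrorAction SilentlyContinue |
        Where-Object { $_.State -in 'Established', 'SynSent' } |
        Group-Object RemoteAddress |
        Select-Object @{ n = 'RemoteAddress'; e = { $_.Name } }, Count
}

'== Run key entries (Suspicious = True needs a look) =='; Get-RunKeyEntries | Format-Table -AutoSize
'== Random-named files in drop directories ==';          Get-DroppedExecutables | Format-Table -AutoSize
'== Ransom notes ==';                                     Get-RansomNotes | Select-Object FullName, LastWriteTime | Format-Table -AutoSize
"== Files with $Extension by top-level folder ==";       Get-EncryptedFileCount | Format-Table -AutoSize
'== Shadow copy deletion (Security 4688) ==';             Get-ShadowDeletionEvents | Format-Table -AutoSize
'== Outbound SMB/RDP connections ==';                     Get-LateralConnections | Format-Table -AutoSize
```

Nothing in the sweep modifies the host, so it is safe to run before the containment steps below; the 4688 check returns nothing on hosts where process-creation auditing was never enabled, which is itself worth fixing during hardening.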
Immediate Containment Steps
Within the first 15 minutes of detection, take these steps to prevent spread and data loss. First, immediately disconnect the infected host from the network: disable both wired and wireless adapters, or isolate it logically by adjusting firewall rules or network access control lists to block all traffic to and from its IP address except what your EDR and incident-response tooling need. If the host is a critical server and business continuity allows, power it down, but only after volatile memory has been captured; powering off destroys the in-memory evidence that the forensic collection described below depends on, so prefer logical isolation where you can. Identify and terminate the malicious process using your EDR console or Task Manager; look for processes with high file-system I/O and random names. Force-terminate its child processes as well, such as cmd.exe or powershell.exe instances whose parent is the suspicious executable.
Prioritize credential rotation for any accounts that were active on the infected host, especially local administrator and domain administrator accounts. Change passwords for associated service accounts and clear cached domain logon credentials where policy allows. If the host is domain-joined, reset its computer account password, and if domain administrator credentials may have been used or cached on it, reset the krbtgt account password (twice, allowing replication between the resets) so that any stolen or forged ticket-granting tickets stop working. Notify your security team to begin forensic data collection from memory and disk before proceeding with removal.
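The containment sequence above, scripted for a single Windows host, as an added example for this guide rather than a procedure from the original page or any vendor. The payload path C:\Users\Public\f7s83hd.exe, the management subnet 10.10.0.0/24 and the C:\IR evidence folder are assumptions; take the real path from your EDR console and allow only the subnet your IR tooling actually uses. It runs from an elevated local prompt.

```powershell
# Added example (not from the original guide): first-minutes containment of an
# infected Windows host. $MaliciousPath, $MgmtSubnet and $EvidenceDir are
# assumptions for illustration.

param(
    [string]$MaliciousPath = 'C:\Users\Public\f7s83hd.exe',   # assumed payload path
    [string]$MgmtSubnet    = '10.10.0.0/24',                   # assumed EDR / IR management subnet
    [string]$EvidenceDir   = 'C:\IR'                           # assumed local evidence folder
)
New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'

# 1. Record volatile state before anything is killed or cut off. A full memory
#    image needs a dedicated imaging tool (not shown); this at least preserves the
#    process tree, connections and sessions as they were at detection time.
Get-CimInstance Win32_Process |
    Select-Object ProcessId, ParentProcessId, Name, ExecutablePath, CommandLine |
    Export-Csv "$EvidenceDir\processes-$stamp.csv" -NoTypeInformation
Get-NetTCPConnection | Export-Csv "$EvidenceDir\netconns-$stamp.csv" -NoTypeInformation
query.exe user 2>$null | Out-File "$EvidenceDir\sessions-$stamp.txt"

# 2. Logical isolation: default-deny both directions, disable every existing rule
#    (names saved for rollback) and re-allow only the management subnet so EDR and
#    remote forensics keep working. Disabling the adapters
#    (Get-NetAdapter | Disable-NetAdapter -Confirm:$false) is the blunter fallback.
Get-NetFirewallRule -Enabled True | Select-Object -ExpandProperty Name |
    Set-Content "$EvidenceDir\fw-rules-enabled-$stamp.txt"
Set-NetFirewallProfile -All -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Block
Get-NetFirewallRule -Enabled True | Disable-NetFirewallRule
foreach ($dir in 'Inbound', 'Outbound') {
    New-NetFirewallRule -DisplayName "IR-Isolation-Allow-Mgmt-$dir" -Direction $dir `
        -RemoteAddress $MgmtSubnet -Action Allow -Profile Any | Out-Null
}

# 3. Kill the payload and everything it spawned (cmd.exe, powershell.exe, ...),
#    children first so a surviving parent cannot respawn them.
function Stop-ProcessTree {
    param([int]$ProcessId)
    Get-CimInstance Win32_Process -Filter "ParentProcessId = $ProcessId" |
        ForEach-Object { Stop-ProcessTree -ProcessId $_.ProcessId }
    Stop-Process -Id $ProcessId -Force -ErrorAction SilentlyContinue
}
$malicious = Get-CimInstance Win32_Process | Where-Object { $_.ExecutablePath -ieq $MaliciousPath }
foreach ($p in $malicious) {
    "Killing PID $($p.ProcessId): $($p.CommandLine)" | Tee-Object -FilePath "$EvidenceDir\actions-$stamp.log" -Append
    Stop-ProcessTree -ProcessId $p.ProcessId
}

# 4. Rotate the built-in local Administrator (RID 500) credential now. Service
#    accounts, domain admins and krbtgt are reset from an admin workstation against
#    a domain controller, and Reset-ComputerMachinePassword is run on this host once
#    it can reach a DC again; none of that should wait for the removal steps.
$newPw = Read-Host -Prompt 'New local Administrator password' -AsSecureString
Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' } | Set-LocalUser -Password $newPw
```

The isolation step is deliberately reversible: the saved rule names let you re-enable the original policy once the host is cleared, and the management carve-out is what keeps your EDR console able to see the process list while the host is otherwise cut off.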
Manual Removal Process
Warning: Manual removal is complex and does not restore encrypted files. Ensure you have isolated the host, that forensic evidence has been collected, and that you have backups.
1. Terminate Malicious Processes:
   - Open Task Manager (Details tab) or a process management tool.
   - Sort by CPU or Disk I/O. Look for processes with random names (e.g., f7s83hd.exe, svchostx.exe).
   - Right-click and select "End Process Tree". Note the full file path of the executable.
2. Delete Persistence Mechanisms:
   - Open the Windows Registry Editor (regedit.exe).
   - Navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run and HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run.
   - Look for entries with random names or pointing to the file path noted in Step 1. Export the key (File > Export) for the incident record, then right-click and delete these entries.
   - Check scheduled tasks: open Task Scheduler and review recent tasks for entries with random names or triggers set to run at system startup or user logon. Delete any suspicious tasks.
3. Remove Dropped Files:
   - Navigate to the file path of the malicious executable (commonly in %TEMP%, %APPDATA%, or C:\Windows\Temp).
   - Before deleting anything, copy the executable and one ransom note to a quarantine location for the forensic team: the binary's hash and the note contents feed the IOC list, and a deleted sample cannot be analysed.
   - Delete the executable and any associated batch (.bat) or script files (.vbs, .ps1).
   - Search for and delete the remaining copies of the ransom note (HOW_TO_RECOVER_FILES.txt, README_INC.txt) from user desktops and drive roots.
4. Clean Registry Entries (Advanced):
   - In Registry Editor, search (Ctrl+F) for the name of the malicious executable or the unique extension used for encrypted files.
   - Carefully delete any keys or values found that are clearly related to the malware. Avoid modifying system-critical keys.
   - A common location for file association hijacking is HKEY_CLASSES_ROOT\<malware_extension>. If present, and the extension is not one legitimately registered on the host, delete the entire key.
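The four removal steps, scripted so that nothing is deleted before a copy is preserved. This is an added example written for this guide, not a tool from the original page or from any vendor. The payload path, the .inc extension, the note names and the C:\IR\quarantine folder are assumptions; fill them in from your own triage. Run it after the process tree has been terminated, otherwise the file moves fail on the locked executable.

```powershell
# Added example (not from the original guide): scripted form of the manual removal
# steps. $MaliciousPath, $Extension, $NoteNames and $Quarantine are assumptions.
# Registry keys and tasks are exported, and files are moved rather than deleted,
# so forensic evidence survives the cleanup.

$MaliciousPath = 'C:\Users\Public\f7s83hd.exe'                   # assumed, from Step 1
$Extension     = '.inc'                                           # assumed ransom extension
$NoteNames     = @('HOW_TO_RECOVER_FILES.txt', 'README_INC.txt')  # note names from the guide
$Quarantine    = 'C:\IR\quarantine'                               # assumed evidence folder
New-Item -ItemType Directory -Path $Quarantine -Force | Out-Null
$exeName = [IO.Path]::GetFileName($MaliciousPath)

# Step 2a: Run keys. Export each key first (reg.exe wants HKCU\..., not HKCU:\...),
# then remove only the values whose command references the payload.
$RunKeys = @{
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run'
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run' = 'HKLM\Software\Microsoft\Windows\CurrentVersion\Run'
}
foreach ($key in $RunKeys.Keys) {
    if (-not (Test-Path $key)) { continue }
    $backup = Join-Path $Quarantine (($RunKeys[$key] -replace '[\\:]', '_') + '.reg')
    reg.exe export $RunKeys[$key] $backup /y | Out-Null
    (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -notmatch '^PS' -and ([string]$_.Value) -like "*$exeName*" } |
        ForEach-Object {
            Write-Host "Removing Run entry $($_.Name) -> $($_.Value)"
            Remove-ItemProperty -Path $key -Name $_.Name
        }
}

# Step 2b: scheduled tasks whose action runs the payload. Export the task XML,
# then unregister it.
Get-ScheduledTask | Where-Object {
    $_.Actions | Where-Object { ("$($_.Execute) $($_.Arguments)") -like "*$exeName*" }
} | ForEach-Object {
    Export-ScheduledTask -TaskName $_.TaskName -TaskPath $_.TaskPath |
        Set-Content (Join-Path $Quarantine "task-$($_.TaskName).xml")
    Write-Host "Removing scheduled task $($_.TaskPath)$($_.TaskName)"
    Unregister-ScheduledTask -TaskName $_.TaskName -TaskPath $_.TaskPath -Confirm:$false
}

# Step 3: quarantine the payload and sibling scripts from the same drop directory,
# recording SHA-256 hashes for the IOC list.
$dropDir = Split-Path $MaliciousPath -Parent
Get-ChildItem -Path $dropDir -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.FullName -ieq $MaliciousPath -or $_.Extension -in '.bat', '.vbs', '.ps1' } |
    ForEach-Object {
        $hash = (Get-FileHash -Algorithm SHA256 -Path $_.FullName).Hash
        Add-Content (Join-Path $Quarantine 'hashes.txt') "$hash  $($_.FullName)"
        Move-Item -Path $_.FullName -Destination (Join-Path $Quarantine ($_.Name + '.quarantined')) -Force
    }

# Ransom notes: keep the first copy found and delete the rest from drive root and profiles.
$kept = $false
Get-ChildItem -Path 'C:\', 'C:\Users' -Include $NoteNames -Depth 3 -Force -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        if (-not $kept) { Copy-Item -Path $_.FullName -Destination $Quarantine; $kept = $true }
        Remove-Item -Path $_.FullName -Force
    }

# Step 4: file-association hijack for the ransom extension. Inspect the key's
# default value before removing it if the extension could be a legitimate one.
$assoc = "Registry::HKEY_CLASSES_ROOT\$Extension"
if (Test-Path $assoc) {
    reg.exe export "HKCR\$Extension" (Join-Path $Quarantine "hkcr-$($Extension.TrimStart('.')).reg") /y | Out-Null
    Write-Host "Removing $assoc (default value: $((Get-ItemProperty $assoc).'(default)'))"
    Remove-Item -Path $assoc -Recurse -Force
}
```

The exports written to the quarantine folder are also your rollback: a `reg.exe import` of the saved .reg file or `Register-ScheduledTask -Xml` of the saved task XML restores anything removed by mistake.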
Verifying Removal
After completing the manual steps, reboot the host and verify that the cleanup held. Use a reputable anti-malware scanner to perform a full system scan covering memory, boot sectors, and registry hives. Monitor the host's process list and network connections for 24-48 hours using your EDR solution or network monitoring tool, looking for the re-emergence of the malicious process or outbound connections to known INC Ransom C2 IPs and domains.
Check the Windows event logs for related activity. In Event Viewer, review the Security log for unusual logon events (Event ID 4624 for successful logons, paying particular attention to network type 3 and RDP type 10 logons from unexpected sources, and Event ID 4625 for failures) and the System log for newly installed services (Event ID 7045, which records a service installation rather than an error; any service you did not install yourself is re-persistence). The Application log may contain crash or error entries from the ransomware process. Verify that no new files with the .inc extension (or whatever extension was used on this host) are being created. Ensure the Volume Shadow Copy service can start and that a new shadow copy can be created.
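The verification checks above as one script, added here as an example for this guide and not taken from the original page or any vendor. The cleanup timestamp, the .inc extension and the quarantined file name are assumptions; set them to when you finished removal and to the values from your own host. Run it from an elevated prompt after the reboot.

```powershell
# Added example (not from the original guide): post-reboot verification.
# $CleanupTime, $Extension and $ExeName are assumptions for illustration.

$CleanupTime = (Get-Date).AddHours(-2)   # assumed: when removal finished
$Extension   = '.inc'                    # assumed ransom extension
$ExeName     = 'f7s83hd.exe'             # assumed name of the quarantined payload

function ConvertFrom-EventData {
    # Flatten an event record's EventData into a Name -> value hashtable so the
    # fields can be addressed by name instead of by positional index.
    param($Record)
    $h = @{}
    foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    $h
}

function Get-SuspiciousLogons {
    # 4624 network (type 3) and RDP (type 10) logons plus every 4625 failure since
    # cleanup, excluding machine accounts (names ending in '$').
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625; StartTime = $CleanupTime } `
        -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ConvertFrom-EventData $_
            if ($d.TargetUserName -notlike '*$' -and ($_.Id -eq 4625 -or $d.LogonType -in '3', '10')) {
                [pscustomobject]@{ Time = $_.TimeCreated; Id = $_.Id; User = $d.TargetUserName
                                   LogonType = $d.LogonType; Source = $d.IpAddress }
            }
        }
}

function Get-NewServices {
    # 7045: a service was installed. Anything here that you did not install yourself
    # is the malware re-establishing persistence.
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $CleanupTime } `
        -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ConvertFrom-EventData $_
            [pscustomobject]@{ Time = $_.TimeCreated; Service = $d.ServiceName
                               ImagePath = $d.ImagePath; Account = $d.AccountName }
        }
}

function Get-NewEncryptedFiles {
    # Any file with the ransom extension created after cleanup means encryption resumed.
    Get-ChildItem -Path 'C:\' -Filter "*$Extension" -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -gt $CleanupTime } |
        Select-Object FullName, CreationTime
}

function Test-PayloadGone {
    # True when no running process is backed by an image with the payload's file name.
    -not (Get-Process | Where-Object { $_.Path -and (Split-Path $_.Path -Leaf) -ieq $ExeName })
}

function Test-ShadowCopy {
    # Creating a shadow starts the VSS service on demand; ReturnValue 0 means the
    # service and the provider both work again.
    $r = Invoke-CimMethod -ClassName Win32_ShadowCopy -MethodName Create `
         -Arguments @{ Volume = 'C:\'; Context = 'ClientAccessible' }
    [pscustomobject]@{
        VssService   = (Get-Service -Name VSS).Status
        CreateResult = $r.ReturnValue
        ShadowId     = $r.ShadowID
        ShadowCount  = @(Get-CimInstance Win32_ShadowCopy).Count
    }
}

'== Logons since cleanup ==';          Get-SuspiciousLogons | Format-Table -AutoSize
'== Services installed since cleanup =='; Get-NewServices | Format-Table -AutoSize
"== New $Extension files ==";          Get-NewEncryptedFiles | Format-Table -AutoSize
"Payload process gone: $(Test-PayloadGone)"
'== Shadow copy test ==';              Test-ShadowCopy | Format-List
# On hosts running Microsoft Defender, a full scan can be started from here too:
# Start-MpScan -ScanType FullScan
```

Repeat the run a few times over the 24-48 hour watch window; an empty logon and service list and a stable shadow count are what "clean" looks like from the host's own logs, while the EDR and network views above cover what the host cannot see about itself.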
Post-Removal Security Hardening
To prevent reinfection, address the initial attack vector. INC Ransom often spreads via phishing, RDP brute-forcing, or exploitation of unpatched vulnerabilities. Implement an application allow-listing policy that blocks execution from user-writable directories such as %TEMP% and %APPDATA%. Harden RDP access by enforcing Network Level Authentication (NLA), restricting which networks may reach it, and implementing an account lockout policy; changing the default port reduces scanner noise but is not a control on its own. Ensure all systems are patched, prioritizing vulnerabilities in commonly exploited software such as web browsers, Office suites, and VPN clients.
Update your email filtering rules to block attachments with double extensions (e.g., .pdf.exe) and block macros in Office documents that came from the internet. Configure your EDR solution to alert on processes that delete Volume Shadow Copies (vssadmin delete shadows) or the backup catalog (wbadmin delete catalog), or that disable Windows recovery features. Create and test a robust, offline backup strategy following the 3-2-1 rule (3 copies, 2 media types, 1 offsite). Segment your network to limit lateral movement, in particular restricting SMB and RDP traffic between workstations and from workstations to servers. Finally, conduct user awareness training focused on identifying phishing attempts and reporting suspicious activity.
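The RDP, lockout, segmentation and macro settings above, applied to a single host from an elevated prompt. This is an added example for this guide, not configuration from the original page or any vendor; the admin subnet 10.10.0.0/24 is an assumption for the networks allowed to reach RDP and SMB. In a domain these settings belong in Group Policy, and the application allow-listing policy (AppLocker or WDAC) is deployed the same way and is not shown here.

```powershell
# Added example (not from the original guide): host-level hardening for the
# settings discussed above. $AdminSubnet is an assumption for illustration.

$AdminSubnet = '10.10.0.0/24'   # assumed management subnet allowed to reach RDP/SMB

# 1. RDP: require Network Level Authentication and the TLS security layer.
$rdp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
Set-ItemProperty -Path $rdp -Name 'UserAuthentication' -Value 1 -Type DWord   # 1 = NLA required
Set-ItemProperty -Path $rdp -Name 'SecurityLayer'      -Value 2 -Type DWord   # 2 = TLS

# 2. Account lockout: 5 failures, 15-minute lockout, 15-minute reset window.
net.exe accounts /lockoutthreshold:5 /lockoutduration:15 /lockoutwindow:15 | Out-Null

# 3. Segmentation on the host firewall. Windows evaluates block rules before allow
#    rules, so "allow only from the admin subnet" is done by disabling the broad
#    built-in allow groups and adding narrow allow rules; the default inbound action
#    of Block drops everything else.
Set-NetFirewallProfile -All -Enabled True -DefaultInboundAction Block
Disable-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue
Disable-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -ErrorAction SilentlyContinue
New-NetFirewallRule -DisplayName 'Hardening-RDP-from-AdminSubnet' -Direction Inbound -Protocol TCP `
    -LocalPort 3389 -RemoteAddress $AdminSubnet -Action Allow -Profile Any | Out-Null
New-NetFirewallRule -DisplayName 'Hardening-SMB-from-AdminSubnet' -Direction Inbound -Protocol TCP `
    -LocalPort 445 -RemoteAddress $AdminSubnet -Action Allow -Profile Any | Out-Null

# 4. Office macros: block macro execution in documents carrying Mark-of-the-Web
#    (Office 2016 and later use the 16.0 policy hive; set per user or via GPO).
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $k = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    New-Item -Path $k -Force | Out-Null
    Set-ItemProperty -Path $k -Name 'blockcontentexecutionfrominternet' -Value 1 -Type DWord
}

function Test-Hardening {
    # Re-read the settings just applied so the result can be checked or reported.
    $cur = Get-ItemProperty -Path $rdp
    [pscustomobject]@{
        NlaRequired   = $cur.UserAuthentication -eq 1
        SecurityLayer = $cur.SecurityLayer
        RdpAllowedFrom = (Get-NetFirewallRule -DisplayName 'Hardening-RDP-from-AdminSubnet' |
                          Get-NetFirewallAddressFilter).RemoteAddress
        SmbAllowedFrom = (Get-NetFirewallRule -DisplayName 'Hardening-SMB-from-AdminSubnet' |
                          Get-NetFirewallAddressFilter).RemoteAddress
        Lockout       = (net.exe accounts | Select-String 'Lockout threshold').Line.Trim()
    }
}
Test-Hardening
```

On a workstation that never needs to serve SMB, leave the 'File and Printer Sharing' group disabled and omit the SMB allow rule altogether; that is the single change that most limits the SMB-based lateral movement described in the signs-of-infection section.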
For the latest indicators of compromise, refer to the Current INC Ransom IOCs. To understand detection efficacy, review the Detection Rate. For more background on this threat, see the INC Ransom Overview.