Cybersecurity Snapshots - INC Ransom Group

By aekwall 

According to security researchers at WithSecure, almost half (29) of the 60 ransomware groups tracked by them in 2023 began operations this year. The researchers found that although more established groups (8Base, Alphv/BlackCat, Clop, LockBit, and Play) accounted for over half of data leaks in the first nine months of 2023, the new wave of ransomware variants is having an impact on the market. The researchers claimed that the groups that began operating in 2023 accounted for 25% of data leaks in the period. One of the new ransomware gangs, the INC Ransom group, emerged on the scene in early August 2023.

According to security researchers at SentinelOne, the group has been exploiting weaknesses in the Remote Desktop Protocol (RDP) and utilizing purchased valid account credentials, typically acquired through Initial Access Brokers (IABs). The researchers had seen INC Ransom exploiting CVE-2023-3519, a critical-severity NetScaler ADC and NetScaler Gateway vulnerability that came to light in July when it was exploited as a zero-day by both financially motivated and state-sponsored threat actors. The researchers noted that INC Ransom's modus operandi includes leveraging living-off-the-land binaries (LOLBINs) such as WMIC.EXE and MSTC.EXE, among others, aiming to bypass detection technologies embedded in targeted environments. The victims, once infected, are ushered into a negotiation process via a TOR-based portal, with a stringent 72-hour window to comply with the payment demands before their data gets published.

Since the group's inception, the ransomware gang has claimed to have hacked into the systems of a dozen organizations, including WellLife Network, Decatur Independent School District, Guardian Alarm, EFU Life Assurance, Global Export Marketing, and recently Yamaha Motor.

Since this ransomware group is so new, security researchers are still learning about it. Organizations must keep up to date with new ransomware gangs being formed to know how to best protect themselves from them. INC Ransom is expected to claim many more victims in the future. 

To see previous articles, please visit the Cybersecurity Snapshots Archive

Submitted by Gregory Rigby on