G1032 INC Ransom
INC Ransom is a ransomware and data extortion threat group associated with the deployment of INC Ransomware that has been active since at least July 2023. INC Ransom has targeted organizations worldwide, most commonly in the industrial, healthcare, and education sectors in the US and Europe.[4][2][1][3]
| Item | Value |
|---|---|
| ID | G1032 |
| Associated Names | GOLD IONIC |
| Version | 1.0 |
| Created | 06 June 2024 |
| Last Modified | 28 October 2024 |
Associated Group Descriptions
| Name | Description |
|---|---|
| GOLD IONIC | [1] |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1087 | Account Discovery | - |
| enterprise | T1087.002 | Domain Account | INC Ransom has scanned for domain admin accounts in compromised environments.[5] |
| enterprise | T1071 | Application Layer Protocol | INC Ransom has used valid accounts over RDP to connect to targeted systems.[6] |
| enterprise | T1560 | Archive Collected Data | - |
| enterprise | T1560.001 | Archive via Utility | INC Ransom has used 7-Zip and WinRAR to archive collected data prior to exfiltration.[6][1][5][7] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.003 | Windows Command Shell | INC Ransom has used cmd.exe to launch malicious payloads.[6] |
| enterprise | T1486 | Data Encrypted for Impact | INC Ransom has used INC Ransomware to encrypt victims' data.[3][6][4][1][2][5] |
| enterprise | T1074 | Data Staged | INC Ransom has staged data on compromised hosts prior to exfiltration.[6][5] |
| enterprise | T1190 | Exploit Public-Facing Application | INC Ransom has exploited known vulnerabilities, including CVE-2023-3519 in Citrix NetScaler, for initial access.[5][3] |
| enterprise | T1657 | Financial Theft | INC Ransom has stolen and encrypted victims' data in order to extort payment for keeping it private or decrypting it.[2][4][1][5][3] |
| enterprise | T1562 | Impair Defenses | - |
| enterprise | T1562.001 | Disable or Modify Tools | INC Ransom can use SystemSettingsAdminFlows.exe, a native Windows utility, to disable Windows Defender.[7] |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.004 | File Deletion | INC Ransom has uninstalled tools from compromised endpoints after use.[7] |
| enterprise | T1105 | Ingress Tool Transfer | INC Ransom has downloaded tools to compromised servers, including Advanced IP Scanner.[6][7] |
| enterprise | T1570 | Lateral Tool Transfer | INC Ransom has used a rapid succession of copy commands to install a file encryption executable across multiple endpoints within compromised infrastructure.[6][1] |
| enterprise | T1036 | Masquerading | - |
| enterprise | T1036.005 | Match Legitimate Resource Name or Location | INC Ransom has named a PsExec executable winupd to mimic a legitimate Windows update file.[6][5] |
| enterprise | T1046 | Network Service Discovery | INC Ransom has used NETSCAN.EXE for internal reconnaissance.[5][3] |
| enterprise | T1135 | Network Share Discovery | INC Ransom has used Internet Explorer to view folders on other systems.[6] |
| enterprise | T1588 | Obtain Capabilities | - |
| enterprise | T1588.002 | Tool | INC Ransom has acquired and used several tools, including MegaSync, AnyDesk, esentutl and PsExec.[2][6][5][7][3] |
| enterprise | T1069 | Permission Groups Discovery | - |
| enterprise | T1069.002 | Domain Groups | INC Ransom has enumerated domain groups on targeted hosts.[6] |
| enterprise | T1566 | Phishing | INC Ransom has used phishing to gain initial access.[5][3] |
| enterprise | T1219 | Remote Access Tools | INC Ransom has used AnyDesk and PuTTY on compromised systems.[6][5][7][3] |
| enterprise | T1021 | Remote Services | - |
| enterprise | T1021.001 | Remote Desktop Protocol | INC Ransom has used RDP to move laterally.[2][6][5][7] |
| enterprise | T1049 | System Network Connections Discovery | INC Ransom has used RDP to test network connections.[5] |
| enterprise | T1569 | System Services | - |
| enterprise | T1569.002 | Service Execution | INC Ransom has run a file encryption executable via the Service Control Manager; the resulting Event ID 7045 record shows the service as winupd, image path %SystemRoot%\winupd.exe, user mode service, demand start, running as LocalSystem.[6] |
| enterprise | T1537 | Transfer Data to Cloud Account | INC Ransom has used MegaSync to exfiltrate data to the cloud.[1] |
| enterprise | T1078 | Valid Accounts | INC Ransom has used compromised valid accounts for access to victim environments.[2][6][5][7] |
| enterprise | T1047 | Windows Management Instrumentation | INC Ransom has used WMIC to deploy ransomware.[2][6][5] |
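As an added defender-side example (not part of the ATT&CK page or any vendor report it cites), the following Python parses constructed service-install records in the Event ID 7045 field order quoted under T1569.002 and surfaces the pattern the table describes: a masqueraded service name (T1036.005), an image dropped directly under %SystemRoot%, and the same service appearing on many hosts in one dataset (T1570). The record shape, host names, sample events and the SUSPECT_NAMES watchlist are assumptions.

```python
import re
from collections import defaultdict

# Constructed records (hosts and all values are made up) in the
# "<host> Service Control Manager/7045;name,path,type,start,account" shape quoted on the page.
SAMPLE_EVENTS = [
    "hostA Service Control Manager/7045;winupd,%SystemRoot%\\winupd.exe,user mode service,demand start,LocalSystem",
    "hostB Service Control Manager/7045;winupd,%SystemRoot%\\winupd.exe,user mode service,demand start,LocalSystem",
    "hostC Service Control Manager/7045;winupd,%SystemRoot%\\winupd.exe,user mode service,demand start,LocalSystem",
    "hostA Service Control Manager/7045;Spooler,%SystemRoot%\\System32\\spoolsv.exe,user mode service,auto start,LocalSystem",
    "hostD Service Control Manager/7045;WSearch,%SystemRoot%\\system32\\SearchIndexer.exe /Embedding,user mode service,auto start,LocalSystem",
]
EVENT_RE = re.compile(
    r"^(?P<host>\S+) Service Control Manager/7045;"
    r"(?P<name>[^,]+),(?P<path>[^,]+),(?P<stype>[^,]+),(?P<start>[^,]+),(?P<account>[^,]+)$"
)
# The masqueraded name from the page plus PsExec's default service name (assumed watchlist).
SUSPECT_NAMES = {"winupd", "psexesvc"}

def parse_7045(line):
    """Return the record's fields as a dict, or None if the line is not a 7045 record."""
    m = EVENT_RE.match(line)
    return m.groupdict() if m else None

def score_install(ev):
    """Return the reasons one 7045 record deserves review (empty list = nothing notable)."""
    reasons = []
    if ev["name"].lower() in SUSPECT_NAMES:
        reasons.append("service name on the masquerade/PsExec watchlist")
    # winupd.exe sat directly under %SystemRoot%, not System32: an update-like name in an
    # unusual location is the T1036.005 pattern the page describes.
    if re.fullmatch(r"%systemroot%\\[^\\]+\.exe", ev["path"].lower()):
        reasons.append("image dropped directly under %SystemRoot%")
    if ev["start"].lower() == "demand start" and ev["account"].lower() == "localsystem":
        reasons.append("demand-start LocalSystem user service (one-shot remote execution shape)")
    return reasons

def review_queue(lines, min_reasons=2):
    """(host, name, reasons) for records that trip at least min_reasons heuristics."""
    hits = [(ev["host"], ev["name"], score_install(ev)) for ev in map(parse_7045, lines) if ev]
    return [h for h in hits if len(h[2]) >= min_reasons]

def fleet_wide_installs(lines, min_hosts=3):
    """Group records by (name, path) and return those installed on >= min_hosts distinct
    hosts: the footprint of one encryptor copied across endpoints (T1570, then T1569.002)."""
    hosts = defaultdict(set)
    for ev in filter(None, map(parse_7045, lines)):
        hosts[(ev["name"], ev["path"])].add(ev["host"])
    return {key: sorted(seen) for key, seen in hosts.items() if len(seen) >= min_hosts}
```

Run `review_queue(SAMPLE_EVENTS)` and `fleet_wide_installs(SAMPLE_EVENTS)` against exported System log records in this shape; the thresholds are starting points to tune against your own baseline of legitimate service installs.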
Software
References
1. Counter Threat Unit Research Team. (2024, April 15). GOLD IONIC DEPLOYS INC RANSOMWARE. Retrieved June 5, 2024.
2. Cybereason Security Research Team. (2023, November 20). Threat Alert: INC Ransomware. Retrieved June 5, 2024.
3. SentinelOne. (n.d.). What Is Inc. Ransomware? Retrieved June 5, 2024.
4. Toulas, B. (2024, March 27). INC Ransom threatens to leak 3TB of NHS Scotland stolen data. Retrieved June 5, 2024.
5. SOCRadar. (2024, January 24). Dark Web Profile: INC Ransom. Retrieved June 5, 2024.
6. Team Huntress. (2023, August 11). Investigating New INC Ransom Group Activity. Retrieved June 5, 2024.
7. Carvey, H. (2024, May 1). LOLBin to INC Ransomware. Retrieved June 5, 2024.