S1139 INC Ransomware
INC Ransomware is a ransomware strain that has been used by the INC Ransom group since at least 2023 against multiple industry sectors worldwide. INC Ransomware can employ partial encryption combined with multi-threading to speed encryption.[2][3][1]
| Item | Value |
|---|---|
| ID | S1139 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 06 June 2024 |
| Last Modified | 28 October 2024 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1486 | Data Encrypted for Impact | INC Ransomware can encrypt data on victim systems, including through the use of partial encryption and multi-threading to speed encryption.[2][3][4][5][2] |
| enterprise | T1491 | Defacement | - |
| enterprise | T1491.001 | Internal Defacement | INC Ransomware has the ability to change the background wallpaper image to display the ransom note.[4][1] |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | INC Ransomware can run CryptStringToBinaryA to decrypt base64 content containing its ransom note.[4] |
| enterprise | T1652 | Device Driver Discovery | INC Ransomware can verify the presence of specific drivers on compromised hosts including Microsoft Print to PDF and Microsoft XPS Document Writer.[4] |
| enterprise | T1083 | File and Directory Discovery | INC Ransomware can receive command line arguments to encrypt specific files and directories.[4][2] |
| enterprise | T1490 | Inhibit System Recovery | INC Ransomware can delete volume shadow copy backups from victim machines.[4] |
| enterprise | T1570 | Lateral Tool Transfer | INC Ransomware can push its encryption executable to multiple endpoints within compromised infrastructure.[3] |
| enterprise | T1680 | Local Storage Discovery | INC Ransomware can discover and mount hidden drives to encrypt them.[4] |
| enterprise | T1106 | Native API | INC Ransomware can use the API DeviceIoControl to resize the allocated space for and cause the deletion of volume shadow copy snapshots.[4] |
| enterprise | T1135 | Network Share Discovery | INC Ransomware has the ability to check for shared network drives to encrypt.[4] |
| enterprise | T1120 | Peripheral Device Discovery | INC Ransomware can identify external USB and hard drives for encryption and printers to print ransom notes.[4] |
| enterprise | T1566 | Phishing | INC Ransomware campaigns have used spearphishing emails for initial access.[2] |
| enterprise | T1057 | Process Discovery | INC Ransomware can use the Microsoft Win32 Restart Manager to kill processes with a specific handle or that are accessing resources it wants to encrypt.[4] |
| enterprise | T1489 | Service Stop | INC Ransomware can issue a command to kill a process on compromised hosts.[4] |
| enterprise | T1047 | Windows Management Instrumentation | INC Ransomware has the ability to use wmic.exe to spread to multiple endpoints within a compromised environment.[3][1] |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G1032 | INC Ransom | [4][1] |
References
1. Counter Threat Unit Research Team. (2024, April 15). GOLD IONIC DEPLOYS INC RANSOMWARE. Retrieved June 5, 2024.
2. SentinelOne. (n.d.). What Is Inc. Ransomware? Retrieved June 5, 2024.
3. Team Huntress. (2023, August 11). Investigating New INC Ransom Group Activity. Retrieved June 5, 2024.
4. Cybereason Security Research Team. (2023, November 20). Threat Alert: INC Ransomware. Retrieved June 5, 2024.
5. SOCRadar. (2024, January 24). Dark Web Profile: INC Ransom. Retrieved June 5, 2024.