INC. Ransom represents a new breed of ransomware operations that go beyond mere data encryption for financial gain. Its calculated methodology, broad target scope, and innovative approach to extortion reveal a level of sophistication that organizations must contend with in the ever-evolving landscape of cyber threats.
SalvageData experts recommend proactive data security measures, such as regular backups, strong cybersecurity practices, and keeping software up to date, to protect against malware attacks. And, in case of a cyber attack, contact our malware recovery experts immediately.
What is INC. Ransom
INC. Ransom is a formidable adversary for cybersecurity services and IT teams alike. Emerging in July 2023 as a ruthless ransomware extortion operation, it took a calculated approach from the start, positioning itself as a service for victims rather than just a malicious entity.
The modus operandi of INC. ransomware reflects a sophisticated and adaptable methodology. While the ransom payment is a central component, the operators cleverly intertwine the notion of reputation protection for victims. The threat actors indicate that paying the ransom will secure the victim’s reputation by preventing the exposure of their methods.
The threat group exhibits a lack of discrimination in its choice of targets, with victims spanning various industries, including healthcare, education, and government entities.
The encryption methodology employed by INC. Ransom is meticulous and strategic. The ransomware supports various command-line arguments, allowing threat actors flexibility in targeting specific files, directories, or even network shares.
Everything we know about INC. Ransom
Confirmed Name
- INC virus
INC. Ransom decryptor
- There is no public decryption key for INC. Ransom at the time of publication of this article.
Threat Type
- Ransomware
- Crypto virus
- Files locker
- Data leak
Encryption file extension
- .INC
Ransom note file name
- INC-README.txt
- INC-README.html
- desktop wallpaper
Detection names
- Avast Win32:RansomX-gen [Ransom]
- Emsisoft Gen:Heur.Ransom.Imps.1 (B)
- Kaspersky Trojan-Ransom.Win32.Inc.a
- Malwarebytes Ransom.IncRansom
- Microsoft Ransom:Win32/IncRansom.YAA!MTB
- Sophos Troj/Ransom-GYR
Distribution methods
- Phishing emails
- Malicious Ads (Malvertising)
- Exploit kits
- Remote Desktop Protocol (RDP)
INC. Ransom methods of infection and execution
The INC. Ransom cyber threat group is a new ransomware group that differs in methodology and techniques from most ransomware. Here are the steps it takes from initial access to encryption and communication with victims.
1. Initial Access
INC. Ransom employs diverse methods for gaining initial access to its victims. Among these, spear-phishing emails serve as a common vector, exploiting human vulnerabilities to trick individuals into clicking malicious links or downloading infected attachments.
Additionally, observed instances include the exploitation of vulnerabilities, such as the utilization of CVE-2023-3519 in Citrix NetScaler, showcasing a technical approach to initial access.
2. Internal Reconnaissance and Lateral Movement
Once inside the victim’s environment, INC. Ransom initiates a meticulous process of internal reconnaissance and lateral movement.
The threat actors use a diverse toolkit to navigate the victim’s network and identify valuable targets for encryption.
The tools observed include:
NETSCAN.EXE
This is a multi-protocol network scanner and profiler. It allows network administrators and security professionals to scan and analyze network devices, services, and open ports.
NETSCAN.EXE performs tasks such as port scanning, service detection, and network profiling. Furthermore, it can be used for both local (within the same network) and remote (across different networks) scanning.
MEGAsyncSetup64.EXE
MEGAsyncSetup64.EXE is the desktop application associated with MEGA, a cloud storage and file-sharing service.
Users can install MEGAsyncSetup64.EXE on their computers to automatically sync files and folders between their local storage and MEGA. It provides seamless access to files across devices and ensures data consistency.
ESENTUTL.EXE
ESENTUTL.EXE is a Microsoft utility primarily used for database management and recovery. It allows administrators to perform tasks like database repair, compaction, and integrity checks. It’s essential for maintaining the health and reliability of ESE databases.
AnyDesk.exe
AnyDesk.exe is a remote management and remote desktop application. It enables users to access and control a remote computer from another device, regardless of the physical location.
3. Payload Deployment and Encryption
Payloads are malicious components or software that execute specific actions, such as unauthorized access, data encryption, or system manipulation, on the victim’s computer or network.
INC. Ransom’s payloads support various command-line arguments, offering a flexible approach to targeting specific files and directories. These arguments include:
- --file: Targets a specific file for encryption.
- --dir: Targets an entire directory for encryption.
- --sup: Stops a specified process.
- --ens: Encrypts network shares.
- --lhd: Encrypts local hidden drives, rendering them non-bootable.
- --debug: Outputs console-style debug logging.
In cases where command-line arguments are not specified, the payload systematically attempts to encrypt the entire local device, including all available volumes and files.
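As an added example (not code from the original article or from any vendor), the Python triage function below scans constructed process-creation records for the INC. Ransom switches documented above and weights the network-share and hidden-drive switches higher; the record layout, the sample image paths and the alert threshold are assumptions.

```python
import re
from typing import Dict, List

# Command-line switches documented for the INC. Ransom payload (listed in the text above).
INC_SWITCHES = {"--file", "--dir", "--sup", "--ens", "--lhd", "--debug"}
# Switches that widen the blast radius (network shares, hidden drives) weigh double.
HIGH_IMPACT = {"--ens", "--lhd"}

# Constructed process-creation records in an assumed "Image=... CommandLine=..." layout;
# none of these paths or binaries are real telemetry.
SAMPLE_EVENTS = [
    "Image=C:\\Users\\j.doe\\AppData\\Local\\Temp\\svc.exe CommandLine=svc.exe --ens --lhd --debug",
    "Image=C:\\Windows\\System32\\esentutl.exe CommandLine=esentutl.exe /p data.edb",
    "Image=C:\\Program Files\\Backup\\backup.exe CommandLine=backup.exe --dir D:\\Data --verify",
    "Image=C:\\Users\\Public\\x.exe CommandLine=x.exe --sup sqlservr.exe --dir D:\\Data",
]

LINE_RE = re.compile(r"Image=(?P<image>.+?) CommandLine=(?P<cmd>.+)$")


def score_command_line(cmd: str) -> Dict:
    """Return the INC switches present in a command line and a weighted score."""
    tokens = set(cmd.split())  # a whitespace split is enough to isolate the switch tokens
    hits = sorted(tokens & INC_SWITCHES)
    score = sum(2 if h in HIGH_IMPACT else 1 for h in hits)
    return {"hits": hits, "score": score}


def triage(events: List[str], threshold: int = 2) -> List[Dict]:
    """Flag records whose command line reaches the threshold; a lone --dir is not enough."""
    findings = []
    for line in events:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip records that do not fit the assumed layout
        result = score_command_line(m.group("cmd"))
        if result["score"] >= threshold:
            findings.append({"image": m.group("image"), **result})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f['image']}: score {f['score']} via {', '.join(f['hits'])}")
```

A single --dir or --file is common in legitimate tools, so the threshold only fires when two documented switches appear together or when a high-impact switch is present.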
4. Volume Shadow Copy Deletion
To further solidify its grip on the victim’s data, INC. Ransom attempts to delete Volume Shadow Copies (VSS). While not consistently reproduced, this behavior is indicative of the ransomware’s attempt to eliminate potential avenues for data recovery, increasing the pressure on the victim to meet the ransom demands.
Volume Shadow Copy Service (VSS), also known as Volume Snapshot Service, is a crucial component in the Windows operating system that facilitates backup and restore operations without disrupting running applications.
5. Ransom Note Drop-Off
After encrypting files, INC. ransomware leaves a distinctive mark by dropping ransom notes in each encrypted folder. These notes, in both .TXT and .HTML formats (“INC-README.TXT” and “INC-README.HTML”), contain instructions for the victim.
Notably, the ransomware attempts to amplify its impact by outputting the HTML-formatted note to any connected and accessible printers or fax machines. This physical manifestation adds an extra layer of coercion and ensures that the victim is made acutely aware of the ransom demand.
Do not pay the ransom! Contacting a ransomware recovery service can not only restore your files but also remove any potential threat.
INC. Ransom Indicators of Compromise (IOCs)
Indicators of Compromise (IOCs) are artifacts observed on a network or in an operating system that indicate a computer intrusion with high confidence. IOCs can be used for early detection of future attack attempts using intrusion detection systems and antivirus software.
They are essentially digital versions of evidence left at a crime scene, and potential IOCs include unusual network traffic, privileged user logins from foreign countries, strange DNS requests, system file changes, and more. When an IOC is detected, security teams evaluate possible threats or validate its authenticity. IOCs also provide evidence of what an attacker had access to if they did infiltrate the network.
INC. Ransom-specific IOCs
File Hash (Ransomware Binary):
- SHA256: fcefe50ed02c8d315272a94f860451bfd3d86fa6ffac215e69dfa26a7a5deced
Ransom Note Filenames:
- INC-README.TXT
- INC-README.HTML
Printed Ransom Note Output:
- INC. ransomware can print ransom notes to connected and accessible printers or fax machines. Any unexpected or unauthorized print jobs should be investigated.
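As an added example (not part of the original article), the Python sweep below walks a directory tree and buckets files by the IOCs listed above: the two ransom note names, the .INC extension and the binary SHA256. The sample tree it builds is constructed and contains no malware, so the hash check is exercised but does not fire; the directory and file names inside it are assumptions.

```python
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, List

# IOCs taken from the list above; note names are compared case-insensitively.
INC_BINARY_SHA256 = "fcefe50ed02c8d315272a94f860451bfd3d86fa6ffac215e69dfa26a7a5deced"
RANSOM_NOTE_NAMES = {"inc-readme.txt", "inc-readme.html"}
ENCRYPTED_EXT = ".inc"


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(root: Path) -> Dict[str, List[str]]:
    """Walk root and bucket every file by the INC. Ransom IOC it matches."""
    findings = {"ransom_notes": [], "encrypted_files": [], "binary_hash_match": []}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            lower = name.lower()
            if lower in RANSOM_NOTE_NAMES:
                findings["ransom_notes"].append(str(p))
            elif lower.endswith(ENCRYPTED_EXT):
                findings["encrypted_files"].append(str(p))
            elif sha256_of(p) == INC_BINARY_SHA256:  # everything else is hashed against the IOC
                findings["binary_hash_match"].append(str(p))
    return findings


def build_sample_tree() -> Path:
    """Constructed sample tree: two notes, one renamed file, untouched files, no real malware."""
    root = Path(tempfile.mkdtemp(prefix="inc_ioc_"))
    (root / "finance").mkdir()
    (root / "finance" / "INC-README.txt").write_text("constructed note")
    (root / "finance" / "INC-README.HTML").write_text("<p>constructed note</p>")
    (root / "finance" / "q3.xlsx.INC").write_bytes(b"\x00" * 16)
    (root / "hr").mkdir()
    (root / "hr" / "payroll.docx").write_bytes(b"PK")
    (root / "tmp.exe").write_bytes(b"MZ benign placeholder")  # hash will not match the IOC
    return root


def run_demo() -> Dict[str, List[str]]:
    return sweep(build_sample_tree())
```

Point sweep() at a forensic copy of the volume rather than the live system, and cap the files handed to sha256_of by size on large volumes.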
INC. Ransom ransom note
The INC. Ransom ransom note serves as a crucial component in the ransomware’s extortion operation, conveying the threat actor’s demands and instructions to the victim.
The note implies that paying the ransom is not merely about retrieving encrypted data but is positioned as a method to “save their reputation.” Paradoxically, the attackers assert that by complying with the ransom demands, the victim’s environment would become “more secure” due to the revelation of their methods.
Victims are assigned a personal ID within the ransom notes, which they are instructed to use upon visiting the TOR-based payment portal for communication with the attackers.
How to handle an INC. Ransom attack
The first step to recovering from an INC. ransomware attack is to isolate the infected computer by disconnecting it from the internet and detaching any connected devices. Then you must contact local authorities; for US residents and businesses, that is the FBI and the Internet Crime Complaint Center (IC3).
To report a malware attack you must gather all the information you can about it, including:
- Screenshots of the ransom note
- Communications with threat actors (if you have them)
- A sample of an encrypted file
However, if you prefer to contact professionals, then it’s best to leave every infected machine the way it is and ask for an emergency ransomware removal service. These professionals are equipped to quickly mitigate the damage, gather evidence, potentially reverse the encryption, and restore the system.
Restarting or shutting down the system may compromise the recovery effort. Capturing the RAM of a live system may help recover the encryption key, and capturing a dropper file (the file that executes the malicious payload) allows it to be reverse-engineered, which may lead to decryption of the data or to an understanding of how it operates.
You must not delete the ransomware, and you must keep all evidence of the attack. That is important for digital forensics experts to trace the attack back to the hacker group and identify them. It is the data on your infected system that allows authorities to investigate the attack. A cyber attack investigation is no different from any other criminal investigation: it needs evidence to find the attackers.
1. Contact your Incident Response provider
A Cyber Incident Response is the process of responding to and managing a cybersecurity incident. An Incident Response Retainer is a service agreement with a cybersecurity provider that allows organizations to get external help with cybersecurity incidents. It provides organizations with a structured form of expertise and support through a security partner, enabling them to respond quickly and effectively during a cyber incident.
An incident response retainer offers peace of mind to organizations, offering expert support before and in the aftermath of a cybersecurity incident. An incident response retainer’s specific nature and structure will vary according to the provider and the organization’s requirements. A good incident response retainer should be robust but flexible, providing proven services to enhance an organization’s long-term security posture.
If you contact your IR service provider, they can take over immediately and guide you through every step in the ransomware recovery. However, if you decide to remove the malware yourself and recover the files with your IT team, then you can follow the next steps.
2. Use a backup to restore the data
The importance of backup for data recovery cannot be overstated, especially in the context of various potential risks and threats to data integrity.
Backups are a critical component of a comprehensive data protection strategy. They provide a means to recover from a variety of threats, ensuring the continuity of operations and preserving valuable information. In the face of ransomware attacks, where malicious software encrypts your data and demands payment for its release, having a backup allows you to restore your information without succumbing to the attacker’s demands.
Make sure to regularly test and update your backup procedures to enhance their effectiveness in safeguarding against potential data loss scenarios. There are several ways to make a backup, so you must choose the right backup medium and have at least one copy of your data stored offsite and offline.
3. Contact a malware recovery service
If you don’t have a backup or need help removing the malware and eliminating vulnerabilities, contact a data recovery service. Paying the ransom does not guarantee your data will be returned to you. The only guaranteed way to restore every file is if you have a backup. If you don’t, ransomware data recovery services can help you decrypt and recover the files.
SalvageData experts can safely restore your files and prevent INC. Ransom from attacking your network again; contact our recovery experts 24/7.
Prevent the INC. Ransom attack
Preventing malware is the best solution for data security: it is easier and cheaper than recovering from an attack. INC. Ransomware can cost your business its future and even close its doors.
These are a few tips to ensure you can avoid malware attacks:
- Keep your operating system and software up-to-date with the latest security patches and updates. This can help prevent vulnerabilities that can be exploited by attackers.
- Use strong and unique passwords for all accounts and enable two-factor authentication whenever possible. This can help prevent attackers from gaining access to your accounts.
- Be cautious of suspicious emails, links, and attachments. Do not open emails or click on links or attachments from unknown or suspicious sources.
- Use reputable antivirus and anti-malware software and keep it up-to-date. This can help detect and remove malware before it can cause damage.
- Use a firewall to block unauthorized access to your network and systems.
- Segment your network into smaller sub-networks with limited interconnectivity between them. This restricts attacker lateral movement and prevents unauthorized users from accessing the organization’s intellectual property and data.
- Limit user privileges to prevent attackers from gaining access to sensitive data and systems.
- Educate employees and staff on how to recognize and avoid phishing emails and other social engineering attacks.