INC Ransom
Associated Group Descriptions
| Name | Description |
|---|---|
| GOLD IONIC | (Citation: Secureworks GOLD IONIC April 2024) |
Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1087.002 | Account Discovery: Domain Account | INC Ransom has scanned for domain admin accounts in compromised environments.(Citation: SOCRadar INC Ransom January 2024) |
| Enterprise | T1560.001 | Archive Collected Data: Archive via Utility | INC Ransom has used 7-Zip and WinRAR to archive collected data prior to exfiltration.(Citation: Huntress INC Ransom Group August 2023)(Citation: Secureworks GOLD IONIC April 2024)(Citation: SOCRadar INC Ransom January 2024)(Citation: Huntress INC Ransomware May 2024) |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | INC Ransom has used `cmd.exe` to launch malicious payloads.(Citation: Huntress INC Ransom Group August 2023) |
| Enterprise | T1562.001 | Impair Defenses: Disable or Modify Tools | INC Ransom can use SystemSettingsAdminFlows.exe, a native Windows utility, to disable Windows Defender.(Citation: Huntress INC Ransomware May 2024) |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | INC Ransom has uninstalled tools from compromised endpoints after use.(Citation: Huntress INC Ransomware May 2024) |
| Enterprise | T1036.005 | Masquerading: Match Legitimate Resource Name or Location | INC Ransom has named a PsExec executable winupd to mimic a legitimate Windows update file.(Citation: Huntress INC Ransom Group August 2023)(Citation: SOCRadar INC Ransom January 2024) |
| Enterprise | T1588.002 | Obtain Capabilities: Tool | INC Ransom has acquired and used several tools including MegaSync, AnyDesk, esentutl and PsExec.(Citation: Cybereason INC Ransomware November 2023)(Citation: Huntress INC Ransom Group August 2023)(Citation: SOCRadar INC Ransom January 2024)(Citation: Huntress INC Ransomware May 2024)(Citation: SentinelOne INC Ransomware) |
| Enterprise | T1069.002 | Permission Groups Discovery: Domain Groups | INC Ransom has enumerated domain groups on targeted hosts.(Citation: Huntress INC Ransom Group August 2023) |
| Enterprise | T1021.001 | Remote Services: Remote Desktop Protocol | INC Ransom has used RDP to move laterally.(Citation: Cybereason INC Ransomware November 2023)(Citation: Huntress INC Ransom Group August 2023)(Citation: SOCRadar INC Ransom January 2024)(Citation: Huntress INC Ransomware May 2024) |
| Enterprise | T1569.002 | System Services: Service Execution | INC Ransom has run a file encryption executable via `Service Control Manager/7045;winupd,%SystemRoot%\winupd.exe,user mode service,demand start,LocalSystem`.(Citation: Huntress INC Ransom Group August 2023) |
Software
| ID | Name | References | Techniques |
|---|---|---|---|
| S0039 | Net | (Citation: Huntress INC Ransomware May 2024) (Citation: Microsoft Net Utility) (Citation: Savill 1999) | Domain Account, Local Account, Domain Groups, System Service Discovery, Network Share Discovery, Additional Local or Domain Groups, SMB/Windows Admin Shares, Local Account, Domain Account, System Network Connections Discovery, Local Groups, Network Share Connection Removal, Password Policy Discovery, Remote System Discovery, Service Execution, System Time Discovery |
| S1040 | Rclone | (Citation: DFIR Conti Bazar Nov 2021) (Citation: DarkSide Ransomware Gang) (Citation: Detecting Rclone) (Citation: Huntress INC Ransomware May 2024) (Citation: Rclone Wars) (Citation: Rclone) | Archive via Utility, File and Directory Discovery, Exfiltration Over Asymmetric Encrypted Non-C2 Protocol, Exfiltration to Cloud Storage, Data Transfer Size Limits, Exfiltration Over Unencrypted Non-C2 Protocol |
| S0359 | Nltest | (Citation: Huntress INC Ransom Group August 2023) (Citation: Nltest Manual) | System Network Configuration Discovery, Domain Trust Discovery, Remote System Discovery |
| S0404 | esentutl | (Citation: Microsoft Esentutl) (Citation: SOCRadar INC Ransom January 2024) (Citation: SentinelOne INC Ransomware) | Direct Volume Access, Data from Local System, Lateral Tool Transfer, Ingress Tool Transfer, NTDS, NTFS File Attributes |
| S0183 | Tor | (Citation: Dingledine Tor The Second-Generation Onion Router) (Citation: SOCRadar INC Ransom January 2024) (Citation: Secureworks GOLD IONIC April 2024) (Citation: SentinelOne INC Ransomware) | Multi-hop Proxy, Asymmetric Cryptography |
| S1139 | INC Ransomware | (Citation: Cybereason INC Ransomware November 2023) (Citation: Huntress INC Ransom Group August 2023) (Citation: Secureworks GOLD IONIC April 2024) (Citation: SentinelOne INC Ransomware) | Windows Management Instrumentation, Service Stop, Device Driver Discovery, Network Share Discovery, Peripheral Device Discovery, System Information Discovery, Native API, Deobfuscate/Decode Files or Information, File and Directory Discovery, Internal Defacement, Process Discovery, Phishing, Data Encrypted for Impact, Lateral Tool Transfer, Inhibit System Recovery |
| S0552 | AdFind | (Citation: FireEye FIN6 Apr 2019) (Citation: FireEye Ryuk and Trickbot January 2019) (Citation: Red Canary Hospital Thwarted Ryuk October 2020) (Citation: Secureworks GOLD IONIC April 2024) | Domain Account, Domain Groups, System Network Configuration Discovery, Domain Trust Discovery, Remote System Discovery |
| S0029 | PsExec | (Citation: Cybereason INC Ransomware November 2023) (Citation: Huntress INC Ransom Group August 2023) (Citation: Russinovich Sysinternals) (Citation: SANS PsExec) (Citation: SOCRadar INC Ransom January 2024) (Citation: Secureworks GOLD IONIC April 2024) | Windows Service, SMB/Windows Admin Shares, Domain Account, Lateral Tool Transfer, Service Execution |
References
- Cybereason Security Research Team. (2023, November 20). Threat Alert: INC Ransomware. Retrieved June 5, 2024.
- Toulas, B. (2024, March 27). INC Ransom threatens to leak 3TB of NHS Scotland stolen data. Retrieved June 5, 2024.
- Team Huntress. (2023, August 11). Investigating New INC Ransom Group Activity. Retrieved June 5, 2024.
- Carvey, H. (2024, May 1). LOLBin to INC Ransomware. Retrieved June 5, 2024.
- SOCRadar. (2024, January 24). Dark Web Profile: INC Ransom. Retrieved June 5, 2024.
- Counter Threat Unit Research Team. (2024, April 15). GOLD IONIC DEPLOYS INC RANSOMWARE. Retrieved June 5, 2024.
- SentinelOne. (n.d.). What Is Inc. Ransomware?. Retrieved June 5, 2024.