INC Ransom
Associated Group Descriptions

Name | Description
---|---
GOLD IONIC | (Citation: Secureworks GOLD IONIC April 2024)
Techniques Used

Domain | ID | Name | Use
---|---|---|---
Enterprise | T1087.002 | Account Discovery: Domain Account | INC Ransom has scanned for domain admin accounts in compromised environments.(Citation: SOCRadar INC Ransom January 2024)
Enterprise | T1560.001 | Archive Collected Data: Archive via Utility | INC Ransom has used 7-Zip and WinRAR to archive collected data prior to exfiltration.(Citation: Huntress INC Ransom Group August 2023)(Citation: Secureworks GOLD IONIC April 2024)(Citation: SOCRadar INC Ransom January 2024)(Citation: Huntress INC Ransomware May 2024)
Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | INC Ransom has used `cmd.exe` to launch malicious payloads.(Citation: Huntress INC Ransom Group August 2023)
Enterprise | T1562.001 | Impair Defenses: Disable or Modify Tools | INC Ransom can use SystemSettingsAdminFlows.exe, a native Windows utility, to disable Windows Defender.(Citation: Huntress INC Ransomware May 2024)
Enterprise | T1070.004 | Indicator Removal: File Deletion | INC Ransom has uninstalled tools from compromised endpoints after use.(Citation: Huntress INC Ransomware May 2024)
Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | INC Ransom has named a PsExec executable `winupd` to mimic a legitimate Windows update file.(Citation: Huntress INC Ransom Group August 2023)(Citation: SOCRadar INC Ransom January 2024)
Enterprise | T1588.002 | Obtain Capabilities: Tool | INC Ransom has acquired and used several tools including MegaSync, AnyDesk, esentutl and PsExec.(Citation: Cybereason INC Ransomware November 2023)(Citation: Huntress INC Ransom Group August 2023)(Citation: SOCRadar INC Ransom January 2024)(Citation: Huntress INC Ransomware May 2024)(Citation: SentinelOne INC Ransomware)
Enterprise | T1069.002 | Permission Groups Discovery: Domain Groups | INC Ransom has enumerated domain groups on targeted hosts.(Citation: Huntress INC Ransom Group August 2023)
Enterprise | T1021.001 | Remote Services: Remote Desktop Protocol | INC Ransom has used RDP to move laterally.(Citation: Cybereason INC Ransomware November 2023)(Citation: Huntress INC Ransom Group August 2023)(Citation: SOCRadar INC Ransom January 2024)(Citation: Huntress INC Ransomware May 2024)
Enterprise | T1569.002 | System Services: Service Execution | INC Ransom has run a file encryption executable via a service installation recorded as `Service Control Manager/7045;winupd,%SystemRoot%\winupd.exe,user mode service,demand start,LocalSystem`.(Citation: Huntress INC Ransom Group August 2023)
Software

ID | Name | References | Techniques
---|---|---|---
S0039 | Net | (Citation: Huntress INC Ransomware May 2024) (Citation: Microsoft Net Utility) (Citation: Savill 1999) | Password Policy Discovery, Domain Groups, System Time Discovery, Domain Account, Local Account, System Service Discovery, Remote System Discovery, Network Share Discovery, System Network Connections Discovery, Network Share Connection Removal, Service Execution, Local Account, Additional Local or Domain Groups, Local Groups, SMB/Windows Admin Shares, Domain Account |
S1040 | Rclone | (Citation: DarkSide Ransomware Gang) (Citation: Detecting Rclone) (Citation: DFIR Conti Bazar Nov 2021) (Citation: Huntress INC Ransomware May 2024) (Citation: Rclone Wars) (Citation: Rclone) | Exfiltration to Cloud Storage, File and Directory Discovery, Data Transfer Size Limits, Archive via Utility, Exfiltration Over Asymmetric Encrypted Non-C2 Protocol, Exfiltration Over Unencrypted Non-C2 Protocol |
S0359 | Nltest | (Citation: Huntress INC Ransom Group August 2023) (Citation: Nltest Manual) | Domain Trust Discovery, Remote System Discovery, System Network Configuration Discovery |
S0404 | esentutl | (Citation: Microsoft Esentutl) (Citation: SentinelOne INC Ransomware) (Citation: SOCRadar INC Ransom January 2024) | Direct Volume Access, Lateral Tool Transfer, NTDS, NTFS File Attributes, Ingress Tool Transfer, Data from Local System |
S0183 | Tor | (Citation: Dingledine Tor The Second-Generation Onion Router) (Citation: Secureworks GOLD IONIC April 2024) (Citation: SentinelOne INC Ransomware) (Citation: SOCRadar INC Ransom January 2024) | Asymmetric Cryptography, Multi-hop Proxy |
S1139 | INC Ransomware | (Citation: Cybereason INC Ransomware November 2023) (Citation: Huntress INC Ransom Group August 2023) (Citation: Secureworks GOLD IONIC April 2024) (Citation: SentinelOne INC Ransomware) | Peripheral Device Discovery, Lateral Tool Transfer, Phishing, Native API, Device Driver Discovery, Inhibit System Recovery, Windows Management Instrumentation, System Information Discovery, Network Share Discovery, Data Encrypted for Impact, Deobfuscate/Decode Files or Information, File and Directory Discovery, Process Discovery, Service Stop, Internal Defacement |
S0552 | AdFind | (Citation: FireEye FIN6 Apr 2019) (Citation: FireEye Ryuk and Trickbot January 2019) (Citation: Red Canary Hospital Thwarted Ryuk October 2020) (Citation: Secureworks GOLD IONIC April 2024) | Domain Trust Discovery, Domain Groups, System Network Configuration Discovery, Remote System Discovery, Domain Account |
S0029 | PsExec | (Citation: Cybereason INC Ransomware November 2023) (Citation: Huntress INC Ransom Group August 2023) (Citation: Russinovich Sysinternals) (Citation: SANS PsExec) (Citation: Secureworks GOLD IONIC April 2024) (Citation: SOCRadar INC Ransom January 2024) | SMB/Windows Admin Shares, Windows Service, Lateral Tool Transfer, Service Execution, Domain Account |
References
- Counter Threat Unit Research Team. (2024, April 15). GOLD IONIC DEPLOYS INC RANSOMWARE. Retrieved June 5, 2024.
- SentinelOne. (n.d.). What Is Inc. Ransomware?. Retrieved June 5, 2024.
- SOCRadar. (2024, January 24). Dark Web Profile: INC Ransom. Retrieved June 5, 2024.
- Cybereason Security Research Team. (2023, November 20). Threat Alert: INC Ransomware. Retrieved June 5, 2024.
- Team Huntress. (2023, August 11). Investigating New INC Ransom Group Activity. Retrieved June 5, 2024.
- Toulas, B. (2024, March 27). INC Ransom threatens to leak 3TB of NHS Scotland stolen data. Retrieved June 5, 2024.
- Carvey, H. (2024, May 1). LOLBin to INC Ransomware. Retrieved June 5, 2024.