How the fledgling INC ransomware gang struck one victim

Share post:

The new INC ransomware group took no more than a week — and possibly less — to enter and encrypt an organization’s IT systems, according to researchers at Huntress.

Although it was able to see what happened on three infected servers of the unnamed organization, the researchers weren’t able to determine how the attackers got access — and specifically how the gang got employee credentials. But they were able to build an interesting picture for defenders to learn how this particular gang works.

On the first day, the attackers briefly logged into Server 1 with valid credentials. About four and a half hours later, valid account credentials were used to access the same system via Windows Remote Desktop Protocol (RDP). For about 30 minutes, the attackers gathered information about the system.

The second day saw only a brief login to Server 2. The next day, Server 2 was accessed again. But this time numerous 7-Zip archival commands were executed to collect and stage data for exfiltration. The attacker also used native tools such as Wordpad, Notepad, and Microsoft Paint to view the contents of documents and image/JPEG files.

On day four, the threat actor again accessed Server 2 via RDP and continued issuing collection and data staging commands, as it had the day before.

On the fifth day, the threat actor accessed Server 3 via RDP for only six minutes, with little activity observed in endpoint telemetry. Nothing happened on day six.

But on the seventh day, instead of resting, the threat actor struck. They accessed Server 3 via RDP, installed a free network scanner called Advanced IP Scanner and a free SSH and telnet client called PuTTY that can be used for file transfers. Approximately three hours after the initial logon to Server 3, the threat actor ran credential access commands on all three servers, all of which were indicative of the use of, a Python tool to remotely extract credentials on a set of hosts.

Approximately four hours after the initial logon to Server 3, the threat actor issued a number of copy commands in rapid succession, perhaps running a batch file or script, to push the file encryption executable to multiple endpoints within the IT infrastructure. These copy commands were followed in rapid succession by a similar series of commands through Windows’ wmic.exe and PSExec utilities (this last one was renamed) to launch the file encryption executable on each of those endpoints.

What can be learned from this? “There is often considerable activity that leads to deployment of the file encryption executable, such as initial access, credential access and privilege escalation, and enumeration and mapping of the infrastructure,” the researchers note. “Where data theft (staging and exfiltration) occurs, this can very often be seen well prior to the deployment of the file encryption executable.”

Click here to read the full report.

The post How the fledgling INC ransomware gang struck one victim first appeared on IT World Canada.
Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.

Featured Tech Jobs


Related articles

Cyber Security Today, April 24, 2024 – Good news/bad news in Mandiant report, UnitedHealth admits paying a ransomware gang, and more

This episode reports on the danger of using expired open-source packages, a tool used by a Russian hacking group and passw

Google Play introduces new biometric verification with a user warning

Google has recently announced updates to the biometric verification process for Google Play purchases, aiming to bolster security...

Cyber Security Today, Week in Review for week ending Friday April 19, 2024

On this episode Jen Ellis, co-chair of the Ransomware Task Force, talks about ways of fighting one of the biggest cyber threats to IT d

Cyber Security Today, April 19, 2024 – Police bust phishing rental platform, a nine-year old virus found on Ukrainian computers, and more

This episode reports on a threat actor targeting governments in the Middle East with a novel way of hiding malware is going international

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways