INC Ransomware

Further analysis revealed that Fox Tempest expanded its offerings earlier this year by providing customers with pre-configured virtual machines hosted through Cloudzy infrastructure. Users could upload malware to these systems and receive digitally signed binaries generated through certificates controlled by the group.

The attackers then moved laterally using Remote Desktop Protocol (RDP) and the Windows Management Instrumentation Provider Host to deploy INC ransomware across the victim's network.

the service enabled cybercriminals to disguise malware as trusted software, improving the likelihood that malicious files would bypass security controls and be executed by victims.

The content repeatedly describes malware and threat actors decoding, decrypting, or deobfuscating payloads, strings, configuration data, commands, and C2 traffic prior to execution or use, e.g., 'APT28 macro uses the command certutil -decode to decode contents of a .txt file storing the base64 encoded payload' and 'Action RAT can use Base64 to decode actor-controlled C2 server communications.'

Microsoft has announced the disruption of a large-scale malware-signing-as-a-service (MSaaS) operation that exploited its Azure Artifact Signing platform to generate fraudulent code-signing certificates... The group allegedly abused Microsoft's Artifact Signing service to create short-lived digital certificates that allowed malware to appear legitimate to both users and operating systems.

The content repeatedly describes malware and threat actors obtaining lists of running processes, using utilities such as tasklist, ps, WMI, Get-Process, CreateToolhelp32Snapshot, EnumProcesses, and similar APIs/commands to enumerate active processes on victim systems.

Multiple tools/actors are described using Active Directory/domain group enumeration, e.g., “AdFind can enumerate domain groups”, “net group "domain admins" /domain to enumerate domain groups”, “BloodHound can collect information about domain groups and members”, and “AD Explorer tool to enumerate groups on a victim's network.”

The content repeatedly describes malware and threat actors identifying, monitoring, or enumerating connected peripheral devices such as USB mass storage, Bluetooth devices, printers, smart card readers, cameras, Apple devices, VGA/display devices, and removable drives.

The attackers then moved laterally using Remote Desktop Protocol (RDP) and the Windows Management Instrumentation Provider Host to deploy INC ransomware across the victim's network.

Examples include 'Aquatic Panda used WMI for lateral movement in victim environments,' 'Deep Panda group is known to utilize WMI for lateral movement,' and 'Cinnamon Tempest has used Impacket for lateral movement via WMI.'

Dollar Tree appeared on the INC Ransomware’s dark web leak site earlier today. The group claims to have breached the company’s security and stolen 1.2TB of sensitive and personal data.

INC Ransomware and Tarnished Scorpius have listed Israeli entities on their leak sites, claiming "political" attacks where the goal is data destruction and reputational damage rather than financial profit.

INC Ransom is especially known for its double-extortion tactics, where they not only encrypt a victim’s data but also exfiltrate it, threatening to publish it online if the ransom isn’t paid.

Apostle retrieves a list of all running processes on a victim host, and stops all services containing the string "sql," likely to propagate ransomware activity to database files. LockBit 3.0 can identify and terminate specific services. RansomHub can stop processes associated with files currently in use to maximize the impact of encryption.

Akira will delete system volume shadow copies via PowerShell commands. Avaddon deletes backups and shadow copies using native system tools. Babuk has the ability to delete shadow volumes using vssadmin.exe delete shadows /all /quiet. BlackCat can delete shadow copies using vssadmin.exe delete shadows /all /quiet and wmic.exe Shadowcopy Delete; it can also modify the boot loader using bcdedit /set {default} recoveryenabled No.

INC Ransom is especially known for its double-extortion tactics, where they not only encrypt a victim’s data but also exfiltrate it, threatening to publish it online if the ransom isn’t paid.