Threat Actor Profile: INC Ransomware

INC Ransomware is an opportunistic cybercriminal group active since mid-2023. Known for its rapid proliferation and impact across various industries, INC Ransomware has demonstrated a potent combination of sophisticated attack vectors and relentless pursuit of high-value targets.

Tactics, Techniques, and Procedures (TTPs): INC Ransomware employs a mix of advanced TTPs that map to techniques in the MITRE ATT&CK framework:

Notable Breaches:

  • NHS Dumfries and Galloway: Three terabytes of sensitive data were stolen.
  • Xerox Business Solutions: Sensitive corporate data compromised.
  • Yamaha Motor Philippines: Employee and operational data leaked.
  • Other Targets: Including WellLife Network, Decatur Independent School District, Guardian Alarm, EFU Life Assurance, and Global Export Marketing, reflecting the group's indiscriminate targeting strategy (SecurityWeek, BleepingComputer).

INC Ransomware does not exhibit a specific geographical focus, targeting organizations worldwide that possess valuable data and are perceived as likely to pay ransoms. Industries targeted include healthcare, technology, education, and government entities, underscoring the group’s opportunistic approach.

Security Recommendations: Organizations are advised to:

  • Patch and update systems regularly, especially known vulnerabilities like CVE-2023-3519.
  • Implement robust email filtering and anti-phishing training to mitigate the risk of spear-phishing.
  • Employ multi-factor authentication and least privilege policies to reduce the impact of credential compromise.
  • Regularly back up data and ensure backups are stored securely offline.