Unlocking Awareness: Safeguard Your Digital Keys Against INC Ransomware Threats

News · Malware · Ransomware · Breach | Mjolnir Security, May 2, 2024


INC Ransomware is a sophisticated cybercriminal group targeting organizations through complex cyberattacks. Here’s an explanation of their typical attack sequence and tactics designed for a non-technical audience in a business context:

  1. Initial Access: INC Ransomware begins its attacks by gaining initial access to an organization’s network. This can be achieved through spear-phishing—sending deceptive emails that trick employees into revealing their credentials or clicking on malicious links. Alternatively, they exploit known vulnerabilities in software that has not been updated or patched.
  2. Reconnaissance: Once inside the network, the group uses various software tools to perform internal reconnaissance. They scan the network to understand its layout and identify critical systems and data. This step is crucial as it helps them to map out their plan for moving laterally within the network.
  3. Lateral Movement: Using the information gathered, they move laterally across the network. This means they access and control other systems within the network to increase their reach and elevate their privileges. During this phase, they might use legitimate administrative tools to avoid detection, making their movements look normal to any security systems in place.
  4. Data Collection and Staging: As they access more systems, they begin to collect sensitive data. They use tools to aggregate this data and prepare it for extraction. This step is akin to gathering all valuable items into one place before a theft.
  5. File Encryption and Ransomware Deployment: With the valuable data collected, INC Ransomware then deploys their ransomware. This software encrypts the data, making it inaccessible to the organization. They typically demand a ransom to provide the decryption key needed to regain access to the encrypted data.
  6. Double Extortion: In addition to encrypting the data, INC Ransomware often threatens to release the stolen data publicly if its ransom demands are not met. This tactic adds a further layer of pressure on the organization, which now risks not only the loss of data but also reputational damage from its disclosure.

The sequence described utilizes various tactics, techniques, and procedures (TTPs) identified in the MITRE ATT&CK framework, which is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. These TTPs include:

  • Spear-Phishing (T1566): The use of targeted emails to trick users into providing access.
  • Exploitation of Public-Facing Applications (T1190): Attacking vulnerable applications that are accessible from the internet.
  • Command and Scripting Interpreter (T1059): Using scripts or commands to automate tasks on a system.
  • Valid Accounts (T1078): Using stolen credentials to gain access to systems.
  • Remote Services (T1021.001): Using remote services like Remote Desktop Protocol to move within a network.
  • Data Staged (T1074): Gathering collected data in preparation for theft.
  • Data Encrypted for Impact (T1486): Encrypting data to disrupt its availability to the victim.

Understanding these steps and TTPs helps organizations prepare better defenses against such attacks. It also underscores the importance of robust cybersecurity practices: regular software updates and patching, employee training on phishing, and the use of security monitoring tools that can detect the lateral movement and data staging described above.

Written by: Mjolnir Security
