Verticals Targeted: Government, Healthcare
Executive Summary
INC is a relatively new ransomware group that has been active since summer 2023. The group recently claimed responsibility for attacks on Leicester City Council and NHS services in Scotland.
Key Takeaways
- INC ransomware group has been active since summer 2023.
- INC recently claimed responsibility for attacks on Leicester City Council and NHS services in Scotland.
- While INC is a relatively new ransomware group, they are quickly gaining notoriety due to their sophisticated TTPs, elusive nature, and high-profile targets.
What is INC?
INC is a relatively new ransomware group that has been active since summer 2023. According to The Register, INC recently claimed responsibility for attacks on Leicester City Council and NHS services in Scotland.
Leicester City Council suffered a cyber incident in March, leading to a widespread system shutdown that lasted weeks instead of days. This affected online services for waste and recycling, schooling, birth registration, social housing, planning, parking, and library internet. On April 1, INC Ransom’s leak blog listed Leicester City Council as a victim, claiming the group had stolen 3 TB of data. INC promptly removed the post. The Register noted that the process of posting a victim to a leak site and quickly removing the post is known as “flashing” and is meant to get a response out of leadership teams that have gone silent during ransom negotiations.
INC also claimed responsibility for an attack on NHS Dumfries and Galloway, a regional NHS branch in Scotland. The threat actors reportedly stole 3 TB of data in this attack as well. A sample of the stolen data was dumped and included medical test results, along with patients’ names and addresses.
INC’s other recent victims reportedly include West Idaho Orthopedics, Norman Urology Associates, Xenwerx Initiatives LLC, Blueline Associates, Sisu Healthcare, Graypen LTD, Lodan Electronics, PSEC Church, Tech-Quip Inc, Florida Memorial University, and Otolaryngology Associates.
While INC is a relatively new ransomware group, it is quickly gaining notoriety due to its sophisticated TTPs, elusive nature, and high-profile targets. INC appears to choose its targets carefully rather than opportunistically. INC's targets have included entities in the US, UK, and Australia. Targeted verticals include government, healthcare, professional services, manufacturing, construction, and others.
INC's TTPs include spearphishing, exploitation of known vulnerabilities such as CVE-2023-3519 (the unauthenticated remote code execution flaw in Citrix NetScaler ADC and NetScaler Gateway disclosed in July 2023), use of commercial off-the-shelf (COTS) software, and use of living-off-the-land binaries (LOLBins). The group uses the double-extortion model, demanding payment both to decrypt files and to withhold stolen data from publication. The threat actors publish a small sample of the stolen data as proof of theft to pressure victims during negotiation.
IOCs
PolySwarm has multiple samples of INC.
fcefe50ed02c8d315272a94f860451bfd3d86fa6ffac215e69dfa26a7a5deced
ca9d2440850b730ba03b3a4f410760961d15eb87e55ec502908d2546cd6f598c
47873072a0ed065e2f240da3e8b10e7251b9596a82cf0375bfc17f60708b8f74
869d6ae8c0568e40086fd817766a503bfe130c805748e7880704985890aca947
11cfd8e84704194ff9c56780858e9bbb9e82ff1b958149d74c43969d06ea10bd
f655b44603b3caab99d068ff5d7101fb83ffc03ad4e987b2579d55971a82bded
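The hashes above are only useful if they are swept against endpoints. The script below is an added example (not PolySwarm's tooling or code from the report): it walks a directory tree, hashes every regular file in chunks, and reports files whose SHA-256 matches the INC list, normalizing case so a feed that exports uppercase digests still matches. The demo directory and file contents are constructed for illustration; the stand-in file's own hash is added to the IOC set so the match path is exercised without shipping a real sample.

```python
"""Offline SHA-256 IOC sweep for the INC sample hashes listed in the report.

Added example, not PolySwarm's tooling. The hash list is copied from the
report above; the directory layout and file contents in demo() are
constructed for illustration only.
"""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Iterable, List, Set, Tuple

# SHA-256 hashes of INC samples, as listed in the report above.
INC_SHA256 = {
    "fcefe50ed02c8d315272a94f860451bfd3d86fa6ffac215e69dfa26a7a5deced",
    "ca9d2440850b730ba03b3a4f410760961d15eb87e55ec502908d2546cd6f598c",
    "47873072a0ed065e2f240da3e8b10e7251b9596a82cf0375bfc17f60708b8f74",
    "869d6ae8c0568e40086fd817766a503bfe130c805748e7880704985890aca947",
    "11cfd8e84704194ff9c56780858e9bbb9e82ff1b958149d74c43969d06ea10bd",
    "f655b44603b3caab99d068ff5d7101fb83ffc03ad4e987b2579d55971a82bded",
}

CHUNK = 1 << 20  # hash in 1 MiB chunks so large binaries are not read into memory at once


def normalize_iocs(hashes: Iterable[str]) -> Set[str]:
    """Lower-case and strip each hash so feeds with mixed case or padding still match."""
    return {h.strip().lower() for h in hashes if h.strip()}


def sha256_of_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root: Path, iocs: Iterable[str]) -> Tuple[List[Tuple[str, str]], List[str]]:
    """Walk root and return (matches, errors).

    matches: (path, sha256) for every regular file whose digest is in iocs.
    errors: paths that could not be read (permissions, vanished files), so a
    sweep that silently skipped part of the disk is visible in the result.
    Symlinks are skipped to avoid hashing the same target twice.
    """
    wanted = normalize_iocs(iocs)
    matches: List[Tuple[str, str]] = []
    errors: List[str] = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            try:
                digest = sha256_of_file(p)
            except OSError:
                errors.append(str(p))
                continue
            if digest in wanted:
                matches.append((str(p), digest))
    return matches, errors


def demo() -> Tuple[List[Tuple[str, str]], List[str]]:
    """Constructed demo: a benign file plus a stand-in whose hash is added to the
    IOC set (in uppercase, on purpose), since no real INC sample ships with this."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "notes.txt").write_bytes(b"quarterly budget\n")
        sub = root / "ProgramData"
        sub.mkdir()
        stand_in = sub / "svchost.exe"  # constructed stand-in, not malware
        stand_in.write_bytes(b"CONSTRUCTED STAND-IN, NOT MALWARE\n")
        iocs = INC_SHA256 | {sha256_of_file(stand_in).upper()}
        matches, errors = scan_tree(root, iocs)
        return [(os.path.relpath(p, root), d) for p, d in matches], errors


if __name__ == "__main__":
    found, failed = demo()
    for path, digest in found:
        print(f"MATCH {path} {digest}")
    print(f"{len(found)} match(es), {len(failed)} unreadable file(s)")
```

To sweep a real host, call `scan_tree(Path("C:/"), INC_SHA256)` (or `/` on Linux) from an account that can read the paths of interest, and treat a non-empty `errors` list as incomplete coverage rather than a clean result. Hash matching only catches these exact builds; a repacked sample will not match, so pair it with the behavioral detections your EDR already has.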
You can use the following CLI command to search for all INC samples in our portal:
$ polyswarm link list -f INC
Don’t have a PolySwarm account? Go here to sign up for a free Community plan or subscribe.
Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports.