Key Takeaways
What is INC Ransomware?
According to Microsoft, Vice Society “receives hand-offs from Gootloader infections by the threat actor Storm-0494” then leverages other tools including Supper backdoor, AnyDesk, and the MEGA data synchronization tool. For lateral movement, the threat actors use RDP. To deploy the INC payload, they use the Windows Management Instrumentation (WMI) Provider Host.
INC ransomware was first observed in summer 2023. It has been used by multiple threat actor groups besides Vice Society. Earlier this year, it was used to target Leicester City Council and NHS services in Scotland, among other victims. INC has been used in both calculated, targeted attacks and broad scope targeting.
As is typical with ransomware, INC encrypts a victim’s data, including data on connected network shares. It uses multithreading and partial encryption to quickly and effectively encrypt data. Files with .msi, .exe, .dll, and .inc extensions are excluded from encryption. INC also deletes Volume Shadow Copies to hinder data recovery efforts.
Post encryption, INC leaves a ransom note on affected systems. In some cases, INC has attempted to print the ransom note through connected printers. It can also change the infected machine’s background to display the ransom note. Threat actors using INC often employ double extortion tactics, demanding a ransom to decrypt data and threatening to sell or leak stolen data if the ransom is not paid.
Who is Vice Society?
Vice Society, also known as Vanilla Tempest and DEV-0832, is a Russian speaking, financially motivated threat actor group. The group has been active since mid 2021. Rather than using proprietary ransomware, the group uses existing ransomware variants. They have been observed using Hello Kitty, Zeppelin, INC, Quantum Locker, Rhysida, and other ransomware families.
The group primarily targets entities in the healthcare, IT, manufacturing, and education verticals. They have also been observed using PowerShell scripts. Industry researchers have noted similarities between Rhysida and Vice Society and have speculated that Rhysida may be a rebrand or offshoot of Vice Society.
IOCs
PolySwarm has multiple samples of INC ransomware.
Ca9d2440850b730ba03b3a4f410760961d15eb87e55ec502908d2546cd6f598c
47873072a0ed065e2f240da3e8b10e7251b9596a82cf0375bfc17f60708b8f74
869d6ae8c0568e40086fd817766a503bfe130c805748e7880704985890aca947
11cfd8e84704194ff9c56780858e9bbb9e82ff1b958149d74c43969d06ea10bd
F655b44603b3caab99d068ff5d7101fb83ffc03ad4e987b2579d55971a82bded
Fcefe50ed02c8d315272a94f860451bfd3d86fa6ffac215e69dfa26a7a5deced
6de65a530321969e7a70bf7845383e0a79b7740198297910090b2e882f171a10
You can use the following CLI command to search for all INC samples in our portal:
$ polyswarm link list -f INC
Don’t have a PolySwarm account? Go here to sign up for a free Community plan or subscribe.
Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports.