INC Ransomware Decryptor | Comprehensive Guide & Decryption
INC ransomware has emerged as one of the most sophisticated and dangerous ransomware threats since its first appearance in mid-2023. As a relatively new cybercriminal group, INC Ransomware has quickly established itself as a significant player in the digital threat landscape. Operating under the Ransomware-as-a-Service (RaaS) model, INC ransomware operators provide their tools to affiliates who carry out attacks on various industries.
INC is particularly notorious for its multi-extortion tactics, which include encrypting files and exfiltrating sensitive data, followed by threats to publish or sell the stolen information unless a ransom is paid. This comprehensive guide will delve into the intricacies of INC ransomware, its operational methods, and the potential solutions available to victims.
INC Ransomware: A Threat Overview
INC Ransomware is known for its targeted attacks on large-scale organizations and corporations. Unlike more opportunistic ransomware operators, INC appears to carefully select its targets, often focusing on organizations with high financial stakes and sensitive data. This makes them a particularly dangerous actor in the cybercrime ecosystem.
Key Characteristics and Tactics
INC Ransomware primarily focuses on organizations in various industries, including healthcare, education, government, professional services, and manufacturing.
The group often engages in double extortion tactics, encrypting victim data and threatening to leak sensitive information publicly unless a ransom is paid. This creates significant pressure for victims, as the potential for data exposure can have severe reputational and financial consequences.
- Attackers may disguise the ransomware as a legitimate software update, tricking users into downloading and installing it.
- Users can unknowingly download INC by visiting compromised websites or clicking on malicious ads (malvertising).
- Weak or improperly secured RDP connections allow attackers to gain unauthorized access to computers, from where they can manually deploy the ransomware.
How Does INC Ransomware Spread?
INC ransomware is a highly sophisticated malware that utilizes a variety of tactics to infiltrate systems and networks. Here are the primary methods through which INC spreads:
- Highly targeted emails containing malicious attachments or links.
  - Often disguised as legitimate communications from trusted sources.
  - Tailored to specific individuals or organizations, increasing the likelihood of success.
- Targeting unpatched vulnerabilities in software.
  - Notable example: CVE-2023-3519 in Citrix NetScaler.
  - Continuous scanning for newly disclosed vulnerabilities in popular software.
- Rapid spread across connected devices within the same network.
  - Utilizes stolen credentials and security flaws.
  - Exploits weak network segmentation to move laterally.
- Targets exposed or vulnerable RDP ports.
  - Uses brute force attacks or stolen credentials.
  - Exploits weak or default passwords for remote access accounts.
- Employs legitimate system tools for reconnaissance and lateral movement.
  - Examples: NETSCAN.EXE for network scanning, MEGAsyncSetup64.EXE for data synchronization.
- Compromises trusted third-party software or services.
  - Infiltrates organizations through compromised updates or plugins.
Key Characteristics of INC Ransomware
Once INC successfully infiltrates a system, it spreads rapidly, encrypting files on all accessible drives and network shares. A typical intrusion follows these phases:
- Initial Access
  - Spear-phishing emails or exploitation of vulnerabilities
  - Establishment of a foothold in the target network
- Internal Reconnaissance
  - Use of legitimate system tools (LOLBins) for network scanning
  - Mapping of the network structure and identifying valuable targets
- Credential Access and Lateral Movement
  - Exploitation of Remote Desktop Protocol (RDP)
  - Use of tools like Advanced IP Scanner and lsassy.py for credential dumping
- Data Exfiltration and Staging
  - Collection and staging of critical data using tools like 7-Zip
  - Efficient transfer of large volumes of stolen data using MEGASync
- Payload Deployment and Encryption
  - Deployment of ransomware payload using automated scripts or batch files
  - Use of tools like PSExec (disguised as winupd) and wmic.exe
  - Encryption of files using sophisticated algorithms
- Ransom Demand and Threat of Data Leak
  - Placement of ransom notes in encrypted directories
  - Threats to publish stolen data on leak sites
Data Encryption and Exfiltration
After compromising a system, INC employs sophisticated encryption techniques to lock critical files, making them inaccessible to the victim. While the exact encryption algorithms used by INC are not specified, they are likely to be strong and difficult to decrypt without the decryption key held by the attackers.
The ransomware uses several unique command-line arguments to control the encryption process:
- --file: Target a specific file for encryption
- --dir: Target a directory for encryption
- --ens: Encrypt network shares
- --lhd: Encrypt hidden boot and recovery volumes, making the device non-bootable
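The switches above are the most concrete detail the page gives about the encryptor, so the following added example (not code from the page, from INC, or from any vendor tool) shows how a defender could triage process-creation logs for them. The log lines are constructed and shaped loosely after a Sysmon Event ID 1 export; the image name payload.exe and the user names are placeholders, since the page does not name INC's executable. --file and --dir are common to many legitimate programs, so they only score when they appear together; --ens and --lhd are unusual enough to score on their own.

```python
import json
import re

# Switches listed on the page. --ens (encrypt network shares) and --lhd
# (encrypt hidden boot/recovery volumes) are unusual enough to alert on alone;
# --file and --dir appear in many legitimate tools and only count together.
INC_SWITCHES = ("file", "dir", "ens", "lhd")
HIGH_CONFIDENCE = {"--ens", "--lhd"}

# A switch must be a whole whitespace-delimited token, so "--ensure" or
# "--lhdata" do not match.
SWITCH_RE = re.compile(r"(?<!\S)--(?:" + "|".join(INC_SWITCHES) + r")(?!\S)")


def inc_switches(cmdline):
    """Return the set of INC-style switches present in a command line."""
    return set(SWITCH_RE.findall(cmdline.lower()))


def classify(event):
    """Score one process-creation event; None means nothing to report."""
    found = inc_switches(event.get("CommandLine", ""))
    if found & HIGH_CONFIDENCE:
        severity = "high"
    elif len(found) >= 2:
        severity = "medium"  # generic switches only: review, do not auto-block
    else:
        return None
    return {
        "time": event.get("UtcTime"),
        "image": event.get("Image"),
        "user": event.get("User"),
        "switches": sorted(found),
        "severity": severity,
    }


def triage(log_lines):
    """Parse JSON log lines (one event per line) and return the findings."""
    findings = []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed export line: skip rather than abort triage
        finding = classify(event)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample events, shaped loosely after a Sysmon Event ID 1 export.
# "payload.exe" and the other image names are placeholders, not INC's real
# file name (the page does not give one).
SAMPLE_LOG = [
    json.dumps({"UtcTime": "2024-05-01 02:13:07", "Image": r"C:\Windows\Temp\payload.exe",
                "User": "CORP\\svc_backup",
                "CommandLine": r'payload.exe --ens --lhd --dir "D:\Finance"'}),
    json.dumps({"UtcTime": "2024-05-01 02:13:09", "Image": r"C:\Program Files\Git\bin\git.exe",
                "User": "CORP\\alice",
                "CommandLine": "git.exe commit --file msg.txt"}),
    json.dumps({"UtcTime": "2024-05-01 02:14:30", "Image": r"C:\Tools\backup.exe",
                "User": "CORP\\bob",
                "CommandLine": r"backup.exe --dir C:\Data --file list.txt"}),
    json.dumps({"UtcTime": "2024-05-01 02:15:00", "Image": r"C:\Tools\installer.exe",
                "User": "CORP\\alice",
                "CommandLine": "installer.exe --ensure-deps --lhdata out.bin"}),
    "not json at all",
]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']:6}] {f['time']} {f['user']} {f['image']} {f['switches']}")
```

Run against the constructed sample, the first event scores high (--ens and --lhd present), the backup.exe event scores medium because it only carries the generic --dir/--file pair, and the git and installer events produce nothing. The medium tier exists precisely because --file and --dir will hit legitimate software; tune the allow-list of known images to your environment before turning the medium tier into an alert.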
In addition to encrypting files, INC also exfiltrates sensitive data. This stolen data can include:
- Intellectual property
- Customer information
- Financial records
- Employee personal data
- Confidential business plans
The exfiltration of data serves two purposes: it provides additional leverage for ransom demands and allows the attackers to profit from selling the data even if the ransom is not paid.
Ransom Note and Communication
INC ransomware creates ransom notes named “INC-README.TXT” and “INC-README.HTML” in each folder containing encrypted items. These notes provide information about the attack and instructions for contacting the attackers.
Uniquely, INC also attempts to output the HTML-formatted note to any connected and accessible printers or fax machines. This tactic ensures that the ransom demand is widely visible within the compromised organization, potentially creating panic and increasing the likelihood of ransom payment.
INC’s Persistence Mechanisms
INC is engineered for persistence, ensuring that it remains active on infected systems for extended periods. Some of its persistence techniques include:
- Use of Legitimate System Tools (LOLBins)
- Leverages tools like NETSCAN.EXE and MEGAsyncSetup64.EXE
- These tools are often not flagged by conventional antivirus software
- Exploitation of Remote Desktop Protocol (RDP)
- Uses RDP for lateral movement and maintaining access
- Deployment of Automated Scripts
- Uses batch files and PowerShell scripts for payload execution
- Creation of Scheduled Tasks
- Establishes recurring tasks to ensure continuous operation
- Registry Modifications
- Makes changes to the Windows Registry to maintain persistence across reboots
INC’s Defense Evasion Tactics
To maximize its effectiveness, INC includes several features designed to evade detection:
- Leverages LOLBins that often go undetected by conventional antivirus software
- Uses various arguments for targeted encryption, making detection more difficult
- Hinders recovery efforts by removing potential restore points
- Employs code obfuscation to evade signature-based detection
- Implements checks to detect sandboxed environments or analysis attempts
INC Ransomware’s TOR Site and Leak Announcements
One of the standout features of INC Ransomware is its TOR-based leak site, where the group publishes details about compromised victims who fail to pay the ransom. This site provides a section dedicated to leak announcements, complete with proof of data breaches, such as sample files or screenshots from the victim’s environment.
The public exposure of stolen data, combined with the sensitive nature of the information, increases the pressure on victims to comply with ransom demands. This tactic has proven effective in compelling organizations to pay, even when they have backups of their data.
Geographic Distribution and Targeted Sectors
INC Ransomware’s operations have targeted a variety of industries, with a particular focus on:
- Professional Services
- Healthcare
- Manufacturing and Construction
- Government Agencies
- Education
In terms of geographic distribution, over 57% of their attacks have been directed at organizations in the United States, with the remainder spread across Europe and the rest of North America. The U.S. remains a prime target because of its high concentration of organizations holding valuable, sensitive data and financial resources.
How to Identify INC Ransomware
INC ransomware attacks typically leave behind clear signs that can help you identify the infection:
- Ransom Notes: Presence of “INC-README.TXT” and “INC-README.HTML” files in encrypted folders
- File Extensions: Encrypted files with the .INC extension
- Printed Ransom Notes: Attempted printing of ransom notes to connected printers or fax machines
- System Behavior: Sudden inability to access files or unusual system slowdowns
- Network Activity: Unexpected outbound network connections, potentially indicating data exfiltration
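The first two indicators above are file-system artifacts, so they can be checked mechanically across a host or share. The following added example (not code from the page or from any vendor tool) walks a directory tree for INC-README.TXT / INC-README.HTML and files ending in .INC, and reports which directories hold them. Only the two indicator patterns come from the page; the sample tree it builds in a temporary directory is constructed. A bare .INC file without a ransom note is reported separately rather than counted as confirmed, because a legitimate include file can carry that extension.

```python
import os
import shutil
import tempfile
from collections import defaultdict

# Indicators taken from the page: ransom-note file names and the extension
# appended to encrypted files. Matching is case-insensitive because the
# targets are Windows hosts and shares.
RANSOM_NOTES = {"inc-readme.txt", "inc-readme.html"}
ENCRYPTED_EXT = ".inc"


def scan_tree(root):
    """Walk root and count notes / .INC files per directory.

    Returns {dir_path: {"notes": n, "encrypted": m}} for directories with
    at least one hit.
    """
    hits = defaultdict(lambda: {"notes": 0, "encrypted": 0})
    for dirpath, _subdirs, filenames in os.walk(root):
        for name in filenames:
            lower = name.lower()
            if lower in RANSOM_NOTES:
                hits[dirpath]["notes"] += 1
            elif lower.endswith(ENCRYPTED_EXT):
                hits[dirpath]["encrypted"] += 1
    return dict(hits)


def summarize(hits, root):
    """Turn per-directory counts into a triage summary.

    A directory is confirmed when it holds a ransom note. A .INC file with
    no note alongside it could be a legitimate include file, so those
    directories are listed separately for manual review.
    """
    confirmed, unconfirmed = [], []
    note_total = enc_total = 0
    for path, c in hits.items():
        note_total += c["notes"]
        enc_total += c["encrypted"]
        rel = os.path.relpath(path, root)
        if c["notes"]:
            confirmed.append(rel)
        elif c["encrypted"]:
            unconfirmed.append(rel)
    return {
        "likely_inc": bool(confirmed),
        "note_count": note_total,
        "encrypted_count": enc_total,
        "affected_dirs": sorted(confirmed),
        "unconfirmed_dirs": sorted(unconfirmed),
    }


def scan_and_summarize(root):
    return summarize(scan_tree(root), root)


def build_sample_tree():
    """Constructed sample: a small tree imitating a share after encryption."""
    root = tempfile.mkdtemp(prefix="inc-ioc-demo-")
    layout = {
        "finance": ["INC-README.TXT", "INC-README.HTML",
                    "q3-report.xlsx.INC", "budget.docx.INC"],
        "hr": ["INC-README.TXT", "payroll.csv.INC"],
        "public": ["readme.txt", "logo.png"],  # untouched directory
        "src": ["config.inc"],                 # benign .inc file, no note
    }
    for sub, files in layout.items():
        d = os.path.join(root, sub)
        os.makedirs(d)
        for f in files:
            with open(os.path.join(d, f), "wb") as fh:
                fh.write(b"constructed sample content\n")
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    try:
        print(scan_and_summarize(root))
    finally:
        shutil.rmtree(root)
```

On the constructed tree the scan reports finance and hr as affected (three notes, four .INC files in total) and lists src as unconfirmed because its config.inc has no note next to it. Pointing scan_tree at a mounted share during an incident gives a quick map of which paths the encryptor reached, which is the first input an incident response team needs before restoring from backup.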
How the INC Decryptor Works
The INC Decryptor employs advanced decryption techniques and a connection to specialized online servers to bypass the encryption mechanisms used by the ransomware. Key features of the decryptor include:
- Server-Based Decryption:
- Requires an internet connection to access servers capable of calculating the decryption keys
- Leverages known weaknesses in INC’s encryption algorithms
- User-Friendly Interface:
- Allows users to easily initiate the decryption process without advanced technical knowledge
- Step-by-step guidance through the decryption process
- Safe and Effective:
- Specifically tailored for INC ransomware, ensuring safe and accurate decryption
- Minimizes the risk of further data corruption during the recovery process
- Availability:
- The decryptor is a paid tool, available for purchase by contacting the support team
- Offers a cost-effective alternative to paying the ransom
- Remote Support:
- Provides access to expert assistance via tools like Anydesk if issues arise during decryption
Steps to Decrypt Your Files Using the INC Decryptor
To decrypt files encrypted by INC, follow these steps:
- Purchase the Decryptor: Contact the team to purchase the INC Decryptor.
- Download and Run the Decryptor: Once purchased, download the software and run it as an administrator on the infected device.
- Ensure Internet Connectivity: The decryptor requires an active internet connection to communicate with its decryption servers.
- Enter Your ID: Input the unique ID provided in the ransom note.
- Start the Decryption: Click “Decrypt Files” to begin the process.
- Monitor Progress: The tool will display the decryption progress. This may take some time depending on the amount of encrypted data.
- Verify Decryption: Once complete, verify that your files are accessible and uncorrupted.
In case of any issues during decryption, remote support via Anydesk or similar tools is available to ensure successful recovery of your files.
Preventing INC Ransomware Attacks
Preventing an attack from INC or any other ransomware requires a multi-layered approach to security. Here are some essential steps:
- Patch Management:
- Keep all software up-to-date, especially vulnerable applications like Citrix NetScaler
- Implement a robust patch management system to automate updates
- Enhanced Email Security:
- Implement advanced systems to detect and block phishing attempts
- Conduct regular phishing awareness training for employees
- Endpoint Protection:
- Deploy next-generation endpoint protection systems using behavioral analysis and machine learning
- Ensure all devices, including mobile and remote workstations, are protected
- Network Segmentation:
- Isolate critical systems and networks to limit lateral movement
- Implement strict access controls between network segments
- Multi-Factor Authentication (MFA):
- Implement MFA for all user accounts, especially for remote access tools like RDP
- Use strong, unique passwords for all accounts
- Regular Backups and Testing:
- Maintain frequent, secure backups and regularly test their restoration process
- Store backups offline or in air-gapped systems to prevent encryption by ransomware
- Incident Response Planning:
- Develop and continually update an incident response plan
- Conduct regular tabletop exercises to test and improve the plan
- User Education:
- Provide ongoing cybersecurity awareness training to all employees
- Focus on recognizing phishing attempts and practicing safe browsing habits
- Network Monitoring:
- Implement 24/7 network monitoring to detect unusual activities
- Use intrusion detection and prevention systems (IDS/IPS)
- Principle of Least Privilege:
- Limit user permissions to only what is necessary for their roles
- Regularly audit and update access rights
INC ransomware remains one of the most dangerous ransomware threats in 2024, with its sophisticated encryption, network propagation, and evasion techniques. Its targeted approach, double extortion tactics, and use of advanced techniques make it a formidable adversary for organizations across various sectors.
However, with the right prevention measures, including regular updates, strong security practices, and employee education, organizations can significantly mitigate the risks posed by INC and similar ransomware threats. For those unfortunate enough to fall victim to an INC ransomware attack, the INC Decryptor offers a safe and effective solution to recover encrypted files, ensuring that businesses can get back on their feet without resorting to paying the ransom.
As the threat landscape continues to evolve, staying informed about the latest ransomware trends and maintaining a proactive cybersecurity posture is crucial for all organizations. By implementing comprehensive security measures and having a solid incident response plan in place, businesses can better protect themselves against the growing threat of sophisticated ransomware attacks like INC.
Other types of ransomware we’ve worked with include
- Stop/DJVU
- Lockbit
- Akira
- SEXi
- El Dorado
- 8Base
- Hunters
- Dragonforce
- Flocker
- Monti
- Rhysida
- BianLian
- Cactus
- Underground
- Darkvault
- Cloak
- Blackout
- Spacebears
- abyss
- dAn0n
- Clop
- Blackbyte
- APT73
- Venus
- Trigona
- Trinity
- Emsisoft
If you suspect an INC ransomware attack, any other data loss or network breach, or want to test and enhance your cybersecurity, our expert team is here to help.
Call us at: +447405816578 for immediate assistance
What we offer: