Inc. Ransom Group – Detection and Prevention

Inc. Ransom is a group of cybercriminals that focuses on launching targeted attacks on large-scale organizations and corporate enterprises. They use a mixture of attack vectors, including vulnerability exploitation, spear-phishing emails, and ransomware deployment.


Primer on Inc. Ransom Group

The Inc. Ransom group first emerged back in July 2023. By September of the same year, they had publicly announced the successful infiltration of as many as 12 victims, a figure that has now risen dramatically.

Inc. Ransom has a TOR-based blog where it periodically releases information related to its successful cyber incidents. Past blogs have touched on which victims were impacted by its ransomware and summaries of the volumes of data it managed to exfiltrate from each business.

Methods of Attack

Here is an example of the typical pathway Inc. Ransom follows to breach enterprise systems:

  1. Initial Access: Inc. Ransom targets vulnerabilities in business services, such as CVE-2023-3519 in Citrix NetScaler, or uses spear-phishing campaigns to compromise user credentials.
  2. System Scan: Once threat actors have access to a company’s systems, they use the compromised account to perform several forms of system scanning. They will search for other vulnerabilities in the ecosystem, scanning networks, domains, and other connected network devices.
  3. Data Inspection: Using compromised accounts, the group will inspect documents, images, and the contents of folders to ensure there is valuable data in the system.
  4. Further Extraction: Using lsassy.py and other native tools, Inc. Ransom then extracts other available login credentials and accesses multiple company systems, networks, and accounts.
  5. Ransomware Deployment: Once the group has access to numerous devices and systems in a business, they then deploy payloads that install ransomware onto these endpoints. The ransomware will encrypt documents and bar company access, with Inc. Ransom leveraging automation to rapidly take over enterprise-scale data systems.

The Inc. Ransom group’s payloads support various command-line arguments and use a multi-threading approach to encrypt user data.

The Typical Targets of the Inc. Ransom Group

Ransomware threats tend to focus on two main groups:

  • Small and medium businesses
  • Enterprise organizations

With the former group, the total value of data exfiltrated is likely lower, but they will also have fewer defenses.

In contrast, enterprise companies typically have extensive cybersecurity defenses but hold much more valuable data. Of these two groups, Inc. Ransom mainly focuses on the latter. They tend to target larger, multinational companies in high-value data industries, including sectors like:

  • Finance
  • Healthcare
  • Tech

The majority of Inc. Ransom’s attacks focus on enterprises in North America, Europe, and, to a lesser extent, Australia. The leading industries in terms of the number of victims are professional services, manufacturing, construction, and healthcare.

Strategies for Prevention and Mitigation for Inc. Ransom Group

Here are some best practices for preventing and mitigating attacks from Inc. Ransom and other ransomware threats.

  1. Identify Attack Signatures: Monitor your networks and systems and look for potential indicators of compromise. If you notice any threat signatures, suspicious activities, or strange file interactions, aim to isolate those areas as quickly as possible.
  2. Penetration Test Your Systems: Regular red teaming and penetration testing will help ensure that your business identifies vulnerabilities in your system as early as possible. If you’re able to identify and neutralize vulnerabilities before groups like Inc. Ransom find them, you can keep your business safe.
  3. Offer Staff Training: Inc. Ransom leverages spear-phishing to steal user credentials from executives and other employees. By offering compulsory phishing and ransomware prevention training, you help limit the possibility of ransomware entering your system through compromised accounts.
  4. Employ Anti-Ransomware Software: Because ransomware attacks tend to leave typical threat markers behind, there are numerous effective anti-ransomware tools you can employ. Deploying ransomware protection solutions will help to keep your endpoints as secure as possible, contributing to the security of your overall system.
  5. Develop a Threat Response Plan: Even if you utilize every best practice in the book and employ the world’s leading cybersecurity solution, there is always a chance that ransomware will enter your system. Plan for this eventuality, no matter how unlikely it may be, by deciding in advance how you will remove ransomware from your system and protect sensitive files. Having that plan ready allows you to mobilize a cyber defense strategy quickly if an attack occurs.
  6. Create Regular Backups: Your business should regularly create backups of your system’s data. If possible, create several different copies and store them on isolated networks. For example, you could store one version on local storage, one in the cloud, and a third with a secure third party. Backups ensure that you can restore business data and continue working when a ransomware threat is active in your business.
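
As an added illustration of step 1 (not Check Point's code or product logic), the Python example below flags a single process that rewrites many distinct files across several directories within a few seconds, the pattern that multi-threaded encryption produces. The event tuple layout, the thresholds, and all sample hosts, process names and paths are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def detect_encryption_bursts(events, window=timedelta(seconds=10),
                             min_files=20, min_dirs=3):
    """Alert once per (host, pid) that writes/renames >= min_files distinct
    files spread over >= min_dirs directories inside a sliding window."""
    recent = defaultdict(deque)          # (host, pid) -> deque of (ts, path)
    alerts = {}
    for ts, host, pid, image, action, path in sorted(events):
        if action not in ("write", "rename"):
            continue                     # reads and opens are not counted
        key = (host, pid)
        q = recent[key]
        q.append((ts, path))
        while q and ts - q[0][0] > window:
            q.popleft()                  # drop events older than the window
        files = {p for _, p in q}
        dirs = {p.rsplit("\\", 1)[0] for p in files}
        if key not in alerts and len(files) >= min_files and len(dirs) >= min_dirs:
            alerts[key] = {"host": host, "pid": pid, "image": image,
                           "first_seen": q[0][0],
                           "files": len(files), "dirs": len(dirs)}
    return list(alerts.values())

def sample_events():
    """Constructed file-audit events: (ts, host, pid, image, action, path)."""
    t0 = datetime(2024, 1, 15, 2, 0, 0)
    ev = []
    for i in range(30):   # burst: 30 files in 5 shares within about 3 seconds
        ev.append((t0 + timedelta(milliseconds=100 * i), "FS01", 4120,
                   "unknown.exe", "write", f"D:\\share{i % 5}\\doc{i}.docx"))
    for i in range(40):   # benign: a service appending to one log file
        ev.append((t0 + timedelta(milliseconds=100 * i), "FS01", 900,
                   "svc.exe", "write", "C:\\logs\\app.log"))
    for i in range(25):   # benign: backup job, one file per minute
        ev.append((t0 + timedelta(minutes=i), "FS01", 1500,
                   "backup.exe", "write", f"E:\\bk{i % 4}\\part{i}.bak"))
    return ev

if __name__ == "__main__":
    for alert in detect_encryption_bursts(sample_events()):
        print(alert)
```

Counting distinct files and directories, rather than raw write volume, is what keeps the busy log writer and the slow backup job from alerting; tune the thresholds against your own baseline before isolating hosts on this signal.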

Ransomware Protection with Check Point

The Inc. Ransom group is a serious threat to modern enterprises, especially those that have not laid strong cybersecurity foundations and invested in employee security training. Once the group gains access to your systems, it becomes much more difficult to mount an effective defense.

A preemptive layer of security and proactive cyber solutions across your entire attack surface will help to reduce the possibility of entry from Inc. Ransom and other ransomware threats. Check Point's Anti-Ransomware solution offers sophisticated, enterprise-wide ransomware coverage. As a part of Harmony Endpoint, Check Point offers complete endpoint protection, using automation and leading cybersecurity strategies to keep your business safe.

Learn more about how Check Point can protect your business from ransomware by booking a free demo.
