“lolbin to inc ransomware this blog post was originally published on may 1, 2024. background huntress analysts have previously observed inc ransomware being deployed, and recently observed this specific ransomware variant being deployed in a customer environment. the ransomware va…”
T1486 Data Encrypted for Impact (98%)
“actor installed 7zip and megasync, then ran a total of 28 7zg.exe processes to archive data. not long after the last 7zg.exe process was run, both megasync and 7zip were uninstalled from the endpoint. huntress has previously observed the use of megasync.exe during incidents wh…”
T1219 Remote Access Tools (96%)
“for a rogue screenconnect installation, and a detailed investigation indicated that the infrastructure employed an entirely different rmm tool. after accessing the endpoint via the newly installed screenconnect instance, the threat actor changed the password on an existing accoun…”
T1219 Remote Access Tools (81%)
“: domain accounts, t1543.003: windows service privilege escalation - not observed defense evasion - t1562.001: disable or modify tools credential access - not observed discovery - not observed lateral movement - not observed collection - t1560.001: archive via utility (rcl…”
T1078 Valid Accounts (76%)
“activities varied slightly between the identified endpoints, this one pattern remained consistent and served to quickly surface impacted endpoints. attack pattern looking across multiple endpoints, huntress analysts observed a common, overarching pattern; that is, at the point w…”
T1080 Taint Shared Content (72%)
“lolbin to inc ransomware this blog post was originally published on may 1, 2024. background huntress analysts have previously observed inc ransomware being deployed, and recently observed this specific ransomware variant being deployed in a customer environment. the ransomware va…”
T1486 Data Encrypted for Impact (65%)
“with the accounts found to be used by the threat actor, it's clear that as the threat actor is approaching the point of heightened activity and likely getting ready to deploy file encryption software, their actions become more directed and efficient, as illustrated in figures 4…”
T1219 Remote Access Tools (61%)
“with the accounts found to be used by the threat actor, it's clear that as the threat actor is approaching the point of heightened activity and likely getting ready to deploy file encryption software, their actions become more directed and efficient, as illustrated in figures 4…”
T1080 Taint Shared Content (58%)
“actor installed 7zip and megasync, then ran a total of 28 7zg.exe processes to archive data. not long after the last 7zg.exe process was run, both megasync and 7zip were uninstalled from the endpoint. huntress has previously observed the use of megasync.exe during incidents wh…”
T1560.001 Archive via Utility (53%)
“actor installed 7zip and megasync, then ran a total of 28 7zg.exe processes to archive data. not long after the last 7zg.exe process was run, both megasync and 7zip were uninstalled from the endpoint. huntress has previously observed the use of megasync.exe during incidents wh…”
T1486 Data Encrypted for Impact (33%)
“however, this activity has only been noted on endpoints where cylanceprotect is running. huntress has previously observed the use of a file by the same name to disable sophos anti-virus applications. also seen within the same timeframe was the usage of an executable named kaz. …”
T1021.001 Remote Desktop Protocol (32%)
“for a rogue screenconnect installation, and a detailed investigation indicated that the infrastructure employed an entirely different rmm tool. after accessing the endpoint via the newly installed screenconnect instance, the threat actor changed the password on an existing accoun…”
Summary
Huntress has observed INC ransomware deployed in the past, but recent activity indicates a possible continued shift in, or improvement of, the tactics employed by these threat actors.