← All stories

Huntress

Investigating New INC Ransom Group Activity | Huntress

2023-08-11 · Read original ↗

ATT&CK techniques detected

20 predictions

T1486Data Encrypted for Impact

99%

“was renamed to winupd when launched on the remote node. this resulted in a system event log record on each endpoint where the command successfully launched the windows service that appeared as follows : service control manager / 7045 ; winupd, % systemroot % \ winupd. exe, user m…”

Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.

No matches for .

Loading techniques…

T1486Data Encrypted for Impact

99%

“# cyberattack … pic. twitter. com / 4fpipyztid the huntress team recently investigated a ransomware attack indicative of the ‘ inc ’ threat actor. while the file encryption process brought the attack to the attention of the impacted organization immediately, an investigation into…”

Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.

No matches for .

Loading techniques…

T1486Data Encrypted for Impact

97%

“investigating new inc ransom group activity | huntress the huntress team is always keeping our eye on the evolving threat landscape. now, it seems that a new contender, referred to as “ inc ” has entered the ransomware fight. this new ransomware group began gaining notoriety very…”

Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.

No matches for .

Loading techniques…

T1486Data Encrypted for Impact

96%

“data theft ( staging and exfiltration ) occurs, this can very often be seen well prior to the deployment of the file encryption executable. while the huntress team was unable to discern the threat actor ’ s means of initial access, the investigation clearly demonstrated considera…”

Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.

No matches for .

Loading techniques…

T1021.001Remote Desktop Protocol

93%

“edr telemetry. day 6 no activity was observed. day 7 - file encryption the seventh day began with the threat actor accessing server 3 via rdp, installing the advanced ip scanner, and shortly thereafter, moving laterally to server 2 via rdp. during the logon session to server 3, t…”

Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.

No matches for .

Loading techniques…

T1585.002Email Accounts

92%

“investigating new inc ransom group activity | huntress the huntress team is always keeping our eye on the evolving threat landscape. now, it seems that a new contender, referred to as “ inc ” has entered the ransomware fight. this new ransomware group began gaining notoriety very…”

Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.

No matches for .

Loading techniques…

T1567Exfiltration Over Web Service

91%

“##filtration - exfiltration over web service / t1567. 002 - impact - data encrypted for impact / t186 special thanks to josh allman ( @ xorjosh ), matt anderson ( @ nosecurething ), harlan carvey ( @ keydet89 ), and anthony smith ( @ kingcrtz ) for their contributions to this blo…”

Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.

No matches for .

Loading techniques…

T1021.001Remote Desktop Protocol

90%

“system names ( ylqlcxo9vdriz5jk, ajlxc9tzxginkqf4, and uxuznzxxmebn2jox ). all three connections originated from the same ip address and accessed the target system using the same account name. approximately four and a half hours later, valid account ( compromised ) credentials we…”

Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.

No matches for .

Loading techniques…

T1003OS Credential Dumping

85%

“##e, nltest. exe, wordpad / notepad / mspaint, internet explorer, windows explorer, mstsc. exe, msdt. exe ) - use of additional tools ( 7 - zip, megasync, advanced ip scanner, putty, lsassy. py, psexec ) mitre att & ck - initial access - valid accounts / t1078. 002 - execution - …”

Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.

No matches for .

Loading techniques…

T1021.002SMB/Windows Admin Shares

69%

“copy commands were followed in rapid succession by a similar series of wmic. exe commands to launch the file encryption executable on each of those endpoints. all of these commands were of the same format, illustrated by the following : wmic / node : " < node > " / user : " < use…”

Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.

No matches for .

Loading techniques…

T1482Domain Trust Discovery

66%

“##e, nltest. exe, wordpad / notepad / mspaint, internet explorer, windows explorer, mstsc. exe, msdt. exe ) - use of additional tools ( 7 - zip, megasync, advanced ip scanner, putty, lsassy. py, psexec ) mitre att & ck - initial access - valid accounts / t1078. 002 - execution - …”

Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.

No matches for .

Loading techniques…

T1080Taint Shared Content

63%

“# cyberattack … pic. twitter. com / 4fpipyztid the huntress team recently investigated a ransomware attack indicative of the ‘ inc ’ threat actor. while the file encryption process brought the attack to the attention of the impacted organization immediately, an investigation into…”

Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.

No matches for .

Loading techniques…

T1078Valid Accounts

61%

“system names ( ylqlcxo9vdriz5jk, ajlxc9tzxginkqf4, and uxuznzxxmebn2jox ). all three connections originated from the same ip address and accessed the target system using the same account name. approximately four and a half hours later, valid account ( compromised ) credentials we…”

Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.

No matches for .

Loading techniques…

T1048Exfiltration Over Alternative Protocol

48%

“mx3 - xr! *. exe - xr! *. mp4 - xr! *. wmv - xr! *. mov - xr! *. avi - xr! *. mxf - xr! *. mts - xr! *. vhd < archive name > < source folder > during this time, the huntress team also observed the threat actor ’ s use of native tools such as wordpad. exe, notepad. exe, and mspain…”

Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.

No matches for .

Loading techniques…

T1560.001Archive via Utility

47%

“mx3 - xr! *. exe - xr! *. mp4 - xr! *. wmv - xr! *. mov - xr! *. avi - xr! *. mxf - xr! *. mts - xr! *. vhd < archive name > < source folder > during this time, the huntress team also observed the threat actor ’ s use of native tools such as wordpad. exe, notepad. exe, and mspain…”

Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.

No matches for .

Loading techniques…

T1003OS Credential Dumping

36%

“system names ( ylqlcxo9vdriz5jk, ajlxc9tzxginkqf4, and uxuznzxxmebn2jox ). all three connections originated from the same ip address and accessed the target system using the same account name. approximately four and a half hours later, valid account ( compromised ) credentials we…”

Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.

No matches for .

Loading techniques…

T1564.006Run Virtual Instance

33%

“# cyberattack … pic. twitter. com / 4fpipyztid the huntress team recently investigated a ransomware attack indicative of the ‘ inc ’ threat actor. while the file encryption process brought the attack to the attention of the impacted organization immediately, an investigation into…”

Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.

No matches for .

Loading techniques…

T1048.002Exfiltration Over Asymmetric Encrypted Non-C2 Protocol

33%

“mx3 - xr! *. exe - xr! *. mp4 - xr! *. wmv - xr! *. mov - xr! *. avi - xr! *. mxf - xr! *. mts - xr! *. vhd < archive name > < source folder > during this time, the huntress team also observed the threat actor ’ s use of native tools such as wordpad. exe, notepad. exe, and mspain…”

Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.

No matches for .

Loading techniques…

T1679Selective Exclusion

32%

“was renamed to winupd when launched on the remote node. this resulted in a system event log record on each endpoint where the command successfully launched the windows service that appeared as follows : service control manager / 7045 ; winupd, % systemroot % \ winupd. exe, user m…”

Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.

No matches for .

Loading techniques…

T1486Data Encrypted for Impact

30%

“edr telemetry. day 6 no activity was observed. day 7 - file encryption the seventh day began with the threat actor accessing server 3 via rdp, installing the advanced ip scanner, and shortly thereafter, moving laterally to server 2 via rdp. during the logon session to server 3, t…”

Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.

No matches for .

Loading techniques…

Summary

The Huntress team investigated a ransomware attack of a new INC Ransom threat actor group. Here is the activity we observed.