The new INC ransomware group took no more than a week — and possibly less — to enter and encrypt an organization’s IT systems, according to researchers at Huntress.
Although it was able to see what happened on three infected servers of the unnamed organization, the researchers weren’t able to determine how the attackers got access — and specifically how the gang got employee credentials. But they were able to build an interesting picture for defenders to learn how this particular gang works.
On the first day, the attackers briefly logged into Server 1 with valid credentials. About four and a half hours later, valid account credentials were used to access the same system via Windows Remote Desktop Protocol (RDP). For about 30 minutes, the attackers gathered information about the system.
The second day saw only a brief login to Server 2. The next day, Server 2 was accessed again. But this time numerous 7-Zip archival commands were executed to collect and stage data for exfiltration. The attacker also used native tools such as Wordpad, Notepad, and Microsoft Paint to view the contents of documents and image/JPEG files.
On day four, the threat actor again accessed Server 2 via RDP and continued issuing collection and data staging commands, as it had the day before.
On the fifth day, the threat actor accessed Server 3 via RDP for only six minutes, with little activity observed in endpoint telemetry. Nothing happened on day six.
But on the seventh day, instead of resting, the threat actor struck. They accessed Server 3 via RDP, installed a free network scanner called Advanced IP Scanner and a free SSH and telnet client called PuTTY that can be used for file transfers. Approximately three hours after the initial logon to Server 3, the threat actor ran credential access commands on all three servers, all of which were indicative of the use of lsassy.py, a Python tool to remotely extract credentials on a set of hosts.
Approximately four hours after the initial logon to Server 3, the threat actor issued a number of copy commands in rapid succession, perhaps running a batch file or script, to push the file encryption executable to multiple endpoints within the IT infrastructure. These copy commands were followed in rapid succession by a similar series of commands through Windows’ wmic.exe and PSExec utilities (this last one was renamed) to launch the file encryption executable on each of those endpoints.
What can be learned from this? “There is often considerable activity that leads to deployment of the file encryption executable, such as initial access, credential access and privilege escalation, and enumeration and mapping of the infrastructure,” the researchers note. “Where data theft (staging and exfiltration) occurs, this can very often be seen well prior to the deployment of the file encryption executable.”
