Key Points

  • In August 2024, a ReliaQuest customer was the target of an extortion campaign by the ransomware group “Inc Ransom.” The attack used extortion methods that differed from those of an earlier Inc Ransom attack analyzed in a previous ReliaQuest blog.
  • Inc Ransom has conducted double-extortion ransomware attacks since 2023; in this attack no encryption occurred, and initial access was likely gained through an exploited vulnerability in the customer’s firewall.
  • ReliaQuest’s investigation found that Inc Ransom used common tools such as Impacket and Rclone for credential access, lateral movement via pass-the-hash attacks, command-and-control (C2) communication, and data exfiltration.
  • Once an organization is compromised, strict management of service accounts, strong application controls, and remote log storage can reduce mean time to contain (MTTC) and halt the attack in progress.

In August 2024, a ReliaQuest customer in the healthcare industry was the subject of an extortion campaign conducted by the ransomware group “Inc Ransom.” The group typically conducts double-extortion operations, but, as in a previous Inc Ransom attack covered by ReliaQuest, this incident involved no encryption. It did, however, involve exfiltration through Rclone, a tool often used by ransomware operators for that purpose, and defense evasion techniques such as clearing security event logs.

This report details each stage of the intrusion lifecycle, from exploiting a firewall for initial access to the use of the Windows event log utility wevtutil and PowerShell for defense evasion.

We also examine the legitimate tools and complex tactics used by Inc Ransom and offer practical prevention and mitigation strategies to assist organizations in bolstering their defenses and reducing the impact of similar ransomware attacks.

Our previous Inc Ransom report covers an attack with the same goal: data exfiltration and extortion of the victim’s brand. This report highlights the different methods used in the latest attack to achieve that same goal. Different organizations use different defensive technologies and logging strategies; as such, each report offers unique insights into the observed tactics and helps paint a fuller picture of the various methods Inc Ransom may use to conduct an attack.

Inc Ransom Overview

First identified in July 2023, Inc Ransom is a highly active double-extortion ransomware group that, since its emergence, has successfully extorted an average of 11 organizations per month. The group has carried out ransomware attacks on large organizations such as Xerox and National Health Service (NHS) Scotland, which typically have mature cybersecurity programs. It targets a wide range of sectors, including healthcare, government, and education, with attacks affecting entities in the US, Canada, and Europe. In previous campaigns, Inc Ransom has gained initial access through simple techniques such as spearphishing as well as through vulnerability exploitation, including CVE-2023-3519 in Citrix NetScaler. The group has also used netscan.exe to discover other hosts and resources for lateral movement or encryption, and MEGAsyncSetup64.exe, the client for the MEGA cloud-storage service, for exfiltration, showing its ability to deploy different tools and tactics across attacks.

Inc Ransom has displayed mature encryption strategies, including deleting Volume Shadow Copy snapshots (the local backups Windows keeps) to impede recovery after the ransomware has run. The group applies substantial extortion pressure during an attack, even printing ransom notes from compromised printers on the victim’s network, so that companies feel compelled to pay to avoid damage to their operations and brand. Moreover, Inc Ransom claims it will disclose its attack techniques to the affected entity once the ransom has been paid, presenting this as a service that helps the company improve its security posture. This pitch is likely intended to win over companies that would otherwise refuse to pay for fear of simply being attacked again. Like other double-extortion groups, Inc Ransom also threatens to leak the compromised entity’s data online if its demands are not met, which would cause brand or operational damage.

Attack Lifecycle

In this intrusion, the attacker likely gained initial access by exploiting a vulnerability in the customer’s firewall and progressed to using net.exe to discover host information, such as the operating system (OS) version, and to identify security tools. The attacker used the Impacket module wmiexec.py for lateral movement to other internal hosts and ran secretsdump.py to obtain credentials for additional service accounts on the network. These included the credentials of the service account responsible for managing SQL backups, which the attacker then used to steal sensitive data by creating a backup of the internal SQL server.

Throughout this attack, the threat actor predominantly used built-in Windows utilities and open-source tools, including net.exe, wevtutil, PowerShell, and Impacket. The native tools all have legitimate functions within corporate networks, such as network troubleshooting and log management, and choosing them makes detection harder because the attacker’s activity blends into the noise of routine administration. This increases mean time to detect (MTTD) and mean time to contain (MTTC) and allows the attacker to progress further through the attack lifecycle. The adversary also downloaded Rclone and other tools from its C2 server. Rclone is an open-source tool commonly used for data exfiltration, favored for its ability to handle large transfers and its support for numerous cloud storage providers.

Initial Access

Due to limited logging visibility, we do not know the threat actor’s exact initial access method. However, access was likely gained through an exploited firewall, after which the attacker compromised a service account belonging to the firewall. Inc Ransom then compromised further legitimate service accounts used to manage backups and other common resources such as the SQL database, extending its reach into additional services and increasing its likelihood of gaining deeper access into the organization’s network.

Adversaries often target service accounts because of their broad access to multiple systems, their elevated (frequently administrator-level) privileges, and the difficulty, or absence, of monitoring around them. Attackers use these accounts to execute malicious commands while hiding among the accounts’ routine activity; it is therefore important to know the scope of every service account and to recognize the danger of that scope becoming too broad. Service accounts generally serve a function and are not used interactively by people; functions might include facilitating print jobs or asset inventory and management. As more functions are assigned to one account, its scope can become dangerously broad, letting an attacker perform a large array of tasks and gain extensive network access. It also becomes difficult to baseline the account, that is, to define what its normal activity looks like. Without a baseline, deviations from expected behavior go unnoticed, which limits or even prevents monitoring and allows the attack to progress further into the network.

Mitigation: Privileged Account Management

To protect service accounts, we recommend strict management of privileged accounts, including controlling their creation, modification, use, and permissions. If each account has a limited number of functions, can reach only the resources it needs, and holds only the rights its tasks require, a single compromised service account cannot carry an attacker through the entire attack lifecycle; the attacker is forced through the additional defenses that surround other accounts and resources. If a broader scope is needed, additional service accounts should be created for the additional functions. Each account’s normal activity can then be baselined, rather than one account holding hundreds of functions among which an attacker’s actions are easily lost. The result is faster detection and containment, a smaller impact for the attacker, and, in turn, reduced financial loss and reputational damage for the organization.

Discovery

After gaining access, Inc Ransom enumerated the contents of the compromised host and its network shares. The group used the dir command to list the files in C:\ and then directed its search toward C:\Program Files, where it specifically targeted the Microsoft SQL Server installation. The group also listed the host’s network shares using net.exe and located a network-mapped SQL server, which it likewise examined for files. Data was later collected from the SQL server, indicating that the group was deliberately targeting it or a similar data-hosting server; such servers contain sensitive data that can be used for extortion. All of the discovery commands were executed under the previously mentioned compromised backup service account, which helped disguise the malicious commands as that account’s normal backup operations. In this attack, the threat group used the native Windows utility net.exe to map the network, whereas in the previously reported attack it used a third-party tool, highlighting the group’s versatility.

Mitigation: Operating System Configuration

To limit network share enumeration, organizations should enable the Windows Group Policy setting “Network access: Do not allow anonymous enumeration of SAM accounts and shares” (RestrictAnonymous = 1 under HKLM\SYSTEM\CurrentControlSet\Control\Lsa). Note that this setting blocks only unauthenticated (null-session) enumeration; an attacker holding valid credentials, as Inc Ransom did here, can still list shares, so it must be paired with the account scoping described above and with alerting on share enumeration by accounts that have no business performing it. The ability to list network shares should be limited to the specific accounts that require it, such as help desk personnel or network engineers. Together, these measures make it harder for attackers to discover critical hosts that hold sensitive data or access, and therefore reduce the amount of confidential information they can acquire.

Lateral Movement

Inc Ransom used Impacket to move laterally within the compromised entity’s network. Impacket is a collection of Python classes and tools that let an attacker drive legitimate Windows services and protocols. In this incident, the Impacket module wmiexec.py was used to access other hosts on the network. This module uses Windows Management Instrumentation (WMI), a built-in Windows feature that lets a user run commands on remote machines without installing additional software. Employing this module improves the stealth of the intrusion: the attacker achieves remote code execution (RCE) without the obvious traces (a dropped service binary, for example) that trigger standard alerts, leaving investigators with little visibility into the activity. The module is not invisible, however: each command appears as a cmd.exe process launched by WmiPrvSE.exe with its output redirected to the ADMIN$ share, alongside a network logon on the target. These artifacts are simply not collected or alerted on by default, so security teams need dedicated detection strategies for them. Inc Ransom also used the pass-the-hash (PtH) capability of Impacket (the -hashes option of wmiexec.py) to move laterally with a captured NTLM password hash for a legitimate account. With the hash, the attacker can authenticate as the account without knowing or cracking its password. A similar PtH method was used in Inc Ransom’s previous attack, likely with the same Impacket module, suggesting this is a common technique for the threat group.

Mitigation: Privileged Account Management

The reach of a single account across systems should be limited, both to contain the damage when that account is compromised and to reduce an attacker’s ability to move laterally and compromise additional hosts. By restricting each account’s scope to a limited number of systems, the attacker is forced to compromise more accounts to reach other hosts, and therefore to get past more security controls.

Credential Access and Collection

Inc Ransom used secretsdump.py, another Impacket module, to target the Security Accounts Manager (SAM), the Windows database that stores local account names and password hashes. The module works by saving the SAM, SECURITY, and SYSTEM registry hives (the registry being the Windows database of low-level settings for the OS and installed software) and extracting credential material from them. Besides local account hashes, the SECURITY hive yields LSA secrets, which include the passwords of services configured to run as domain service accounts; this is likely how the attackers obtained credentials for additional service accounts rather than only local ones. By specifically targeting service accounts and local administrators for their broad access and elevated privileges, the attackers obtained credentials they could reuse across the network. Inc Ransom then used these credentials to access an SQL archive, create a backup copy of it, and collect its data, which would later be exfiltrated. Impacket is widely used by threat actors and continues to appear in attacks because of its versatility and extensive configuration options.

Mitigation: Privileged Account Management

ReliaQuest recommends that security teams do not put user or administrator domain accounts in local administrator groups across systems unless they are tightly controlled. Doing so could be likened to a local administrator account having the same password on all systems, which would allow an attacker unrestricted access to the whole network if the account were to be compromised.

Mitigation: Audit

To detect unauthorized data collection, strong account audit practices should be established. Robust auditing enables the identification of accounts operating outside their normal procedures, such as creating copies of SQL data, so that the data can be stopped from leaving the network. Exporting such data can take a long time, because attackers move slowly to evade detection and bypass security controls; if they succeed, the stolen data becomes their main lever for extortion, with the threat of releasing it publicly. Attackers know that once sensitive data is released, news outlets will report on the breach and customers will have to be notified that their data was stolen, resulting in reputational damage and a loss of consumer trust.
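The baselining that both the Privileged Account Management and Audit mitigations above rely on can be expressed as a small detection routine. The following is an added example written for this page, not ReliaQuest tooling or the customer’s configuration: the account names, hosts, and process names are constructed, and backupagent.exe is a hypothetical backup-agent name. It learns each account’s (host, process) footprint from a known-good window, flags incident-window events that fall outside it, and reports accounts whose footprint is already too broad to baseline.

```python
from collections import defaultdict

# Constructed "known-good" observation window for two service accounts. Field
# names mirror what a SIEM extracts from Windows 4688 / Sysmon Event ID 1.
BASELINE_EVENTS = [
    {"account": "svc_sqlbackup", "host": "SQL01", "image": "sqlservr.exe"},
    {"account": "svc_sqlbackup", "host": "SQL01", "image": "sqlagent.exe"},
    {"account": "svc_sqlbackup", "host": "BKP01", "image": "backupagent.exe"},  # hypothetical agent
    {"account": "svc_print", "host": "PRT01", "image": "spoolsv.exe"},
]

# Constructed events from an incident window: the backup account is suddenly
# used from a workstation for discovery and runs a tool it has never run before.
INCIDENT_EVENTS = [
    {"account": "svc_sqlbackup", "host": "SQL01", "image": "sqlagent.exe"},  # routine
    {"account": "svc_sqlbackup", "host": "WS042", "image": "cmd.exe"},       # new host and process
    {"account": "svc_sqlbackup", "host": "WS042", "image": "net.exe"},       # share enumeration
    {"account": "svc_sqlbackup", "host": "SQL01", "image": "rclone.exe"},    # known host, new process
    {"account": "svc_print", "host": "PRT01", "image": "spoolsv.exe"},       # routine
]


def build_baseline(events):
    """Map each account to the set of (host, image) pairs seen in the learning window."""
    baseline = defaultdict(set)
    for e in events:
        baseline[e["account"]].add((e["host"], e["image"]))
    return baseline


def find_deviations(baseline, events):
    """Return (event, reason) for every event outside its account's baseline.

    An account with no baseline is flagged outright: it should have been learned.
    """
    findings = []
    for e in events:
        known = baseline.get(e["account"])
        if known is None:
            findings.append((e, "account has no baseline"))
            continue
        reasons = []
        if e["host"] not in {h for h, _ in known}:
            reasons.append("new host")
        if e["image"] not in {i for _, i in known}:
            reasons.append("new process")
        if reasons:
            findings.append((e, ", ".join(reasons)))
    return findings


def overscoped_accounts(baseline, max_hosts=3):
    """Accounts whose legitimate footprint spans more hosts than can be baselined usefully."""
    return sorted(a for a, pairs in baseline.items()
                  if len({h for h, _ in pairs}) > max_hosts)


if __name__ == "__main__":
    bl = build_baseline(BASELINE_EVENTS)
    for event, why in find_deviations(bl, INCIDENT_EVENTS):
        print(f"{event['account']} on {event['host']} ran {event['image']}: {why}")
    print("over-scoped accounts:", overscoped_accounts(bl, max_hosts=1))
```

The three flagged events are exactly the discovery from an unexpected host and the first appearance of Rclone under the backup account; the routine SQL Agent and spooler activity produces nothing. The max_hosts knob is the practical test for scope creep: an account that legitimately appears on dozens of hosts will never yield a tight baseline and should be split as the mitigation above recommends.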

C2

Inc Ransom used the domain “palloaltonetworks[.]com” for its C2 operations. The domain is deliberately disguised to resemble a legitimate Palo Alto Networks domain, so that security teams glancing at web traffic would assume it was benign. The Impacket module wmiexec.py was used to run the commands that communicated with the C2 server and downloaded additional files, including Rclone, used for exfiltration. Two further files were downloaded through PowerShell commands: 7-Zip and a utility used to split the collected data before exfiltration. PowerShell is present on every Windows device and allowed the attackers to encode the commands being run, hindering detection. These files were then used to prepare (compress and split) the stolen data before exfiltration.

Mitigation: Network Intrusion Prevention

Network intrusion detection and prevention systems can use network signatures to identify and stop malware execution or unusual data transfers over known protocols. In this attack, a device and policy that blocks or alerts on domains registered within the last six months would have been effective at stopping this C2 communication: the attacker’s domain “palloaltonetworks[.]com” was registered on April 16, 2024, roughly four months before the attack. Had this policy been in place, the threat actor would likely have been unable to download the files that facilitated exfiltration.
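As an added illustration of the newly-registered-domain policy described above (example code written for this page, not a ReliaQuest product or the customer’s configuration): the only fact taken from the report is the April 16, 2024 registration date of palloaltonetworks[.]com. The protected-vendor list and the placeholder registration dates for the legitimate domains are constructed, and a real deployment would pull creation dates from WHOIS/RDAP. The check also adds a look-alike test, since the domain’s age and its one-character distance from paloaltonetworks.com are independent signals that together justify a block rather than a review.

```python
from datetime import date

YOUNG_DOMAIN_DAYS = 180       # the "registered in the last six months" policy from the report
MAX_LOOKALIKE_DISTANCE = 2    # edits away from a protected name that still count as a look-alike

# Vendor domains the organisation legitimately talks to. Constructed list.
PROTECTED_DOMAINS = ["paloaltonetworks.com", "microsoft.com", "reliaquest.com"]

# Constructed stand-in for WHOIS/RDAP lookups. The creation date of the C2 domain
# is the one given in the report; the placeholder dates stand for long-established domains.
DOMAIN_CREATED = {
    "palloaltonetworks.com": date(2024, 4, 16),
    "paloaltonetworks.com": date(2000, 1, 1),
    "microsoft.com": date(2000, 1, 1),
    "reliaquest.com": date(2000, 1, 1),
}


def levenshtein(a, b):
    """Edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_domain(domain, today, created=DOMAIN_CREATED, protected=PROTECTED_DOMAINS):
    """Policy verdict for one destination domain.

    "block"  : young and a look-alike of a protected domain (the C2 case here)
    "review" : only one condition holds, or the registration date is unknown
    "allow"  : established and not a look-alike
    """
    domain = domain.lower().rstrip(".")
    created_on = created.get(domain)
    age_days = (today - created_on).days if created_on else None
    young = age_days is not None and age_days < YOUNG_DOMAIN_DAYS

    lookalike_of = None
    if domain not in protected:                      # exact matches are never look-alikes
        closest = min(protected, key=lambda p: levenshtein(domain, p))
        if levenshtein(domain, closest) <= MAX_LOOKALIKE_DISTANCE:
            lookalike_of = closest

    if young and lookalike_of:
        verdict = "block"
    elif young or lookalike_of or age_days is None:  # unknown age is suspicious, not safe
        verdict = "review"
    else:
        verdict = "allow"
    return {"domain": domain, "age_days": age_days,
            "lookalike_of": lookalike_of, "verdict": verdict}


if __name__ == "__main__":
    for d in ("palloaltonetworks.com", "paloaltonetworks.com", "example.org"):
        print(assess_domain(d, today=date(2024, 8, 15)))
```

Run against a mid-August 2024 date, the C2 domain comes back 121 days old and one edit away from paloaltonetworks.com, so it is blocked; the genuine vendor domain is allowed; a domain with no registration record is sent for review rather than silently permitted.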

Exfiltration

In this attack, Rclone was used solely for exfiltration; it allowed the attacker to send the data collected from the compromised SQL server to their C2 server, where it was then used for extortion. The extortion centered on the threat of making sensitive data publicly available, which would damage the company’s brand, reduce customers’ trust, and breach data-protection obligations. While Rclone has legitimate uses, we have observed it being used for exfiltration to cloud storage in 57% of all incidents investigated by ReliaQuest from September 2023 to July 2024. Inc Ransom also used another tool, split.exe, downloaded from the group’s C2 server, to split 20GB of collected data into ten 2GB files. Large transfers leaving a network are more likely to be detected than small ones, so the threat actor split the stolen data to hide its outbound transfers, further improving the stealth of the attack. Although Rclone was used in this instance, Inc Ransom has used other open-source tools, namely Restic, for exfiltration, underscoring the group’s versatility and competence.
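To show why chunking defeats per-transfer size thresholds and what to aggregate instead, here is an added example (not from the report and not ReliaQuest tooling). The flow records are constructed to match the ten 2GB transfers described above; the IP addresses, timestamps, window length, and thresholds are assumptions. A per-flow rule never fires, while summing bytes per source/destination pair over a sliding window catches the same transfers halfway through.

```python
from collections import defaultdict
from datetime import datetime, timedelta

GB = 1024 ** 3
PER_FLOW_THRESHOLD = 5 * GB     # a naive "one big upload" alert threshold
AGGREGATE_THRESHOLD = 10 * GB   # bytes per (src, dst) pair within the window
WINDOW = timedelta(hours=6)

# Constructed flow records (NetFlow/firewall style). Ten 2 GB uploads from the
# SQL host to one external address, twenty minutes apart, mirror the ten 2 GB
# chunks described in the report; the last record is ordinary internal traffic.
FLOWS = [
    {"ts": datetime(2024, 8, 10, 1, 0) + timedelta(minutes=20 * i),
     "src": "10.20.0.15", "dst": "203.0.113.77", "bytes_out": 2 * GB}
    for i in range(10)
] + [
    {"ts": datetime(2024, 8, 10, 2, 0), "src": "10.20.0.15",
     "dst": "10.20.0.1", "bytes_out": 50 * 1024 ** 2},
]


def per_flow_alerts(flows, threshold=PER_FLOW_THRESHOLD):
    """The size-per-transfer rule that chunking defeats: nothing here trips it."""
    return [f for f in flows if f["bytes_out"] >= threshold]


def sliding_window_alerts(flows, window=WINDOW, threshold=AGGREGATE_THRESHOLD):
    """Sum bytes per (src, dst) over a sliding time window; alert when a pair crosses threshold.

    Returns one alert per pair describing the window that first crossed the line.
    """
    by_pair = defaultdict(list)
    for f in sorted(flows, key=lambda f: f["ts"]):
        by_pair[(f["src"], f["dst"])].append(f)

    alerts = []
    for (src, dst), recs in by_pair.items():
        start, total = 0, 0
        for end, rec in enumerate(recs):
            total += rec["bytes_out"]
            while rec["ts"] - recs[start]["ts"] > window:   # drop records that aged out
                total -= recs[start]["bytes_out"]
                start += 1
            if total >= threshold:
                alerts.append({"src": src, "dst": dst, "bytes": total,
                               "first": recs[start]["ts"], "last": rec["ts"],
                               "transfers": end - start + 1})
                break
    return alerts


if __name__ == "__main__":
    print("per-flow alerts:", per_flow_alerts(FLOWS))
    for a in sliding_window_alerts(FLOWS):
        print(f"{a['src']} -> {a['dst']}: {a['bytes'] / GB:.0f} GB in "
              f"{a['transfers']} transfers between {a['first']} and {a['last']}")
```

The aggregate rule fires on the fifth chunk, after 10GB has left in 80 minutes, while half the data is still on the host. Keying on the destination rather than the individual flow is the point: an attacker who slows the cadence further only stretches the window needed, and a window sized to the organisation’s real egress patterns is a cheap first cut before moving to per-host upload baselines.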

Mitigation: Restrict Web-Based Content and Application Controls

Web proxies can enforce an egress policy that blocks unauthorized external services, such as untrusted cloud-hosting sites, to which an attacker could send stolen data. Intrusion prevention systems and group policy objects (GPOs) can be configured to enforce application control. If tools like Rclone have no legitimate use in the environment, they should be blocked, since they facilitate data transfer for exfiltration.

Defense Evasion

Impacket was used to run an encoded command that cleared the event logs recording the threat actor’s activity. Encoding, such as base64, is used to obfuscate malicious commands. Most detections look for specific strings, such as Invoke-WebRequest, which can indicate a file download. Base64-encoded as ASCII, that string becomes SW52b2tlLVdlYlJlcXVlc3Q=, which defeats keyword matching on the raw command line and forces the use of other detection methods, such as decoding the argument before matching. (PowerShell’s -EncodedCommand switch actually expects base64 of UTF-16LE text, so the blob seen in a real command line differs from the ASCII encoding shown here; a decoder has to account for that.) The utility wevtutil was also used to clear all event logs on the host, including the Security, System, Setup, and Forwarded Events logs. wevtutil is the built-in Windows command-line tool for managing event logs on an endpoint. By removing these logs, Inc Ransom attempted to avoid detection and further investigation, allowing the group to progress its attack and maintain access to the environment. Additionally, Impacket was used to delete all files within a folder, likely to clean up tooling after use, again hindering detection and analysis.
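The wmiexec.py artifacts from the Lateral Movement section and the encoded command and log clearing described here can be triaged with the routine below. It is an added example for this page, not ReliaQuest detection content: the events are constructed (usernames, paths, and the timestamp in the output file name are invented), and the one tool fact it relies on is wmiexec.py’s command template, cmd.exe /Q /c <command> 1> \\127.0.0.1\ADMIN$\__<timestamp> 2>&1, which appears as cmd.exe spawned by WmiPrvSE.exe. The decoder treats -EncodedCommand as base64 of UTF-16LE, which is why the ASCII-encoded Invoke-WebRequest string from the paragraph above is correctly rejected.

```python
import base64
import re

# The -EncodedCommand argument is base64 of UTF-16LE text; build the sample the
# same way PowerShell would so the decoder is exercised on a realistic blob.
ENC_CLEAR_LOGS = base64.b64encode(
    "wevtutil cl Security; wevtutil cl System".encode("utf-16-le")).decode()

# Constructed events shaped like Sysmon Event ID 1 / Security 4688 (process
# creation) and Security 1102 (audit log cleared) after SIEM field extraction.
EVENTS = [
    {"id": 1, "user": "svc_sqlbackup",
     "parent": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "cmd.exe /Q /c net view 1> \\\\127.0.0.1\\ADMIN$\\__1723700000.123 2>&1"},
    {"id": 1, "user": "svc_sqlbackup",
     "parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -enc " + ENC_CLEAR_LOGS},
    {"id": 1, "user": "jdoe",
     "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "cmd.exe /c dir C:\\Users"},                       # benign
    {"id": 1102, "user": "svc_sqlbackup", "parent": "", "image": "", "cmdline": ""},
]

# wmiexec.py runs each command as
#   cmd.exe /Q /c <command> 1> \\127.0.0.1\ADMIN$\__<timestamp> 2>&1
# as a child of WmiPrvSE.exe; the loopback ADMIN$ output redirect is the fingerprint.
WMIEXEC_RE = re.compile(r"/Q\s+/c\s.*1>\s*\\\\127\.0\.0\.1\\ADMIN\$\\__\d+", re.I)
# powershell.exe accepts any unambiguous prefix of -EncodedCommand (and -ec).
ENCODED_RE = re.compile(r"-(e[a-z]*)\s+([A-Za-z0-9+/=]+)", re.I)
SUSPICIOUS = ("invoke-webrequest", "wevtutil cl", "clear-eventlog", "rclone", "secretsdump")


def decode_encoded_command(cmdline):
    """Return the script behind -EncodedCommand, or None if there is none.

    Decoding as UTF-16LE matters: a rule that searches for the ASCII base64 of a
    keyword (SW52b2tlLVdlYlJlcXVlc3Q= for Invoke-WebRequest) never matches a
    real -EncodedCommand blob, and a blob of ASCII text fails to decode here.
    """
    for m in ENCODED_RE.finditer(cmdline):
        flag, blob = m.group(1).lower(), m.group(2)
        if flag != "ec" and not "encodedcommand".startswith(flag):
            continue                                   # e.g. -ExecutionPolicy
        try:
            return base64.b64decode(blob, validate=True).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            continue
    return None


def is_wmiexec(event):
    """True when the process tree and command line match the wmiexec.py template."""
    return (event["parent"].lower().endswith("wmiprvse.exe")
            and event["image"].lower().endswith("cmd.exe")
            and WMIEXEC_RE.search(event["cmdline"]) is not None)


def triage(events):
    """Map event index -> findings for every event that deserves analyst attention."""
    findings = {}
    for i, e in enumerate(events):
        hits = []
        if e["id"] == 1102:
            # Clearing the Security log writes this event; it survives when forwarded.
            hits.append(f"Security log cleared by {e['user']}")
        else:
            if is_wmiexec(e):
                hits.append("wmiexec.py execution pattern")
            decoded = decode_encoded_command(e["cmdline"])
            if decoded is not None:
                hits.append("encoded PowerShell: " + decoded)
            text = (decoded or e["cmdline"]).lower()
            hits += [f"keyword: {k}" for k in SUSPICIOUS if k in text]
        if hits:
            findings[i] = hits
    return findings


if __name__ == "__main__":
    for idx, hits in triage(EVENTS).items():
        print(f"event {idx} ({EVENTS[idx]['user']}): " + "; ".join(hits))
```

Three of the four events are surfaced: the WMI-spawned shell with the ADMIN$ redirect, the encoded PowerShell once it is decoded to its wevtutil cl calls, and the 1102 record written by the clearing itself. The benign dir under a normal user produces nothing. Keyword matching is applied to the decoded script, never to the raw base64, and the 1102 event only exists to match if logs are forwarded before the local copy is wiped, which is the point of the next mitigation.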

Mitigation: Remote Data Storage

Security teams should automatically forward events to a log server or data repository so that an attacker cannot locate and manipulate the only copy on the local system. Windows Event Forwarding (WEF) or a syslog server can temporarily store and load-balance logs before they are sent to long-term storage, quickly moving the logs off a compromised host and reducing the risk of the adversary deleting them. Clearing the Security log also generates Event ID 1102 (“The audit log was cleared”), which survives on the collector even when the local log does not and is itself a high-fidelity alert.


Conclusion

Initial access was likely gained through a vulnerable firewall, showing the importance of strict patch management for perimeter devices. In this incident, Inc Ransom relied on a familiar array of tactics, techniques, and procedures (TTPs), including tools such as Rclone and Impacket that we consistently see in attacks. This shows that attackers take the path of least resistance whenever possible, and that having detections and controls for these common tactics and tools is essential to a strong defense. During this attack, ReliaQuest assisted the customer with the investigation, helping them map the attack in detail, and provided log source and detection hardening recommendations to improve their security posture.

This attack highlights the dangers of service account “scope creep” and of unauthorized tools: service accounts can be exploited to hide malicious activity among network noise, and attackers can abuse the high-level permissions these accounts hold to execute malicious tooling. Given the similarities between this attack and our previously reported Inc Ransom attack, and our observations from other incidents, it is highly likely these tactics and tools will continue to be used. Measures such as strong application controls, strict account management and delegation, and remote log storage could have limited the threat actor’s reach and impact by stopping this attack earlier in its lifecycle. Following the steps detailed in this report can strengthen your security posture, enabling you to detect and respond to ransomware and other attacks more effectively, reduce your MTTC, and halt an attack early in its lifecycle.