Key Points

  • A ReliaQuest customer was named on the “Inc Ransom” data-leak site, indicating they had been targeted by a ransomware attack in April 2024.
  • Since 2023, Inc Ransom has practiced double-extortion ransomware attacks; in this attack, the threat actors likely obtained access by exploiting an unpatched vulnerability.
  • An investigation by ReliaQuest found Inc Ransom had installed remote monitoring and management (RMM) tools, used pass-the-hash to move laterally, and compromised a Domain Admin account before exfiltrating data.
  • Prioritizing patch management, ensuring proper network segmentation, and implementing host-based controls to prevent the execution of unauthorized software can reduce attack surface and increase the difficulty for threat actors to accomplish their objectives.

In April 2024, ReliaQuest responded to an extortion campaign affecting a customer. The attack was conducted by the “Inc Ransom” ransomware group, which is often a double-extortion operation. In this case, notably, no encryption was involved.

This report details the lifecycle of the ransomware attack, beginning with initial access via the exploitation of CVE-2023-48788 on an internet-facing Fortinet endpoint management server (EMS), followed by installation of AnyDesk, a remote monitoring and management (RMM) tool. Using pass-the-hash techniques, the threat actors moved laterally and used netscan.exe to conduct network reconnaissance from a compromised domain admin account. The attack culminated in data exfiltration and additional post-exploitation activities, including the installation of another RMM tool on the Fortinet EMS server.

We examine the legitimate tools employed by Inc Ransom and offer actionable prevention and mitigation strategies to help organizations strengthen their defensive measures and reduce the impact of similar ransomware attacks.

Inc Ransom Overview

Emerging in July 2023, Inc Ransom is a double-extortion operation renowned for its extortion tactics and its claims it will help companies improve their security posture and save their reputation if they pay a ransom. Despite these claims, Inc Ransom is highly likely to be financially motivated: The group targets critical systems, disrupting essential operations to increase the chance affected organizations will pay ransoms to regain functionality. Like other double-extortion ransomware groups, Inc Ransom exfiltrates and threatens to leak victim data online if its demands are not satisfied. The group has targeted a wide array of industries, including healthcare, education, and government, naming over 120 entities to its data-leak site since mid-2023.

Inc Ransom typically uses spearphishing and exploits vulnerabilities to achieve initial access before conducting network reconnaissance using tools like netscan.exe and megasyncsetup64.exe, facilitating lateral movement and target identification for encryption. After encryption, Inc Ransom disseminates ransom notes across affected systems, including to connected printers, to ensure its ransom demands are clearly communicated. Finally, Inc Ransom seeks to undermine recovery efforts by attempting to delete Volume Shadow Copies.

Attack Lifecycle

Despite limited visibility, we observed the threat actor using primarily open-source and freely available commercial tools throughout the intrusion. Tools such as netscan.exe, AnyDesk, and Bitvise are not uncommon in enterprise networks and help the threat actor blend in with legitimate activity. However, this was the first time we have observed the backup utility Restic used for exfiltration. While not novel, it is an interesting shift from the usual exfiltration tools used in ransomware such as Rclone and WinSCP. The impacted organization was undergoing a penetration test that intersected with the intrusion, which caused some confusion and led to some true-positive detections being initially attributed to security testing.

Initial Access

By collaborating with the impacted organization, ReliaQuest was able to trace back the earliest observed activity, execution of the RMM tool AnyDesk at the beginning of April, to an internet-facing Fortinet EMS server. This server was vulnerable to CVE-2023-48788, a SQL injection vulnerability that could allow unauthorized code or command execution. The vulnerability was disclosed in mid-March and active exploitation was reported shortly after a proof-of-concept (PoC) exploit was released on March 21, 2024. We did not observe direct evidence of CVE-2023-48788 exploitation; however, it is likely that exploitation provided initial access given the origin of the attack.

Mitigation: Asset Management and Patching Perimeter Devices

Internet-facing devices are frequent targets for threat actors. Weaknesses in security controls and vulnerabilities in these devices can provide attackers with easy access into a network if left unchecked. To reduce the risk, maintain an up-to-date list of assets complete with software versions, asset role, and asset owner. Critical vulnerabilities can sometimes be exploited by threat actors just days after they are disclosed. Knowing what you have and where can speed up emergency patch procedures and close weaknesses before they are exploited.

Discovery

Our investigation revealed the network scanning tool NetScan was executed on the beachhead Fortinet EMS server. SoftPerfect NetScan is a legitimate tool that is often abused by threat actors for network discovery in a compromised environment. The tool can be used to perform port scanning and network share discovery and retrieve information about network devices over various protocols. Throughout the intrusion, we also observed NetScan execution and corresponding network-share enumeration originating from additional compromised hosts. This indicates the threat actor may have been performing scans as they moved laterally to other hosts in the network to discover which had access to other servers, file shares, or network segments of interest. Additionally, the continuous use of NetScan during the intrusion cements it as a favored TTP.

Mitigation: Network Segmentation

Ensuring proper network segmentation of edge devices can limit the amount of information a threat actor can discover on the network, increasing the difficulty and time it takes to identify and access critical systems and sensitive data. Network-based controls should be implemented to allow these devices to communicate only over specific protocols and with specific devices needed for operation.

Credential Access

Our investigation also revealed that the threat actor exported a copy of the Security Account Manager (SAM) database, which contains usernames and passwords for local accounts on a Windows machine, from the local machine hive on the beachhead Fortinet server. Compromising additional local accounts on the machine could allow the attacker to authenticate to other hosts that share those local accounts. The threat actor was also seen attempting to use the Impacket tool secretsdump.py to gather credentials from additional hosts on the network.

It is likely the threat actor was gathering as many credentials as possible to facilitate the level of privilege they sought. Eventually, they gained access to a service account with domain administrator rights. Using this account, the threat actor moved laterally to a domain controller (DC), as well as additional servers of interest, and ultimately exfiltrated data from a file server.

Mitigation: Host-based Controls and Account Auditing

To mitigate credential compromise, ensure EDR coverage on all supported devices to detect and prevent accessing credential stores. EDR technologies have built-in detections for identifying these techniques and can support additional custom rules. Controls such as Local Security Authority (LSA) protection and Credential Guard can also protect credentials stored on a machine and should be implemented where possible. Additionally, regularly audit privileged accounts to determine their footprint in the environment and identify those with weak passwords. Limiting the exposure of these accounts can hinder attackers from obtaining privileges needed to move laterally and accomplish their objectives.
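The account audit recommended above can be scripted against logon telemetry. The example below is added here and is not ReliaQuest tooling; it runs over constructed, SIEM-style flattened 4624 events (the account names, host names and the tier-0 host set are assumptions) and reports privileged accounts whose successful logons span more hosts than expected or reach hosts outside tier 0, which is the footprint a domain-admin service account leaves when it is used for lateral movement.

```python
import re
from collections import defaultdict

# Constructed sample of Windows Security 4624 (successful logon) and 4634 (logoff)
# events, flattened to key=value lines as a SIEM export might render them.
# "Computer" is the host that recorded the event, i.e. the logon target.
SAMPLE_LOGONS = """\
EventID=4624 Computer=EMS01 TargetUserName=svc_backup TargetDomainName=CORP LogonType=3 IpAddress=10.0.5.20
EventID=4624 Computer=DC01 TargetUserName=svc_backup TargetDomainName=CORP LogonType=3 IpAddress=10.0.5.20
EventID=4624 Computer=FS01 TargetUserName=svc_backup TargetDomainName=CORP LogonType=3 IpAddress=10.0.5.20
EventID=4624 Computer=FS02 TargetUserName=svc_backup TargetDomainName=CORP LogonType=3 IpAddress=10.0.5.20
EventID=4624 Computer=WS17 TargetUserName=jdoe TargetDomainName=CORP LogonType=2 IpAddress=-
EventID=4624 Computer=DC01 TargetUserName=da_admin TargetDomainName=CORP LogonType=10 IpAddress=10.0.9.4
EventID=4634 Computer=FS01 TargetUserName=svc_backup TargetDomainName=CORP LogonType=3 IpAddress=10.0.5.20
"""

PRIVILEGED = {"svc_backup", "da_admin"}   # accounts holding Domain Admin rights (assumed)
TIER0_HOSTS = {"DC01"}                    # hosts where Domain Admin logons are expected (assumed)
KV_RE = re.compile(r"(\w+)=(\S+)")

def parse_events(text):
    """Turn key=value lines into dicts; blank lines are skipped."""
    return [dict(KV_RE.findall(line)) for line in text.splitlines() if line.strip()]

def privileged_footprint(events, privileged=PRIVILEGED):
    """Map each privileged account to the set of hosts it successfully logged on to."""
    footprint = defaultdict(set)
    for ev in events:
        if ev.get("EventID") == "4624" and ev.get("TargetUserName") in privileged:
            footprint[ev["TargetUserName"]].add(ev["Computer"])
    return footprint

def audit_footprint(events, max_hosts=2, tier0=TIER0_HOSTS):
    """Return (account, reason, hosts) findings for privileged accounts that logged on
    to more than max_hosts distinct hosts or to any host outside the tier-0 set."""
    findings = []
    for account, hosts in privileged_footprint(events).items():
        if len(hosts) > max_hosts:
            findings.append((account, "wide footprint", sorted(hosts)))
        outside = sorted(hosts - tier0)
        if outside:
            findings.append((account, "logon outside tier 0", outside))
    return findings

if __name__ == "__main__":
    for account, reason, hosts in audit_footprint(parse_events(SAMPLE_LOGONS)):
        print(f"{account}: {reason}: {', '.join(hosts)}")
```

Run against real exports, tighten max_hosts to what each account's role actually requires, and treat any tier-0 account appearing on an edge device such as a management server as a finding to investigate.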

Privilege Escalation and Defense Evasion

We recently observed an attack that achieved privilege escalation and defense evasion using a bring-your-own-vulnerable-driver (BYOVD) tactic, dropping the vulnerable driver “wnbios.sys” in the user’s Documents folder. This file worked with another executable, “disabler.exe,” to escalate privileges and bypass certain EDR detections, facilitating defense evasion.

The loss of endpoint visibility left the ReliaQuest team unable to confirm how these files operated further within the network. However, research indicates that “wnbios.sys” works through kernel privilege escalation. The parent file “disabler.exe” was identified as related to the open-source tool “EDRSandBlast,” which uses a vulnerable signed driver to bypass EDR detections and LSASS protections.

Mitigation: Limit Software Installation

To mitigate privilege escalation that uses BYOVD with signed vulnerable drivers, restrict software installation to trusted repositories only and be cautious of orphaned software packages that could be exploited if left on the host. Orphaned software packages are package files that are no longer referenced by any repositories but remain on the file system and consume disk space. Restricting this access will prevent an attacker from dropping their vulnerable drivers onto the host.

Lateral Movement and Command-and-Control

Although limited logging prevented the mapping of a complete attack path, early attack detections indicated the threat actor was using pass-the-hash to authenticate to other machines and perform malicious actions. Given that we observed activity that aligned with the use of Impacket secretsdump.py around this time, it is likely other common Impacket tools such as smbexec or wmiexec were used to move laterally to other key devices in the network. On one occasion, the threat actor was observed using psexec to run commands on a remote host.

Throughout the intrusion, the threat actor used various RMM tools for command-and-control (C2)—the installation of AnyDesk on the beachhead host was the earliest observed activity. The RMM tool SimpleHelp was also installed, along with a Bitvise Secure Shell (SSH) server. We suspect these additional forms of remote access were installed to provide redundant methods of persistence, and SimpleHelp may have provided the threat actor with better capabilities than AnyDesk.

We also observed network traffic to an IP address that we had already tracked as a Sliver C2 server. Sliver is an open-source C2 framework designed for red teaming and penetration testing. Traffic to this C2 server occurred for a few minutes and seemingly did not result in a successful connection. Sliver has gained popularity amongst threat actors and has become a popular alternative to commercial red team tools, like Cobalt Strike.

Mitigation: Network Segmentation and Account Management

In addition to the mitigations described for the discovery phase, network segmentation is essential to limiting movement to critical systems such as domain controllers and file shares. Limiting communication to only necessary protocols can reduce the attack surface. Additionally, ensure accounts are configured following the principle of least privilege. Consider using Local Administrator Password Solution (LAPS), which ensures local admin accounts are set with unique passwords across devices.

Mitigation: Security Controls for RMM Software

RMM software has grown in popularity among ransomware actors to establish remote access. Identifying legitimately used tools in the environment can help to establish a baseline and create controls to prevent the use of unauthorized tools. Controls such as AppLocker and Software Restriction Policies (SRP) in Active Directory can be used to only allow authorized RMM software in the environment. Additionally, network controls can be configured on firewalls and forward proxies to prevent traffic to infrastructure categorized as remote access. For more details about controls related to RMM tools see our report on RMM tool abuse.

Impact

Ten days after the earliest known activity, a scheduled task was executed on two separate file-share servers. This task was scheduled to run daily and execute a PowerShell script with system permissions.

schtasks /create /sc daily /tn "Recovery Diagnostics" /tr "powershell.exe -file C:\Users\Public\Documents\new.ps1" /st 11:05 /ru system

The PowerShell script launched a file in the C:\Windows\System32\ directory—named to blend in as a Windows update file—which we suspect to be the backup utility, Restic. Restic is a free, open-source, cross-platform software that can back up and sync changes to various online services or a self-hosted storage location. Specific file paths on the file-share servers were specified by the threat actor and the data was synced to an attacker-controlled server, effectively exfiltrating the contents of the share.
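The task creation above is a detectable pattern: a task created to run as SYSTEM whose action is a script interpreter pointed at a user-writable path. The example below is added here and is not ReliaQuest detection content; it parses schtasks /create command lines from constructed process-creation events (the first mirrors the command in the report, the others are assumed benign and non-matching samples) and flags only the combination of those traits, since SYSTEM tasks for signed installers are routine.

```python
import re

# Constructed process-creation command lines; the first reproduces the task from the report.
SAMPLE_PROCESS_EVENTS = [
    'schtasks /create /sc daily /tn "Recovery Diagnostics" /tr "powershell.exe -file C:\\Users\\Public\\Documents\\new.ps1" /st 11:05 /ru system',
    'schtasks /create /sc weekly /tn "Backup Agent Update" /tr "C:\\Program Files\\Backup\\agent.exe --update" /ru system',
    'schtasks /query /tn "Recovery Diagnostics"',
]

# Locations any user can write to; a SYSTEM task should not execute content from them.
USER_WRITABLE = (r"c:\users\public", r"c:\programdata", r"c:\windows\temp", r"\appdata\local\temp")
INTERPRETERS = ("powershell", "pwsh", "cmd.exe", "wscript", "cscript", "mshta", "rundll32")

# A switch followed optionally by a quoted value or a bare value that is not another switch.
ARG_RE = re.compile(r'/(\w+)(?:\s+(?:"([^"]*)"|([^\s/"][^\s]*)))?')

def parse_schtasks(cmdline):
    """Map lower-cased schtasks switches to their values; valueless switches map to True.
    Unquoted /tr values containing spaces are not handled (schtasks requires quoting them)."""
    args = {}
    for switch, quoted, bare in ARG_RE.findall(cmdline):
        value = quoted or bare
        args[switch.lower()] = value if value else True
    return args

def suspicious_task(cmdline, user_writable=USER_WRITABLE, interpreters=INTERPRETERS):
    """Return the reasons a schtasks /create command line matches the pattern from the
    intrusion; an empty list means not flagged. At least two traits must coincide."""
    args = parse_schtasks(cmdline)
    if "create" not in args or not isinstance(args.get("tr"), str):
        return []
    action = args["tr"].lower()
    reasons = []
    if str(args.get("ru", "")).lower() in ("system", "nt authority\\system"):
        reasons.append("runs as SYSTEM")
    if any(i in action for i in interpreters):
        reasons.append("action invokes a script interpreter")
    if any(p in action for p in user_writable):
        reasons.append("action references a user-writable path")
    return reasons if len(reasons) >= 2 else []

def scan_process_events(cmdlines):
    """Return (command line, reasons) for every flagged task-creation command."""
    return [(c, suspicious_task(c)) for c in cmdlines if suspicious_task(c)]

if __name__ == "__main__":
    for cmdline, reasons in scan_process_events(SAMPLE_PROCESS_EVENTS):
        print(f"FLAGGED: {cmdline}\n  " + "; ".join(reasons))
```

Pair this with Security event 4698 (scheduled task created) or Sysmon process-creation telemetry on file servers, where the same task on two hosts within minutes is itself a signal worth alerting on.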

After data was exfiltrated, there was a dormant period of a few days before activity was observed again on the beachhead Fortinet server, and the actor was evicted. No ransomware was deployed during the intrusion, meaning none of the customer’s files were encrypted. However, given Inc Ransom’s history of double-extortion operations, it is realistically possible that the threat actor was planning to stage their encryptor and deploy ransomware in the environment after the brief dormant period.

Mitigation: Network Controls and Restriction of Unauthorized Software

Defending against exfiltration can be difficult and often requires a layered approach. First, implement stronger controls on file-share servers with tools like AppLocker and SRPs to restrict software execution to only authorized applications. Additionally, limit outbound communication to only necessary destinations and protocols. This can prevent exfiltration of data directly to attacker-controlled infrastructure, requiring data to be staged elsewhere first and increasing the chances of detection before the data is stolen.

Conclusion

As is the case with many ransomware intrusions, the threat actors in this case used a familiar set of TTPs. Initial access was gained through targeting of a vulnerable internet-facing server leading to installation of the RMM tool AnyDesk. Network discovery was accomplished using NetScan while the Impacket tool secretsdump.py was used to gather additional credentials. Compromise of a service account with domain admin privileges provided the threat actor with permissions to access critical systems and initiate data exfiltration with the backup utility Restic. These are tried-and-true techniques that provide continued success if proper hardening and detections are not put in place.

In this case, swift patch management prioritizing internet-facing devices, application controls to prevent execution of unauthorized software, and automated response and containment plays could have limited the threat actors’ reach within the network, mitigating the impact of data theft. Implementing the steps outlined in this report can improve your security posture and better position you to quickly detect and remediate attacks by ransomware and other threat actors.