A digital forensics firm discovered that the INC ransomware gang's reuse of backup tooling created a persistent, vulnerable infrastructure that allowed researchers to recover data stolen from multiple victims, highlighting critical operational security failures in ransomware-as-a-service operations.
The INC ransomware gang, a prolific ransomware-as-a-service (RaaS) operation, made a critical operational security error that allowed researchers to recover stolen data from a dozen U.S. organizations. The failure stemmed from the threat actor's routine reuse of the legitimate backup tool Restic across multiple campaigns, creating a persistent infrastructure that retained encrypted victim data long after initial attacks concluded.
The investigation was conducted by Cyber Centaurs, a digital forensics and incident response company, which began its work after a client organization detected ransomware encryption on a production SQL Server. The payload, identified as a RainINC ransomware variant, executed from the Windows PerfLogs directory—a location increasingly used by ransomware actors for staging malicious activity.
During the forensic examination, researchers noticed artifacts from Restic, a legitimate open-source backup tool. This discovery was significant because the threat actor had not used Restic in the current attack; data exfiltration had occurred during lateral movement using different methods. The presence of Restic artifacts suggested the tool was part of the attacker's broader operational toolkit, used selectively across different campaigns.
The Critical Infrastructure Exposure
Cyber Centaurs identified several key artifacts that pointed to systemic operational security failures:
- Renamed binaries: The attackers used names like 'winupdate.exe' to masquerade malicious executables
- PowerShell scripts: Specifically, a script named 'new.ps1' contained Base64-encoded commands for Restic
- Hardcoded configuration: The scripts included hardcoded environment variables containing access keys, repository paths, and S3 passwords for encrypted repositories
The researchers theorized that if INC routinely reused Restic-based infrastructure across campaigns, the storage repositories referenced in attacker scripts would likely persist as long-lived attacker-controlled assets. These repositories would quietly retain encrypted victim data well after negotiations ended or payments were made.
Validation and Recovery Process
To test this hypothesis, Cyber Centaurs developed a controlled, non-destructive enumeration process. This approach allowed them to confirm the presence of encrypted data stolen from 12 unrelated organizations across multiple sectors:
- Healthcare
- Manufacturing
- Technology
- Service sectors
All organizations were based in the United States, and none were Cyber Centaurs clients. The incidents represented distinct, unrelated ransomware events. After confirming the data's presence, the researchers decrypted the backups and preserved the copies while contacting law enforcement to help validate ownership and guide proper procedures.
Broader Implications for Ransomware Defense
The investigation revealed multiple tools used in INC ransomware attacks, including cleanup tools, remote access software, and network scanners. More importantly, it demonstrated how ransomware operators' operational security failures can create opportunities for data recovery even when victims don't pay ransoms.
Cyber Centaurs created YARA and Sigma rules to help defenders detect Restic backup tooling or its renamed binaries running from suspicious locations. These detection rules can signal ransomware attack development before encryption occurs, giving security teams a critical early warning.
Context: INC Ransomware's Notable History
INC ransomware emerged in mid-2023 and has claimed several high-profile victims, including:
- Yamaha Motor
- Xerox Business Solution
- Scotland's NHS
- McLaren Health Care
- Texas State Bar
- Ahold Delhaize
- Panama Ministry of Economy
- Pennsylvania AG Office
- Crisis24
This incident underscores a fundamental weakness in ransomware operations: the tension between operational efficiency and security. While reusing tools and infrastructure across campaigns reduces development overhead, it creates persistent vulnerabilities that defenders can exploit.
Practical Takeaways for Organizations
- Monitor for legitimate backup tool usage: The presence of Restic or similar backup tools in unusual contexts (like PerfLogs directories) should trigger investigation
- Implement YARA and Sigma rules: Organizations can deploy the detection rules created by Cyber Centaurs to identify potential ransomware staging activity
- Assume data persistence: Even if ransomware is detected and contained, assume stolen data may persist in attacker-controlled infrastructure
- Collaborate with law enforcement: When recovering stolen data, proper coordination with authorities ensures legal compliance and helps identify other victims
The INC ransomware case demonstrates that while ransomware operations continue to evolve, their operational security practices often lag behind their technical capabilities. These failures create opportunities for defenders, researchers, and law enforcement to disrupt operations and recover stolen data.
For organizations concerned about ransomware threats, the Cyber Centaurs findings reinforce the importance of comprehensive incident response planning that includes forensic analysis, infrastructure investigation, and coordination with external experts and authorities.
Comments
Please log in or register to join the discussion