Saturday, October 12, 2024
HomeCyber CrimeINC Ransom Group Exfiltrates Data Before Encrypting & Threatens Public Exposure

INC Ransom Group Exfiltrates Data Before Encrypting & Threatens Public Exposure

Published on

Malware protection

Hackers exfiltrate data first before encrypting it to increase their bargaining power during ransom negotiations. 

Threats of public exposure of private information accelerate up the urgency for victims to pay a ransom immediately.

Secureworks Counter Threat Unit researchers are tracking the INC Ransom group known as GOLD IONIC. 

- Advertisement - SIEM as a Service

INC Ransom Group Exfiltrate Data

Emerging in August 2023, this threat group employs double extortion tactics – exfiltrating data before encryption, then threatening public exposure to pressure victims into paying ransoms.

Between August 2023 and March 2024, the Tor leak site of GOLD IONIC published the names of 72 victims, adding 7 in April 2024. It has spread globally despite focusing on American victims from the industrial, healthcare, and education sectors.

Document
Stop Advanced Phishing Attack With AI

AI-Powered Protection for Business Email Security

Trustifi’s Advanced threat protection prevents the widest spectrum of sophisticated attacks before they reach a user’s mailbox. Stopping 99% of phishing attacks missed by other email security solutions. .

SecureWorks said that GOLD IONIC seems to be a solo group that encrypts files for ransom rather than having affiliates.

There appears to be a consistent pattern in monthly numbers, with possible exceptions posted as batched releases.

Number of victims posted to GOLD IONIC’s leak site from August 2023 through March 2024 (Source – Secureworks)

Like many financially motivated groups, GOLD IONIC conducts indiscriminate, opportunistic attacks across geographies and sectors.

However, most victims are U.S.-based organizations, with a significant gap to the second-most impacted country, the UK. 

Geographic locations of victims posted to GOLD IONIC’s leak site (Source – Secureworks)

The prevalence of Western victims and lack of those from Commonwealth of Independent States countries suggests the group likely operates out of Russia or a CIS nation. 

No sector stands out, though industrial, healthcare, and education organizations are the most common targets, with educational establishments over-represented compared to other ransomware groups from August 2023 to March 2024.

Breakdown of sectors for victims posted to the GOLD IONIC leak site (Source – Secureworks)

In Secureworks’ incident response engagements, GOLD IONIC consistently deploys INC ransomware. One case potentially involved initial access via the “Citrix Bleed” vulnerability (CVE-2023-4966), an initial vector favored by LockBit affiliates. 

Post-intrusion, the attacker dropped a Meterpreter shell, enumerated Active Directory, archived and exfiltrated over 70GB of data using WinRAR and Megasync, then copied the victim-named INC ransomware binary to over 500 systems and executed it remotely via PsExec to encrypt files. 

The INC ransom note instructs contacting the threat actor within 72 hours via a “.onion” address to avoid data leaks.

While the leak site resembles LockBit’s, there are no other known connections between the groups.

Comparison of the LockBit (top) and INC Ransom (bottom) leak sites (Source – Secureworks)

The INC Ransom leak site lists some victims of other ransomware groups. One case involved files and a ransom note format matching ALPHV ransomware by GOLD BLAZER.

Donut Leaks warning about affiliates posting stolen data to other leak sites (Source – Secureworks)

Financially motivated affiliates may act in self-interest, even stealing data to post elsewhere with modified ransom contacts. 

Some affiliates have deployed up to seven ransomware families. While the dynamic affiliate-operator relationship could explain cross-posting on leak sites.

Looking to Safeguard Your Company from Advanced Cyber Threats? Deploy TrustNet to Your Radar ASAP.

Tushar Subhra
Tushar Subhra
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

Threat Actor ProKYC Selling Tools To Bypass Two-Factor Authentication

Threat actors are leveraging a newly discovered deepfake tool, ProKYC, to bypass two-factor authentication...

Mozilla Warns Of Firefox Zero-Day Actively Exploited In Cyber Attacks

A critical use-after-free vulnerability affecting Firefox and Firefox Extended Support Release (ESR) is being...

SpyCloud Embeds Identity Analytics in Cybercrime Investigations Solution to Accelerate Insider and Supply Chain Risk Analysis & Threat Actor Attribution

IDLink, SpyCloud’s new automated digital identity correlation capability, is now core to its industry-leading...

Abusix and Red Sift Form New Partnership, Leveraging Automation to Mitigate Cyber Attacks

The agreement has marked over 600,000 fraudulent domains for takedown in just two months...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Dark Angels Ransomware Attacking Windows And Linux/ESXi Systems

The sophisticated ransomware group Dark Angels, active since 2022, targets large companies for substantial...

Prince Ransomware Hits UK and US via Royal Mail Phishing Scam

A new ransomware campaign targeting individuals and organizations in the UK and the US...

Northern Ireland Police to Pay £750,000 Fine Following Data Breach

The Police Service of Northern Ireland (PSNI) has been ordered to pay a £750,000...