INC Ransom Group Exfiltrates Data Before Encrypting & Threatens Public Exposure

Hackers exfiltrate data first before encrypting it to increase their bargaining power during ransom negotiations. 

Threats of public exposure of private information accelerate up the urgency for victims to pay a ransom immediately.

Secureworks Counter Threat Unit researchers are tracking the INC Ransom group known as GOLD IONIC. 

INC Ransom Group Exfiltrate Data

Emerging in August 2023, this threat group employs double extortion tactics – exfiltrating data before encryption, then threatening public exposure to pressure victims into paying ransoms.

Between August 2023 and March 2024, the Tor leak site of GOLD IONIC published the names of 72 victims, adding 7 in April 2024. It has spread globally despite focusing on American victims from the industrial, healthcare, and education sectors.

Stop Advanced Phishing Attack With AI

AI-Powered Protection for Business Email Security

Trustifi’s Advanced threat protection prevents the widest spectrum of sophisticated attacks before they reach a user’s mailbox. Stopping 99% of phishing attacks missed by other email security solutions. .

Try Free Demo

SecureWorks said that GOLD IONIC seems to be a solo group that encrypts files for ransom rather than having affiliates.

There appears to be a consistent pattern in monthly numbers, with possible exceptions posted as batched releases.

Like many financially motivated groups, GOLD IONIC conducts indiscriminate, opportunistic attacks across geographies and sectors.

However, most victims are U.S.-based organizations, with a significant gap to the second-most impacted country, the UK. 

The prevalence of Western victims and lack of those from Commonwealth of Independent States countries suggests the group likely operates out of Russia or a CIS nation. 

No sector stands out, though industrial, healthcare, and education organizations are the most common targets, with educational establishments over-represented compared to other ransomware groups from August 2023 to March 2024.

In Secureworks’ incident response engagements, GOLD IONIC consistently deploys INC ransomware. One case potentially involved initial access via the “Citrix Bleed” vulnerability (CVE-2023-4966), an initial vector favored by LockBit affiliates. 

Post-intrusion, the attacker dropped a Meterpreter shell, enumerated Active Directory, archived and exfiltrated over 70GB of data using WinRAR and Megasync, then copied the victim-named INC ransomware binary to over 500 systems and executed it remotely via PsExec to encrypt files. 

The INC ransom note instructs contacting the threat actor within 72 hours via a “.onion” address to avoid data leaks.

While the leak site resembles LockBit’s, there are no other known connections between the groups.

The INC Ransom leak site lists some victims of other ransomware groups. One case involved files and a ransom note format matching ALPHV ransomware by GOLD BLAZER.

Financially motivated affiliates may act in self-interest, even stealing data to post elsewhere with modified ransom contacts. 

Some affiliates have deployed up to seven ransomware families. While the dynamic affiliate-operator relationship could explain cross-posting on leak sites.

Looking to Safeguard Your Company from Advanced Cyber Threats? Deploy TrustNet to Your Radar ASAP.