INC Ransomware — Threat Analysis & Defender Playbook
Prepared by CyberDudeBivash Threat Intelligence — updated Aug 31, 2025

Executive summary

INC Ransomware (also tracked as INC. / INC Ransom) surfaced in late 2022 and became a prominent double-extortion operation throughout 2023–2024, before rebranding into Lynx ransomware in mid-2024. Its encryptors are C++-based Windows payloads, designed for speed, evasion, and affiliate usability. INC pioneered aggressive exfil-before-encrypt tactics and targeted manufacturing, construction, and healthcare sectors globally. By its transition point, it had accumulated hundreds of victims, mainly across the US, Europe, and Asia-Pacific.

The group’s successor, Lynx, continues the technical and organizational model, but understanding INC is critical since many affiliates and toolchains are still active in the wild.


Origins and evolution

  • Discovery: First public cases appeared in Nov 2022, with leaked samples posted to malware repositories.
  • Growth phase (2023): Rapid adoption by affiliates due to customizable binary builder (operators could pick extensions, note names, and kill lists).
  • 2024 transition: Increasing overlap with Lynx ransomware; code and portal design strongly aligned, leading researchers to assess Lynx as INC’s rebrand/successor.
  • Victimology: Heavy focus on construction, engineering, manufacturing, professional services, with opportunistic targeting of education and local government.

Technical details & attack chain

Initial access — TA0001

  • VPN & RDP exposure: weak credentials or misconfigurations.
  • Exploited vulnerabilities: Citrix ADC, Fortinet FortiOS, and Microsoft Exchange (notably ProxyShell/ProxyNotShell).
  • Phishing & initial access brokers (IABs): purchased or resold credentials were a common route to affiliate access.

Execution & persistence — TA0002/TA0003

  • C++ Windows payloads launched via PsExec, GPO, or RDP.
  • Built-in process/service killers for SQL, Veeam Backup, and Exchange.
  • Wallpaper swap & ransom note drop in multiple dirs.

Discovery & lateral movement — TA0007/TA0008

  • Affiliates used Cobalt Strike, Mimikatz, and Advanced IP Scanner.
  • PsExec widely deployed to push encryptors domain-wide.

Exfiltration — TA0010

  • Used WinRAR, Rclone, and MEGA/SFTP for data theft.
  • Exfil occurred before encryption, enabling double extortion.

Impact — TA0040

  • AES-CTR + Curve25519 hybrid crypto (fast/intermittent modes).
  • Appended .inc or campaign-specific extensions.
  • Dropped README.txt ransom notes with Tor portal links.
  • Intermittent encryption improved speed and lowered detection.

Artifacts & hunting cues

  • File markers: .inc extension, README.txt note.
  • Registry/Service abuse: sudden disablement of backup/AV services.
  • CLI indicators: INC encryptors supported flags for silent mode, encryption percent, and note suppression.
  • Network: outbound spikes of RAR archives + SFTP/MEGA uploads.

Defensive measures

  1. Patch edge services: FortiGate, Citrix ADC, Exchange.
  2. MFA everywhere: enforce phishing-resistant MFA on VPN/RDP.
  3. RMM/tunnel control: block unapproved AnyDesk/ScreenConnect; inventory PsExec usage.
  4. Backup resilience: maintain immutable/offline backups outside domain trust.
  5. Exfil monitoring: detect abnormal WinRAR + SFTP/MEGA patterns.
  6. EDR alerts: alert on VSS deletion and service-kill chains followed by mass file renames.
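The hunting cues above and defensive measure 6 describe one detectable chain: backup/database service kills, shadow-copy deletion, then a burst of renames to the .inc extension. The following Python is an added example (not from the original post or any vendor tooling) that runs that correlation over constructed sample telemetry; the service names in the regexes, the event schema, and the 20-renames-in-10-minutes threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Rules derived from the hunting cues above: backup/DB service kills, VSS wipe,
# and a burst of renames to .inc. Service names in the regexes are assumptions.
KILL_RE = re.compile(r"\b(?:sc(?:\.exe)?|net(?:\.exe)?)\s+stop\b.*\b(?:veeam|mssql|sql|exchange)", re.I)
VSS_RE = re.compile(r"vssadmin.*delete\s+shadows|wmic.*shadowcopy\s+delete", re.I)
INC_EXT_RE = re.compile(r"\.inc$", re.I)
CHAIN = {"service_kill", "vss_wipe", "mass_rename"}

def hunt(events, window=timedelta(minutes=10), rename_threshold=20):
    """Return {host: {stage: first_time_seen}}; events are (iso_ts, host, kind, detail),
    kind 'process' (detail = command line) or 'rename' (detail = 'old -> new')."""
    by_host = defaultdict(list)
    for ts, host, kind, detail in events:
        by_host[host].append((datetime.fromisoformat(ts), kind, detail))
    findings = {}
    for host, evs in by_host.items():
        stages, rename_times = {}, []
        for t, kind, detail in sorted(evs):
            if kind == "process" and KILL_RE.search(detail):
                stages.setdefault("service_kill", t)
            elif kind == "process" and VSS_RE.search(detail):
                stages.setdefault("vss_wipe", t)
            elif kind == "rename" and INC_EXT_RE.search(detail.split(" -> ")[-1]):
                # sliding window: count .inc renames seen within the last `window`
                rename_times = [x for x in rename_times if t - x <= window] + [t]
                if len(rename_times) >= rename_threshold:
                    stages.setdefault("mass_rename", t)
        if stages:
            findings[host] = stages
    return findings

def full_chain_hosts(events, window=timedelta(minutes=10)):
    """Hosts with kill, VSS wipe and mass rename all inside `window` (the EDR alert pattern above)."""
    return sorted(h for h, s in hunt(events, window).items()
                  if CHAIN <= set(s) and max(s.values()) - min(s.values()) <= window)

def sample_events():
    """Constructed telemetry (not real IoCs): FS01 shows the chain, WS07 is benign noise."""
    evs = [
        ("2025-08-30T02:10:01", "FS01", "process", "sc.exe stop VeeamBackupSvc"),
        ("2025-08-30T02:10:05", "FS01", "process", "vssadmin delete shadows /all /quiet"),
        ("2025-08-30T09:00:00", "WS07", "process", "net stop Spooler"),
        ("2025-08-30T09:00:05", "WS07", "rename", r"C:\tmp\a.txt -> C:\tmp\a.txt.bak"),
    ]
    for i in range(25):  # 25 renames to .inc within one minute on FS01
        evs.append((f"2025-08-30T02:10:{10 + i:02d}", "FS01", "rename", rf"D:\data\f{i}.docx -> D:\data\f{i}.docx.inc"))
    return evs
```

`full_chain_hosts(sample_events())` returns `['FS01']`; feeding real EDR process-creation and file-rename telemetry into the same tuple shape is enough to reuse the correlation.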

Rapid response playbook

  1. Contain — cut VPN/RDP sessions; isolate infected hosts.
  2. Preserve — snapshot VMs; pull logs (VPN, AD, EDR).
  3. Hunt — search for .inc files, README.txt notes, VSS wipe, WinRAR exfil.
  4. Eradicate — patch exploited edge; rotate creds; remove persistence.
  5. Recover — restore from immutable backups.
  6. Notify — regulators & law enforcement; prepare disclosure.

Strategic impact

  • Rebrand risk: INC → Lynx means affiliates are still operational.
  • Sectors at risk: manufacturing, healthcare, and MSPs (via downstream clients).
  • Financials: Ransom demands often in the $5–15M USD range for large enterprises.
  • Legal exposure: GDPR, HIPAA, and SEC cyber disclosure rules apply to INC/Lynx-style breaches.

Sources & further reading

  • Unit 42 & Fortinet (2024): deep analysis of INC crypto routines and its transition to Lynx.
  • Nextron Systems (2024): C++ payload disassembly, AES-CTR + Curve25519 scheme.
  • Group-IB (2025): tracking INC-to-Lynx affiliate migration.
  • SC Media / ITPro (2025): context on MSP targeting.

#CyberDudeBivash #INCRansomware #Lynx #Ransomware #DoubleExtortion #DFIR #ThreatIntel #MITREATTACK #XDR #Cybersecurity
