ReliaQuest reveals sophisticated Inc Ransom tactics in attack analysis

ReliaQuest has published an attack analysis of a ransomware incident by the group Inc Ransom, detailing an attack on a healthcare sector customer. The report reveals the methodologies and techniques employed by the threat actors during the intrusion.

According to the analysis, the initial access was likely gained through an exploited vulnerability in the customer’s firewall. The report clarifies that encryption did not occur during this attack. Instead, the attacker utilised the Impacket module wmiexec.py to move laterally within the internal network. Subsequently, the attacker deployed secretsdump.py to gain access to the credentials of additional service accounts on the network.

The compromised credentials included those of a service account responsible for managing SQL backups. The attacker used these credentials to create a backup of the internal SQL server, exfiltrating sensitive data. This method indicates a strategic approach to data theft, bypassing the common encryption and ransom demands typically associated with such attacks.

Throughout the intrusion, the threat actor was observed predominantly using open-source and commercial tools such as net.exe, wevtutil, and PowerShell. These tools, which have legitimate functions within corporate networks, can be used for network troubleshooting and log management. The choice of such tools highlights a significant challenge in detection, as the attacker mimicked legitimate network activities to evade initial detection.

This tactic increases both the mean time to detect (MTTD) and the mean time to contain (MTTC), allowing the attacker to advance further along the attack lifecycle. Additionally, the adversary downloaded the open-source tool RClone and other utilities from their command and control (C2) server. RClone is noted for its proficiency in handling extensive data transfers and its capability to target multiple cloud storage solutions, making it a favoured tool for data exfiltration.

The report also suggests that certain measures might have mitigated the scale and impact of the attack. Strong application controls, strict account management and delegation, and remote data storage could have constrained the adversary's reach, potentially halting the attack earlier in its lifecycle.

David Bell from Vocal PR shared the findings, underscoring the sophisticated nature of the Inc Ransom group’s methods. Threat actors' use of legitimate, widely available tools to mask their malicious activities poses a continued challenge to cybersecurity efforts. The dependency on these common tools for routine network management tasks indeed complicates detection and response mechanisms.

ReliaQuest’s detailed dissection of the attack provides significant insights into the evolving tactics of ransomware groups. By understanding the methods and tools employed in such incidents, organisations can better prepare and fortify their defences against similar threats in the future.

Due to the sensitive nature of the data involved, the healthcare sector, in particular, remains a critical target for cybercriminals. Hence, enhancing cybersecurity protocols and vigilance remains crucial in mitigating risks and protecting critical infrastructure from sophisticated cyberattacks.