Blackpoint
Threat Profile of INC Ransom Ransomware
Pages
22
Time to read
13 mins
Publication
Language
English
This document is a technical report detailing the threat profile of INC Ransom ransomware, first identified in July 2023. The ransomware operates using a double extortion method, in which victim data is both encrypted and threatened with leakage via a data leak site if the ransom is not paid. The report outlines the initial access methods used by INC Ransom operators, which include social engineering and exploitation of valid credentials for external remote services. The ransomware's behavior is influenced by command-line arguments, allowing it to conduct reconnaissance on victim organizations. The document describes the encryption process, including the use of multi-threading and partial encryption based on file size. It also notes the significant overlap in code between the INC Ransom and Lynx Ransomware variants, highlighting their operational similarities. The report includes statistics on previous targets and regions affected, as well as known vulnerabilities exploited by the ransomware. Additionally, it provides a list of tools commonly used by the threat actors.