Phase 1: Initial Access
Threat actors affiliated with INC Ransom typically achieve initial entry through two primary vectors. First, they exploit high-severity vulnerabilities in public-facing appliances, such as unpatched VPN gateways and remote access tools. Second, they utilize stolen credentials procured from initial access brokers or harvested through targeted phishing campaigns. Proactive Attack Surface Management is crucial for identifying these exposed entry points and vulnerable edge devices before adversaries can discover them.
Phase 2: Foothold and Internal Reconnaissance
Once initial entry is established, the attackers deploy legitimate remote monitoring and management (RMM) utilities, such as AnyDesk, ScreenConnect, Atera, or SimpleHelp. Using these legitimate tools allows the adversaries to maintain persistent access while flying under the radar of traditional endpoint detection tools. To map the internal network structure, they run utilities such as SoftPerfect Network Scanner (NETSCAN.EXE) and Advanced IP Scanner, identifying key active directories, backup repositories, and database servers.
Phase 3: Privilege Escalation and Lateral Movement
To escalate privileges, the group uses credential harvesting utilities such as Mimikatz and lsassy, alongside privilege assessment scripts like WinPEAS. Once administrative control is achieved, lateral movement is performed rapidly across the environment. This is accomplished using standard administrative channels, including Remote Desktop Protocol (RDP), PsExec, and Windows Management Instrumentation (WMI), allowing the attackers to pivot from low-privilege endpoints to high-value domain controllers.
Phase 4: Backup Tampering and Credential Theft
A key signature of INC Ransom operations is the systematic destruction of the victim's recovery capabilities. The threat actors routinely deploy specialized credential extraction scripts, such as HackTool.PS1.VeeamCreds, designed specifically to locate and decrypt salted DPAPI credentials associated with Veeam backup software. With these credentials, they compromise the backup infrastructure, deleting or encrypting backup catalogs first to block any attempt at offline system restoration.
Phase 5: Data Exfiltration
Before launching the final encryption phase, the stolen database files, patient charts, and financial records are compressed using WinRAR or 7-Zip. The staged archives are then exfiltrated to cloud storage repositories (such as MEGA) utilizing Rclone or specialized sync utilities. If credentials or files are leaked to the public, organizations need ongoing visibility. Implementing Dark Web Monitoring ensures that any exposed administrative accounts or exfiltrated files are immediately flagged for remediation.
Phase 6: Multi-Threaded Encryption
The final phase involves executing the multi-threaded Rust encryptor. This binary automatically terminates endpoint security agents, halts active database services, and begins rapid file encryption. It appends the ".inc" extension to all locked files. In a distinctive psychological tactic, commands are also sent to local network printers to continuously print physical copies of the ransom instructions (INC-README.TXT).