Citrix and WhatsUp Gold: INC Ransomware Uses Rust-Based Windows and Linux/ESXi Encryptors in New Attacks

Citrix and WhatsUp Gold: INC Ransomware Uses Rust-Based Windows and Linux/ESXi Encryptors in New Attacks

INC Ransomware Emerges as a Top Global Threat, Targeting Critical Sectors with Rust-Based Encryptors

Since its emergence in mid-2023, INC ransomware has rapidly evolved into one of the most prolific ransomware operations, claiming over 800 victims worldwide. Operating under a Ransomware-as-a-Service (RaaS) model, the group recruits affiliates and equips them with advanced tools to scale attacks across industries.

Initially focusing on healthcare and education, INC has expanded its targeting to legal services, manufacturing, construction, and technology sectors under regulatory pressure and more likely to pay ransoms quickly. The group employs a double extortion tactic, encrypting files while threatening to leak stolen data on its leak site, compounding operational and reputational risks for victims.

A recent report from Acronis highlights significant technical advancements in INC’s toolkit. Both its Windows and Linux/ESXi encryptors have been rewritten in Rust, enabling cross-platform attacks with greater evasion capabilities. The updated Windows variant targets Veeam backup deployments, while the Linux/ESXi version optimizes encryption speed by distinguishing local disks from network shares. Both payloads use partial encryption to maintain system usability while ensuring ransom notes remain visible.

INC affiliates leverage legitimate remote access tools including CobaltStrike, AnyDesk, ScreenConnect, and TeamViewer to blend into normal IT activity. They also deploy process terminators like PsKill to disable endpoint defenses before exfiltrating data via rclone and 7-Zip. Credential theft has been refined to target salted DPAPI-encrypted Veeam backups.

The group’s influence extends beyond its core operations. Following the 2024 disruption of its source code seller, related ransomware families like Lynx and Knoba emerged with overlapping code, indicating the spread of INC’s tooling into adjacent threat groups.

Security researchers have identified multiple vulnerabilities exploited in INC attacks, including CVE-2023-3519 (Citrix NetScaler RCE), CVE-2023-4966 (Citrix Bleed), CVE-2023-35082 (SimpleHelp RMM), and CVE-2024-4885 (WhatsUp Gold RCE). Indicators of compromise (IoCs) include Rust-based encryptor hashes, abused legitimate tools, and ransom note filenames like INC-README.TXT.

Source: https://cybersecuritynews.com/inc-ransomware-uses-rust-based-windows/

Progress Software cybersecurity rating report: https://www.rankiteo.com/company/progress-software

Cloud Software Group cybersecurity rating report: https://www.rankiteo.com/company/cloudsoftwaregroup

"id": "PROCLO1781871843",
"linkid": "progress-software, cloudsoftwaregroup",
"type": "Vulnerability",
"date": "1/2024",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'customers_affected': 'Over 800 victims',
                        'industry': ['Healthcare',
                                     'Education',
                                     'Legal services',
                                     'Manufacturing',
                                     'Construction',
                                     'Technology'],
                        'location': 'Worldwide',
                        'type': ['Healthcare',
                                 'Education',
                                 'Legal services',
                                 'Manufacturing',
                                 'Construction',
                                 'Technology']}],
 'attack_vector': ['Exploitation of vulnerabilities',
                   'Legitimate remote access tools',
                   'Credential theft'],
 'data_breach': {'data_encryption': True, 'data_exfiltration': True},
 'description': 'Since its emergence in mid-2023, INC ransomware has rapidly '
                'evolved into one of the most prolific ransomware operations, '
                'claiming over 800 victims worldwide. Operating under a '
                'Ransomware-as-a-Service (RaaS) model, the group recruits '
                'affiliates and equips them with advanced tools to scale '
                'attacks across industries. The group employs a double '
                'extortion tactic, encrypting files while threatening to leak '
                'stolen data on its leak site, compounding operational and '
                'reputational risks for victims. Both its Windows and '
                'Linux/ESXi encryptors have been rewritten in Rust, enabling '
                'cross-platform attacks with greater evasion capabilities. The '
                'updated Windows variant targets Veeam backup deployments, '
                'while the Linux/ESXi version optimizes encryption speed by '
                'distinguishing local disks from network shares. Both payloads '
                'use partial encryption to maintain system usability while '
                'ensuring ransom notes remain visible.',
 'impact': {'brand_reputation_impact': 'Reputational risks due to data leaks',
            'data_compromised': 'Stolen data leaked on leak site',
            'operational_impact': 'Partial encryption to maintain system '
                                  'usability',
            'systems_affected': ['Windows', 'Linux/ESXi']},
 'motivation': ['Financial gain', 'Data exfiltration'],
 'post_incident_analysis': {'root_causes': ['Exploitation of vulnerabilities',
                                            'Use of legitimate remote access '
                                            'tools',
                                            'Credential theft']},
 'ransomware': {'data_encryption': True,
                'data_exfiltration': True,
                'ransomware_strain': 'INC Ransomware'},
 'references': [{'source': 'Acronis Report'}],
 'threat_actor': 'INC Ransomware Group',
 'title': 'INC Ransomware Emerges as a Top Global Threat, Targeting Critical '
          'Sectors with Rust-Based Encryptors',
 'type': 'Ransomware',
 'vulnerability_exploited': ['CVE-2023-3519',
                             'CVE-2023-4966',
                             'CVE-2023-35082',
                             'CVE-2024-4885']}
Great! Next, complete checkout for full access to Rankiteo Blog.
Welcome back! You've successfully signed in.
You've successfully subscribed to Rankiteo Blog.
Success! Your account is fully activated, you now have access to all content.
Success! Your billing info has been updated.
Your billing was not updated.