Yamaha Motor and Xerox Business Solutions: INC ransomware opsec fail allowed data recovery for 12 US orgs

INC Ransomware Gang’s Security Failure Exposes Stolen Data from 12 U.S. Organizations

In a significant operational security lapse, researchers at Cyber Centaurs, a digital forensics and incident response firm, uncovered data exfiltrated by the INC ransomware gang from 12 U.S. organizations across the healthcare, manufacturing, technology, and service sectors. The discovery stemmed from an investigation into a ransomware attack on a U.S. client in November 2023, in which the RainINC variant was deployed from the PerfLogs directory, a folder that Windows creates by default (and that is normally empty) and that threat actors increasingly abuse as a staging location.

During the forensic analysis, researchers identified remnants of Restic, a legitimate open-source backup tool that the INC gang had used in previous attacks but had not used in this incident. That finding shifted the investigation toward the gang's own infrastructure, where hardcoded credentials, PowerShell scripts (including a Base64-encoded 'new.ps1' file), and backup commands revealed a pattern of long-term data retention: the gang had reused the same Restic-based storage repositories across multiple campaigns, so encrypted victim data remained accessible even after ransom negotiations had concluded.

Cyber Centaurs developed a non-destructive enumeration process to validate the hypothesis, confirming the presence of stolen data belonging to unrelated organizations, none of which were Cyber Centaurs clients. After decrypting the backups, the team preserved copies and coordinated with law enforcement to verify ownership and ensure proper handling.

The investigation also exposed the gang’s broader toolkit, which included cleanup utilities, remote access software, and network scanners. To aid defenders, Cyber Centaurs released YARA and Sigma rules to detect Restic or its renamed variants in suspicious locations, potentially flagging early-stage ransomware activity.

INC ransomware, a ransomware-as-a-service (RaaS) operation active since mid-2023, has targeted high-profile victims, including Yamaha Motor, Xerox Business Solutions, Scotland’s NHS, McLaren Health Care, and the Texas State Bar. This breach highlights the risks of reused attacker infrastructure and the potential for recovering stolen data even after an attack concludes.

Source: https://www.bleepingcomputer.com/news/security/inc-ransomware-opsec-fail-allowed-data-recovery-for-12-us-orgs/

Yamaha Motor Co., Ltd. cybersecurity rating report: https://www.rankiteo.com/company/yamaha-motor-company

Xerox cybersecurity rating report: https://www.rankiteo.com/company/xerox

"id": "YAMXER1769102615",
"linkid": "yamaha-motor-company, xerox",
"type": "Ransomware",
"date": "11/2023",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'industry': ['Healthcare',
                                     'Manufacturing',
                                     'Technology',
                                     'Services'],
                        'location': 'U.S.',
                        'type': ['Healthcare',
                                 'Manufacturing',
                                 'Technology',
                                 'Service']},
                       {'industry': 'Manufacturing',
                        'name': 'Yamaha Motor',
                        'type': 'Corporation'},
                       {'industry': 'Technology',
                        'name': 'Xerox Business Solutions',
                        'type': 'Corporation'},
                       {'industry': 'Healthcare',
                        'location': 'Scotland',
                        'name': 'Scotland’s NHS',
                        'type': 'Healthcare'},
                       {'industry': 'Healthcare',
                        'location': 'U.S.',
                        'name': 'McLaren Health Care',
                        'type': 'Healthcare'},
                       {'industry': 'Legal',
                        'location': 'U.S.',
                        'name': 'Texas State Bar',
                        'type': 'Government/Professional Organization'}],
 'attack_vector': 'Ransomware staged in and deployed from the Windows PerfLogs '
                  'directory (staging location; initial access vector not disclosed)',
 'data_breach': {'data_encryption': True,
                 'data_exfiltration': True,
                 'personally_identifiable_information': True,
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': 'Stolen data (sensitive, '
                                             'unspecified)'},
 'date_detected': '2023-11',
 'description': 'Researchers at Cyber Centaurs uncovered data exfiltrated by '
                'the INC ransomware gang from 12 U.S. organizations across '
                'healthcare, manufacturing, technology, and service sectors. '
                'The discovery stemmed from an investigation into a ransomware '
                'attack on a U.S. client in November 2023, where the RainINC '
                "variant was deployed via the PerfLogs directory. The gang's "
                'operational security lapse exposed stolen data due to reused '
                'infrastructure and hardcoded credentials.',
 'impact': {'data_compromised': 'Stolen data from 12 organizations',
            'identity_theft_risk': 'High (due to data exfiltration)'},
 'initial_access_broker': {'entry_point': 'Not disclosed (PerfLogs was the '
                                          'staging directory, not the entry point)'},
 'investigation_status': 'Ongoing (coordination with law enforcement)',
 'lessons_learned': 'The incident highlights the risks of reused attacker '
                    'infrastructure and the potential for recovering stolen '
                    'data even after an attack concludes.',
 'motivation': 'Financial gain (Ransomware-as-a-Service)',
 'post_incident_analysis': {'corrective_actions': 'Development of '
                                                  'non-destructive enumeration '
                                                  'processes to validate and '
                                                  'recover stolen data; '
                                                  'release of YARA and Sigma '
                                                  'rules for detection.',
                            'root_causes': 'Operational security lapse due to '
                                           'reused infrastructure, hardcoded '
                                           'credentials, and long-term data '
                                           'retention practices.'},
 'ransomware': {'data_encryption': True,
                'data_exfiltration': True,
                'ransomware_strain': 'RainINC'},
 'recommendations': 'Defenders should monitor for Restic or its renamed '
                    'variants in suspicious locations using YARA and Sigma '
                    'rules to detect early-stage ransomware activity.',
 'references': [{'source': 'Cyber Centaurs'}],
 'response': {'law_enforcement_notified': True,
              'third_party_assistance': 'Cyber Centaurs (Digital Forensics and '
                                        'Incident Response Firm)'},
 'threat_actor': 'INC Ransomware Gang',
 'title': 'INC Ransomware Gang’s Security Failure Exposes Stolen Data from 12 '
          'U.S. Organizations',
 'type': 'Ransomware'}