Complete encryption within 48 hours

Insights into ransomware attacks by INC Ransom

Marc Ströbel & Moritz Oettle · Updated on: 15.08.2025
INC Ransom Attack: From Initial Access to Full Encryption in 48 Hours

Valuable insights into the ransomware threat actor “INC Ransom”

We, the HvS IR team, handled a ransomware incident in which “INC Ransom” deliberately destroyed data and provided false information during negotiations. Furthermore, the ransomware group exploited a FortiGate firewall vulnerability published in January 2025 (FG-IR-24-535). In this article, we share our findings and provide recommendations.

The attack was based on typical attack techniques, known vulnerabilities and widespread misconfigurations and thus fits the usual pattern of ransomware attacks. Nevertheless, the attackers managed to completely encrypt the environment within 48 hours of initial access. Several valuable lessons can be learned from the incident:

Patching is critical 

Due to a recent misconfiguration of the firewall, its management interface was exposed to the internet. The firewall had been vulnerable for some time, but until then the vulnerabilities could not be exploited from the internet. This is why we have been preaching for years that critical vulnerabilities must be patched promptly, regardless of whether the affected device or service is reachable from the internet. A small configuration error can change everything, as it did in this case.

Typical procedure for FortiGate firewalls 

The various FortiGate incidents we have analyzed show that threat actors often use the following approach:

  • They create a malicious user with the “super_admin” profile on the FortiGate firewall to establish persistent access.
  • They download the FortiGate configuration and, using another vulnerability (FG-IR-19-007), extract secrets and credentials such as RADIUS user credentials, VPN pre-shared keys and TLS certificates.
  • They change the SSL VPN configuration so that the compromised FortiGate can be used for remote access.
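The first step of this procedure, a rogue super_admin account, is visible in the configuration backup itself. As an added example (not code from this article or from HvS), the following Python script parses the `config system admin` section of a FortiGate configuration and flags super_admin accounts that are not on an expected list or that have no trusthost restriction; the sample configuration, account names and addresses are constructed.

```python
# Constructed sample of a FortiGate configuration backup; the account names
# and addresses are invented, not taken from the incident.
SAMPLE_CONFIG = """\
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
        set trusthost1 10.10.0.0 255.255.255.0
        set password ENC redacted
    next
    edit "support-tmp"
        set accprofile "super_admin"
    next
    edit "auditor"
        set accprofile "prof_admin"
        set trusthost1 10.10.0.5 255.255.255.255
    next
end
"""

def parse_admins(config_text):
    """Return {name: {setting: value}} for each entry in 'config system admin'."""
    admins, current, in_section = {}, None, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config system admin":
            in_section = True
        elif not in_section:
            continue
        elif line == "end":
            in_section = False
        elif line.startswith('edit "'):
            current = line[6:-1]          # strip 'edit "' and the closing quote
            admins[current] = {}
        elif line == "next":
            current = None
        elif current is not None and line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            admins[current][key] = value.strip('"')
    return admins

def audit_admins(admins, expected_super_admins):
    """Flag super_admin accounts that are unexpected or reachable from any source."""
    findings = []
    for name, settings in admins.items():
        if settings.get("accprofile") != "super_admin":
            continue
        if name not in expected_super_admins:
            findings.append((name, "unexpected super_admin account"))
        if not any(k.startswith("trusthost") for k in settings):
            findings.append((name, "super_admin without trusthost restriction"))
    return findings
```

Run it against a freshly exported backup and compare the result with the account list from the last known-good export; a new super_admin entry that nobody created is exactly the persistence described above.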

Negotiation with INC Ransom 

Our negotiations with INC Ransom and the attack context revealed interesting results:

  • They promised a decryption tool for fast recovery, but they had deleted multiple Hyper-V volumes, damaging them beyond repair. Even if the ransom had been paid, recovery would only have been possible from backups.
  • When we asked them about initial access and privilege escalation, INC Ransom provided false information, claiming that a FortiGate admin account had been breached by a brute-force attack. We could rule out that scenario, because the account in question had a trust-host definition and could not have been accessed from an external address.

Impressive Speed 

Active Directory misconfigurations and weaknesses very often lead to a rapid domain compromise and enable ransomware actors to exfiltrate and encrypt quickly and efficiently. In this case it took the attackers only 48 hours from initial access to full encryption. That is simply far too fast.

   From initial access to complete encryption in 48 hours

Our Recommendations 

  • Patch critical vulnerabilities on publicly exposed components and combine the patch with a mandatory compromise assessment. Focus the assessment not only on known Indicators of Compromise (IOCs), but also on the integrity of the configuration.
  • Review the credentials and secrets configured on publicly exposed components thoroughly. Enforce the principle of least privilege and strictly avoid account or password reuse.
       Another tip: use such service accounts as canaries. For example, set an alert for a RADIUS user login from any source other than the related FortiGate.
  • Active Directory hardening is crucial. Do regular PingCastle reviews with the goal of achieving a score below 50. Furthermore, LAPS and AD tiering should be adopted.
  • Use our HvS IOCs to look for traces of the attacker in your own environment.
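The canary tip above can be implemented as a small detection rule. This is an added example, not code from the article or from HvS: it runs over already-normalized authentication events (the field names, policy and sample events are this example's own construction) and raises an alert whenever a canary account authenticates from a source other than its related FortiGate.

```python
from ipaddress import ip_address, ip_network

# Canary policy (constructed): each RADIUS service account maps to the only
# source addresses it may legitimately authenticate from, i.e. its FortiGate(s).
CANARY_SOURCES = {
    "svc-radius": [ip_network("10.10.0.1/32")],
}

# Constructed, already-normalized events; the field names are this example's
# own, not the raw Windows/NPS schema. For NPS event 6272 (access granted)
# 'source' is the RADIUS client (NAS) address; for Windows 4624 (successful
# logon) it is the logon's network address. Either way it answers the question
# "where did this authentication come from?".
SAMPLE_EVENTS = [
    {"event_id": 6272, "account": "svc-radius", "source": "10.10.0.1", "host": "NPS01"},
    {"event_id": 6272, "account": "alice", "source": "10.10.0.1", "host": "NPS01"},
    {"event_id": 4624, "account": "svc-radius", "source": "10.10.5.23", "host": "FS01"},
    {"event_id": 6272, "account": "svc-radius", "source": "10.10.9.9", "host": "NPS01"},
]

def canary_alerts(events, policy=CANARY_SOURCES):
    """Return (account, event_id, source, host) for every authentication of a
    canary account that did not originate from one of its allowed sources."""
    alerts = []
    for e in events:
        allowed = policy.get(e["account"])
        if allowed is None:
            continue                      # not a canary account
        src = ip_address(e["source"])
        if not any(src in net for net in allowed):
            alerts.append((e["account"], e["event_id"], e["source"], e["host"]))
    return alerts
```

The third sample event is the case that matters here: the RADIUS service account, which should only ever be seen from the FortiGate, logging on to a file server from a workstation address.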

This attack highlights once again: security is not a product, it’s a process. Don’t rely on a single appliance exposed to the internet. Protection against ransomware attacks needs a security-in-depth approach with a variety of prevention, detection, and response measures. Missing one of these three pillars will likely lead to a fast compromise with almost no chances for an adequate reaction. 

Technical details of the attack

Course of Events 

INC Ransom gained initial access by exploiting the FortiGate firewall vulnerability FG-IR-24-535 (FortiOS 7.0.15). At an unknown point in time, the management interface of the unpatched firewall had been accidentally exposed to the internet. The exploit allowed the attackers to create a malicious super_admin account. They then set up an SSL VPN configuration and used it for remote access to the victim’s network. The breached FortiGate was further abused to extract the credentials of the Active Directory user configured for RADIUS authentication (see FG-IR-19-007 for details). This account allowed them to analyze the Active Directory domain further and to locate weak configurations or vulnerabilities. Subsequently the actor performed a Kerberoasting attack and cracked the password of the built-in Domain Administrator account, which also had a service principal name registered for individual service installations.
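The Kerberoasting step leaves a characteristic trace in the domain controllers' Security log: service-ticket requests (event 4769) with RC4 encryption, typically for many service accounts in quick succession. As an added example (not code from the article or from HvS), the following detector runs over constructed, normalized 4769 records and flags both an RC4 ticket for a privileged account such as the built-in Administrator and a burst of distinct ticket requests from one requester; the field names and sample values are this example's own.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, normalized 4769 (Kerberos service ticket requested) events; the
# field names are this example's own, not the raw Windows event schema.
# etype 0x17 is RC4-HMAC (what Kerberoasting tools request); 0x12 is AES256.
SAMPLE_4769 = [
    {"ts": "2025-01-20T02:10:01", "requester": "svc-radius", "client": "10.10.5.23",
     "service": "Administrator", "etype": "0x17"},
    {"ts": "2025-01-20T02:10:02", "requester": "svc-radius", "client": "10.10.5.23",
     "service": "svc-sql", "etype": "0x17"},
    {"ts": "2025-01-20T02:10:03", "requester": "svc-radius", "client": "10.10.5.23",
     "service": "svc-backup", "etype": "0x17"},
    {"ts": "2025-01-20T08:30:00", "requester": "alice", "client": "10.10.7.4",
     "service": "svc-sql", "etype": "0x12"},
]

# Accounts that should never carry an SPN; a ticket for them is always worth a look.
PRIVILEGED_SPN_ACCOUNTS = {"Administrator"}

def kerberoast_alerts(events, burst_threshold=3, window=timedelta(minutes=5)):
    """Return alerts for RC4 tickets to privileged accounts and for bursts of
    distinct service-ticket requests from one requester/client pair."""
    alerts = []
    by_requester = defaultdict(list)
    for e in events:
        if e["etype"] == "0x17" and e["service"] in PRIVILEGED_SPN_ACCOUNTS:
            alerts.append(("rc4_ticket_privileged_spn", e["requester"], e["service"]))
        by_requester[(e["requester"], e["client"])].append(
            (datetime.fromisoformat(e["ts"]), e["service"]))
    for (requester, client), reqs in by_requester.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):      # sliding window over sorted requests
            services = {s for t, s in reqs[i:] if t - t0 <= window}
            if len(services) >= burst_threshold:
                alerts.append(("tgs_request_burst", requester, client))
                break
    return alerts
```

Removing the SPN from the built-in Administrator account (and enforcing AES-only tickets for service accounts) eliminates the first alert category altogether; the burst rule remains useful for every other service account.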
 

Attack map INC RANSOM


With domain admin rights, INC Ransom moved laterally through the network using the Remote Desktop Protocol. They accessed the victim’s file server and exfiltrated well over 10000 files. Within 48 hours of the initial breach, the attackers deployed their ransomware on Hyper-V servers, using a variant of their crypter named win.exe. This caused widespread outages, as most virtual machines were encrypted. In some cases, the actor had to execute the ransomware manually inside a VM or even delete entire Hyper-V volumes. We assume these workarounds were used when VMs could not be stopped or file-system locks could not be bypassed. Finally, a Meterpreter-based remote access trojan was executed on a hypervisor, likely as a fallback access method or to monitor the ongoing encryption.

MITRE ATT&CK® tactics

Indicators of Compromise

To access them directly via our MISP feed, use the following link:

View the IOCs

Alternatively, the IOCs are listed in the following table:

Category	Type	Indicator	Comment
Network activity	ip-dst	185.174.100.204	C2 channel of svchost.exe meterpreter sample
Network activity	url	http[://]185.174.100.204:443/L7RZw57VJ-b1dfR0k_tCyQtB1fJI8WowHQJSk54rTfUI2od24XrEIUzV5WGzx5fD0nPOwbVMrUfjFtDSZ8s8FudwarDyt7dL8gMPumRtXRv_ondaA99DiB1AmQDhTROOEB5RNqoBUGF7RO1eVLkzN4bgXoa9mjeqRlP1HJkpzxwa-XWfCySg54DfgGxSZPQAlpmdrTQwiPTmXmZzxGfhQBf	svchost.exe meterpreter C2 URI
Payload delivery	sha1	6e45db2cc4648a388fbd6f3d82c7da9c8e30187d	svchost.exe meterpreter sample
Payload delivery	filename	svchost.exe	svchost.exe meterpreter sample
Payload delivery	md5	2f000e0a52d6ee0c89f93fa5ab4c7e3c	svchost.exe meterpreter sample
Payload delivery	sha256	cf1ebd6fb534d65dd0e8164db9693988d5a4a645dd044beba578ab25c0033e66	svchost.exe meterpreter sample
Other	text	%PROGRAMDATA%\Microsoft\	svchost.exe meterpreter sample
Payload delivery	sha1	41b9a2ca27188c967a28a9b72950380cd0fa8e20	win.exe INC RANSOM crypter
Payload delivery	filename	win.exe	win.exe INC RANSOM crypter
Payload delivery	sha256	ef8bb466a368d5f564d05b54aea154b117847938c07627e85e3eb0e147296644	win.exe INC RANSOM crypter
Other	text	\Users\Administrator\Documents\x64	win.exe INC RANSOM crypter

About the author

Moritz Oettle

Head of Incident Response

With extensive experience in analyzing and managing a wide range of security incidents, Moritz Oettle, Head of Incident Response at HvS-Consulting, possesses deep expertise in containing, mitigating, and following up on cyberattacks.