Ransomware operators exfiltrate data before encrypting it to increase their bargaining power during ransom negotiations.
Threatening to publish the stolen private information heightens the urgency for victims to pay a ransom immediately.
Secureworks Counter Threat Unit researchers are tracking the INC Ransom group known as GOLD IONIC.
INC Ransom Group Exfiltrates Data
Emerging in August 2023, this threat group employs double extortion tactics – exfiltrating data before encryption, then threatening public exposure to pressure victims into paying ransoms.
Between August 2023 and March 2024, GOLD IONIC's Tor leak site published the names of 72 victims, and it added 7 more in April 2024. Although the group's victims are mostly American organizations in the industrial, healthcare, and education sectors, its attacks span the globe.
Secureworks assesses that GOLD IONIC appears to operate alone, encrypting files for ransom itself rather than running an affiliate program.
Monthly victim counts appear fairly consistent; the apparent exceptions may be batches of victims posted together.
Number of victims posted to GOLD IONIC’s leak site from August 2023 through March 2024 (Source – Secureworks)
Like many financially motivated groups, GOLD IONIC conducts indiscriminate, opportunistic attacks across geographies and sectors.
However, most victims are U.S.-based organizations, with a significant gap to the second-most impacted country, the UK.
Geographic locations of victims posted to GOLD IONIC’s leak site (Source – Secureworks)
The prevalence of Western victims and lack of those from Commonwealth of Independent States countries suggests the group likely operates out of Russia or a CIS nation.
No sector stands out, though industrial, healthcare, and education organizations are the most common targets, with educational establishments over-represented compared to other ransomware groups from August 2023 to March 2024.
Breakdown of sectors for victims posted to the GOLD IONIC leak site (Source – Secureworks)
In Secureworks’ incident response engagements, GOLD IONIC consistently deploys INC ransomware. One case potentially involved initial access via the “Citrix Bleed” vulnerability (CVE-2023-4966), an initial vector favored by LockBit affiliates.
Post-intrusion, the attacker dropped a Meterpreter shell, enumerated Active Directory, archived and exfiltrated over 70GB of data using WinRAR and Megasync, then copied the victim-named INC ransomware binary to over 500 systems and executed it remotely via PsExec to encrypt files.
The INC ransom note instructs the victim to contact the threat actor within 72 hours via a “.onion” address to prevent the stolen data from being leaked.
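The intrusion chain described above leaves observable traces on endpoints: a PSEXESVC service install on every host PsExec touches, the same binary appearing on hundreds of hosts within minutes, and an archiver followed by a cloud sync client on the staging host. The following hunt script is an added example, not code from Secureworks or GBHackers. The event records, field layout, host names, the `victimname.exe` binary name and the thresholds (10-minute fan-out window, three hosts, two-hour staging-to-upload gap) are all constructed assumptions for illustration.

```python
"""Hunt for the INC deployment pattern over constructed Windows telemetry.

Added example, not Secureworks' or GBHackers' code. Records are shaped like
simplified Sysmon/System log fields; names and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

ARCHIVERS = {"rar.exe", "winrar.exe", "7z.exe"}        # staging tools
SYNC_CLIENTS = {"megasync.exe", "rclone.exe"}           # exfiltration channels
PSEXEC_SERVICE = "PSEXESVC"                             # service PsExec installs

# Constructed sample telemetry: (timestamp, host, event kind, detail).
EVENTS = [
    ("2024-03-01T01:02:00", "FS01", "process", r"C:\Program Files\WinRAR\Rar.exe a -r D:\stage\finance.rar \\FS01\finance"),
    ("2024-03-01T01:40:00", "FS01", "process", r"C:\Users\svc\AppData\Local\MEGAsync\MEGAsync.exe"),
    ("2024-03-01T02:00:00", "WS-01", "service", "PSEXESVC"),
    ("2024-03-01T02:00:05", "WS-01", "process", r"C:\Windows\Temp\victimname.exe"),
    ("2024-03-01T02:00:10", "WS-02", "service", "PSEXESVC"),
    ("2024-03-01T02:00:15", "WS-02", "process", r"C:\Windows\Temp\victimname.exe"),
    ("2024-03-01T02:00:20", "WS-03", "service", "PSEXESVC"),
    ("2024-03-01T02:00:25", "WS-03", "process", r"C:\Windows\Temp\victimname.exe"),
    ("2024-03-01T02:00:30", "SRV-DB", "service", "PSEXESVC"),
    ("2024-03-01T02:00:35", "SRV-DB", "process", r"C:\Windows\Temp\victimname.exe"),
    # Benign noise: a backup job with no upload, and a common binary seen days apart.
    ("2024-03-01T03:00:00", "BK01", "process", r"C:\Program Files\7-Zip\7z.exe a backup.7z D:\data"),
    ("2024-02-25T09:00:00", "WS-01", "process", r"C:\Windows\System32\svchost.exe"),
    ("2024-02-27T09:00:00", "WS-02", "process", r"C:\Windows\System32\svchost.exe"),
    ("2024-03-03T09:00:00", "WS-03", "process", r"C:\Windows\System32\svchost.exe"),
    ("2024-03-05T09:00:00", "SRV-DB", "process", r"C:\Windows\System32\svchost.exe"),
]


def parse(raw):
    """Convert ISO timestamps to datetime objects; keep the other fields as-is."""
    return [(datetime.fromisoformat(ts), host, kind, detail) for ts, host, kind, detail in raw]


def image_name(command):
    """Lower-cased executable basename from a command line, tolerating spaces in the path."""
    low = command.lower()
    end = low.find(".exe")
    path = low if end == -1 else low[: end + 4]
    return path.rsplit("\\", 1)[-1]


def psexec_hosts(events):
    """Hosts where the PsExec service was installed (one record per remote execution)."""
    return sorted({h for _, h, kind, d in events if kind == "service" and d.upper() == PSEXEC_SERVICE})


def mass_deployment(events, window=timedelta(minutes=10), min_hosts=3):
    """Images whose first execution on at least min_hosts distinct hosts falls inside one window."""
    first_seen = {}
    for ts, host, kind, detail in events:
        if kind == "process":
            key = (image_name(detail), host)
            first_seen[key] = min(ts, first_seen.get(key, ts))
    per_image = defaultdict(list)
    for (image, host), ts in first_seen.items():
        per_image[image].append((ts, host))
    hits = {}
    for image, seen in per_image.items():
        seen.sort()
        for i, (start, _) in enumerate(seen):          # slide a window from each first-seen time
            burst = [h for t, h in seen[i:] if t - start <= window]
            if len(burst) >= min_hosts:
                hits[image] = sorted(set(burst))
                break
    return hits


def staging_then_upload(events, max_gap=timedelta(hours=2)):
    """Hosts where an archiver ran and a sync client started within max_gap afterwards."""
    by_host = defaultdict(list)
    for ts, host, kind, detail in events:
        if kind == "process":
            by_host[host].append((ts, image_name(detail)))
    flagged = []
    for host, procs in by_host.items():
        archive_times = [t for t, img in procs if img in ARCHIVERS]
        if any(img in SYNC_CLIENTS and any(timedelta(0) <= t - a <= max_gap for a in archive_times)
               for t, img in procs):
            flagged.append(host)
    return sorted(flagged)


def hunt(raw_events=EVENTS):
    """Run all three rules and return their findings keyed by rule name."""
    events = parse(raw_events)
    return {
        "psexec_hosts": psexec_hosts(events),
        "mass_deployment": mass_deployment(events),
        "staging_then_upload": staging_then_upload(events),
    }


if __name__ == "__main__":
    for rule, result in hunt().items():
        print(f"{rule}: {result}")
```

Each rule on its own produces alerts that an administrator could explain away (PsExec is a legitimate tool; backup jobs archive data). Correlating them, as `hunt()` does, is what separates the pattern in the article from routine administration: the fan-out rule in particular is tuned so that a single binary landing on many hosts within minutes stands out, while the same binary seen across the estate over days does not.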
While the leak site resembles LockBit’s, there are no other known connections between the groups.
Comparison of the LockBit (top) and INC Ransom (bottom) leak sites (Source – Secureworks)
The INC Ransom leak site also lists some victims of other ransomware groups. In one case the files and ransom note format matched those of ALPHV ransomware, operated by GOLD BLAZER.
Donut Leaks warning about affiliates posting stolen data to other leak sites (Source – Secureworks)
Financially motivated affiliates may act in their own interest, even stealing data to post elsewhere with modified ransom contact details.
Some affiliates have deployed as many as seven ransomware families, and this fluid affiliate-operator relationship could explain cross-posting on leak sites.
The post INC Ransom Group Exfiltrates Data Before Encrypting & Threatens Public Exposure appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.