INC Ransomware

INC Ransomware has the ability to use wmic.exe to spread to multiple endpoints within a compromised environment.^[2][3]

INC Ransomware can run CryptStringToBinaryA to decrypt base64 content containing its ransom note.^[4]

INC Ransomware can identify external USB and hard drives for encryption and printers to print ransom notes.^[4]

INC Ransomware can encrypt data on victim systems, including through the use of partial encryption and multi-threading to speed encryption.^{[1][2][4][5][1]}

INC Ransomware can receive command line arguments to encrypt specific files and directories.^[4][1]

INC Ransomware can issue a command to kill a process on compromised hosts.^[4]

INC Ransomware can use the API DeviceIoControl to resize the allocated space for and cause the deletion of volume shadow copy snapshots.^[4]

INC Ransomware can push its encryption executable to multiple endpoints within compromised infrastructure.^[2]

INC Ransomware can discover and mount hidden drives to encrypt them.^[4]

INC Ransomware can delete volume shadow copy backups from victim machines.^[4]

INC Ransomware has the ability to check for shared network drives to encrypt.^[4]

INC Ransomware can verify the presence of specific drivers on compromised hosts including Microsoft Print to PDF and Microsoft XPS Document Writer.^[4]

INC Ransomware can use the Microsoft Win32 Restart Manager to kill processes with a specific handle or that are accessing resources it wants to encrypt.^[4]

INC Ransomware campaigns have used spearphishing emails for initial access.^[1]