Description
[INC Ransom](https://attack.mitre.org/groups/G1032) is a ransomware and data extortion threat group associated with the deployment of [INC Ransomware](https://attack.mitre.org/software/S1139) that has been active since at least July 2023. [INC Ransom](https://attack.mitre.org/groups/G1032) has targeted organizations worldwide, most commonly in the industrial, healthcare, and education sectors in the US and Europe.(Citation: Bleeping Computer INC Ransomware March 2024)(Citation: Cybereason INC Ransomware November 2023)(Citation: Secureworks GOLD IONIC April 2024)(Citation: SentinelOne INC Ransomware)
Techniques Used (TTPs)
- T1486 — Data Encrypted for Impact (impact)
- T1562.001 — Disable or Modify Tools (defense-evasion)
- T1021.001 — Remote Desktop Protocol (lateral-movement)
- T1657 — Financial Theft (impact)
- T1047 — Windows Management Instrumentation (execution)
- T1566 — Phishing (initial-access)
- T1059.003 — Windows Command Shell (execution)
- T1537 — Transfer Data to Cloud Account (exfiltration)
- T1087.002 — Domain Account (discovery)
- T1074 — Data Staged (collection)
- T1071 — Application Layer Protocol (command-and-control)
- T1046 — Network Service Discovery (discovery)
- T1569.002 — Service Execution (execution)
- T1219 — Remote Access Tools (command-and-control)
- T1588.002 — Tool (resource-development)
- T1036.005 — Match Legitimate Resource Name or Location (defense-evasion)
- T1570 — Lateral Tool Transfer (lateral-movement)
- T1069.002 — Domain Groups (discovery)
- T1135 — Network Share Discovery (discovery)
- T1190 — Exploit Public-Facing Application (initial-access)
- T1070.004 — File Deletion (defense-evasion)
- T1078 — Valid Accounts (defense-evasion, persistence, privilege-escalation, initial-access)
- T1105 — Ingress Tool Transfer (command-and-control)
- T1560.001 — Archive via Utility (collection)
- T1049 — System Network Connections Discovery (discovery)
Total TTPs: 25