Critical
Ransomware-as-a-Service
Ransomware
INC Ransomware
Threat Hunting Guide
Comprehensive Threat Hunting Guide for INC Ransom / GOLD IONIC RaaS Operations
300+
Victims (2025)
11/mo
Avg Monthly Rate
48hrs-Weeks
Dwell Time
4-6 Hours
Hunt Duration
Download the Complete Hunting Guide
Includes all 10 hunt modules, 50+ detection queries, IOCs, MITRE mappings, and incident response procedures
1
Executive Summary
INC Ransomware - Critical Hunting Focus
- INC Ransom (GOLD IONIC) claimed 300+ victims in 2025, with healthcare as the most impacted sector
- Primary initial access via exploitation of Citrix NetScaler (CVE-2023-3519, CVE-2023-4966) and Fortinet (CVE-2023-48788, FG-IR-24-535)
- Double-extortion model: data theft via MEGASync, Rclone, Restic before encryption with .INC extension
- Vanilla Tempest (formerly Vice Society) attributed as key affiliate targeting US healthcare with Gootloader
- Typical dwell time of 48 hours to several weeks provides window for detection and response
Ransomware Source Code Sold - Derivative Threats Active
In March 2024, INC ransomware source code (Windows + Linux/ESXi) was listed for sale at $300,000 on hacking forums. Unit 42 confirmed significant code overlap between INC and Lynx ransomware (48% Windows, 91% Linux), indicating active derivative threats. In January 2026, an operational security failure in INC infrastructure allowed data recovery for 12 US organizations from reused Restic backup repositories.
INC Ransomware is a Ransomware-as-a-Service (RaaS) operation first observed in July 2023. Tracked by Secureworks as GOLD IONIC and cataloged by MITRE as G1032, the group employs a double-extortion model combining data theft with file encryption. INC operators have claimed over 300 victims in 2025 alone, with healthcare as the most impacted sector according to MOXFIVE incident response data.
The group gains initial access primarily through exploitation of internet-facing appliances, notably Citrix NetScaler (CVE-2023-3519, CVE-2023-4966) and Fortinet products (CVE-2023-48788, FG-IR-24-535). Post-compromise, operators deploy a combination of legitimate remote management tools (AnyDesk, ScreenConnect, TightVNC) and offensive tooling (Impacket, lsassy.py, Meterpreter) for credential harvesting, lateral movement, and data exfiltration via MEGASync, Rclone, and Restic.
This guide provides 10 structured hunt modules to systematically detect INC Ransom pre-encryption activity across your environment, from initial access indicators through data exfiltration to ransomware execution artifacts. Typical dwell time before encryption is 48 hours to several weeks, providing a window for detection and response.
2
Hunt Modules
1
Initial Access - Exploited Public-Facing Applications
2
Credential Access - Credential Dumping & Kerberoasting
3
Unauthorized Remote Management Tools
4
Network Reconnaissance & Discovery
5
Defense Evasion - Security Tool Termination
6
Data Staging & Exfiltration
7
Lateral Movement - RDP & PsExec
8
Persistence Mechanisms
9
ESXi & Hypervisor Targeting
10
Ransomware Execution Artifacts
3
Detection Rules
Citrix/Fortinet Exploitation Detection
Detects exploitation attempts targeting Citrix NetScaler and Fortinet appliances used for INC initial access
# Hunt 1a: Citrix NetScaler exploitation indicators index=web OR index=proxy sourcetype=citrix* | search (uri_path="*gateway*" OR uri_path="*vpn*") AND (status>=500 OR http_method="POST") | stats count by src_ip, uri_path, status | where count > 20 # Hunt 1b: Fortinet exploitation indicators index=network sourcetype=fortinet* | search (event_type="utm" OR event_type="attack") AND (attack_name="*SQL*" OR attack_name="*injection*") | stats count by src_ip, dest_ip, attack_name # Hunt 1c: New SSL VPN configuration (FG-IR-24-535 post-exploit) index=network sourcetype=fortinet* | search action="config" AND (config_object="vpn.ssl.web.portal" OR config_object="user.local") | stats count by admin_user, config_object, action
LSASS Credential Dumping Detection
Detects credential harvesting via lsassy.py, secretsdump.py, and LSASS memory access patterns
# Hunt 2a: LSASS memory access (credential dumping)
index=edr sourcetype=sysmon EventCode=10
| search TargetImage="*\lsass.exe"
AND (GrantedAccess="0x1010" OR GrantedAccess="0x1038" OR GrantedAccess="0x1FFFFF")
AND NOT SourceImage IN ("*\MsMpEng.exe", "*\csrss.exe", "*\svchost.exe")
| stats count by SourceImage, TargetImage, GrantedAccess, host
# Hunt 2b: Python-based credential tools (lsassy, secretsdump)
index=edr (process_name="python.exe" OR process_name="python3.exe")
| search (command_line="*lsassy*" OR command_line="*secretsdump*"
OR command_line="*wmiexec*" OR command_line="*impacket*")
| stats count by host, user, command_line
# Hunt 2c: Kerberoasting detection (Event 4769, RC4 encryption)
index=wineventlog EventCode=4769 Ticket_Encryption_Type=0x17
| search Service_Name!="krbtgt" AND Service_Name!="*$"
| stats count by Account_Name, Service_Name, Client_Address
| where count > 5
# Hunt 2d: Veeam credential harvesting
index=edr (process_name="powershell.exe" OR process_name="pwsh.exe")
| search (command_line="*VeeamCreds*" OR command_line="*Get-VBRCredentials*"
OR command_line="*Veeam.Backup*")
| stats count by host, user, command_line
Unauthorized Remote Admin Tools
Detects AnyDesk, ScreenConnect, TightVNC, or PuTTY installations on unauthorized systems
# Hunt 3a: RMM tool process execution on non-approved hosts
index=edr sourcetype=process_creation
| search process_name IN (
"AnyDesk.exe", "anydesk.exe",
"ScreenConnect.Client.exe", "ScreenConnect.WindowsClient.exe",
"tvnserver.exe", "tvnviewer.exe",
"putty.exe", "plink.exe"
)
| stats count earliest(_time) as first_seen latest(_time) as last_seen by host, process_name, user
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S")
| eval last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
# Hunt 3b: RMM tool installation artifacts
index=edr sourcetype=file_creation
| search (file_path="*\AnyDesk*" OR file_path="*\ScreenConnect*"
OR file_path="*\TightVNC*")
AND file_path="*Program Files*"
| stats count by host, file_path
# Hunt 3c: RMM service creation
index=wineventlog EventCode=7045
| search (Service_Name="*AnyDesk*" OR Service_Name="*ScreenConnect*"
OR Service_Name="*tvnserver*")
| stats count by host, Service_Name, Service_File_Name
Security Tool Termination
Detects attempts to disable security tools using ProcessHacker, ProcTerminator, or service stop commands
# Hunt 5a: Process termination tool execution
index=edr sourcetype=process_creation
| search process_name IN ("ProcessHacker.exe", "processhacker.exe",
"ProcTerminator.exe", "procterminator.exe",
"PCHunter.exe", "pchunter.exe",
"KillAV.exe")
| stats count by host, user, process_name, parent_process_name
# Hunt 5b: Security process termination (Event-based)
index=edr
| search (event_type="process_terminate" OR event_type="process_end")
AND process_name IN (
"MsMpEng.exe", "MsSense.exe", "SentinelAgent.exe",
"CylanceSvc.exe", "CSFalconService.exe", "cb.exe",
"SophosAgent.exe", "bdagent.exe"
)
| stats count by host, process_name, parent_process_name
| where count > 0
# Hunt 5c: Tamper protection alerts or service stops
index=wineventlog EventCode=7036
| search (Service_Name="*Defender*" OR Service_Name="*Endpoint*"
OR Service_Name="*Sentinel*" OR Service_Name="*CrowdStrike*")
AND Service_State="stopped"
| stats count by host, Service_Name
Shadow Copy Deletion / Ransomware Execution
Detects shadow copy deletion, ransom note creation, .INC file encryption, and known INC binary indicators
# Hunt 10a: Ransom note creation
index=edr sourcetype=file_event
| search file_name IN ("INC-README.TXT", "INC-README.HTML")
AND event_type="file_create"
| stats count by host
# Hunt 10b: Mass file encryption indicator (.INC extension)
index=edr sourcetype=file_event
| search file_name="*.INC" AND event_type="file_modify"
| stats count by host
| where count > 10
# Hunt 10c: Shadow copy deletion
index=edr sourcetype=process_creation
| search (
(process_name="vssadmin.exe" AND command_line="*delete*" AND command_line="*shadow*")
OR
(process_name="wmic.exe" AND command_line="*shadowcopy*" AND command_line="*delete*")
)
| stats count by host, process_name, command_line
# Hunt 10d: Known INC binary indicators
index=edr sourcetype=process_creation
| search (
process_name="win.exe"
OR original_file_name="INC Encryptor*"
OR file_description="INC Encryptor*"
)
| stats count by host, process_name, file_hash
# Hunt 10e: Mass service stop commands (pre-encryption)
index=edr sourcetype=process_creation
| search process_name="net.exe" AND command_line="*stop*"
| stats count by host
| where count > 5
Citrix/Fortinet Exploitation Detection
Detects exploitation attempts targeting Citrix NetScaler and Fortinet appliances used for INC initial access
CommonSecurityLog
| where TimeGenerated > ago(7d)
| where DeviceVendor == "Citrix" or DeviceVendor == "Fortinet"
| where RequestURL has_any ("gateway", "vpn")
and (SentBytes > 0 or RequestMethod == "POST")
| summarize AttemptCount=count() by SourceIP, RequestURL, DeviceAction
| where AttemptCount > 20
| order by AttemptCount desc
// Fortinet EMS SQL injection
CommonSecurityLog
| where TimeGenerated > ago(7d)
| where DeviceVendor == "Fortinet"
| where Activity has_any ("SQL", "injection", "exploit")
| summarize count() by SourceIP, DestinationIP, Activity
// Unauthorized SSL VPN config changes
AuditLogs
| where TimeGenerated > ago(30d)
| where OperationName has_any ("vpn.ssl.web.portal", "user.local")
| project TimeGenerated, InitiatedBy, OperationName, Result
LSASS Credential Dumping Detection
Detects credential harvesting via lsassy.py, secretsdump.py, and LSASS memory access patterns
SecurityEvent
| where TimeGenerated > ago(7d)
| where EventID == 10
| where TargetImage endswith "\lsass.exe"
| where GrantedAccess in ("0x1010", "0x1038", "0x1FFFFF")
| where SourceImage !endswith "\MsMpEng.exe"
and SourceImage !endswith "\csrss.exe"
and SourceImage !endswith "\svchost.exe"
| project TimeGenerated, Computer, SourceImage, GrantedAccess
// Python credential tools
DeviceProcessEvents
| where TimeGenerated > ago(7d)
| where FileName in ("python.exe", "python3.exe")
| where ProcessCommandLine has_any ("lsassy", "secretsdump", "wmiexec", "impacket")
| project TimeGenerated, DeviceName, AccountName, ProcessCommandLine
// Kerberoasting
SecurityEvent
| where EventID == 4769
| where TicketEncryptionType == "0x17"
| where ServiceName != "krbtgt" and ServiceName !endswith "$"
| summarize count() by TargetAccount, ServiceName, IpAddress
| where count_ > 5
Unauthorized Remote Admin Tools
Detects AnyDesk, ScreenConnect, TightVNC, or PuTTY installations on unauthorized systems
DeviceProcessEvents
| where TimeGenerated > ago(7d)
| where FileName in~ ("AnyDesk.exe", "ScreenConnect.Client.exe",
"ScreenConnect.WindowsClient.exe", "tvnserver.exe",
"tvnviewer.exe", "putty.exe", "plink.exe")
| summarize ConnectionCount=count(),
FirstSeen=min(TimeGenerated),
LastSeen=max(TimeGenerated)
by DeviceName, FileName, AccountName
| order by ConnectionCount desc
// RMM service creation
SecurityEvent
| where EventID == 7045
| where ServiceName has_any ("AnyDesk", "ScreenConnect", "tvnserver")
| project TimeGenerated, Computer, ServiceName, ServiceFileName, Account
Security Tool Termination
Detects attempts to disable security tools using ProcessHacker, ProcTerminator, or service stop commands
DeviceProcessEvents
| where TimeGenerated > ago(7d)
| where FileName in~ ("ProcessHacker.exe", "ProcTerminator.exe",
"PCHunter.exe", "KillAV.exe")
| project TimeGenerated, DeviceName, AccountName, FileName, InitiatingProcessFileName
// Security process termination
DeviceEvents
| where TimeGenerated > ago(7d)
| where ActionType == "ProcessTerminated"
| where FileName in~ ("MsMpEng.exe", "MsSense.exe", "SentinelAgent.exe",
"CylanceSvc.exe", "CSFalconService.exe")
| project TimeGenerated, DeviceName, FileName, InitiatingProcessFileName
// Security service stops
SecurityEvent
| where EventID == 7036
| where ServiceName has_any ("Defender", "Endpoint", "Sentinel", "CrowdStrike")
| where ServiceState == "stopped"
| project TimeGenerated, Computer, ServiceName
Shadow Copy Deletion / Ransomware Execution
Detects shadow copy deletion, ransom note creation, .INC file encryption, and known INC binary indicators
// Ransom note creation
DeviceFileEvents
| where TimeGenerated > ago(24h)
| where FileName in ("INC-README.TXT", "INC-README.HTML")
| summarize NoteCount=count() by DeviceName
| order by NoteCount desc
// Mass .INC file extension
DeviceFileEvents
| where TimeGenerated > ago(24h)
| where FileName endswith ".INC"
| summarize EncryptedFiles=count() by DeviceName
| where EncryptedFiles > 10
// Shadow copy deletion
DeviceProcessEvents
| where TimeGenerated > ago(7d)
| where (FileName == "vssadmin.exe" and ProcessCommandLine has_all ("delete", "shadows"))
or (FileName == "wmic.exe" and ProcessCommandLine has_all ("shadowcopy", "delete"))
| project TimeGenerated, DeviceName, FileName, ProcessCommandLine
// Known INC binary indicators
DeviceProcessEvents
| where TimeGenerated > ago(7d)
| where FileName == "win.exe"
or ProcessVersionInfoOriginalFileName has "INC Encryptor"
| project TimeGenerated, DeviceName, FileName, SHA256
Citrix/Fortinet Exploitation Detection
Detects exploitation attempts targeting Citrix NetScaler and Fortinet appliances used for INC initial access
title: INC Ransomware - Citrix/Fortinet Exploitation Indicators
id: inc-ransom-initial-access-001
status: experimental
description: Detects exploitation patterns targeting Citrix NetScaler and Fortinet products used by INC Ransom
author: Intruvent Technologies
logsource:
category: webserver
detection:
selection_citrix:
cs-uri-stem|contains:
- "/vpn/"
- "/gateway/"
sc-status|gte: 500
selection_fortinet:
cs-uri-stem|contains:
- "/api/v2/"
- "/FortiClientEMS/"
condition: selection_citrix or selection_fortinet
level: high
tags:
- attack.initial_access
- attack.t1190
LSASS Credential Dumping Detection
Detects credential harvesting via lsassy.py, secretsdump.py, and LSASS memory access patterns
title: INC Ransomware - Credential Dumping Tools
id: inc-ransom-creds-001
status: experimental
description: Detects lsassy.py, secretsdump.py execution and LSASS memory access used by INC for credential theft
author: Intruvent Technologies
logsource:
category: process_creation
product: windows
detection:
selection_python:
Image|endswith: "\python.exe"
CommandLine|contains:
- "lsassy"
- "secretsdump"
selection_lsass_access:
EventID: 10
TargetImage|endswith: "\lsass.exe"
GrantedAccess|contains:
- "0x1010"
- "0x1038"
condition: selection_python or selection_lsass_access
level: critical
tags:
- attack.credential_access
- attack.t1003
Unauthorized Remote Admin Tools
Detects AnyDesk, ScreenConnect, TightVNC, or PuTTY installations on unauthorized systems
title: INC Ransomware - Unauthorized Remote Management Tools
id: inc-ransom-rmm-001
status: experimental
description: Detects AnyDesk, ScreenConnect, TightVNC, PuTTY installations used by INC for persistent access
author: Intruvent Technologies
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- "\AnyDesk.exe"
- "\ScreenConnect.Client.exe"
- "\ScreenConnect.WindowsClient.exe"
- "\tvnserver.exe"
- "\tvnviewer.exe"
- "\putty.exe"
- "\plink.exe"
condition: selection
level: high
tags:
- attack.command_and_control
- attack.t1219
Security Tool Termination
Detects attempts to disable security tools using ProcessHacker, ProcTerminator, or service stop commands
title: INC Ransomware - Security Tool Termination
id: inc-ransom-defense-evasion-001
status: experimental
description: Detects ProcessHacker, ProcTerminator, or security service termination before INC encryption
author: Intruvent Technologies
logsource:
category: process_creation
product: windows
detection:
selection_tools:
Image|endswith:
- "\ProcessHacker.exe"
- "\ProcTerminator.exe"
- "\PCHunter.exe"
- "\KillAV.exe"
selection_service_stop:
EventID: 7036
param1|contains:
- "Defender"
- "Endpoint Protection"
- "SentinelOne"
- "CrowdStrike"
param2: "stopped"
condition: selection_tools or selection_service_stop
level: critical
tags:
- attack.defense_evasion
- attack.t1562.001
Shadow Copy Deletion / Ransomware Execution
Detects shadow copy deletion, ransom note creation, .INC file encryption, and known INC binary indicators
title: INC Ransomware - Shadow Copy Deletion and Execution Artifacts
id: inc-ransom-execution-001
status: experimental
description: Detects shadow copy deletion, INC ransom notes, and .INC file encryption activity
author: Intruvent Technologies
logsource:
category: process_creation
product: windows
detection:
selection_vssadmin:
Image|endswith: "\vssadmin.exe"
CommandLine|contains|all:
- "delete"
- "shadows"
selection_wmic:
Image|endswith: "\wmic.exe"
CommandLine|contains|all:
- "shadowcopy"
- "delete"
selection_ransom_note:
TargetFilename|endswith:
- "\INC-README.TXT"
- "\INC-README.HTML"
condition: selection_vssadmin or selection_wmic or selection_ransom_note
level: critical
tags:
- attack.impact
- attack.t1490
- attack.t1486
4
Indicators of Compromise
File Indicators
| Type | Value | Context |
|---|---|---|
| SHA256 | 63e0d4e861048f581c9e5c64b28a053eb0023d58eebf2b943868d5f68a67a8b7 |
Linux ELF variant (Source: Trend Micro) |
| SHA256 | a0ceb258924ef004fa4efeef4bc0a86012afdb858e855ed14f1bbd31ca2e42f5 |
Linux ELF variant (Source: Trend Micro) |
| SHA256 | c41ab33986921c812c51e7a86bd3fd0691f5bba925fae612f1b717afaa2fe0ef |
Linux ELF variant (Source: Trend Micro) |
| SHA256 | 3dd6fab5ec9444ef7d2f4d2a744b3a4efa1420e346b47efae34145a2aa3b7508 |
Windows variant (Source: AlienVault OTX) |
| Extension | .INC |
Encrypted file extension |
| Ransom Note | INC-README.TXT |
Dropped in every directory during encryption |
| Ransom Note | INC-README.HTML |
Dropped in every directory during encryption |
| PDB Path | C:\source\INC Encryptor\Release\INC Encryptor.pdb |
Windows variant debug path (Source: Huntress) |
| Executable | win.exe |
Ransomware binary (Source: HvS-Consulting) |
| Executable | p443x64.exe |
Meterpreter dropper (Source: Secureworks) |
| Config File | include.txt |
Rclone exfiltration target list (Source: Huntress) |
| Scheduled Task | INC_Update |
Persistence mechanism (Source: ANY.RUN) |
Network Indicators
| Type | Value | Context |
|---|---|---|
| TOR Domain | inc-decrypt[.]onion |
Payment/negotiation portal (Source: ANY.RUN) |
Tool Indicators
| Tool | Category | Context |
|---|---|---|
AnyDesk |
Remote Access | Persistent remote access (Source: Microsoft, Huntress, ReliaQuest) |
ScreenConnect |
Remote Access | Persistent remote access (Source: Microsoft) |
TightVNC |
Remote Access | Persistent remote access (Source: Huntress) |
lsassy.py |
Credential Tool | LSASS memory dumping (Source: Huntress) |
secretsdump.py |
Credential Tool | Impacket credential dumping (Source: ReliaQuest) |
ProcessHacker |
Defense Evasion | Security process termination (Source: Trend Micro) |
ProcTerminator |
Defense Evasion | HackTool.Win32.ProcTerminator.A (Source: Trend Micro) |
MEGASync |
Exfiltration | Cloud exfiltration (Source: Trend Micro) |
Rclone |
Exfiltration | Cloud exfiltration with include.txt (Source: Huntress) |
Restic |
Exfiltration | Backup utility for covert exfiltration (Source: ReliaQuest) |
netscan.exe |
Reconnaissance | Network scanning (Source: Secureworks) |
AdFind.exe |
Reconnaissance | Active Directory enumeration (Source: Huntress) |
PsExec |
Lateral Movement | Ransomware deployment (Source: Secureworks) |
Behavioral Indicators
| Behavior | Detection Logic |
|---|---|
| Mass file extension change to .INC | File modify events with .INC extension at high volume (>10 per host) |
| Ransom note deployment | INC-README.TXT/HTML creation in multiple directories |
| Shadow copy deletion | vssadmin.exe or WMIC shadow delete commands |
| RMM tool on servers | AnyDesk/ScreenConnect/TightVNC on server-class hosts |
| Reconnaissance burst | netscan.exe, AdFind.exe execution on non-admin workstations |
| Credential dumping | lsassy.py, secretsdump.py or LSASS memory access |
| Data exfiltration | MEGASync, Rclone, Restic on server-class hosts |
| Scheduled task persistence | INC_Update task creation (Event ID 4698) |
Important Note on Hash-Based Detection
Because each INC locker may contain a victim-specific ID, file hashes are not reliably reusable across incidents. Prioritize behavioral indicators for detection rather than relying solely on hash matching. (Source: ANY.RUN)
Track INC Ransomware with BRACE
BRACE delivers monthly sector-specific threat intelligence covering INC Ransomware and other ransomware-as-a-service threats with detection rules and hunting playbooks.
Learn About BRACE