What Is Inc. Ransomware?

Inc. ransomware is a ransomware extortion operation that emerged in July of 2023. Operators of Inc. ransomware position themselves as a service to their victims. Victims can then pay the ransom to ‘save their reputation’ though the threat actors indicate their intention to reveal their methods, making the victim’s environment ‘more secure’ as a result. Inc. ransomware is a multi-extortion operation, stealing victim data and threatening to leak said data online should the victim fail to comply with their demands.

What Does Inc. Ransomware Target?

Inc. ransomware operators target multiple industries with little to no discrimination. This includes attacks on healthcare, education, and government entities. As of this writing, there are seven victims listed on the Inc. ransomware TOR-based blog; two of which are in the healthcare industry. Targets in the technology industry are listed as well.

How Does Inc. Ransomware Work?

Initial access can vary. Observed methods include spear-phishing email as well as targeting of vulnerable services. This includes the exploitation of CVE-2023-3519 in Citrix NetScaler. Once the threat actor has gained initial access, a variety of COTS (Commercial off the Shelf) or LOLBINs are utilized to continue internal reconnaissance and lateral movement. Tools associated with Inc. ransomware operations include:

  • NETSCAN.EXE – Multi-protocol network scanner and profiler
  • MEGAsyncSetup64.EXE – Desktop application for MEGA file sharing/synchronization/cloud services
  • ESENTUTL.EXE – Microsoft utility for database management and recovery
  • AnyDesk.exe – Remote management/Remote Desktop

Inc. ransomware payloads support multiple command-line arguments.

Commands supported by Inc. ransomware include:


Argument Function
–file Target a file directly for encryption (path)
–dir Target a directory for encryption (path)
–sup Stop using process
–ens Encrypt network shares
–lhd Local hidden drives (encrypt hidden boot and recovery volumes)

Note: When used, this will result in a non-bootable device.

–debug Output console-style debug logging


If the threat actor omits the use of command-line arguments, the payload will simply attempt to encrypt the local device including all available volumes and files.

Inc. ransomware ransom notes are written to each folder containing encrypted items. Copies of the ransom notes are written in both .TXT and .HTML format as “INC-README.TXT” and “INC-README.HTML”, respectively. The payloads will also attempt to output the HTML-formatted note to any connected and accessible printers or fax machines.

In addition, the ransomware appears to attempt to delete Volume Shadow Copies (VSS) although we were not able to reproduce this behavior in our testing.

Inc. ransomware victims are instructed to contact the attackers via their TOR-based portal. Each victim is assigned a personal ID within their ransom notes which they are to use upon visiting the payment site.

The following debug strings are present in analyzed samples of Inc. ransomware payloads.

C:\source\INC Encryptor\Release\INC Encryptor.pdb

How to Detect Inc. Ransomware

The SentinelOne Singularity XDR Platform can identify and stop any malicious activities and items related to Inc. ransomware.

In case you do not have SentinelOne deployed, detecting Inc. ransomware requires a combination of technical and operational measures designed to identify and flag suspicious activity on the network. This allows the organization to take appropriate action, and to prevent or mitigate the impact of the ransomware attack.

To detect Inc. ransomware without SentinelOne deployed, it is important to take a multi-layered approach, which includes the following steps:

  1. Use anti-malware software or other security tools capable of detecting and blocking known ransomware variants. These tools may use signatures, heuristics, or machine learning algorithms, to identify and block suspicious files or activities.
  2. Monitor network traffic and look for indicators of compromise, such as unusual network traffic patterns or communication with known command-and-control servers.
  3. Conduct regular security audits and assessments to identify network and system vulnerabilities and ensure that all security controls are in place and functioning properly.
  4. Educate and train employees on cybersecurity best practices, including identifying and reporting suspicious emails or other threats.
  5. Implement a robust backup and recovery plan to ensure that the organization has a copy of its data and can restore it in case of an attack.

How to Mitigate Inc. Ransomware

The SentinelOne Singularity XDR Platform can return systems to their original state using either the Quarantine or Repair.

In case you do not have SentinelOne deployed, there are several steps that organizations can take to mitigate the risk of Inc. ransomware attacks:

Educate employees: Employees should be educated on the risks of ransomware, and on how to identify and avoid phishing emails, malicious attachments, and other threats. They should be encouraged to report suspicious emails or attachments, and to avoid opening them, or clicking on links or buttons in them.

Implement strong passwords: Organizations should implement strong, unique passwords for all user accounts, and should regularly update and rotate these passwords. Passwords should be at least 8 characters long, and should include a combination of uppercase and lowercase letters, numbers, and special characters.

Enable multi-factor authentication: Organizations should enable multi-factor authentication (MFA) for all user accounts, to provide an additional layer of security. This can be done through the use of mobile apps, such as Google Authenticator or Microsoft Authenticator, or through the use of physical tokens or smart cards.

Update and patch systems: Organizations should regularly update and patch their systems, to fix any known vulnerabilities, and to prevent attackers from exploiting them. This includes updating the operating system, applications, and firmware on all devices, as well as disabling any unnecessary or unused services or protocols.

Implement backup and disaster recovery: Organizations should implement regular backup and disaster recovery (BDR) processes, to ensure that they can recover from ransomware attacks, or other disasters. This includes creating regular backups of all data and systems, and storing these backups in a secure, offsite location. The backups should be tested regularly, to ensure that they are working, and that they can be restored quickly and easily.