Twelve US companies hit by the INC ransomware group were able to recover encrypted data after a cybersecurity firm discovered the cloud storage infrastructure where the gang stockpiled what it stole.

Researchers at Florida-based Cyber Centaurs said Thursday they took advantage of a lapse in operational security by the gang: They found artifacts left behind by Restic, a legitimate open source backup utility the gang uses to encrypt and exfiltrate victim data into cloud storage environments it controls. Working on the assumption that the gang regularly reuses Restic-based infrastructure, the researchers traced the stolen data to an unnamed cloud storage provider where it had been dumped.

Unfortunately, Andrew von Ramin Mapp, Cyber Centaurs’ managing principal, admits that his firm’s work likely was no more than an “inconvenience” to the gang, because it can easily rent new cloud infrastructure.

But, he said, there are lessons for CSOs and infosec leaders from its efforts:

  • scrutinize and audit your backups. If you have a regular backup schedule, is there unexpected or unexplained activity? Von Ramin Mapp notes that crooks are known to time data exfiltration to match corporate off-site backups as a way to hide their work;
  • monitor for encrypted data leaving your environments and see where it goes. Does this data go to an unexpected IP address?
  • make sure backup software and servers are updated as soon as patches are released. Crooks take advantage of unpatched software of any kind, including backup applications.

“Probably very few” infosec leaders realize that their own backup software is used against them, von Ramin Mapp said.

According to Trend Micro, the INC gang emerged in July 2023. A Linux version of its ransomware binary was seen five months later. A common tactic in its early years was to leverage vulnerabilities in Citrix Netscaler ADC and Netscaler Gateway, and researchers at Check Point Software also say the gang uses spear-phishing campaigns to capture user credentials. According to Cyber Centaurs, in smaller or flatter networks, INC operators often rely on Restic for data exfiltration prior to encryption; in larger or more complex environments, the gang favors using the backup infrastructure, such as Veeam, that’s already in place.

Cyber Centaurs was called in when a US customer’s endpoint detection and response software alerted the customer to an active ransomware execution on a production SQL Server. The process was quickly isolated, and the malware was identified as the RainINC variant.

Looking deeper, though, investigators found that multiple systems contained traces of Restic, which included renamed binaries, PowerShell scripts staging Restic execution to an S3-style cloud bucket infrastructure, repository configuration variables, and file-list driven backup commands.

While Restic wasn’t used for exfiltration in this particular attack, Cyber Centaurs suspected the gang regularly used it, based on patterns seen in other incidents. It also suspected the infrastructure the crooks used was unlikely to be dismantled even after negotiations ended or payments were made by corporate victims.

With that in mind, the incident response team developed a custom enumeration script to look for patterns that identify the S3-style cloud bucket infrastructure that stolen data might be sent to. The script ran through a curated list of candidate repository identifiers derived from previously observed Restic artifacts. For each candidate, environment variables were set to match the configuration style used by the threat actor, including the repository endpoint and encryption password. Restic was then instructed to list available snapshots in a structured format, enabling investigators to analyze results without interacting with the underlying data.

The script explicitly avoided any operation that could alter a suspect repository or be interpreted as destructive. What the researchers did conduct was forensic enumeration, not intrusion, Cyber Centaurs stresses.

“The repositories were accessed using the attacker’s own tooling and configuration semantics, without exploitation, modification, or disruption,” its report says. “By treating the attacker’s infrastructure as evidentiary material rather than a target, investigators were able to safely validate the hypothesis of persistent, multi-victim storage, and lay the groundwork for what would become a rare and large-scale data recovery effort.”

What it discovered were stolen datasets belonging to 12 unnamed and unconnected firms hit in separate INC ransomware attacks. While the data was encrypted, Cyber Centaurs could use Restic for decryption because it was the encryption vehicle. Then it contacted law enforcement agencies to validate the stolen data’s source.

The report includes indicators of compromise and tools used by INC, including AnyDesk, a remote access application.

The report also notes that threat actors abusing Restic often rename the binary (for example, to winupdate.exe) and rely on legitimate execution paths to avoid suspicion. A simple and effective detection technique is to look for Restic execution outside expected backup contexts, especially from system directories or user-writable locations, and to pair that with known hashes where available.
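The detection idea above, worked through as an added example (not code from the Cyber Centaurs report): it classifies constructed process-creation events as Restic-like by known hash or by Restic's own repository schemes and flags, which survive renaming the binary, and raises the verdict when the image runs outside the sanctioned backup path. The allow-listed directory, the suspicious-directory list and the hash value are assumptions to be replaced with your own environment's values.

```python
import re
from dataclasses import dataclass

# Assumed allow-list: the only path from which sanctioned Restic jobs should run.
EXPECTED_BACKUP_DIRS = ("c:\\program files\\backup\\",)
# System directories and user-writable locations: a Restic-like binary running from
# here fits the renamed-binary pattern the report describes (e.g. winupdate.exe).
SUSPICIOUS_DIRS = ("c:\\windows\\", "c:\\users\\", "c:\\programdata\\", "c:\\temp\\")
# Known Restic build hashes; placeholder value, populate from your own vetted binaries.
KNOWN_RESTIC_SHA256 = {"placeholder-restic-sha256"}
# Restic repository URL schemes and flags, which stay visible whatever the exe is called.
RESTIC_CMD_PATTERN = re.compile(
    r"(?:\s|^)(?:-r|--repo)\s+(?:s3|b2|azure|gs|rest|sftp):"
    r"|--files-from\b|--password-file\b|--password-command\b"
    r"|\b(?:snapshots|forget|prune)\b.*--json",
    re.IGNORECASE,
)

@dataclass
class ProcEvent:
    image: str      # full path of the executable as logged
    cmdline: str    # command line as logged
    sha256: str     # hash of the image on disk

def looks_like_restic(ev: ProcEvent) -> bool:
    """Match on a known hash or on Restic-specific command-line traits."""
    return ev.sha256.lower() in KNOWN_RESTIC_SHA256 or bool(RESTIC_CMD_PATTERN.search(ev.cmdline))

def classify(ev: ProcEvent) -> str:
    """'ok' for sanctioned or unrelated processes, 'review' for Restic outside the
    backup path, 'alert' for Restic from a system or user-writable directory."""
    if not looks_like_restic(ev):
        return "ok"
    image = ev.image.lower()
    if image.startswith(EXPECTED_BACKUP_DIRS):
        return "ok"
    if image.startswith(SUSPICIOUS_DIRS):
        return "alert"
    return "review"

def scan(events):
    """Return {image: verdict} for every event that needs a human look."""
    return {ev.image: classify(ev) for ev in events if classify(ev) != "ok"}

# Constructed sample process-creation events, not real telemetry.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\Temp\winupdate.exe",
              r"winupdate.exe -r s3:s3.example-storage.test/bucket-x backup --files-from C:\Windows\Temp\list.txt", "deadbeef"),
    ProcEvent(r"C:\Program Files\Backup\restic.exe", r"restic.exe -r s3:backup.example.test/corp backup C:\Data", "1234"),
    ProcEvent(r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs", "abcd"),
    ProcEvent(r"D:\Tools\restic.exe", "restic.exe snapshots --json", "5678"),
    ProcEvent(r"C:\Users\alice\AppData\Local\Temp\svc.exe", "svc.exe", "placeholder-restic-sha256"),
]
```

Feed it flattened Sysmon Event ID 1 or EDR process-creation records; the sanctioned job in the allow-listed directory is dropped while the renamed binary in Temp and the hash-only match in a user profile both alert.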

Jon DiMaggio, head of XFIL Cyber and a specialist in ransomware attacks, said that what’s significant in this investigation isn’t just that stolen data from 12 companies was recovered, but that researchers exposed how ransomware groups reuse infrastructure across multiple victims. “Most ransomware incidents end once you contain the encryption and restore systems,” he said in an email. “This case shows the real value is in following the attacker’s operational patterns to find what they left behind. It’s a reminder that ransomware is a business model, not one-off attacks, and that means there are opportunities to disrupt it at scale.”

Defenders shouldn’t count on lapses like the one made by INC to rescue them from attacks, however. In its report, Cyber Centaurs says this was an opening “that would not normally exist in a typical ransomware response.” But, it adds, if there are mistakes, defenders may be able to capitalize on them.

In an interview, von Ramin Mapp cautioned that lowering the risk of being hit by ransomware isn’t easy. Attackers will respond to every tactic defenders use, he said. It will help, he noted, if victim firms refuse to pay ransoms and thus take away the financial reward gangs depend on.

“One thing I often recommend to organizations,” he added, “is to have a baseline of the read and write output on your servers and network shares. If ransomware is being deployed, you will see a drastic increase in these cycles.”
