Friday, January 23, 2026


INC ransomware infrastructure reuse exposed after researchers recover stolen data for 12 US victims

A rare break in a ransomware gang’s operational security has helped several US companies recover encrypted data after investigators traced where the stolen files were being stored.

Florida-based cybersecurity firm Cyber Centaurs said it recovered data for 12 US companies targeted by the INC ransomware group after finding cloud storage infrastructure the gang used to stockpile stolen information. The discovery came after researchers identified artifacts linked to Restic, a legitimate open-source backup tool the gang uses to encrypt and exfiltrate victim data into cloud environments it controls.

Cyber Centaurs said it found Restic traces and, on the assumption that the gang regularly reused the same Restic-based infrastructure, followed them to an unnamed cloud storage provider where stolen data had been dumped. Managing principal Andrew von Ramin Mapp said the effort may only have been an “inconvenience” for INC because the gang can easily rent new infrastructure.

He said the incident offers key takeaways for security leaders: scrutinize and audit backups for unexpected activity; monitor for encrypted data leaving environments and check if it is going to an unexpected IP address; and keep backup software and servers patched. “Probably very few” infosec leaders realize their own backup tools can be used against them, he said.

According to Trend Micro, INC emerged in July 2023, and a Linux ransomware version appeared five months later. Early tactics included exploiting vulnerabilities in Citrix NetScaler ADC and NetScaler Gateway. Check Point Software researchers have also linked the gang to spear-phishing to steal credentials. Cyber Centaurs said INC often uses Restic for exfiltration in smaller networks, but in larger environments it may use existing backup infrastructure such as Veeam.

Cyber Centaurs was engaged after a US customer’s endpoint detection and response tool flagged active ransomware execution on a production SQL Server. The process was isolated, and the variant was identified as RainINC. Investigators then found Restic traces across multiple systems: renamed binaries, PowerShell scripts that staged runs to an S3-style cloud bucket, repository variables, and file-list-driven backup commands.

The team built a custom enumeration script to identify S3-style bucket patterns without altering any repository. “The repositories were accessed using the attacker’s own tooling and configuration semantics, without exploitation, modification, or disruption,” the report said. The researchers found encrypted datasets tied to 12 separate INC victims. Because Restic was used as the encryption vehicle, they used it for decryption, then contacted law enforcement to validate the data sources.

The report also lists tools used by INC, including AnyDesk, and notes actors often rename Restic (for example, winupdate.exe) to blend in. A suggested detection method is spotting Restic running outside expected backup contexts.
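The artifacts listed above (renamed Restic binaries, runs staged to an S3-style bucket, repository variables, file-list backups) and the suggested detection (Restic running outside expected backup contexts) can be turned into a simple rule over process-creation telemetry. The script below is an added example written for this article; it is not Cyber Centaurs' enumeration script or any tooling from the report. It keys on Restic's real command-line and environment semantics (subcommands such as `backup`, the `-r`/`--repo` flag, `RESTIC_REPOSITORY`, `RESTIC_PASSWORD`, `--files-from`) rather than the image name, so a binary renamed to `winupdate.exe` is still caught, and it raises severity when the run is on a non-backup host, under an unexpected account, or pointed at a repository outside an allowlist. The log format, host names, user names, bucket names and allowlist are all constructed for the example.

```python
"""Added example: flag Restic-style backup runs in process telemetry, even when the
binary is renamed, and escalate runs outside the expected backup context.
Not the report's script; every host, user, bucket and log line here is constructed."""
import re
from dataclasses import dataclass, field

# Real restic subcommands, environment variables and repository schemes.
RESTIC_SUBCOMMANDS = {"backup", "init", "snapshots", "restore", "forget", "prune", "check"}
RESTIC_ENV_VARS = {"RESTIC_REPOSITORY", "RESTIC_PASSWORD", "RESTIC_PASSWORD_FILE",
                   "AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY"}
REPO_RE = re.compile(r"(?:-r|--repo)\s+((?:s3|b2|rest|azure|gs):\S+)")

# Assumed "expected backup context" for this example organisation.
EXPECTED_BACKUP_HOSTS = {"bkp01"}
EXPECTED_BACKUP_USERS = {"svc_backup"}
EXPECTED_REPO_ALLOWLIST = {"s3:s3.amazonaws.com/corp-backups"}


@dataclass
class Event:
    host: str
    user: str
    image: str
    cmdline: str
    env: dict = field(default_factory=dict)


@dataclass
class Finding:
    host: str
    reasons: list
    severity: str


def parse_line(line):
    """Parse one constructed telemetry line: 'host=..|user=..|image=..|cmdline=..|env=K=V;K=V'."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    env = {}
    for kv in fields.get("env", "").split(";"):
        if kv:
            key, _, value = kv.partition("=")
            env[key] = value
    return Event(fields["host"], fields["user"], fields["image"], fields["cmdline"], env)


def looks_like_restic(ev):
    """Restic semantics: a restic subcommand plus a repository flag or restic env var."""
    tokens = ev.cmdline.split()
    has_sub = any(t in RESTIC_SUBCOMMANDS for t in tokens[1:])
    has_repo = REPO_RE.search(ev.cmdline) is not None or "RESTIC_REPOSITORY" in ev.env
    has_env = bool(RESTIC_ENV_VARS & set(ev.env))
    return has_sub and (has_repo or has_env)


def analyze(ev):
    """Return a Finding for Restic-like runs, None otherwise; reasons drive severity."""
    if not looks_like_restic(ev):
        return None
    reasons = []
    image_name = ev.image.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if not image_name.startswith("restic"):
        reasons.append(f"restic semantics under renamed binary {image_name}")
    if ev.host not in EXPECTED_BACKUP_HOSTS:
        reasons.append(f"run on non-backup host {ev.host}")
    if ev.user not in EXPECTED_BACKUP_USERS:
        reasons.append(f"run by unexpected user {ev.user}")
    match = REPO_RE.search(ev.cmdline)
    repo = match.group(1) if match else ev.env.get("RESTIC_REPOSITORY", "")
    if repo and repo not in EXPECTED_REPO_ALLOWLIST:
        reasons.append(f"repository outside allowlist: {repo}")
    if "--files-from" in ev.cmdline:
        reasons.append("file-list driven backup (--files-from)")
    severity = "high" if len(reasons) >= 3 else "medium" if reasons else "info"
    return Finding(ev.host, reasons, severity)


def scan(lines):
    """Run analyze() over telemetry lines and keep only Restic-like runs."""
    return [f for f in (analyze(parse_line(l)) for l in lines) if f is not None]


# Constructed sample telemetry (not real logs).
SAMPLE_LOG = [
    # Legitimate scheduled run on the backup host by the backup service account.
    "host=bkp01|user=svc_backup|image=C:\\Program Files\\restic\\restic.exe"
    "|cmdline=restic.exe -r s3:s3.amazonaws.com/corp-backups backup D:\\data"
    "|env=RESTIC_PASSWORD_FILE=C:\\restic\\pw.txt",
    # Renamed binary on a SQL server, file-list backup to an unknown bucket.
    "host=sql02|user=administrator|image=C:\\Windows\\Temp\\winupdate.exe"
    "|cmdline=winupdate.exe -r s3:s3.us-east-1.amazonaws.com/bkt-7731 backup --files-from C:\\Windows\\Temp\\f.txt"
    "|env=AWS_ACCESS_KEY_ID=AKIAEXAMPLE;RESTIC_PASSWORD=x",
    # Unrelated copy job that merely contains the word 'backup' in a path.
    "host=web01|user=iis_app|image=C:\\Windows\\System32\\robocopy.exe"
    "|cmdline=robocopy.exe D:\\site E:\\backup /MIR|env=",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding.severity.upper(), finding.host, "; ".join(finding.reasons) or "expected context")
```

The legitimate run surfaces only as an informational finding, the renamed binary on the SQL server scores high on every axis, and the robocopy job is ignored because the word "backup" alone is not Restic. In a real deployment the allowlist and host/user sets come from the backup team's change records, and the repository endpoint check is the same question the article raises about encrypted data leaving for an unexpected destination.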

Ransomware specialist Jon DiMaggio said the case shows how gangs reuse infrastructure across victims and how tracking operational patterns can create chances to disrupt attacks at scale. Cyber Centaurs warned defenders should not expect such lapses, but said mistakes can sometimes be exploited. Von Ramin Mapp also urged firms to baseline read/write activity on servers and network shares, noting ransomware deployments create sharp spikes.
