INC Ransomware Gang Infiltrates Hungarian Defense Network

Published on
November 18, 2024

The Hungarian government confirmed a cyberattack on its defense procurement agency, revealing on November 14, 2024, that foreign non-state actors breached its systems.  

Although the government stated no sensitive data was compromised, the contracts accessed contained details about the Hungarian Army’s air and land capabilities, Army Technology reports.  

The attack was attributed to INC Ransomware, an extortion group active since July 2023, which demanded $5 million before leaking screenshots of the data on the dark web.

While officials downplayed the sensitivity of the compromised data, cybersecurity expert Akhil Mittal from Black Duck noted its strategic value.  

“Even routine procurement details can provide insights into future defense capabilities and financial strategies,” Mittal explained.  

Takeaway: According to the Power Rankings: Ransomware Malicious Quartile report, INC is a ransomware group that emerged in mid-2023, presents a complex operational profile. It remains unclear whether they function as a Ransomware-as-a-Service (RaaS) platform with affiliates or as a closed, internally managed group.  

They employ well-known tactics, techniques, and procedures (TTPs), including the use of compromised Remote Desktop Protocol (RDP) credentials for initial access and lateral movement. Initial infections are often traced to phishing campaigns or exploitation of the Citrix NetScaler vulnerability (CVE-2023-3519).

Despite their criminal activities, INC Ransom brands itself as a "moral agent," claiming to help victims identify cybersecurity weaknesses, a narrative that adds nuance to their motives.  

They deploy ransomware using Living-off-the-Land (LOTL) techniques, leveraging legitimate tools such as WMIC, PsExec, and common applications like MSPaint, Notepad, and AnyDesk for lateral movement. For reconnaissance, they use tools like Esentutl and MegaSync for data exfiltration, hinting at a strategic use of cloud services.

The ransomware, written in C++, employs AES-128 encryption in CTR mode, with a Linux variant also reported. They may delete Volume Shadow Copies (VSS) to complicate recovery and encryption rollback, showcasing a degree of sophistication.  

INC Ransom uses double extortion tactics, threatening to publish stolen data if victims do not comply. Their leak site serves as a platform to follow through on these threats.

Targeting industries ranging from education and IT to manufacturing and the public sector, INC Ransom has escalated its attack frequency into early 2024, underscoring the growing threat of this adaptable and aggressive group.

Notable victims include Peruvian Army, NHS Scotland, Xerox, Trylon Corp, BPG Partners Group, DM Civil, Nicole Miller INC., Pro Metals, Springfield Area Chamber of Commerce, US Federal Labor Relations Authority, Yamaha Philippines, and Rockford Public Schools.

Halcyon.ai eliminates the business impact of ransomware. Modern enterprises rely on Halcyon to prevent ransomware attacks, eradicating cybercriminals’ ability to encrypt systems, steal data, and extort companies – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.

See Halcyon in action

Interested in getting a demo?
Fill out the form to meet with a Halcyon Anti-Ransomware Expert!

1
2
3
Let's get started
1
1
2
3
1
1
2
2
3
Back
Next
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.