INC Ransomware: The Latest Linux Threat

Overview

This week, the SonicWall Capture Labs Research team analyzed a new sample of Linux ransomware. The group behind this ransomware, called INC Ransomware, has been active since it was first reported a year ago.

Infection Cycle

The malware is a Linux executable in ELF file format. A quick inspection of its strings revealed command-line arguments that can be passed to this ELF file.

Figure 1: List of Command Line Arguments
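The quick string inspection mentioned above can be reproduced with a few lines of Python. The block below is an added example written for this page, not SonicWall's tooling or the sample's own code: it pulls printable runs out of an ELF image the way `strings -n 4` does, then keeps only tokens shaped like command-line options. The byte buffer it runs on is constructed here as a stand-in for the real binary; the only option names in it that come from the write-up are `--debug` and `--motd`, the rest is filler.

```python
"""Static triage: list printable strings in an ELF and pick out command-line options."""
import re

ELF_MAGIC = b"\x7fELF"


def extract_strings(blob, min_len=4):
    """Return runs of printable ASCII of at least `min_len` bytes, like `strings -n 4`."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(blob)]


# An option token: one or two dashes, a letter, then letters, digits, '-' or '_',
# optionally followed by '=value'.
OPTION_RE = re.compile(r"^--?[A-Za-z][A-Za-z0-9_-]*(=\S*)?$")


def find_options(blob):
    """Return the distinct option-looking tokens found in an ELF image, in file order."""
    if not blob.startswith(ELF_MAGIC):
        raise ValueError("not an ELF file")
    options = []
    for s in extract_strings(blob):
        # Usage text often packs several options into one string; split on whitespace.
        for tok in s.split():
            if OPTION_RE.match(tok) and tok not in options:
                options.append(tok)
    return options


# Constructed stand-in for an ELF image (not the analysed sample): a 64-bit
# little-endian e_ident, zero padding, then a few NUL-terminated strings. The
# two options are the ones the write-up names; everything else is filler.
SAMPLE = (
    ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9   # e_ident: ELFCLASS64, ELFDATA2LSB, EV_CURRENT
    + b"\x00" * 48                               # remainder of the header, zeroed
    + b"--debug\x00--motd\x00"
    + b"Inc_readme.html\x00"
    + b"/lib64/ld-linux-x86-64.so.2\x00"
    + b"ab\x00--\x00-\x00"                       # too short, or a dash with no option name
)

if __name__ == "__main__":
    for s in extract_strings(SAMPLE):
        print(s)
    print("options:", find_options(SAMPLE))
```

On a real sample the same first pass is `strings -n 4 sample | grep -E '^--?[A-Za-z]'`; whatever that turns up should then be confirmed by running the binary with `--help` style arguments in an isolated VM, since a string that looks like an option is not proof the parser accepts it.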

Upon execution with the identified parameters, the malware appends “INC” to the names of encrypted files.

Figure 2: Debug Output Using the --debug Option

Figure 3: Encrypted files with “INC” appended file extension

The malware also creates a file named “kill,” a shell script that uses the esxcli utility available in VMware ESXi to list and kill all virtual machine processes when it is running in an ESXi environment. Since our analysis was not conducted in such an environment, the command failed with an error because the utility was not found.

Figure 4: Content of the “kill” and delete scripts

Another file created is “delete,” a shell script that uses the ESXi command-line utility vim-cmd to delete all available virtual machines.
Copies of ransom notes were dropped in directories where files were encrypted, consistent with other ransomware behavior.

Figure 5: Contents of “Inc_readme.html” Ransom note

The --motd parameter also changes the message of the day (MOTD) on the infected machine so that the ransom note text is displayed on every successful login.

Figure 6: Message of the Day shows ransom note message
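The behaviours described above leave four kinds of on-disk traces: files renamed with the “INC” extension, copies of Inc_readme.html, the “kill” and “delete” helper scripts calling esxcli and vim-cmd, and a rewritten /etc/motd. The following host-triage script is an added example for this page, not SonicWall's detection logic or the malware's code. It walks a filesystem root (a live system or a mounted image) and reports each of those traces; to stay runnable offline it builds a constructed sample tree whose script and note contents are placeholders shaped after the write-up's description, not the real files.

```python
"""Host triage for the on-disk traces described above: .INC files, ransom notes,
the esxcli/vim-cmd helper scripts, and a MOTD rewritten to carry the note."""
import re
import tempfile
from pathlib import Path

# Indicators taken from the write-up.
ENCRYPTED_EXT = ".INC"
RANSOM_NOTE = "Inc_readme.html"
HELPER_SCRIPTS = {"kill", "delete"}
# ESXi CLI calls that stop or destroy VMs; the helper scripts are reported to use
# esxcli for the former and vim-cmd for the latter.
ESXI_RE = re.compile(r"esxcli\s+vm\s+process\s+kill|vim-cmd\s+vmsvc/destroy")
MIN_NOTE_LINE = 20  # ignore short lines such as bare HTML tags when matching the MOTD


def _read(path):
    """Read a file as text, tolerating binary content and unreadable files."""
    try:
        return path.read_text(errors="replace")
    except OSError:
        return ""


def triage(root):
    """Walk a filesystem rooted at `root` and collect findings, paths relative to root."""
    root = Path(root)
    findings = {"encrypted": [], "notes": [], "helpers": [], "motd_defaced": False}
    note_lines = set()
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.name.endswith(ENCRYPTED_EXT):
            findings["encrypted"].append(rel)
        elif path.name == RANSOM_NOTE:
            findings["notes"].append(rel)
            for line in _read(path).splitlines():
                if len(line.strip()) >= MIN_NOTE_LINE:
                    note_lines.add(line.strip())
        elif path.name in HELPER_SCRIPTS:
            # /bin/kill is a legitimate binary; only a script that actually calls
            # the VM-killing or VM-destroying commands counts as a finding.
            if ESXI_RE.search(_read(path)):
                findings["helpers"].append(rel)
    # --motd is reported to make the login banner show the ransom note, so flag
    # /etc/motd when it shares a substantive line with a dropped note.
    motd = root / "etc" / "motd"
    if motd.is_file() and note_lines:
        motd_text = _read(motd)
        findings["motd_defaced"] = any(line in motd_text for line in note_lines)
    return findings


def build_sample_tree():
    """Constructed sample tree, not an image of a real infection. Script and note
    contents are placeholders shaped after the write-up's description."""
    root = Path(tempfile.mkdtemp(prefix="inc_triage_"))
    for d in ("home/user", "etc", "tmp", "bin"):
        (root / d).mkdir(parents=True)
    home = root / "home" / "user"
    (home / "report.pdf.INC").write_bytes(b"\x00" * 32)
    (home / "photo.jpg.INC").write_bytes(b"\x00" * 32)
    (home / "todo.txt").write_text("not encrypted\n")
    note = "<html><body>\nYour files have been encrypted (placeholder note text).\n</body></html>\n"
    (home / RANSOM_NOTE).write_text(note)
    (root / "tmp" / "kill").write_text(
        "#!/bin/sh\n"
        "for w in $(esxcli vm process list | awk '/World ID/ {print $3}'); do\n"
        "  esxcli vm process kill --type=force --world-id=$w\n"
        "done\n")
    (root / "tmp" / "delete").write_text(
        "#!/bin/sh\n"
        "for v in $(vim-cmd vmsvc/getallvms | awk 'NR > 1 {print $1}'); do\n"
        "  vim-cmd vmsvc/destroy $v\n"
        "done\n")
    (root / "bin" / "kill").write_bytes(b"\x7fELF" + b"\x00" * 28)  # benign lookalike
    (root / "etc" / "motd").write_text("Your files have been encrypted (placeholder note text).\n")
    return root


if __name__ == "__main__":
    for key, value in triage(build_sample_tree()).items():
        print(f"{key}: {value}")
```

Point `triage()` at `/` on a suspect host or at the mount point of an offline image; run it from read-only media, since the box may still have the encryptor or its scripts in place. The MOTD check deliberately compares against the dropped note rather than a hard-coded phrase, because the exact note wording is the part of a campaign most likely to change between samples.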

Visiting the URL in the ransom note led to a blog site listing all supposed victims.

Figure 7: INC Ransom blog site

SonicWall Protections

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: LinuxINC.RSM(Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.

For details on how the message of the day is configured, see the motd(5) man page.

Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.

Source: Original Post

MITRE TTP

T1059.004: Command and Scripting Interpreter: Unix Shell INC Ransomware uses Unix shell scripts for part of its activity: it drops scripts named “kill” and “delete” that use esxcli and vim-cmd, respectively, to terminate and delete virtual machines when it is running in an ESXi environment.

T1486: Data Encrypted for Impact The ransomware encrypts files on the infected Linux machine, appending “INC” to the file names. This technique ensures that the data is rendered unusable without the decryption key.

T1485: Data Destruction INC Ransomware drops a shell script that uses vim-cmd to delete every virtual machine on an ESXi host. Destroying the VMs removes the victim's ability to restore them and adds to the pressure to pay. This is an impact technique aimed at the victim's data rather than at hiding the malware's own traces, so it maps to T1485 rather than to T1070.004 (Indicator Removal: File Deletion).

T1491.001: Defacement: Internal Defacement The ransomware modifies the Message of the Day (MOTD) on infected systems to display the ransom note upon login, indicating its presence and demanding ransom.

T1489: Service Stop The “kill” script uses esxcli to terminate every running virtual machine process on an ESXi host. Stopping the VMs takes the guests offline and, as with other ESXi-targeting ransomware, releases the locks on their disk files so they can be encrypted. This is a service-stop technique on the host itself, not T1498 (Network Denial of Service), which covers flooding a target over the network.