Inc Ransomware Encryptor Contains Keys to Victim Data Recovery

The threat group is disrupting healthcare organizations. Victims can help themselves, though, even after compromise, by being careful in the decryption process.

Image: Aerial shot of McLaren Northern Michigan Hospital (Source: Laurent Fady via Alamy Stock Photo)

The Inc ransomware collective, which just disrupted a major Michigan healthcare network, is using an encryptor that may hold the key to recovering from its worst attacks.

Where once ransomware groups claimed moral high ground, they are increasingly targeting critical healthcare facilities. The latest salvo: Inc's attack on McLaren Health Care, a multibillion-dollar network of hospitals, physicians' practices, insurance plans, and more, in and around Michigan, Indiana, and Ohio. The attack interrupted McLaren's IT and phone systems, with hospitals and outpatient clinics triggering "downtime procedures." Among other things, this involved rescheduling some nonemergency appointments, tests, and treatments, and asking patients to bring in physical, printed copies of their test results, imaging, and other information critical to their care.

McLaren did not initially say whether any patient or employee information had been compromised, but an employee from one of its hospitals leaked a printed ransom note indicating that the Inc ransomware group was holding its data hostage. Dark Reading has reached out to McLaren for an update.

Interestingly, Inc victims do have a degree of recourse available to them in the hours after an attack. In a newly published report, GuidePoint Security describes how metadata leaked by Inc's encryptor can be read to make a clean, successful decryption more likely, and to spot files the decryptor will never fix.

What Inc's Encryptor Tells Us

Inc may have locked up McLaren's files using its encryptor that masks itself as a system file — named "win.exe" or "windows.exe" on Windows systems, or "lin" for its Linux variant.

Each newly Inc-encrypted file gets an 80-byte footer appended to it, and that footer leaks a great deal about how the file was processed, including the degree and pattern of encryption. Victims can use this information to make informed decisions about how to engage with the threat actor, and about which files are worth recovering on their own.

For example, the footer records whether the file was encrypted in "Fast," "Medium," or "Slow" mode. In Fast mode, Inc encrypts only the first, middle, and last megabyte of a file; in Slow mode, by contrast, it encrypts the entire contents. If the last 16 bytes of the footer indicate that a file was encrypted in Fast mode, and the file is substantially larger than the three megabytes that mode touches, most of its contents are still plaintext, and victims can likely recover the bulk of it even without Inc's decryptor, simply by carving out the untouched regions with commercial forensic tools. A small file, under roughly three megabytes, gains nothing from Fast mode, since the three chunks cover all of it.

On the other hand, if a file carries the .inc extension but lacks that 80-byte footer, it was corrupted rather than cleanly encrypted, and it will not be recoverable even with Inc's own decryptor.

"Anytime you're obtaining a decryptor, make copies of the impacted files, and before you're running that decryptor, take a look at some of these footer values, because some of them you may be able to know right off the bat: We're not going to be able to get this back," Jason Baker, threat intelligence consultant for GuidePoint Security recommends. "For others, you may be able to know right off the bat: I'm going to have to decrypt this more than once. Or you may find out that the vast majority of the data itself is not actually fully encrypted, which gives you a great opportunity for recovery even without a decryptor."
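The triage Baker describes can be scripted. The following is an added example, not GuidePoint's tooling or anything from Inc, and it builds only on the two facts stated above (an intact file ends in an 80-byte footer, and the last 16 bytes of that footer carry the Fast/Medium/Slow mode). Everything else is a labelled assumption: the 16-byte marker values are placeholders to be replaced with the real encodings from GuidePoint's report, "first, middle, and last megabyte" is read as 1 MiB each over the original content with the middle chunk centred on the midpoint, each encryption pass is assumed to append its own footer (so stacked footers mean "decrypt more than once"), and Medium and Slow are treated conservatively as whole-file encryption.

```python
"""Read-only triage of Inc-encrypted files by their trailing footer.

Added example, not GuidePoint's or Inc's code. Facts from the article: intact
files end in an 80-byte footer whose last 16 bytes name the mode. Assumptions
(placeholders) are marked below; swap in the real marker bytes before use.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

FOOTER_LEN = 80
MODE_FIELD_LEN = 16
MIB = 1024 * 1024
Range = Tuple[int, int]  # half-open [start, end) byte offsets

# PLACEHOLDER marker bytes (assumption): the real encodings are not on this page.
MODE_MARKERS = {
    b"FAST".ljust(MODE_FIELD_LEN, b"\x00"): "fast",
    b"MEDIUM".ljust(MODE_FIELD_LEN, b"\x00"): "medium",
    b"SLOW".ljust(MODE_FIELD_LEN, b"\x00"): "slow",
}


@dataclass
class Triage:
    modes: List[str]          # outermost (latest pass) first; [] means no footer
    original_len: int         # bytes of content before any footer
    plaintext: List[Range]    # regions no encryption pass ever rewrote
    verdict: str

    @property
    def passes(self) -> int:
        return len(self.modes)

    @property
    def recoverable_fraction(self) -> float:
        if not self.original_len:
            return 0.0
        return sum(e - s for s, e in self.plaintext) / self.original_len


def footer_mode(data: bytes) -> Optional[str]:
    """Mode named by the trailing footer, or None if no recognisable footer."""
    if len(data) < FOOTER_LEN:
        return None
    return MODE_MARKERS.get(data[-MODE_FIELD_LEN:])


def merge(ranges: List[Range]) -> List[Range]:
    out: List[Range] = []
    for s, e in sorted(ranges):
        if out and s <= out[-1][1]:
            out[-1] = (out[-1][0], max(out[-1][1], e))
        else:
            out.append((s, e))
    return out


def complement(ranges: List[Range], length: int) -> List[Range]:
    out, cur = [], 0
    for s, e in merge(ranges):
        if s > cur:
            out.append((cur, s))
        cur = max(cur, e)
    if cur < length:
        out.append((cur, length))
    return out


def fast_mode_ranges(seen_len: int) -> List[Range]:
    """Regions one Fast pass rewrites in a file of seen_len bytes: first, middle, last MiB."""
    if seen_len <= 3 * MIB:  # small file: the three chunks cover everything
        return [(0, seen_len)] if seen_len else []
    mid = (seen_len - MIB) // 2  # assumption: middle chunk centred on the midpoint
    return [(0, MIB), (mid, mid + MIB), (seen_len - MIB, seen_len)]


def triage(data: bytes) -> Triage:
    """Classify one encrypted file's bytes; never modifies anything."""
    modes, body = [], data
    while (m := footer_mode(body)) is not None:  # peel stacked footers, outermost first
        modes.append(m)
        body = body[:-FOOTER_LEN]
    if not modes:
        return Triage([], len(data), [], "no 80-byte footer: corrupted, the decryptor will not help")

    original_len = len(body)
    encrypted: List[Range] = []
    # Replay passes from the first (innermost) outward; pass k saw the content plus
    # the k-1 footers appended before it (assumption). Non-fast modes: whole file.
    for k, mode in enumerate(reversed(modes), start=1):
        seen_len = original_len + (k - 1) * FOOTER_LEN
        encrypted += fast_mode_ranges(seen_len) if mode == "fast" else [(0, seen_len)]
    encrypted = [(s, min(e, original_len)) for s, e in merge(encrypted) if s < original_len]
    t = Triage(modes, original_len, complement(encrypted, original_len), "")

    if t.passes > 1:
        t.verdict = f"{t.passes} stacked footers: expect to run the decryptor {t.passes} times"
    elif t.recoverable_fraction > 0:
        t.verdict = f"fast mode: {t.recoverable_fraction:.0%} of content untouched, carve it now"
    else:
        t.verdict = f"{modes[0]} mode: whole content encrypted, decryptor required"
    return t


if __name__ == "__main__":
    # Constructed sample: 10 MiB of content plus a Fast footer with the placeholder marker.
    sample = b"A" * (10 * MIB) + bytes(FOOTER_LEN - MODE_FIELD_LEN) + b"FAST".ljust(16, b"\x00")
    print(triage(sample).verdict)
```

Run it over copies of the impacted files, never the originals, and treat the Fast-mode plaintext ranges as the carve list for forensic recovery; anything reported as lacking a footer goes straight to the backup-restore pile rather than into the decryptor queue.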

What's Changed in Healthcare Attacks

"Formerly it was considered taboo for a ransomware organization to attack and encrypt healthcare organizations. What we've seen a lot in the last year is a gradual erosion of those norms," Baker says.

In the past, groups like LockBit and BlackCat/AlphV would claim they banned affiliates from attacking healthcare organizations, and kicked them out if they did. That's no longer part of the calculus, and Inc is the perfect case in point. Its most commonly targeted industries, says Baker, are precisely those which some ransomware groups previously avoided: healthcare, education, nonprofits.

"The first reason for that is recent disruptions really ticked off a lot of the big players — whether it be Operation Cronos with LockBit, or AlphV taking the bag and running with their exit scam. It really shifted how some people looked at victims," he explains.

"The second reason that I see frequently cited is the Change Healthcare attack from earlier this year," Baker adds. "There's been a lot of speculation about [attackers noticing] how profitable that was."

About the Author

Nate Nelson, Contributing Writer

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

