
The breach reveals that ransomware groups can unintentionally leave behind reusable storage assets, enabling victims and law enforcement to recover stolen data and disrupt future extortion attempts.
The INC ransomware operation, a ransomware‑as‑a‑service platform that surfaced in 2023, has increasingly leveraged legitimate utilities like Restic to stage data exfiltration. While the tool is designed for secure backups, the gang’s misuse left behind configuration files, access keys, and repository paths within the victim environment. This operational security oversight created a forensic breadcrumb trail that allowed Cyber Centaurs to map the attacker’s storage infrastructure, a rare glimpse into the backend of a RaaS campaign that typically remains opaque.
The discovery that the same Restic‑based repositories housed encrypted payloads from twelve distinct organizations underscores a broader risk: ransomware actors often retain stolen data on long‑lived cloud storage to pressure victims into payment. By developing a non‑destructive enumeration method, the researchers proved that these repositories can be accessed and decrypted without paying a ransom, offering a template for incident responders to reclaim data and involve law enforcement. Recovering victim files not only mitigates operational disruption but also erodes the financial incentive for ransomware groups whose leverage depends on holding stolen data hostage.
In response, the security community now has actionable detection assets: YARA signatures for renamed Restic binaries and Sigma rules for suspicious PowerShell execution patterns. Organizations should monitor for unexpected Restic processes, especially when launched from atypical directories like PerfLogs, and enforce strict credential hygiene for cloud storage services. As ransomware operators adapt, continuous threat‑intel sharing and proactive hunting become essential to catch similar operational lapses early and protect critical data assets.
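As an added illustration of the hunting guidance above (not code from the article, from Cyber Centaurs, or from any published rule set), the Python sketch below applies the two signals the article names, Restic command-line usage and launch from an atypical directory such as PerfLogs, to a handful of constructed process-creation events. The directory list, the set of Restic backend prefixes and subcommands, and the sample events are assumptions; a real deployment would read Sysmon or Security log events instead.

```python
import re

# Constructed process-creation events for illustration only; none come from a real incident.
SAMPLE_EVENTS = [
    {"image": r"C:\PerfLogs\svchost.exe",
     "cmdline": r"svchost.exe -r s3:https://s3.example.invalid/bkt backup C:\Users",
     "parent": "powershell.exe"},
    {"image": r"C:\Program Files\restic\restic.exe",
     "cmdline": r"restic.exe -r rest:https://backup.corp.example/ backup D:\Data",
     "parent": "services.exe"},
    {"image": r"C:\PerfLogs\restic.exe", "cmdline": "restic.exe snapshots", "parent": "powershell.exe"},
    {"image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs", "parent": "services.exe"},
]

# Assumed list of directories where a backup tool has no business running.
ATYPICAL_DIRS = ("c:\\perflogs\\", "c:\\users\\public\\", "c:\\windows\\temp\\")

# Restic's repository flag followed by a remote backend prefix, and its common subcommands.
# These survive renaming the executable, which is the case the YARA/Sigma assets address.
BACKEND_RE = re.compile(r"(?:^|\s)(?:-r|--repo)\s+(?:s3|b2|azure|gs|rest|sftp|swift):", re.I)
SUBCMD_RE = re.compile(r"\b(?:init|backup|snapshots|restore|check|forget)\b", re.I)


def looks_like_restic(cmdline):
    """True when the command line has Restic's CLI shape, regardless of the binary's name."""
    if BACKEND_RE.search(cmdline):
        return True
    return "restic" in cmdline.lower() and bool(SUBCMD_RE.search(cmdline))


def classify(event):
    """Return a finding dict for Restic-like events, or None. Severity rises with each red flag."""
    if not looks_like_restic(event["cmdline"]):
        return None
    image = event["image"].lower()
    reasons = []
    if any(image.startswith(d) for d in ATYPICAL_DIRS):
        reasons.append("launched from atypical directory")
    if "restic" not in image.rsplit("\\", 1)[-1]:
        reasons.append("restic CLI usage under a renamed binary")
    if event["parent"].lower() == "powershell.exe":
        reasons.append("spawned by PowerShell")
    return {"image": event["image"], "severity": "high" if reasons else "info", "reasons": reasons}


def hunt(events):
    """Run classify over a batch of events and keep only the hits."""
    return [f for f in map(classify, events) if f]


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding["severity"].upper(), finding["image"], "; ".join(finding["reasons"]))
```

A Restic process in its expected install location still surfaces as an "info" finding, so analysts can baseline legitimate backup jobs rather than suppress the tool outright.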