Defending Against INC Ransomware: Essential Protections for Healthcare Providers
Recent reports from the threat intelligence landscape highlight a disturbing trend: the INC ransomware group has successfully targeted healthcare entities across Oceania. Government agencies, emergency clinics, and hospitals in Australia, New Zealand, and Tonga have faced severe disruptions due to this prolific encryption-based campaign.
For defenders, this is a stark reminder that the healthcare sector remains a prime target for cybercriminals leveraging encryption to hold critical services hostage. This post outlines the technical nature of the threat and provides actionable detection and remediation strategies.
Technical Analysis
The INC ransomware group operates as a Ransomware-as-a-Service (RaaS) operation, known for aggressive encryption tactics and double-extortion schemes. In the recent incidents across Oceania, the group has demonstrated the ability to penetrate networks, likely through initial access vectors such as:
- Exploited Vulnerabilities: Unpatched VPNs or external-facing services (common in remote healthcare administration).
- Phishing Campaigns: Targeted emails impersonating medical vendors or government bodies.
Once inside the network, INC ransomware engages in lateral movement to locate high-value servers, including Electronic Health Records (EHR) systems. The malware then executes a robust encryption routine on Windows and Linux systems, rendering data inaccessible. The severity is classified as CRITICAL for healthcare providers due to the potential impact on patient care and data privacy.
Defensive Monitoring
To detect the presence of INC ransomware or similar encryption-based threats, security teams should monitor for specific process execution patterns and file system anomalies. The following queries can aid in early detection within Microsoft Sentinel or Defender.
KQL Queries for Microsoft Sentinel
**Query 1: Detect Ransomware Precursor Activity (Shadow Copy Deletion)**
This query identifies the built-in tools that ransomware operators use to delete Volume Shadow Copies and backup catalogs before encryption, so that victims cannot roll back. Note that KQL's `has`/`has_any` operators match whole terms, so the query lists the exact terms each tool uses (`vssadmin delete shadows`, `wmic shadowcopy delete`, `wbadmin delete catalog` / `delete systemstatebackup`) rather than substrings.

```kusto
DeviceProcessEvents
| where Timestamp > ago(1d)
| where FileName in~ ("vssadmin.exe", "wbadmin.exe", "wmic.exe")
| where ProcessCommandLine has "delete"
| where ProcessCommandLine has_any ("shadows", "shadowcopy", "catalog", "systemstatebackup")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName
```
**Query 2: Detect Mass File Encryption Patterns**
This query looks for bursts of newly created or renamed files carrying the extensions INC appends to encrypted data (`.INC`, plus the generic `.encrypted` for similar families). It aggregates per device and 5-minute window, then keeps the windows above a threshold, and pulls the responsible process and account into the same row so there is no need to join back against the full file-event table (the original join on `DeviceName` alone would multiply every file event on the device and make `Timestamp` ambiguous). `endswith` is case-insensitive in KQL, so `.INC` and `.inc` both match.

```kusto
let lookback = 2h;
let threshold = 50;   // tune per estate: EHR batch jobs can legitimately write many files
DeviceFileEvents
| where Timestamp > ago(lookback)
| where ActionType in ("FileCreated", "FileRenamed")
| where FileName endswith ".inc" or FileName endswith ".encrypted"
| summarize FileCount = count(),
            Processes = make_set(InitiatingProcessFileName, 10),
            Accounts  = make_set(InitiatingProcessAccountName, 10),
            SampleFolders = make_set(FolderPath, 5)
    by DeviceName, bin(Timestamp, 5m)
| where FileCount > threshold
| project Timestamp, DeviceName, FileCount, Processes, Accounts, SampleFolders
| order by FileCount desc
```
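Not every clinic or hospital has Defender for Endpoint or Sentinel telemetry. The following is an added example, not code from the original post, that runs the same shadow-copy deletion hunt as Query 1 against a host's local Security event log. It assumes Audit Process Creation (event ID 4688) is enabled with "Include command line in process creation events" turned on; without that policy the `CommandLine` field is empty and nothing will match. The `ParentProcessName` field is only present on Windows 10 / Server 2016 and later.

```powershell
# Added example (not from the original post): local hunt for shadow-copy and
# backup-catalog deletion in Security event 4688, mirroring Query 1.
# Assumes 4688 auditing with command-line logging is enabled on the host.
param(
    [int]$Days = 1
)

$Binaries = @('vssadmin.exe', 'wbadmin.exe', 'wmic.exe')
# vssadmin delete shadows, wbadmin delete catalog|systemstatebackup, wmic shadowcopy delete
$Pattern  = '(?i)delete.*(shadows|catalog|systemstatebackup)|shadowcopy.*delete'

$Filter = @{
    LogName   = 'Security'
    Id        = 4688
    StartTime = (Get-Date).AddDays(-$Days)
}

# Get-WinEvent throws when no events match; suppress that and emit nothing instead.
Get-WinEvent -FilterHashtable $Filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Pull the named EventData fields out of the event XML.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Computer    = $_.MachineName
            User        = $data['SubjectUserName']
            Process     = Split-Path -Leaf $data['NewProcessName']
            CommandLine = $data['CommandLine']
            Parent      = $data['ParentProcessName']
        }
    } |
    Where-Object { $Binaries -contains $_.Process -and $_.CommandLine -match $Pattern } |
    Format-Table -AutoSize
```

Run it elevated (reading the Security log requires administrator or Event Log Readers membership). A hit from a backup agent or a scheduled maintenance job is expected on some servers; a hit from an interactive user session, or from a parent such as `cmd.exe` or `powershell.exe` launched under a service account, is the pattern worth escalating.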
PowerShell Script for Audit
**Script: Verify RDP Security Configuration**
Since INC often spreads via compromised credentials, ensure RDP is hardened. Run this to check whether the Network Level Authentication (NLA) requirement is in place.
```powershell
# Check whether the RDP-Tcp listener requires Network Level Authentication (NLA).
# Get-CimInstance replaces the deprecated Get-WmiObject; the class and namespace are unchanged.
$Setting = Get-CimInstance -ClassName Win32_TSGeneralSetting `
    -Namespace root\cimv2\terminalservices -Filter "TerminalName='RDP-tcp'"
if ($Setting.UserAuthenticationRequired -eq 1) {
    Write-Host "[+] NLA is enabled on this host." -ForegroundColor Green
} else {
    Write-Host "[!] WARNING: NLA is disabled. Unauthenticated clients can reach the logon screen, exposing RDP to credential and pre-authentication attacks." -ForegroundColor Red
}
```
Remediation
If an organization suspects compromise or wishes to harden defenses against INC ransomware, the following steps must be taken immediately:
- Isolate Affected Systems: Immediately disconnect infected machines from the network and Wi-Fi to prevent lateral movement to other clinical systems.
- Verify Backups: Ensure offline, immutable backups are available. Test the restoration process for EHR systems in an isolated environment.
- Patch Management: Prioritize patching critical vulnerabilities in external-facing assets, specifically VPN concentrators and remote access tools.
- Disable Unused RDP: If Remote Desktop Protocol is not essential for business operations, disable it. If required, enforce Multi-Factor Authentication (MFA) and place it behind a VPN gateway.
- Review Privileged Access: Audit accounts with Domain Admin rights. INC ransomware requires high privileges to encrypt network shares effectively.
- Implement Application Control: Use allow-listing (e.g., AppLocker) to prevent the execution of unknown binaries in sensitive directories like C:\Windows\Temp.
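To make the hardening items above auditable on a single host, here is an added example, not code from the original post: a read-only PowerShell audit that reports on RDP exposure, NLA, privileged group membership, patch age and AppLocker enforcement. It must run elevated; the Domain Admins check needs the RSAT ActiveDirectory module and is skipped when that module is absent. The thresholds (3 local admins, 5 domain admins, 30 days since the last hotfix) are illustrative assumptions, not values from the post, and should be set to the organization's own baseline. Offline backup verification cannot be checked from the host and is deliberately not covered.

```powershell
# Added example (not from the original post): read-only audit of the remediation
# controls on one Windows host. Run elevated. Thresholds below are assumptions.

function Get-RdpPosture {
    $ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections
    $ws = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' `
            -Name UserAuthentication, SecurityLayer
    [pscustomobject]@{
        RdpEnabled  = ($ts.fDenyTSConnections -eq 0)
        NlaRequired = ($ws.UserAuthentication -eq 1)
        TlsEnforced = ($ws.SecurityLayer -eq 2)   # 2 = TLS only; 0/1 still accept legacy RDP security
    }
}

function Get-PrivilegedAccounts {
    $local  = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
    $domain = $null
    if (Get-Module -ListAvailable -Name ActiveDirectory) {
        # -Recursive expands nested groups so indirect Domain Admins are counted too.
        $domain = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
                  Select-Object -ExpandProperty SamAccountName
    }
    [pscustomobject]@{ LocalAdmins = @($local); DomainAdmins = $domain }
}

function Get-PatchAgeDays {
    $last = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
    if ($last) { (New-TimeSpan -Start $last.InstalledOn -End (Get-Date)).Days } else { $null }
}

function Get-AppLockerPosture {
    $svc    = Get-Service -Name AppIDSvc -ErrorAction SilentlyContinue
    $policy = Get-AppLockerPolicy -Effective -ErrorAction SilentlyContinue
    $enforced = @()
    if ($policy) {
        # Only collections in 'Enabled' mode actually block; 'AuditOnly' just logs.
        $enforced = @($policy.RuleCollections |
            Where-Object { $_.EnforcementMode -eq 'Enabled' } |
            ForEach-Object { $_.RuleCollectionType })
    }
    [pscustomobject]@{
        ServiceRunning      = ($null -ne $svc -and $svc.Status -eq 'Running')
        EnforcedCollections = $enforced
    }
}

# Assumed thresholds; adjust to the organization's baseline.
$MaxLocalAdmins  = 3
$MaxDomainAdmins = 5
$MaxPatchAgeDays = 30

$rdp  = Get-RdpPosture
$priv = Get-PrivilegedAccounts
$age  = Get-PatchAgeDays
$appl = Get-AppLockerPosture

$findings = @()
if ($rdp.RdpEnabled -and -not $rdp.NlaRequired) { $findings += 'RDP is enabled without NLA' }
if ($rdp.RdpEnabled -and -not $rdp.TlsEnforced) { $findings += 'RDP SecurityLayer still permits legacy RDP security' }
if ($priv.LocalAdmins.Count -gt $MaxLocalAdmins) { $findings += "Local Administrators has $($priv.LocalAdmins.Count) members" }
if ($null -ne $priv.DomainAdmins -and $priv.DomainAdmins.Count -gt $MaxDomainAdmins) {
    $findings += "Domain Admins has $($priv.DomainAdmins.Count) members (recursive)"
}
if ($null -eq $age -or $age -gt $MaxPatchAgeDays) { $findings += "Last hotfix installed $age days ago" }
if (-not $appl.ServiceRunning -or -not ($appl.EnforcedCollections -contains 'Exe')) {
    $findings += 'AppLocker executable rules are not enforced (service stopped or Exe collection not Enabled)'
}

if ($findings) {
    $findings | ForEach-Object { Write-Host "[!] $_" -ForegroundColor Red }
} else {
    Write-Host '[+] No findings for the audited controls.' -ForegroundColor Green
}
```

Each check is a function returning an object, so the same script can be wrapped in a configuration-management job or fed into a ticketing integration rather than only read from the console. An RDP finding on a host that also fails the AppLocker check is the combination most relevant to the INC tradecraft described above: credential-based access followed by unrestricted execution of a dropped binary.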
By maintaining strict segmentation and monitoring for the precursor activities listed above, healthcare providers can significantly reduce the risk of falling victim to INC ransomware operations.