The healthcare sector across Oceania is currently navigating a perilous threat landscape. Recent intelligence confirms that the INC Ransomware group has set its sights on critical health infrastructure, specifically targeting government agencies, emergency clinics, and healthcare providers in Australia, New Zealand, and Tonga. This isn't just a data breach; it is a direct attack on the continuity of patient care.
For a managed security firm like Security Arsenal, this campaign is a stark reminder of the volatility facing the healthcare vertical. Ransomware groups like INC are evolving, moving beyond opportunistic attacks to calculated, targeted operations against organizations where downtime has life-or-death consequences.
The INC Ransomware Profile
INC Ransomware emerged as a formidable player in the threat landscape around early 2023. Known for their aggressive double-extortion tactics, they encrypt sensitive data and threaten to leak it if the ransom is not paid. Their transition into targeting the Oceania region suggests a strategic shift towards sectors that are historically perceived as vulnerable due to legacy systems and high operational uptime requirements.
Analysis: Tactics, Techniques, and Procedures (TTPs)
Understanding the mechanics of the INC group is essential for defense. While they utilize a variety of entry vectors, their operations typically follow a predictable lifecycle:
1. Initial Access and Reconnaissance
INC Ransomware actors frequently gain initial access through exposed vulnerabilities in external-facing services, such as unpatched VPN appliances (Fortinet, Citrix) or compromised credentials obtained via phishing campaigns. Once inside, they perform extensive reconnaissance to map the network and identify high-value targets, such as Electronic Health Records (EHR) systems.
2. Lateral Movement and Persistence
To move laterally, the group leverages remote management tools like AnyDesk, ScreenConnect, or RDP, often exploiting weak permissions or lack of multi-factor authentication (MFA). They establish persistence by creating scheduled tasks or modifying registry keys to ensure their malicious payloads survive system reboots.
3. Data Exfiltration
Before detonating the encryption payload, INC actors engage in extensive data theft. They often commandeer legitimate administrative tools, such as Rclone or Mega, to exfiltrate large volumes of sensitive patient data to cloud storage services. This "double extortion" maximizes their leverage over the victim.
4. Impact and Encryption
The encryption phase is designed to cause maximum disruption. They disable security solutions and backup agents before encrypting files, often appending extensions or leaving ransom notes in every directory.
Detection and Threat Hunting
Defending against this requires proactive hunting. Below are specific queries and scripts to identify suspicious activity associated with INC Ransomware TTPs.
Hunting for Data Exfiltration Tools (KQL)
INC actors frequently use Rclone for exfiltration. Use this KQL query in Microsoft Sentinel to detect processes that match this behavior.
// Rclone activity in the last 7 days (Defender for Endpoint DeviceProcessEvents table in Sentinel)
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName =~ "rclone.exe" or ProcessCommandLine contains "rclone"
// Report rclone started from an unexpected parent, or any invocation that loads a config and syncs.
// Parentheses make the precedence explicit: rclone run from cmd.exe/powershell.exe is only reported
// when the command line also contains both "config" and "sync".
| where InitiatingProcessFileName !in ("explorer.exe", "cmd.exe", "powershell.exe")
    or (ProcessCommandLine contains "config" and ProcessCommandLine contains "sync")
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName, FolderPath
| order by Timestamp desc
Detecting Suspicious Scheduled Tasks (PowerShell)
Ransomware groups often use Scheduled Tasks for persistence. This PowerShell script hunts for tasks created in the last 24 hours by non-system accounts and surfaces the command each one runs so that suspicious entries can be reviewed.
# Get scheduled tasks created in the last 24 hours by non-system authors
$Date = (Get-Date).AddDays(-1)
Get-ScheduledTask | Where-Object {
    # Date is stored as a string in the task XML: skip tasks without one and cast before comparing,
    # otherwise PowerShell performs a string comparison against the DateTime
    $_.Date -and [datetime]$_.Date -ge $Date -and
    $_.Author -notmatch "Microsoft|NT AUTHORITY|SYSTEM|Administrators"
} | ForEach-Object {
    $TaskInfo = $_
    # A task may define several actions; report each executable with its own arguments
    foreach ($Act in $TaskInfo.Actions) {
        if ($Act.Execute) {
            [PSCustomObject]@{
                TaskName  = $TaskInfo.TaskName
                Author    = $TaskInfo.Author
                Created   = $TaskInfo.Date
                Execute   = $Act.Execute
                Arguments = $Act.Arguments
            }
        }
    }
}
Checking for Common Ransomware Extensions (Bash)
On Linux environments within mixed infrastructure, you can scan for files that may have been encrypted by bulk renaming operations typical of ransomware.
# Scan /var/www and /home for files carrying extensions commonly appended by ransomware.
# -name is case-sensitive on purpose: lowercase *.inc files are legitimate PHP/web include files,
# so matching them would flood the output. head caps the listing at the first 20 hits.
find /var/www /home -type f \( -name "*.INC" -o -name "*.locked" -o -name "*.enc" \) 2>/dev/null | head -n 20
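The checks above each match a known artifact (a tool name, a task author, a fixed extension). As an added example that is not part of the original advisory, the Python below generalizes the encryption-phase detection from the Impact section: it flags a host where many files gain the same new extension inside a short window, and a host where one file name is created in many directories (a ransom note dropped per directory). The hostnames, paths, thresholds, and the note name HOW_TO_RECOVER.txt are constructed placeholders, and the event tuples stand in for an EDR, Sysmon, or auditd file-event feed.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from posixpath import basename, dirname, splitext

# Constructed sample (not real telemetry). Tuples: (host, timestamp, op, path, new_path).
# A real feed would be EDR/Sysmon file events or auditd rename/create records.
def sample_events():
    t0 = datetime(2024, 3, 10, 2, 14, 0)
    ev = []
    for i in range(25):  # 25 patient records gain the same appended extension in ~50 s
        p = f"/srv/ehr/patients/rec{i:03d}.pdf"
        ev.append(("ehr-fs01", t0 + timedelta(seconds=2 * i), "rename", p, p + ".INC"))
    for i in range(12):  # one note name (placeholder) dropped into 12 directories
        note = f"/srv/ehr/dir{i}/HOW_TO_RECOVER.txt"
        ev.append(("ehr-fs01", t0 + timedelta(seconds=60 + i), "create", note, None))
    for i in range(5):  # benign: log rotation renames, hours apart, each to a different extension
        ev.append(("web01", t0 + timedelta(hours=i), "rename", "/var/log/app.log", f"/var/log/app.log.{i}"))
    return ev

def detect(events, window=timedelta(minutes=5), rename_threshold=20, note_threshold=10):
    """Return (host, alert_type, detail) tuples for bulk-rename and note-spray patterns."""
    by_host = defaultdict(list)
    for host, ts, op, path, new_path in events:
        by_host[host].append((ts, op, path, new_path))
    alerts = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e[0])
        # 1) Bulk rename: many files gain the same new extension inside one sliding window.
        renames = [(ts, splitext(np)[1]) for ts, op, p, np in evs
                   if op == "rename" and np and splitext(np)[1] != splitext(p)[1]]
        for ext in sorted({e for _, e in renames}):
            times = [ts for ts, e in renames if e == ext]  # already time-ordered
            for i, start in enumerate(times):
                n = sum(1 for t in times[i:] if t - start <= window)
                if n >= rename_threshold:
                    alerts.append((host, "bulk_rename", f"{n} files renamed to '*{ext}' within {window}"))
                    break
        # 2) Note spray: the same file name created in many distinct directories inside one window.
        creates = defaultdict(list)
        for ts, op, p, _ in evs:
            if op == "create":
                creates[basename(p)].append((ts, dirname(p)))
        for name, items in creates.items():
            for i, (start, _) in enumerate(items):
                dirs = {d for t, d in items[i:] if t - start <= window}
                if len(dirs) >= note_threshold:
                    alerts.append((host, "note_spray", f"'{name}' created in {len(dirs)} directories within {window}"))
                    break
    return alerts
```

Running detect(sample_events()) reports two alerts for ehr-fs01 and none for the log-rotation host; tune the window and thresholds to the normal rename rate of each file server before deploying.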
Mitigation Strategies
To protect healthcare environments from INC Ransomware, we recommend the following actionable measures:
- Strict Network Segmentation: Ensure that EHR systems and medical devices are isolated from the general corporate network and the internet. Containment is the last line of defense against lateral movement.
- Patch External-Facing Assets Immediately: Prioritize patching VPN appliances and remote access gateways. INC groups are known to scan for and exploit known CVEs within hours of public disclosure.
- Disable Unused RDP Ports: Close Port 3389 externally and require VPN access with MFA for any internal remote desktop needs.
- Implement Least Privilege: Restrict administrative credentials. If an INC actor compromises a standard user account, they should not be able to install software or traverse the entire network.
- Offline Backups: Ensure your backup strategy includes immutable, offline copies of critical patient data. This is the only sure way to recover from a double-extortion event without paying.
The healthcare sector in Oceania is under siege. By understanding the TTPs of the INC Ransomware group and deploying robust detection mechanisms, security teams can stay one step ahead of these adversaries.