Back to Intelligence

INCRANSOM Gang: Surge in Agriculture & Manufacturing Targets — Detection Engineering & IOCs

SA
Security Arsenal Team
July 17, 2026
7 min read

Operational Model: INCRANSOM operates as a closed-group operation rather than a traditional RaaS affiliate model, allowing for tighter operational security and more controlled, targeted attacks.

Tactics & Techniques: The group is known for aggressive double-extortion tactics, exfiltrating sensitive data—specifically financial records, customer databases, and intellectual property—prior to encryption to leverage pressure on victims.

Ransom Demands: Demands vary significantly based on victim revenue but typically range from $500,000 to $5 million. They are known to negotiate aggressively but will leak data if deadlines are missed.

Initial Access: INCRANSOM frequently leverages exposed VPN appliances and firewall management interfaces. Recent intelligence indicates a shift toward exploiting specific CVEs in perimeter security devices (Check Point, Cisco) rather than traditional phishing or RDP brute-forcing, though valid credentials obtained via info-stealers are still used.

Dwell Time: The average dwell time is estimated to be 3–7 days, during which they conduct extensive reconnaissance and data staging before detonating encryption.

Current Campaign Analysis

Targeted Sectors: The recent wave of postings indicates a strategic pivot toward Agriculture and Food Production (40% of recent victims) and Manufacturing (20%). This suggests the group is targeting supply chain entities with high operational uptime requirements.

  • Agriculture/Food: V&P Nurseries (US), pokka.co (SG), vedan corp (VN).
  • Manufacturing: D.MAG New Material (TW), Kyokuto Kaihatsu Kogyo (JP).
  • Other Targets: Technology, Business Services, and Financial Services (State Bank of Nauvoo).

Geographic Concentration: The campaign is highly globalized, bypassing typical Western-centric targets to hit significant entities in Southeast Asia (VN, SG, TW, PH) and Africa (ZA), alongside US and UK victims. This broad spread suggests opportunistic scanning for the specific CVEs listed below rather than geo-political targeting.

Victim Profile: Victims range from mid-sized businesses (e.g., local nurseries) to large multinational corporations (e.g., Pokka, Vedan Corp). The commonality is reliance on legacy or internet-facing perimeter infrastructure.

CVE Correlation: This campaign strongly correlates with the exploitation of CVE-2026-50751 (Check Point Security Gateway) and CVE-2026-20131 (Cisco Secure Firewall FMC). Given the high percentage of technology and manufacturing victims, it is highly probable INCRANSOM is scanning for unpatched perimeter security appliances to establish a foothold. The continued presence of CVE-2024-1708 (ConnectWise ScreenConnect) suggests they also exploit remote management tools when available.

Detection Engineering

SIGMA Rules

YAML
---
title: Potential Check Point IKEv1 Exploitation Attempt
description: Detects potential exploitation of CVE-2026-50751 involving IKEv1 key exchange anomalies or improper authentication attempts on Check Point Security Gateways.
references:
  - https://cisa.gov/known-exploited-vulnerabilities-catalog
author: Security Arsenal Research
date: 2026/07/18
status: stable
logsource:
  product: firewall
  definition: 'Check Point Security Gateway logs'
detection:
  selection:
    product|contains: 'Check Point'
    action|contains: 'key_exchange'
    protocol|contains: 'IKEv1'
  filter_main:
    error_message|contains:
      - 'authentication failure'
      - 'invalid cookie'
      - 'payload malformed'
  condition: selection and filter_main
falsepositives:
  - Misconfigured VPN clients
  - Legitimate failed authentication attempts
level: high
tags:
  - attack.initial_access
  - cve.2026.50751
  - incransom

---
title: Suspicious PowerShell Encoded Command Length
description: INCRANSOM often uses heavily obfuscated PowerShell commands for lateral movement and defense evasion. This rule detects long encoded commands typical of their obfuscation techniques.
references:
  - Internal Telemetry
author: Security Arsenal Research
date: 2026/07/18
status: experimental
logsource:
  product: windows
  service: powershell
detection:
  selection:
    EventID: 4104
  condition: selection and length(CommandLine) > 1000
falsepositives:
  - Administrative scripts
level: high
tags:
  - attack.execution
  - attack.defense_evasion
  - incransom

---
title: Large Scale File Deletion Potential Ransomware
description: Detects bulk file deletion or overwriting actions often performed by INCRANSOM prior to encryption or during data wiping phases.
references:
  - Ransomware behavior analysis
author: Security Arsenal Research
date: 2026/07/18
status: stable
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID:
      - 4660 # An object was deleted
      - 4663 # An object was accessed (specifically write/delete)
    ObjectType: 'File'
  condition: selection | count() by TargetFileName > 50
timeframe: 1m
falsepositives:
  - Legitimate bulk file operations by administrators
level: critical
tags:
  - attack.impact
  - incransom

KQL (Microsoft Sentinel)

Hunts for lateral movement and staging activities associated with INCRANSOM's playbook, focusing on SMB and PsExec usage.

KQL — Microsoft Sentinel / Defender
// Hunt for INCRANSOM lateral movement indicators
let TimeFrame = ago(7d);
DeviceProcessEvents
| where Timestamp > TimeFrame
// Identify PsExec or WMI execution often used for lateral spread
| where ProcessName in~ ("psexec.exe", "psexec64.exe", "wmic.exe", "powershell.exe")
| where ProcessCommandLine has "-node" or ProcessCommandLine has "/node:" or ProcessCommandLine has "Invoke-Command"
// Look for connection to internal IPs (non-local)
| extend RemoteIP = extract(@'\[?(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\]?', 1, ProcessCommandLine)
| where isnotempty(RemoteIP) and RemoteIP !startswith "127." and RemoteIP !startswith "192.168." and RemoteIP !startswith "10."
| summarize Count = count(), DistinctProcesses = dcount(ProcessName) by DeviceName, AccountName, RemoteIP, ProcessCommandLine
| where Count > 5
| order by Count desc

Rapid Response PowerShell Script

This script checks for common signs of INCRANSom pre-encryption staging: modified Shadow Copies and unusual scheduled tasks.

PowerShell
<#
.INCRANSOM_Response_Check
.SYNOPSIS
    Rapid triage script to check for signs of ransomware staging and INCRANSOM TTPs.
.DESCRIPTION
    Checks for Volume Shadow Copy modifications and recently created scheduled tasks.
#>

Write-Host "[+] Checking for Shadow Copy manipulation (Last 24h)..." -ForegroundColor Cyan
$shadowCopies = Get-WmiObject Win32_ShadowCopy | Where-Object { $_.InstallDate -gt (Get-Date).AddHours(-24) }
if ($shadowCopies) {
    Write-Host "[!] WARNING: Recent Shadow Copy activity detected:" -ForegroundColor Red
    $shadowCopies | Select-Object ID, VolumeName, InstallDate | Format-Table
} else {
    Write-Host "[-] No recent Shadow Copy activity found." -ForegroundColor Green
}

Write-Host "\n[+] Checking for Scheduled Tasks created in last 7 days..." -ForegroundColor Cyan
$tasks = Get-ScheduledTask | Where-Object { $_.Date -gt (Get-Date).AddDays(-7) }
if ($tasks) {
    Write-Host "[!] WARNING: Recently created Scheduled Tasks:" -ForegroundColor Red
    $tasks | Select-Object TaskName, Author, Date | Format-Table
} else {
    Write-Host "[-] No recent Scheduled Task creation found." -ForegroundColor Green
}

Write-Host "\n[+] Checking for exposed RDP (Port 3389)..." -ForegroundColor Cyan
$rdpListeners = Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue
if ($rdpListeners) {
    Write-Host "[!] WARNING: RDP is listening on the following interfaces:" -ForegroundColor Red
    $rdpListeners | Select-Object LocalAddress, LocalPort, OwningProcess | Format-Table
} else {
    Write-Host "[-] RDP not exposed." -ForegroundColor Green
}
Write-Host "\n[*] Triage complete. Review warnings immediately."

Incident Response Priorities

T-Minus Detection Checklist (Look BEFORE Encryption):

  1. Perimeter Logs: Review Check Point and Cisco FMC logs for spikes in failed IKEv1 requests or management interface authentication failures (indicators of CVE-2026-50751 and CVE-2026-20131).
  2. Remote Access: Audit ConnectWise ScreenConnect logs for anomalous path traversal requests or unauthorized file uploads (CVE-2024-1708).
  3. Process Anomalies: Hunt for PowerShell processes with encoded command lengths exceeding 1000 characters.

Critical Assets at Risk: INCRANSOM historically prioritizes exfiltration of:

  • Financial Data: Accounting databases, tax records, and banking credentials.
  • Intellectual Property: CAD drawings, manufacturing formulas, and proprietary schematics (critical for the Manufacturing sector).
  • Customer PII: HR records and customer databases for double-extortion leverage.

Containment Actions (Ordered by Urgency):

  1. Isolate: Immediately disconnect internet-facing VPN and Firewall management interfaces from the network if exploitation is suspected.
  2. Disable: Disable local administrative accounts and scheduled tasks created within the last 7 days.
  3. Preserve: Snapshot memory of domain controllers and any suspected jump servers to analyze credentials.

Hardening Recommendations

Immediate (24h):

  • Patch Critical CVEs: Apply patches for CVE-2026-50751 (Check Point), CVE-2026-20131 (Cisco FMC), and CVE-2024-1708 (ScreenConnect) immediately. If patching is not possible, disable VPN services or management interfaces accessible from the internet.
  • MFA Enforcement: Enforce phishing-resistant MFA on all VPN and remote management portals.

Short-term (2 weeks):

  • Network Segmentation: Ensure management interfaces for firewalls and VPNs are on a dedicated OOB (Out-of-Band) management VLAN, not reachable from the general corporate network.
  • EDR Coverage: Verify EDR sensors are deployed and reporting on all perimeter servers and management jump boxes.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebransomware-gangincransomransomwareagriculturemanufacturingcve-2026-50751initial-access

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.