Incransom's Ransomware Disrupts Waupaca County Systems

Incident Date: July 5, 2024

Overview

Title: Incransom's Ransomware Disrupts Waupaca County Systems
Victim: Waupaca County
Attacker: Inc Ransom
Location: Waupaca, USA; Wisconsin, USA
First Reported: July 5, 2024

Analysis of the Ransomware Attack on Waupaca County by Incransom

Victim Profile: Waupaca County, Wisconsin

Waupaca County, located in the east-central part of Wisconsin, USA, operates primarily through its official website, waupacacounty-wi.gov. This digital platform is essential for the county's administration, providing residents with access to governmental resources, community updates, and administrative services. The county's infrastructure supports various departments including the Sheriff's Office, Health and Human Services, and the Highway Department. Notably, the Register of Deeds office transitioned to a new web-based land records management system called RecordEASE in March 2022, which underscores the county's increasing reliance on digital solutions. The integration of such technology, while beneficial, also potentially increases vulnerability to cyber-attacks due to the critical nature of the services and the data involved.

Attack Overview

On June 18, 2024, Waupaca County experienced a significant disruption in its computer systems due to a ransomware attack. The cybercriminal group Incransom publicly claimed responsibility for this incident. While some critical systems were swiftly restored and emergency response systems remained unaffected, the attack highlights ongoing security challenges. The specifics of the ransom demanded, the exact nature of the data breach, and the method of network penetration have not been disclosed. However, the incident has prompted an investigation and recovery process involving third-party cybersecurity specialists.

Ransomware Group: Incransom

Incransom, a notorious ransomware group known for its sophisticated cyber-attacks, has targeted various sectors including government entities. The group employs advanced tactics such as spear-phishing, exploitation of vulnerabilities like CVE-2023-3519 in Citrix NetScaler, and the use of legitimate system tools for reconnaissance. Incransom's modus operandi includes not only encrypting data but also exfiltrating it, followed by threats of public disclosure if its ransom demands are not met. This double extortion technique puts significant pressure on victims to comply.

Potential Entry Points and Security Implications

While the specific entry point used by Incransom in the Waupaca County attack remains unclear, typical vectors include phishing attacks, exploitation of software vulnerabilities, or inadequate security protocols on critical infrastructure. The county's recent adoption of new digital systems such as RecordEASE might have introduced new vulnerabilities, particularly if these systems were not fully secured or if staff were not adequately trained on new security requirements. The incident underscores the need for continuous security assessments and updates, especially when implementing new technology solutions.

Recent Ransomware Attacks

The Recent Ransomware Attacks (RRA) site acts as a watchtower, providing you with near real-time ransomware tracking of attacks, groups and their victims. Given threat actors’ overarching, lucrative success so far, ransomware attacks have become the most ubiquitous, and financially and informationally impactful cyber threat to businesses and organizations today.

The site’s data is generated based on hosting choices of real-world threat actors, and a handful of other trackers. While sanitization efforts have been taken, we cannot guarantee 100% accuracy of the data. Attack updates will be made as source data is reported by reputable sources. By viewing, accessing, or using RRA you acknowledge you are doing so at your own risk.