INC Ransomware Tied to McLaren Hospitals Attack

McLaren Health Care's IT and phone systems were disrupted by an attack linked to the INC Ransom ransomware group, Bleeping Computer reports.

‍

McLaren, a non-profit healthcare system operating 13 hospitals across Michigan, serves the region with a network of 640 physicians, 28,000 employees, and over 113,000 network providers in Michigan, Indiana, and Ohio.  

‍

The disruption affected access to patient information databases, leading McLaren to advise patients to bring detailed medication information and recent lab results to their appointments.  

‍

Although McLaren is investigating the incident, they warned that some non-emergency or elective procedures might need to be rescheduled as a precaution.  

‍

The healthcare system apologized for the inconvenience and urged patients to be patient as their teams work to restore services.  

‍

While McLaren has not officially confirmed the nature of the attack, employees at McLaren Bay Region Hospital in Bay City reported receiving a ransom note from the INC Ransom group, threatening to publish stolen data if the ransom is not paid.

‍

The situation remains under investigation as McLaren works to address the disruption and ensure patient care continues.

‍

‍Takeaway: According to the Power Rankings: Ransomware Malicious Quartile report, INC Ransom was first observed in the summer of 2023, and it is unclear if they maintain a RaaS affiliate operation or are a closed group.

‍

They claim to be a “moral agent” and suggest that they are helping victims by exposing their weaknesses.

‍

INC uses common TTPs such as leveraging compromised RDP (Remote Desktop Protocol) credentials to gain access and move laterally in a targeted environment. Initial infections have been observed via phishing and exploitation of a vulnerability in Citrix NetScaler (CVE-2023-3519).  

‍

INC has been observed delivering ransomware using legitimate tools like WMIC and PSEXEC and uses other Living-off-the-Land (LOTL) techniques, abusing applications Including MSPaint , WordPad, NotePad, MS Internet Explorer, MS Windows Explorer, and AnyDesk for lateral movement.  

‍

INC has also been observed abusing tools like Esentutl for reconnaissance and MegaSync for data exfiltration. INC is written in C++ and uses AES-128 in CTR mode to encrypt files, and it also has a Linux version.  

‍

It is unclear if INC employs any advanced security tool evasion techniques, and there are indications that they may attempt to delete Volume Shadow Copies (VSS) to hinder encryption rollback attempts.

‍

INC did not emerge until the second half of 2023, but they appear to be ramping up operations as they refine their code and attack sequences. They instruct victims to log into a Tor portal with a unique user ID provided by the attackers. It is unclear what the average ransom demand is at this point.  

‍

INC targets a wide array of industries, including manufacturing, retail, IT, hospitality, pharma, construction and the public sector. INC practices double extortion and maintain a leaks site for double extortion, threatening to expose victim. INC has made good on threats to expose sensitive data if a target does not pay the ransom demand.

‍

Notable victims include the Peruvian Army, NHS Scotland, Xerox, Trylon Corp, Ingo Money, BPG Partners Group, DM Civil, Nicole Miller INC., Pro Metals, Springfield Area Chamber of Commerce, US Federal Labor Relations Authority, Yamaha Philippines.

‍

‍

‍Halcyon.ai is the leading anti-ransomware company that closes endpoint protection gaps and defeats ransomware through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.