{"description": "Enterprise techniques used by INC Ransomware, ATT&CK software S1139 (v1.0)", "name": "INC Ransomware (S1139)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1486", "comment": "[INC Ransomware](https://attack.mitre.org/software/S1139) can encrypt data on victim systems, including through the use of partial encryption and multi-threading to speed encryption.(Citation: SentinelOne INC Ransomware)(Citation: Huntress INC Ransom Group August 2023)(Citation: Cybereason INC Ransomware November 2023)(Citation: SOCRadar INC Ransom January 2024)(Citation: SentinelOne INC Ransomware)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1491", "showSubtechniques": true}, {"techniqueID": "T1491.001", "comment": "[INC Ransomware](https://attack.mitre.org/software/S1139) has the ability to change the background wallpaper image to display the ransom note.(Citation: Cybereason INC Ransomware November 2023)(Citation: Secureworks GOLD IONIC April 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1140", "comment": "[INC Ransomware](https://attack.mitre.org/software/S1139) can run `CryptStringToBinaryA` to decrypt base64 content containing its ransom note.(Citation: Cybereason INC Ransomware November 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1652", "comment": "[INC Ransomware](https://attack.mitre.org/software/S1139) can verify the presence of specific drivers on compromised hosts including Microsoft Print to PDF and Microsoft XPS Document Writer.(Citation: Cybereason INC Ransomware November 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1083", "comment": "[INC Ransomware](https://attack.mitre.org/software/S1139) can receive command line arguments to encrypt specific files and directories.(Citation: Cybereason INC Ransomware November 2023)(Citation: SentinelOne INC Ransomware)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1490", "comment": "[INC Ransomware](https://attack.mitre.org/software/S1139) can delete volume shadow copy backups from victim machines.(Citation: Cybereason INC Ransomware November 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1570", "comment": "\n[INC Ransomware](https://attack.mitre.org/software/S1139) can push its encryption executable to multiple endpoints within compromised infrastructure.(Citation: Huntress INC Ransom Group August 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1106", "comment": "[INC Ransomware](https://attack.mitre.org/software/S1139) can use the API `DeviceIoControl` to resize the allocated space for and cause the deletion of volume shadow copy snapshots.(Citation: Cybereason INC Ransomware November 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1135", "comment": "[INC Ransomware](https://attack.mitre.org/software/S1139) has the ability to check for shared network drives to encrypt.(Citation: Cybereason INC Ransomware November 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1120", "comment": "[INC Ransomware](https://attack.mitre.org/software/S1139) can identify external USB and hard drives for encryption and printers to print ransom notes.(Citation: Cybereason INC Ransomware November 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1566", "comment": "[INC Ransomware](https://attack.mitre.org/software/S1139) campaigns have used spearphishing emails for initial access.(Citation: SentinelOne INC Ransomware)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1057", "comment": "[INC Ransomware](https://attack.mitre.org/software/S1139) can use the Microsoft Win32 Restart Manager to kill processes with a specific handle or that are accessing resources it wants to encrypt.(Citation: Cybereason INC Ransomware November 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1489", "comment": "[INC Ransomware](https://attack.mitre.org/software/S1139) can issue a command to kill a process on compromised hosts.(Citation: Cybereason INC Ransomware November 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1082", "comment": "[INC Ransomware](https://attack.mitre.org/software/S1139) can discover and mount hidden drives to encrypt them.(Citation: Cybereason INC Ransomware November 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1047", "comment": "[INC Ransomware](https://attack.mitre.org/software/S1139) has the ability to use wmic.exe to spread to multiple endpoints within a compromised environment.(Citation: Huntress INC Ransom Group August 2023)(Citation: Secureworks GOLD IONIC April 2024)\n", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by INC Ransomware", "color": "#66b1ff"}]}