databreaches.net 1/23/2026, 1:31:15 PM

INC ransomware opsec fail allowed data recovery for 12 US orgs

An operational security failure by the INC ransomware group allowed researchers to recover data that the gang stole from a dozen U.S. organisations. A deep forensic examination of the artifacts left behind uncovered tooling that had not been used in the investigated attack but that exposed attacker infrastructure storing exfiltrated data from multiple victims.

The operation was conducted by Cyber Centaurs, a digital forensics and incident response company that disclosed its success last November and has now shared the full details with BleepingComputer. The payload, a RainINC ransomware variant, was executed from the PerfLogs directory, which is typically created by Windows and which ransomware actors have begun to use more frequently for staging.

The Cyber Centaurs investigation began after a client U.S. organisation detected ransomware encryption activity on a production SQL Server, according to BleepingComputer.

Article by CyberSIXT