
Inc Ransomware Encryptor Contains Keys to Victim Data Recovery

August 14, 2024 – Published on Dark Reading

The Inc ransomware collective, which just disrupted a major Michigan healthcare network, is using an encryptor that may hold the key to recovering from its worst attacks.

Where once ransomware groups claimed moral high ground, they are increasingly targeting critical healthcare facilities. The latest salvo: Inc’s attack on McLaren Health Care, a multibillion-dollar network of hospitals, physicians’ practices, insurance plans, and more, in and around Michigan, Indiana, and Ohio. The attack interrupted McLaren’s IT and phone systems, with hospitals and outpatient clinics triggering “downtime procedures.” Among other things, this involved rescheduling some nonemergency appointments, tests, and treatments, and asking patients to bring in physical, printed copies of their test results, imaging, and other information critical to their care.

Interestingly, Inc victims do have a degree of recourse available to them in the hours after an attack. In a newly published report, GuidePoint Security describes how it can interpret data leaked from Inc’s encryptor in order to make clean, successful decryption more likely.

“Anytime you’re obtaining a decryptor, make copies of the impacted files, and before you’re running that decryptor, take a look at some of these footer values, because some of them you may be able to know right off the bat: We’re not going to be able to get this back,” Jason Baker, threat intelligence consultant for GuidePoint Security, recommends. “For others, you may be able to know right off the bat: I’m going to have to decrypt this more than once. Or you may find out that the vast majority of the data itself is not actually fully encrypted, which gives you a great opportunity for recovery even without a decryptor.”
