INC ransomware OPSEC lapse allowed recovery for 12 US orgs
🔍 Cyber Centaurs conducted a forensic investigation after a client reported ransomware activity and found a RainINC variant executed from the PerfLogs directory. Analysts discovered artifacts tied to Restic — renamed binaries, PowerShell scripts (notably new.ps1 with Base64-encoded commands) and hardcoded S3 credentials — indicating long-lived attacker-controlled backup repositories. Using a controlled, non-destructive enumeration they recovered encrypted backups for 12 unrelated U.S. organizations across healthcare, manufacturing, technology, and services, preserved copies, and notified law enforcement. The team published findings, a list of tools observed in INC infrastructure, and YARA/Sigma rules to help defenders detect suspicious Restic usage and renamed binaries.
