
In a world where technology news is dominated by stories of ransomware attacks and data breaches, Cyber Centaurs is proud to share a rare story of success. While many organizations continue to struggle against a rising tide of cyber extortion, this case demonstrates that determined investigation and skilled response can lead to positive outcomes, even against some of the most sophisticated criminal groups.

In recent months, Cyber Centaurs uncovered a significant breakthrough in the fight against cyber extortion when our team gained access to critical portions of the infrastructure used by the INC Ransomware Group. Known for its data theft and double extortion campaigns, the group has emerged as a powerful threat to organizations across sectors including healthcare, legal services, and manufacturing.

Who Is the INC Ransomware Group

The INC Ransomware Group emerged in mid-2023 and quickly established itself as a major player in the global cyber-extortion landscape. It is known for double-extortion tactics: encrypting systems while stealing sensitive data for leverage. As of mid-2024 the group had claimed responsibility for more than one hundred attacks listed on its leak site.

Targeted industries have included healthcare, education, legal services, and manufacturing, with estimated financial damages reaching into the hundreds of millions of dollars. Their approach is systematic and highly organized: compromise, exfiltrate, encrypt, and then threaten public exposure to maximize pressure on victims.

Exploiting Trust in Backup Systems

Every organization relies on backups. They run quietly in the background, ensuring continuity and resilience. Because these processes are routine and often automated, they rarely raise red flags for security teams.

Cyber Centaurs’ investigation revealed that the INC Ransomware Group exploited this very trust. Rather than relying solely on malware or command-and-control frameworks, they turned to a legitimate IT process, backup operations, to disguise data theft.

By mimicking a company’s normal backup schedule and activity, they could quietly extract data without triggering alerts. To defenders monitoring the network, the traffic appeared to be routine system behavior.

The Role of Rustic

At the center of the scheme was an open-source backup utility called Rustic, a legitimate tool widely used for fast, encrypted, and deduplicated backups. Rustic’s strong encryption capabilities made it ideal for protecting data in transit and at rest, but those same features were weaponized by INC Ransomware.

The group configured Rustic to encrypt victim data before transmission, so exfiltrated files left the environment already protected by strong cryptography. A Rustic repository is encrypted with keys that are unlocked by a repository password, so reading the uploaded data requires both the storage credentials used to reach the bucket and that password. Even if law enforcement or defenders discovered the stolen backups, they would remain unreadable without it.

Further analysis showed that the Rustic executable had been renamed to winupdate.exe and placed in the system directory at C:\Windows\System32\winupdate.exe. Windows Update’s own client binaries are wuauclt.exe and usoclient.exe; a look-alike name in System32 was enough to blend in with legitimate Windows processes and avoid suspicion from both users and endpoint detection systems. Writing to that directory requires administrative rights, so this stage implies the group had already obtained elevated access. Two checks cut through the disguise: an executable in System32 that carries no Microsoft signature, and a process whose command line combines backup-tool arguments with a remote repository while it talks to an external storage endpoint.

The attackers then directed Rustic’s backups to an S3-style cloud storage environment hosted by a commercial provider, giving them affordable, scalable, and globally accessible storage for the stolen information.

Discovery of the Backup Infrastructure

During an active incident response engagement, Cyber Centaurs identified that the INC Ransomware Group’s activity extended far beyond traditional system encryption: the group had adopted Rustic, a legitimate open-source backup tool, to facilitate data exfiltration.

Rustic is designed to provide fast, encrypted, and deduplicated backups, which makes it a reliable solution for organizations seeking efficient data protection; INC exploited those same qualities. Because Rustic encrypts data before transmission, the data is already protected by strong cryptography as it leaves a compromised environment, which makes content-based detection and interception by security tools significantly harder.

The encrypted backups are useless without the corresponding credentials. Even if law enforcement or a security team identified and retrieved the stolen backups, the data would remain inaccessible without the repository password. This gave the threat actors an additional layer of operational security, ensuring that only they could access the exfiltrated information.

The Rustic executable had been renamed to “winupdate.exe” and placed at C:\Windows\System32\winupdate.exe, allowing the process to blend into legitimate system activity and concealing the attackers’ presence from both users and endpoint detection systems.

The stolen datasets were transferred to an S3-style storage bucket hosted by a commercial cloud storage provider. By misusing a legitimate platform, the group obtained secure, affordable, and globally distributed infrastructure for its exfiltrated data, and traffic to such a provider looks no different from a sanctioned cloud backup until the process and credentials behind it are examined.
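The hunting logic that the two sections above imply, written as an added example for this article (it is not Cyber Centaurs’ tooling and not part of the rustic project). It parses a handful of constructed Sysmon-style process-creation and network-connection records and scores each process on the indicators described above: a non-Microsoft executable in System32, a Windows Update look-alike name, restic/rustic-style `-r <repo> backup` arguments run from an unapproved path, and outbound HTTPS to an external address. The record layout, the allowlists, the approved backup paths, the assumed command-line syntax and the sample events are all illustrative assumptions, not observed telemetry.

```python
"""Hunt for a backup tool used as an exfiltration channel.

Added example for this article; not Cyber Centaurs' tooling and not part of
the rustic project. Input is a list of constructed Sysmon-style records
(EventID 1 = process creation, EventID 3 = network connection) written as
'Key=Value|Key=Value'. Field names, allowlists and CLI syntax are assumptions.
"""
import ipaddress
import re
from dataclasses import dataclass, field

SYSTEM32 = "c:\\windows\\system32\\"
# Names Windows Update's own client binaries use (assumed allowlist).
KNOWN_WU_IMAGES = {"wuauclt.exe", "usoclient.exe"}
# A name that tries to look like Windows Update, e.g. winupdate.exe.
WU_LOOKALIKE = re.compile(r"(?:win|ms)?upd(?:ate)?\w*\.exe$", re.I)
# Where backup tooling is allowed to run from in this hypothetical estate.
APPROVED_BACKUP_PATHS = ("c:\\program files\\rustic\\", "c:\\program files\\veeam\\")
# restic/rustic-style invocation: a repository flag followed by the 'backup'
# verb (assumed syntax: `-r <repo> backup <path>`), or a remote repository scheme.
BACKUP_CLI = re.compile(r"(?:-r|--repository)\s+\S+.*\bbackup\b", re.I)
REMOTE_REPO = re.compile(r"\b(?:s3|opendal|rclone|rest|b2|azblob|gs):", re.I)
# RFC 1918 ranges; anything else is treated as external in this example.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Finding:
    image: str
    reasons: list = field(default_factory=list)  # (tag, human-readable text)

    @property
    def tags(self) -> set:
        return {tag for tag, _ in self.reasons}

    @property
    def severity(self) -> str:
        # Backup-tool arguments plus an external upload is the exfil pattern itself.
        if {"backup_cli", "external_https"} <= self.tags:
            return "high"
        return "medium" if len(self.tags) >= 2 else "low"


def parse_event(line: str) -> dict:
    """Parse one 'Key=Value|Key=Value' record into a dict."""
    return dict(kv.split("=", 1) for kv in line.split("|"))


def analyze(lines) -> dict:
    """Return {ProcessGuid: Finding} for processes with at least one host indicator."""
    findings = {}
    for line in lines:
        ev = parse_event(line)
        guid, image = ev["ProcessGuid"], ev["Image"]
        low = image.lower()
        name = low.rsplit("\\", 1)[-1]
        f = findings.setdefault(guid, Finding(image=image))
        if ev["EventID"] == "1":
            # Sysmon's Company field comes from the PE version info; Microsoft's
            # own binaries report "Microsoft Corporation".
            if low.startswith(SYSTEM32) and ev.get("Company") != "Microsoft Corporation":
                f.reasons.append(("system32", "non-Microsoft executable in System32"))
            if WU_LOOKALIKE.search(name) and name not in KNOWN_WU_IMAGES:
                f.reasons.append(("lookalike", f"Windows Update look-alike name {name}"))
            cmd = ev.get("CommandLine", "")
            if (BACKUP_CLI.search(cmd) or REMOTE_REPO.search(cmd)) and not low.startswith(APPROVED_BACKUP_PATHS):
                f.reasons.append(("backup_cli", "backup-tool command line from an unapproved path"))
        elif ev["EventID"] == "3":
            ip = ipaddress.ip_address(ev["DestinationIp"])
            if ev.get("DestinationPort") == "443" and not any(ip in net for net in INTERNAL_NETS):
                host = ev.get("DestinationHostname", str(ip))
                f.reasons.append(("external_https", f"outbound HTTPS to external host {host}"))
    # A network indicator alone would flag every browser; require a host indicator too.
    return {g: f for g, f in findings.items() if f.tags - {"external_https"}}


# Constructed sample telemetry (not real events). A1 is the disguised backup tool,
# B2 is a genuine Windows Update client, C3 is an approved backup job to a NAS.
SAMPLE_EVENTS = [
    "EventID=1|ProcessGuid={A1}|Image=C:\\Windows\\System32\\winupdate.exe|Company=-|CommandLine=winupdate.exe -r opendal:s3 backup D:\\Finance",
    "EventID=3|ProcessGuid={A1}|Image=C:\\Windows\\System32\\winupdate.exe|DestinationIp=203.0.113.10|DestinationPort=443|DestinationHostname=s3.example-storage.invalid",
    "EventID=1|ProcessGuid={B2}|Image=C:\\Windows\\System32\\wuauclt.exe|Company=Microsoft Corporation|CommandLine=wuauclt.exe /detectnow",
    "EventID=3|ProcessGuid={B2}|Image=C:\\Windows\\System32\\wuauclt.exe|DestinationIp=203.0.113.20|DestinationPort=443|DestinationHostname=update.example.invalid",
    "EventID=1|ProcessGuid={C3}|Image=C:\\Program Files\\rustic\\rustic.exe|Company=-|CommandLine=rustic.exe -r \\\\nas01\\backups backup C:\\Users",
    "EventID=3|ProcessGuid={C3}|Image=C:\\Program Files\\rustic\\rustic.exe|DestinationIp=10.20.0.5|DestinationPort=445|DestinationHostname=nas01",
]

if __name__ == "__main__":
    for guid, finding in analyze(SAMPLE_EVENTS).items():
        print(f"{finding.severity.upper():6} {guid} {finding.image}")
        for _, text in finding.reasons:
            print("   -", text)
```

Run as-is, only the {A1} process is reported, at high severity, with all four indicators; the real Windows Update client is dropped because its only indicator is the external HTTPS connection, and the approved rustic job to an internal NAS produces no indicator at all. In a live estate the approved-path list and the Company check should be replaced by Authenticode signature verification and the organisation's actual backup inventory.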

Cyber Centaurs’ Infiltration and Recovery Effort

Through detailed analysis of activity patterns, executable behavior, and associated metadata, Cyber Centaurs obtained the credentials needed to gain controlled access to the backup infrastructure operated by the INC Ransomware Group. Once access was achieved, the team systematically enumerated the backup containers, mapped their structure, and identified where data from multiple victim organizations had been stored.

This effort led to the successful recovery of data belonging to a dozen victim organizations across the healthcare, legal, and manufacturing sectors.

The investigation provided a rare window into the operational methods of a modern ransomware enterprise and demonstrated that even advanced adversaries can be disrupted through persistence, intelligence driven analysis, and coordinated forensic effort.

A Rare Victory Against Organized Cybercrime

The successful infiltration of the INC Ransomware Group’s backup infrastructure is an uncommon outcome in today’s cyber landscape. Where most ransomware investigations end with containment, Cyber Centaurs achieved something few have: a recovery that turned the adversary’s own tools against them.

Cyber Centaurs coordinated with appropriate law enforcement agencies during the recovery effort, ensuring that the data was handled securely and responsibly before being returned to its rightful owners.

Upcoming Announcement

Cyber Centaurs continues to analyze the full scope of this discovery and its broader implications for the security community. A formal announcement with additional details regarding the recovered data and technical insights into the infrastructure will be released in the near future.