Inc Ransomware Encryptor Contains Keys to Victim Data Recovery

Published: 23/11/2024   Category: security


The threat group is disrupting healthcare organizations. Victims can help themselves, though, even after compromise, by being careful in the decryption process.



The Inc ransomware collective, which just disrupted a major Michigan healthcare network, is using an encryptor that may hold the key to recovering from its worst attacks.
Where once ransomware groups claimed the moral high ground, they are increasingly targeting critical healthcare facilities. The latest salvo: Inc's attack on McLaren Health Care, a multibillion-dollar network of hospitals, physicians' practices, insurance plans, and more, in and around Michigan, Indiana, and Ohio. The attack interrupted McLaren's IT and phone systems, with hospitals and outpatient clinics triggering downtime procedures. Among other things, this involved rescheduling some nonemergency appointments, tests, and treatments, and asking patients to bring in physical, printed copies of their test results, imaging, and other information critical to their care.
McLaren did not initially say whether any patient or employee information had been compromised, but an employee from one of its hospitals leaked a printed ransom note indicating that the Inc ransomware group was holding its data hostage. Dark Reading has reached out to McLaren for an update.
Interestingly, Inc victims do have a degree of recourse available to them in the hours after an attack. In a newly published report, GuidePoint Security describes how it can interpret data leaked from Inc's encryptor in order to make clean, successful decryption more likely.
Inc may have locked up McLaren's files using its encryptor, which masks itself as a system file — named win.exe or windows.exe on Windows systems, or lin for its Linux variant.
Newly Inc-encrypted files gain an 80-byte footer, which actually leaks a great deal of information about the nature of the encryption process, including the degree and pattern of encryption. Victims can use this information to make informed decisions about how to engage with the threat actor.
For example, the footer leaks whether the file was encrypted in Fast, Medium, or Slow mode. If Inc goes in fast, it encrypts only the first, middle, and last megabyte of a file. A slower encryption, by contrast, encrypts all the contents of a file. If the last 16 bytes of the footer indicate that a file was encrypted quickly, victims can likely go most of the way to recovering the file even without Inc's decryptor, simply by using commercial forensic tools.
On the other hand, if a file has been encrypted and appended with a .inc tag but lacks that 80-byte footer, it has been corrupted and will not be recoverable, even with Inc's decryptor.
"Anytime you're obtaining a decryptor, make copies of the impacted files, and before you're running that decryptor, take a look at some of these footer values, because some of them you may be able to know right off the bat: 'We're not going to be able to get this back,'" recommends Jason Baker, threat intelligence consultant for GuidePoint Security. "For others, you may be able to know right off the bat: 'I'm going to have to decrypt this more than once.' Or you may find out that the vast majority of the data itself is not actually fully encrypted, which gives you a great opportunity for recovery even without a decryptor."
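The footer triage described above, as an added example that is not GuidePoint's tool or code from the article: the article gives the footer length (80 bytes), the position of the mode indicator (last 16 bytes) and what Fast mode leaves untouched, but not the byte layout, so the ASCII mode tag used here is an assumed encoding, and an unrecognised footer is treated as a missing one.

```python
"""Pre-decryption triage for Inc-encrypted files, using the footer facts the
article reports. Added example, not GuidePoint's tool: the footer layout is
not published, so the mode tag in the last 16 bytes is an ASSUMED encoding."""
from dataclasses import dataclass
from typing import Optional

FOOTER_LEN = 80       # article: each encrypted file gains an 80-byte footer
MODE_FIELD_LEN = 16   # article: the last 16 bytes record Fast/Medium/Slow
MIB = 1024 * 1024
MODE_TAGS = {b"FAST": "fast", b"MEDIUM": "medium", b"SLOW": "slow"}  # assumed

@dataclass
class Triage:
    verdict: str                         # corrupted | fast | medium | slow
    plaintext_fraction: Optional[float]  # share of payload never encrypted
    action: str

def parse_mode(footer: bytes) -> Optional[str]:
    """Mode from an 80-byte footer; None when no recognised tag is present,
    which the triage treats as 'footer missing'."""
    if len(footer) != FOOTER_LEN:
        return None
    return MODE_TAGS.get(footer[-MODE_FIELD_LEN:].rstrip(b"\x00"))

def fast_plaintext_fraction(payload_len: int) -> float:
    """Fast mode encrypts only the first, middle and last MiB; the rest is
    still plaintext and can be carved with ordinary forensic tools."""
    if payload_len <= 3 * MIB:
        return 0.0
    return (payload_len - 3 * MIB) / payload_len

def triage_inc_file(data: bytes) -> Triage:
    mode = parse_mode(data[-FOOTER_LEN:])
    if mode is None:
        # .inc file without the footer: corrupted beyond what even Inc's own
        # decryptor can restore, per the article.
        return Triage("corrupted", 0.0, "skip decryptor; restore from backup")
    payload_len = len(data) - FOOTER_LEN
    if mode == "fast":
        frac = fast_plaintext_fraction(payload_len)
        return Triage("fast", frac, "carve plaintext regions before decrypting")
    if mode == "slow":
        return Triage("slow", 0.0, "work on a copy, decrypt, verify output")
    return Triage("medium", None, "work on a copy, decrypt, verify output")

def make_sample(payload_len: int, tag: bytes) -> bytes:
    """Constructed sample: zero payload plus a footer in the assumed layout."""
    mode_field = tag.ljust(MODE_FIELD_LEN, b"\x00")
    return b"\x00" * payload_len + b"\xaa" * (FOOTER_LEN - MODE_FIELD_LEN) + mode_field
```

Run it over copies of the affected files, never the originals; a 10 MiB file tagged Fast still holds about 70% of its bytes in plaintext.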
"Formerly it was considered taboo for a ransomware organization to attack and encrypt healthcare organizations. What we've seen a lot in the last year is a gradual erosion of those norms," Baker says.
In the past, groups like LockBit and BlackCat/AlphV would claim they banned affiliates from attacking healthcare organizations, and kicked them out if they did. That's no longer part of the calculus, and Inc is the perfect case in point. Its most commonly targeted industries, says Baker, are precisely those which some ransomware groups previously avoided: healthcare, education, nonprofits.
"The first reason for that is recent disruptions really ticked off a lot of the big players — whether it be Operation Cronos with LockBit, or AlphV taking the bag and running with their exit scam. It really shifted how some people looked at victims," he explains.
"The second reason that I see frequently cited is the Change Healthcare attack from earlier this year," Baker adds. "There's been a lot of speculation about [attackers noticing] how profitable that was."
