INC Ransomware Blunder Allows Stolen Data Recovery

As an in-house Security Specialist at Cyber Centaurs, Rupert Marais brings a wealth of experience in cybersecurity strategy and network defense to the forefront of the fight against digital extortion. In a recent investigation that began as a routine incident response, his team’s sharp forensic work turned a single ransomware attack into a massive data recovery operation, exposing a critical flaw in the infrastructure of the notorious INC ransomware group. Marais’s work highlights a fascinating shift in cyber investigations, moving beyond the immediate incident to dismantle the very tools attackers rely on. We explore the meticulous process of uncovering this operational security failure, the techniques used to track and recover data from multiple victims, and what this success means for the future of combating ransomware-as-a-service operations.

The initial investigation pivoted after discovering artifacts from the backup tool Restic, which wasn’t even used in the attack being investigated. Could you walk us through the forensic process that led to this shift and the specific clues that pointed toward a larger infrastructure failure?

It was a fascinating turn of events. We were called in to investigate a pretty standard encryption event on a client’s production SQL server. The payload was a RainINC variant, staged in the PerfLogs directory, which is a common but telling TTP. But as we dug into the digital forensics, we found artifacts from the backup tool Restic. The strange part was that the threat actor hadn’t actually used Restic for data exfiltration in this specific attack; that had happened earlier during lateral movement. That discrepancy was the hook. It felt like finding a wrench from a different car model at a crime scene. It immediately made us question if this tool was part of a broader, standardized toolkit, prompting us to shift our entire focus from just this one incident to a deeper analysis of the attacker’s operational infrastructure.

A PowerShell script containing hardcoded access keys and repository paths was a critical breakthrough. How common is it for ransomware groups to reuse exfiltration infrastructure across campaigns, and what steps did your team take to safely enumerate those repositories without alerting the attackers?

Finding that ‘new.ps1’ script was the linchpin. It’s surprisingly common for threat actors, even sophisticated ones, to reuse infrastructure. They value efficiency just like anyone else, and building new exfiltration and storage setups for every single victim is time-consuming and costly. They bank on their victims never discovering these backend systems. Once we found the script with its Base64-encoded commands and hardcoded access keys, passwords, and repository paths, we theorized that these storage repositories were likely long-lived assets. To test this without tipping our hand, we developed a carefully controlled, non-destructive enumeration process. We treated it like a delicate surveillance operation, using the credentials to gently peek into the repositories and list their contents without modifying or downloading anything that would trigger an alert. It confirmed our hunch: the repositories were still active and held encrypted data from many other victims.

Attackers staged malware in the PerfLogs directory and used renamed binaries to disguise their tools. What does this “living-off-the-land” approach reveal about their methods, and how can defenders create effective detection rules to spot these types of camouflaged activities before encryption begins?

This approach tells us that these operators are focused on stealth and evasion. By placing their payloads in a legitimate-looking Windows directory like PerfLogs and renaming their tools to something innocuous like ‘winupdate.exe’, they are trying to blend in with the normal noise of an IT environment. It’s a classic “living-off-the-land” tactic designed to bypass simple antivirus signatures that are looking for known malicious file names or hashes. To counter this, defenders must move beyond just looking for “bad files.” We need behavioral detection. We created specific YARA and Sigma rules that don’t just flag Restic, but flag it when it’s renamed or executed from a suspicious location like PerfLogs. It’s about context—a backup tool running at 3 a.m. from a temp folder, initiated by a script, is a massive red flag that you can build a rule to catch.
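The contextual detection Marais describes, as an added example that is not code from the interview or from Cyber Centaurs: it identifies Restic by the PE version-info name that survives renaming, then flags it only when staged in a suspicious directory or renamed, adding script-host parent and off-hours context. The Sysmon-style records and the paths in them are constructed for illustration.

```python
"""Behavioural detection for a renamed Restic binary launched from PerfLogs."""
from datetime import datetime

# Constructed sample events (Sysmon Event ID 1 style fields, hypothetical values).
EVENTS = [
    {"UtcTime": "2024-03-10 03:12:44", "Image": r"C:\PerfLogs\winupdate.exe",
     "OriginalFileName": "restic.exe", "CommandLine": "winupdate.exe backup C:\\Data",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"UtcTime": "2024-03-10 14:05:01", "Image": r"C:\Program Files\Restic\restic.exe",
     "OriginalFileName": "restic.exe", "CommandLine": "restic.exe backup D:\\Shares",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"UtcTime": "2024-03-10 09:30:00", "Image": r"C:\Windows\System32\notepad.exe",
     "OriginalFileName": "NOTEPAD.EXE", "CommandLine": "notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

SUSPICIOUS_DIRS = ("\\perflogs\\", "\\temp\\", "\\tmp\\", "\\users\\public\\")
SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe")


def score_event(ev):
    """Return the matched indicators for one process-creation event ([] = no alert)."""
    # OriginalFileName comes from the PE version resource, so it survives a rename.
    if ev.get("OriginalFileName", "").lower() != "restic.exe":
        return []
    image = ev["Image"].lower()
    basename = image.rsplit("\\", 1)[-1]
    reasons = []
    if basename != "restic.exe":
        reasons.append(f"renamed binary ({basename})")
    if any(d in image for d in SUSPICIOUS_DIRS):
        reasons.append("staged in suspicious directory")
    if not reasons:
        return []  # a normally installed, normally named backup tool is not a finding
    # Context indicators raise confidence once the primary indicators have fired.
    parent = ev["ParentImage"].lower().rsplit("\\", 1)[-1]
    if parent in SCRIPT_HOSTS:
        reasons.append(f"launched by script host ({parent})")
    hour = datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S").hour
    if hour < 6 or hour >= 22:
        reasons.append(f"off-hours execution ({hour:02d}:00 UTC)")
    return reasons


def detect(events):
    """Map each alerting event's image path to the indicators it matched."""
    return {ev["Image"]: r for ev in events if (r := score_event(ev))}


if __name__ == "__main__":
    for image, reasons in detect(EVENTS).items():
        print(f"ALERT {image}: " + "; ".join(reasons))
```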

After confirming the presence of data from a dozen unrelated organizations, you began the recovery process. Can you elaborate on the technical challenges of decrypting the backups and the logistical complexities of coordinating with law enforcement to return data to so many different victims?

Confirming the data was just the first step; recovery was a whole different challenge. On the technical side, we had the S3 passwords from the script, which allowed us to decrypt the Restic backups. We had to carefully process and preserve pristine copies of everything to maintain a clear chain of custody. The logistical side was even more complex. We had data belonging to 12 organizations across healthcare, manufacturing, and other sectors, none of whom were our clients. We couldn’t just call them up. We immediately contacted law enforcement to act as a trusted intermediary. They helped us validate ownership and guided the notification process, ensuring everything was handled properly and legally. It became a coordinated effort involving multiple parties to untangle this mess and get the stolen data back to its rightful owners.

What is your forecast for ransomware-as-a-service (RaaS) operations?

I believe the RaaS model will continue to splinter and specialize. We’re seeing a shift away from monolithic groups to a more gig-economy style of cybercrime, where different affiliates specialize in initial access, lateral movement, or negotiation. However, as this case with INC ransomware shows, this model can also create vulnerabilities. When affiliates reuse tools and infrastructure provided by the RaaS operator, a single operational security mistake—like leaving a script with hardcoded keys—can unravel operations tied to multiple, otherwise unrelated attacks. As defenders, our opportunity lies in exploiting these systemic weaknesses. A win against one affiliate’s tools can become a win against the entire platform, making infrastructure analysis more critical than ever.
