Introduction: The Synergy of Human Intelligence and Machine Scale
One of the core philosophies we implement at Guardz is the deep integration of security and intelligence teams with our proprietary AI capabilities. This synergy enables us to parse massive amounts of data and extract high-fidelity insights at a speed that neither humans nor standalone bots can match.
In the MSP world, “AI” is often dismissed as a buzzword for a noisy alert engine. We are doing it differently.
The Logic: Human Intuition at Machine Scale
We treat AI as a force multiplier rather than a black box. While the machine handles the heavy lifting, such as data crunching, high-frequency pattern recognition, and initial mitigation, the human factor is what steers the ship. Our security researchers provide the battle scars, context, and intuition necessary for success. They define the hunt by instructing the AI exactly where to dig and what constitutes a genuine threat versus background noise.
Why This Matters for Your Customers
When defending a client’s critical assets, the goal is not to gather more data but to provide better answers. By merging human expertise with machine speed, we deliver:
- Filtered Intelligence: We cut through the noise so that you only see what is critical.
- Faster Response: We bridge the tactical gap between realizing something is happening and knowing exactly how to fix it.
- Contextual Defense: We do not just find anomalies; we understand the intent behind them.
This approach was put to the ultimate test during a recent security incident when SentinelOne blocked a new and aggressive variant of INC Ransomware. This incident serves as a reminder that cybersecurity is a team sport where response time, communication, and coordination between MDR, Security Research, and Account Management make the difference between a minor alert and a catastrophic outage.
Note: Some telemetry data and screenshots in this report were captured from different consoles at varying times in both UTC and IST. They have been synchronized for this timeline.
The Breakdown
On the morning of February 19, 2026, a threat actor detonated INC Ransomware across a customer’s entire network. Within mere minutes, nearly every Windows endpoint in the organization was subjected to active encryption.
Under normal circumstances, an attack of this speed and scale would be a catastrophic, business-ending event. However, the crisis was averted not because a human operator intervened in time, but because the security infrastructure was designed to outpace the adversary.
SentinelOne’s endpoint agent, operating autonomously and without any human direction, detected, terminated, quarantined, remediated, and rolled back every single threat across the environment. The final statistics of the encounter illustrate the magnitude of the attempted breach:
- 1,161 individual threat detections, including 1,157 ransomware instances and 4 reconnaissance tool detections.
- Every encrypted file was restored to its original state.
- Every malicious process was terminated before it could complete its objective.
- Every malicious binary was quarantined, preventing further execution.
- The investigation confirmed that a local active account had been compromised and was the actor’s primary vehicle for the assault.
Threat Actor Profile: INC Ransom
INC Ransom is a sophisticated ransomware operation that first emerged in July 2023. The group employs a double-extortion model, which involves encrypting an organization’s mission-critical data while simultaneously exfiltrating sensitive information. This data is then used as leverage on their dedicated leak site, where they publish the files of victims who refuse to meet their financial demands.
The group has historically targeted a diverse range of sectors, with a particular focus on healthcare, education, government, and Managed Service Providers (MSPs). Their technical approach is characterized by high-level precision, favoring hands-on keyboard tactics over automated scripts.
They are known for utilizing legitimate IT administration tools for reconnaissance and deploying their payloads from staged internal infrastructure to bypass perimeter defenses.
Behavioral Signatures Observed
The following signatures were identified during the forensic analysis of the intrusion, providing a blueprint of the group’s operational methodology.
| Feature | Detail |
| --- | --- |
| Ransom Note | INC-README.txt and INC-README.html |
| Encrypted Extension | .INC |
| Encryption Pattern | Content modification → temporary rename → .INC final rename |
| Note Placement | Root drive, Public Desktop, user Desktops, and every traversed directory |
| Operational Style | Hands-on keyboard, interactive sessions, and legitimate reconnaissance tooling |
| Staging Approach | Utilization of dual internal staging servers and two distinct ransomware binaries |
| Reconnaissance | Advanced Port Scanner (T1046) |
| Lateral Movement | Interactive NTLM sessions originating from internal staging IPs |
The Attack Timeline: Detection at Every Stage
What makes this incident remarkable is the absolute visibility maintained throughout the intrusion. The defense detected and responded to every phase of the kill chain; the threat actor was never truly invisible. From the initial port scan to the final ransomware execution, every action was identified, flagged, and neutralized in real time.
The threat actor operated from unmanaged internal infrastructure, specifically two staging clients that lacked the SentinelOne agent. However, their period of invisibility ended the moment they reached out to a managed endpoint.
When the actor attempted to use a workstation’s Chrome browser to download a port-scanning tool for network mapping, the system intervened immediately. The reconnaissance tool was terminated in just 59 milliseconds, denying the attacker the scan results needed to proceed. When they attempted to push the ransomware payload from those same unmanaged servers 68 minutes later, every managed endpoint acted autonomously to block and roll back the assault.
Detection: Reconnaissance Attempt Blocked (Feb 19, Morning)
The initial phase of the attack involved a reconnaissance attempt performed under a specific hijacked account. The actor navigated to a browser, downloaded a fresh copy of Advanced Port Scanner, and attempted to execute the binary to map the environment’s topology.
The security platform captured the entire sequence, identifying the following artifacts:
| Artifact | Details |
| --- | --- |
| Primary File | Advanced_Port_Scanner_2.5.3869.exe |
| Source Origin | AppData\Local\Google\Chrome\User (Chrome Cache) |
| SHA256 Hash | d0c1662ce239e4d288048c0e3324ec52962f6ddda77da0cb7af9c1d9c2f1e2eb |
Rapid Response Analytics
| Time | Artifact | Action |
| --- | --- | --- |
| 05:34:48.049 | Port scanner download | Detected → Killed (59ms) → Quarantined |
| 05:35:38.755 | Chrome cache copy (f_000021) | Detected → Killed → Quarantined |
| 05:35:40.552 | Second execution instance | Detected → Killed → Quarantined |
Within 20 seconds of these events, the SentinelOne Cloud synchronized the telemetry across the environment and upgraded the confidence level from “Suspicious” to “Malicious.” An MDR Analyst immediately reviewed the alerts and classified all three detections as True Positive. By processing the download, the Chrome cache artifact, and the subsequent execution attempts, the analyst confirmed the activity was a legitimate threat.
The Key Takeaway: The actor attempted reconnaissance twice using two different accounts and was blocked on both occasions. The agent prevented any scanning data from being collected, forcing the threat actor to operate in the dark.

Note: The threat actor had interactive access to a managed endpoint and attempted to download a reconnaissance tool via Chrome. SentinelOne killed it in 59ms. When the threat actor later pivoted to an unmanaged staging client to push ransomware across 36 endpoints, every agent autonomously blocked and rolled back the attack.
Wave 2: The Mass-Deployment Assault
After the failed test run in Wave 1, the threat actor escalated to a high-velocity, mass-deployment variant of the ransomware. Using a secondary staging server (172.x.x.x), the actor attempted to compromise 36 endpoints simultaneously over just 12.1 seconds.
Wave 2 Binary Profile
| Attribute | Value |
| --- | --- |
| SHA256 | 97f473737b2b625c0f68987ab867e40d7e47cf829e25ddc9d6ddd451d01e538c |
| SHA1 | da16d191d881558119fca0041bccdf7e817ff733 |
| MD5 | 13329ce84aafe761ff1d9dcd0c373c18 |
| Source IP | 172.x.x.x (Secondary Staging client) |
Inside the Alert: The Sub-Second Neutralization
The moment the Wave 2 binary reached its target endpoints, the clock started ticking, but not in the attacker’s favor. On a typical workstation, the ransomware appeared as an unsigned binary delivered through an interactive session under a compromised support account.
SentinelOne’s behavioral engine fired six separate detection rules against the process in less than half a second:
- Rule 1: Identified ransomware artifacts being created by an unsigned process.
- Rules 2 & 3: Flagged rapid file rename-and-encrypt operations.
- Rules 4 & 5: Corroborated this behavior through secondary analytical lenses.
- Rule 6: Identified the delivery mechanism itself as a Pass the Hash attempt (MITRE T1550.002).
The autonomous response sequence (Kill, Quarantine, Remediate, and Rollback) fired identically across all 36 targeted workstations. By the time a SOC analyst opened the console 56 minutes later, the threat had been fully neutralized, with no data loss.
Deep Dive: The Encryption Engine Defeated
We analyzed 1,538 file events on the patient-zero endpoint to fully characterize INC Ransomware’s encryption behavior.
Aggregate Statistics
| Metric | Value |
| --- | --- |
| Total unique file hashes (SHA1) | 451 |
| Fully encrypted files (.INC) | 416 |
| Files caught mid-encryption | 33 |
| Files successfully rolled back | All 416 (100%) |
How SentinelOne Stopped It
The agent’s sub-100ms kill time meant ransomware processes were terminated between individual file operations. This resulted in 33 files being caught in a “partially modified” state, where the encryption had begun but the final rename to .INC was blocked by the process termination.
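As an added illustration of the encryption pattern from the signature table and the “partially modified” state described above (example code, not Guardz’s or SentinelOne’s; the event format and the .tmp suffix are assumptions), the following Python script walks constructed file-event telemetry, attributes each rename chain back to its original file, separates fully encrypted files from files caught mid-encryption, and produces a per-process breakdown like the one in this report:

```python
from collections import defaultdict
from datetime import datetime
FINAL_EXT = ".INC"
# Constructed sample telemetry, assumed format "<ts> <pid> <op> <path> [<newpath>]" (no spaces in paths):
# PID 53 completes modify -> temp rename -> .INC rename on two files and is killed mid-way on a third.
SAMPLE_EVENTS = r"""
2026-02-19T06:43:27.340 53 MODIFY C:\Users\a\Docs\q1.xlsx
2026-02-19T06:43:27.345 53 RENAME C:\Users\a\Docs\q1.xlsx C:\Users\a\Docs\q1.xlsx.tmp
2026-02-19T06:43:27.350 53 RENAME C:\Users\a\Docs\q1.xlsx.tmp C:\Users\a\Docs\q1.xlsx.INC
2026-02-19T06:43:27.355 53 MODIFY C:\Users\a\Docs\plan.docx
2026-02-19T06:43:27.360 53 RENAME C:\Users\a\Docs\plan.docx C:\Users\a\Docs\plan.docx.tmp
2026-02-19T06:43:27.365 53 RENAME C:\Users\a\Docs\plan.docx.tmp C:\Users\a\Docs\plan.docx.INC
2026-02-19T06:43:27.370 53 MODIFY C:\Users\a\Docs\notes.txt
"""

def parse_events(text):
    """Return a list of (ts, pid, op, src, dst) tuples; dst is None for non-rename events."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        dst = parts[4] if len(parts) > 4 else None
        events.append((datetime.fromisoformat(parts[0]), int(parts[1]), parts[2], parts[3], dst))
    return events

def classify_files(events):
    """Map each original path to 'encrypted' (final .INC rename seen) or 'partial' (modified, never renamed to .INC)."""
    alias, state = {}, {}   # alias: current path -> original path, so a rename chain is attributed to one file
    for _, _, op, src, dst in events:
        origin = alias.get(src, src)
        if op == "MODIFY":
            state.setdefault(origin, "partial")
        elif op == "RENAME" and dst:
            alias.pop(src, None)
            alias[dst] = origin
            if dst.endswith(FINAL_EXT):
                state[origin] = "encrypted"
    return state

def process_stats(events):
    """Per-PID rename/modification counts and encryption rate (.INC final renames per second)."""
    per = defaultdict(lambda: {"renames": 0, "modifications": 0, "encrypted": 0, "first": None, "last": None})
    for ts, pid, op, _, dst in events:
        p = per[pid]
        p["first"], p["last"] = p["first"] or ts, ts
        if op == "RENAME":
            p["renames"] += 1
            p["encrypted"] += int(bool(dst) and dst.endswith(FINAL_EXT))
        elif op == "MODIFY":
            p["modifications"] += 1
    for p in per.values():
        span = max((p["last"] - p["first"]).total_seconds(), 0.001)   # guard against a single-event process
        p["files_per_sec"] = round(p["encrypted"] / span, 1)
    return dict(per)
```

On the sample, two files end in the encrypted state, notes.txt is left partial because the process died before its rename, and PID 53 shows 4 renames and 3 modifications.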
Behavioral Differences Between Waves
| Characteristic | Wave 1 | Wave 2 |
| --- | --- | --- |
| Encryption Speed | 45–89 files/sec | 15–29 files/sec |
| Ransom Note Timing | Encrypts first, drops notes after | Drops notes BEFORE encryption |
| Unique Files Targeted | 270 | 179 |
| File Overlap | Zero | Zero |
The zero file overlap and different note-dropping strategies suggest that Wave 1 served as a proof-of-concept, while Wave 2 was the refined, mass-deployment variant. Both failed to bypass the autonomous defense.
Wave 1 Binary Profile

| Attribute | Value |
| --- | --- |
| SHA256 | 97f473737b2b625c0f68987ab867e40d7e47cf829e25ddc9d6ddd451d01e538c |
| SHA1 | da16d191d881558119fca0041bccdf7e817ff733 |
| MD5 | 13329ce84aafe761ff1d9dcd0c373c18 |
| Classification | Ransomware (Static) |
| Source IP | Internal Staging client |
| Target | Patient Zero Endpoint |
This first wave targeted only the patient-zero endpoint and was a test run: the threat actor wanted to validate that the binary would execute, observe the EDR response, and gauge the environment’s defenses before going wide.
SentinelOne Autonomous Response: The 40ms Kill Time
The moment the encryption engine attempted to execute, the SentinelOne AI engine intervened. The response was so rapid that it neutralized the attack before it could gain a significant foothold in the system. By the time the ransomware attempted its first major batch of file operations, the process was already being terminated.
| Time | Event |
| --- | --- |
| 06:43:27.317 | Ransomware binary arrives on the endpoint |
| 06:43:27.333 | Threat detected by Behavioral AI (16ms) |
| 06:43:27.373 | Process killed and neutralized (40ms) |
| 06:43:27.416 | Malicious file moved to quarantine |
| 06:43:27.449 | Threat remediation sequence initiated |
| 06:43:31.427 | Automatic rollback completed (4 seconds total) |

Encryption Analysis and Automated Recovery
Despite the sub-second termination, the ransomware used a high-speed encryption engine that modified files in parallel. The attacker’s strategy was to maximize damage in the shortest possible window. However, SentinelOne’s behavioral monitoring meticulously logged every single attempt, providing a clear map for the recovery process.
Activity Breakdown by Process:
| Process | File Events | Duration | Breakdown |
| --- | --- | --- | --- |
| PID 53 | 325 | ~1 second | 178 renames + 147 modifications |
| PID 57 | 643 | ~4 seconds | 360 renames + 283 modifications |
| Total | 968 | ~5 seconds | 538 renames + 430 modifications |
The Rollback Advantage
Because the AI intercepted the ransomware while it was still active, it prevented the ransomware from encrypting the entire drive. For the 430 modifications that occurred, the system used SentinelOne Rollback.
This feature uses protected Volume Shadow Copies to restore files to their original, healthy state. Instead of relying on slow backups or paying a ransom, the system automatically reverted every impacted file within seconds. The result was a complete return to the pre-attack state with zero data loss and no manual intervention required from the IT staff.
Wave 2 Mass Deployment: 36 Endpoints Protected (Feb 19, Morning)
Twenty-nine minutes after the initial failure of the “test run,” the threat actor significantly escalated the assault. Shifting tactics, they deployed a different INC Ransomware binary from a secondary internal staging server. This time, the objective was not a single machine, but a coordinated, “scorched earth” strike targeting every endpoint in the environment simultaneously.
The threat actor initiated a pre-staged, automated mass deployment, pushing the malicious binary to 36 endpoints in just 12.1 seconds via lateral movement. This high-velocity execution was designed to overwhelm standard security responses and encrypt the entire network before any manual intervention could occur.
Wave 2 Binary Profile
The binary used in this mass-deployment wave differed from that in the first wave, suggesting a refined strategy aimed at broader impact.
| Attribute | Value |
| --- | --- |
| SHA256 | 97f473737b2b625c0f68987ab867e40d7e47cf829e25ddc9d6ddd451d01e538c |
| SHA1 | da16d191d881558119fca0041bccdf7e817ff733 |
| MD5 | 13329ce84aafe761ff1d9dcd0c373c18 |
| Classification | Ransomware (Static) |
| Source IP | 172.x.x.x (Secondary Staging Client) |
| Primary Target | All Network Endpoints (36 total) |
Full Containment: MDR Response and Isolation (Feb 19, Morning)
Once SentinelOne’s autonomous engine had neutralized the immediate threat across the network, the MDR team moved into the next critical phase: active containment and forensic investigation. While the AI successfully stopped the encryption, the human analysts stepped in to ensure the threat actor was completely evicted and that no persistence mechanisms remained.
At 07:39 UTC, the lead MDR analyst initiated formal incident response protocols to secure the environment.
MDR Action Log
| Time (UTC) | Action | Actor | Strategic Purpose |
| --- | --- | --- | --- |
| 07:39:19 | Rollback Command | MDR Analyst | Verified and reinforced the auto-rollback on patient zero to ensure data integrity. |
| 07:39:53 | Rollback Verification | MDR Analyst | Performed a manual audit to ensure 100% of encrypted files were restored. |
| 07:47:37 | Network Isolation | MDR Team | Severed the patient-zero workstation from the network to block any further lateral movement. |
| 07:47:50 | Isolation Confirmed | SentinelOne Agent | Confirmed the endpoint was fully isolated from all local and external traffic. |
| 08:04:31 | Containment Audit | MDR Analyst | Conducted a secondary audit to confirm isolation status remained active and untampered. |
| 08:04:50 | Isolation Re-verify | SentinelOne Agent | Validated network disconnection via the console’s persistent management link. |
Strategic MDR Objectives
The MDR team’s intervention focused on three critical pillars of defense to move from “threat blocked” to “threat eliminated”:
- Rollback Validation: While the agent is highly reliable, human analysts performed a granular check to confirm that SentinelOne’s automated recovery had successfully restored every single encrypted file to its original state.
- Network Isolation: This is a critical tactical maneuver. By severing the patient-zero endpoint’s connectivity, the team blocked the attacker’s “hands-on-keyboard” access and prevented any Command & Control (C2) communication. Crucially, SentinelOne’s isolation maintains a secure bridge to the management console, allowing analysts to investigate the machine without allowing it to communicate with the rest of the network.
- Containment Redundancy: To eliminate the possibility of human error or automated bypass, multiple analysts performed staggered verifications. This ensured the isolation remained firm as the team transitioned to deep-dive forensic analysis.
Appendix: Indicators of Compromise (IOCs)
To ensure your environment is protected against this specific threat actor and the INC Ransomware variant, we recommend adding the following indicators to your organization’s blocklist and monitoring systems.
Malicious Hashes (SHA256)
| Type | Hash |
| --- | --- |
| Ransomware (Wave 1) | 2cc40ba8aebc0e41becff1b953f27fc5e27ff24b0d0e2204a141f3367fa4c6bd |
| Ransomware (Wave 2) | 97f473737b2b625c0f68987ab867e40d7e47cf829e25ddc9d6ddd451d01e538c |
| Recon Tool (Scanner) | d0c1662ce239e4d288048c0e3324ec52962f6ddda77da0cb7af9c1d9c2f1e2eb |
| Ransom Note (SHA1) | 2dab203963f4c37f1e9bcd5b75dd69de998be4f3 |
Files and Paths
- Encrypted Extension: .INC
- Ransom Notes: INC-README.txt, INC-README.html
- Common Locations:
  - C:\INC-README.txt
  - C:\Users\Public\Desktop\INC-README.txt
  - C:\Users\[Username]\Desktop\INC-README.html
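To turn the indicators above into a check, here is an added Python sweep (not Guardz’s tooling) that hashes every file under a directory against the report’s SHA256 list and flags ransom notes and .INC files. The demo() tree is constructed; its harmless “staged.exe” has its own hash added to the blocklist only so the hash path is exercised.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Indicators taken from the report's appendix.
RANSOM_NOTES = {"INC-README.txt", "INC-README.html"}
ENCRYPTED_EXT = ".INC"
IOC_SHA256 = {
    "2cc40ba8aebc0e41becff1b953f27fc5e27ff24b0d0e2204a141f3367fa4c6bd",  # ransomware (Wave 1)
    "97f473737b2b625c0f68987ab867e40d7e47cf829e25ddc9d6ddd451d01e538c",  # ransomware (Wave 2)
    "d0c1662ce239e4d288048c0e3324ec52962f6ddda77da0cb7af9c1d9c2f1e2eb",  # recon tool (scanner)
}

def sha256_of(path, chunk=1 << 20):
    """Stream the file so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def sweep(root, hashes=IOC_SHA256):
    """Return (kind, path) findings: IOC hash matches, ransom notes, and files carrying the .INC extension."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = Path(dirpath, name)
            if name in RANSOM_NOTES:
                findings.append(("ransom_note", str(p)))
            if p.suffix.upper() == ENCRYPTED_EXT:   # case-insensitive, as Windows file names are
                findings.append(("encrypted_file", str(p)))
            try:
                if sha256_of(p) in hashes:
                    findings.append(("ioc_hash", str(p)))
            except OSError:   # unreadable or vanished file: skip it rather than abort the sweep
                continue
    return findings

def demo():
    """Constructed lab tree: a note in the Public Desktop path from the report, one .INC file, a benign
    file, and a harmless 'staged.exe' whose hash is added to the blocklist purely for this demonstration."""
    root = tempfile.mkdtemp()
    desktop = Path(root, "Users", "Public", "Desktop")
    desktop.mkdir(parents=True)
    Path(desktop, "INC-README.txt").write_text("constructed ransom note")
    Path(desktop, "report.xlsx.INC").write_bytes(b"\x00constructed ciphertext")
    Path(desktop, "clean.txt").write_text("benign file")
    staged = Path(root, "Users", "Public", "staged.exe")
    staged.write_bytes(b"constructed sample, not malware")
    return sorted(kind for kind, _ in sweep(root, IOC_SHA256 | {sha256_of(staged)}))
```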
MITRE ATT&CK Techniques Observed
- T1550.002: Use Alternate Authentication Material: Pass the Hash
- T1046: Network Service Scanning
- T1486: Data Encrypted for Impact
- T1485: Data Destruction
- T1491.001: Defacement: Internal Defacement