Ransomware Attack On The Panamanian Ministry Of Economy
In early September 2025, Panama's Ministry of Economy and Finance (MEF) disclosed that it had suffered a cyberattack. The disclosure came after the INC ransomware group claimed responsibility for breaching the ministry's systems. According to the MEF's official statement, the incident involved only a single workstation that was not critical to the ministry's core functions.
The ministry emphasized that none of its central operational systems had been compromised and continued operating normally. Security teams responded quickly, initiating standard protocols to contain the breach and strengthening protective measures across the organization's digital infrastructure.
Despite these reassurances, the attack raised significant concern. On its leak site, INC ransomware claimed to have exfiltrated more than 1.5 terabytes of sensitive data. The group asserted that the stolen material included financial reports, budgeting details, emails, and other official records. To demonstrate credibility, INC published a set of sample files.
By adding the MEF to its list of victims on September 5, the group underscored its intention to use data leakage as leverage for extortion, regardless of whether encryption successfully disrupted operations, as is typical of ransomware gangs following the double extortion method.
The Panamanian government stressed that personal and institutional data remained protected, but the attackers' claims suggested otherwise. This contradiction illustrated one of the defining features of modern ransomware operations: the use of data theft and public exposure as a second line of coercion. Even if an organization restores its systems from backups and resumes normal functions, the threat of reputational damage and the potential misuse of leaked data linger.
The INC ransomware operation first emerged in mid-2023. From the beginning, it followed a Ransomware-as-a-Service (RaaS) model, where the developers provide the ransomware to affiliates who conduct attacks and share the profits. This approach allowed the group to scale quickly and target victims across multiple industries and regions. Security researchers have tracked the activity of INC and linked it to clusters sometimes referred to as "Water Anito," suggesting an organized structure behind its campaigns.
INC rapidly established a diverse victim profile. Companies in healthcare, manufacturing, public services, education, and professional services have all been targeted. Some of its highest-profile victims include Yamaha Motor, McLaren Health Care, Xerox Business Solutions, Scotland's National Health Service, and the State Bar of Texas. Retail giant Ahold Delhaize was also listed on the group's leak site. In every case, INC applied the same principle: data from organizations that refused to pay the ransom was eventually published.
Over time, the ransomware evolved both in scope and technical complexity. By December 2023, INC had released a Linux variant of its malware, signaling its intent to expand beyond Windows environments. Researchers later observed updated Windows builds that introduced new command-line features and improved defenses against detection.
Reports also suggested that another ransomware outfit, known as Lynx, may have purchased INC's source code through a group identified as Water Lalawag. While not definitively confirmed, this highlighted how ransomware ecosystems recycle and share code, increasing the risk of copycat operations.
The group's activity peaked in December 2023, according to telemetry gathered by Trend Micro, but remained steady throughout 2024. More than 325 attempted attacks were recorded between October 2023 and August 2024. The United States topped the list of targeted countries, but organizations in Malaysia, the Philippines, Switzerland, Australia, and Ireland were prominently featured.
Healthcare was the most frequently attacked sector, though nonprofit organizations, manufacturers, educational institutions, and community service groups were also impacted. This wide net reflected the opportunistic nature of INC's affiliates, who pursued victims with varying levels of resilience.
Technical Analysis of INC Ransomware
INC ransomware distinguishes itself through a sophisticated infection chain and various tools that help it gain access, spread laterally, exfiltrate data, and encrypt files. Initial access is often achieved through spear-phishing emails, which trick users into opening malicious attachments or links. Another frequent entry point is the exploitation of unpatched software vulnerabilities.
In November 2023, researchers observed INC exploiting CVE-2023-3519, a critical flaw in Citrix NetScaler ADC and Gateway devices. The use of such vulnerabilities demonstrates that INC affiliates actively monitor security advisories to weaponize known weaknesses. In other cases, the attackers purchase valid credentials from brokers to establish a foothold in their target networks.
Once inside, INC prioritizes evasion of defensive systems. The attackers employ tools like ProcessHacker and ProcTerminator to disable or kill processes, particularly those linked to antivirus and endpoint protection solutions. They also use special command-line parameters such as "safe-mode" to reboot systems in a reduced environment where security defenses are less effective.
In addition to disabling protections, INC is adept at harvesting credentials. Scripts like HackTool.PS1.VeeamCreds allow them to extract usernames and passwords from backup and replication software, undermining an organization's recovery capability.
Lateral movement is achieved through both legitimate and malicious utilities. Tools such as PsExec, AnyDesk, and TightVNC enable the attackers to spread across the network while blending in with normal administrative activity. Network discovery software such as NetScan and Advanced IP Scanner maps potential targets within the compromised environment. Credential-dumping tools like Mimikatz further expand their control. These activities show how INC blends offensive tools with ordinary administrative utilities to remain less conspicuous.
Data exfiltration is a core part of INC's extortion model. The group frequently compresses stolen files into archives using 7-Zip before transferring them off-site. Cloud storage services like MegaSync have been abused to move data beyond the victim's control. This step ensures that even if encryption fails, the attackers still hold valuable information to pressure victims into payment.
Regarding encryption, INC employs the Advanced Encryption Standard (AES) and offers three encryption modes that trade speed against coverage. In "fast" mode, it encrypts files in fixed chunks of one million bytes while skipping over large sections to accelerate the process. "Medium" mode applies the same chunk size but skips smaller sections, balancing speed and thoroughness. "Slow" mode is the most destructive, encrypting files in full without omission. This flexibility allows affiliates to adjust the impact depending on their objectives and the time available before detection.
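Because the fast and medium modes leave unencrypted gaps between one-million-byte chunks, an incident responder can often salvage part of a file. The following Python script, added here as an illustration and not taken from the article or from any INC sample analysis, maps which fixed-size chunks of a file carry ciphertext-like entropy and estimates the intact share. The chunk size, the entropy threshold and the sample file are assumptions constructed for the example.

```python
import math
import os

CHUNK = 1_000_000          # chunk size the article attributes to INC's fast/medium modes
HIGH_ENTROPY = 7.5         # bits per byte; AES output is close to 8.0, text and office data far lower

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte of a byte string (0.0 for empty input)."""
    n = len(data)
    if n == 0:
        return 0.0
    ent = 0.0
    for b in range(256):
        c = data.count(b)      # bytes.count accepts an int in Python 3
        if c:
            p = c / n
            ent -= p * math.log2(p)
    return ent

def map_chunks(data: bytes, chunk: int = CHUNK, threshold: float = HIGH_ENTROPY):
    """Split data into fixed chunks (the last one may be short) and flag those that look
    encrypted. Returns a list of (offset, length, looks_encrypted)."""
    regions = []
    for off in range(0, len(data), chunk):
        blk = data[off:off + chunk]
        regions.append((off, len(blk), shannon_entropy(blk) >= threshold))
    return regions

def intact_fraction(regions) -> float:
    """Share of bytes not flagged as encrypted: a rough estimate of what recovery may salvage.
    Caveat: already-compressed formats (zip, jpeg, pdf streams) are high-entropy by nature and
    can be flagged even when untouched, so cross-check with a file-type parser before relying on it."""
    total = sum(length for _, length, _ in regions)
    intact = sum(length for _, length, enc in regions if not enc)
    return intact / total if total else 1.0

def build_sample(chunk: int = CHUNK) -> bytes:
    """Constructed sample: five chunks of repetitive budget-style text, with chunks 0 and 3
    overwritten by random bytes to emulate a file hit in a mode that skips sections."""
    text = (b"account;cost-centre;amount\n" * (chunk // 27 + 1))[:chunk]
    chunks = [text] * 5
    chunks[0] = os.urandom(chunk)
    chunks[3] = os.urandom(chunk)
    return b"".join(chunks)

if __name__ == "__main__":
    regions = map_chunks(build_sample())
    for off, length, enc in regions:
        print(f"offset {off:>9}: {length:>8} bytes  {'ENCRYPTED?' if enc else 'intact'}")
    print(f"estimated intact fraction: {intact_fraction(regions):.2f}")
```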
The ransomware is careful not to cripple the system completely. Certain file types, such as .exe, .dll, .msi, and .inc, are excluded from encryption, and critical directories like Windows and Program Files are bypassed. By avoiding essential system files, the ransomware ensures that the operating system remains functional enough for victims to read ransom notes and potentially negotiate. To further weaken recovery options, INC deletes shadow copies from infected machines, preventing the use of Windows' built-in restore functions.
Ransom notes titled "INC-README" appear in multiple formats across the network and are sometimes sent to all available printers. This tactic guarantees maximum visibility within the victim organization, creating urgency and internal pressure to respond.
The breach of Panama's Ministry of Economy may not have paralyzed government operations, but it demonstrated the power of ransomware groups to inflict damage without relying solely on encryption.
By exfiltrating and threatening to publish vast amounts of sensitive data, INC ransomware reminded the cybersecurity community that resilience requires more than restoring systems from backup. It requires a comprehensive approach that addresses vulnerabilities, monitors for malicious behavior, and anticipates the human and reputational consequences of a data breach.
Karolis Liucveikis
Experienced software engineer, passionate about behavioral analysis of malicious apps
Author and general operator of PCrisk's News and Removal Guides section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has over 8 years of experience in this field. He attended Kaunas University of Technology and graduated with a degree in Software Development in 2017. Extremely passionate about the technical aspects and behavior of various malicious applications.
PCrisk security portal is brought by a company RCS LT.
Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.