The Maine Office of the Attorney General reported that Xerox Corporation experienced a data breach on December 10, 2023, due to an external system breach (hacking), affecting 181 individuals in total, including 1 resident. The breached information included personal details such as Social Security numbers, and the company is providing 24 months of identity and credit monitoring services through Experian.

INC Ransomware Gang’s Security Failure Exposes Stolen Data from 12 U.S. Organizations In a significant operational security lapse, researchers at Cyber Centaurs, a digital forensics and incident response firm, uncovered data exfiltrated by the INC ransomware gang from 12 U.S. organizations across healthcare, manufacturing, technology, and service sectors. The discovery stemmed from an investigation into a ransomware attack on a U.S. client in November 2023, where the RainINC variant was deployed via the PerfLogs directory a Windows-created folder increasingly abused by threat actors for staging. During the forensic analysis, researchers identified remnants of the legitimate backup tool Restic, which the INC gang had used in previous attacks but not in the current incident. This led to a shift in focus toward the gang’s infrastructure, where hardcoded credentials, PowerShell scripts (including a Base64-encoded ‘new.ps1’ file), and backup commands revealed a pattern of long-term data retention. The gang had reused Restic-based storage repositories across multiple campaigns, leaving encrypted victim data accessible even after ransom negotiations concluded. Cyber Centaurs developed a non-destructive enumeration process to validate their hypothesis, confirming the presence of stolen data from unrelated organizations none of which were their clients. After decrypting the backups, the team preserved copies and coordinated with law enforcement to verify ownership and ensure proper handling. The investigation also exposed the gang’s broader toolkit, which included cleanup utilities, remote access software, and network scanners. To aid defenders, Cyber Centaurs released YARA and Sigma rules to detect Restic or its renamed variants in suspicious locations, potentially flagging early-stage ransomware activity. INC ransomware, a ransomware-as-a-service (RaaS) operation active since mid-2023, has targeted high-profile victims, including Yamaha Motor, Xerox Business Solutions, Scotland’s NHS, McLaren Health Care, and the Texas State Bar. This breach highlights the risks of reused attacker infrastructure and the potential for recovering stolen data even after an attack concludes.