Date of Incident: September 2025
Overview:
In September 2025, the Panama Ministry of Economy and Finance fell victim to an INC ransomware attack initiated via a spear-phishing email. The breach affected one workstation, leading to the theft of approximately 1.5 TB of data, including emails and financial documents. Key operational systems remained unaffected. The attack exploited phishing techniques and data exfiltration over a command and control channel. The attackers used obfuscated PowerShell scripts for payload delivery and persistence. Indicators of Compromise (IOCs) include specific C2 domains, IP addresses, file hashes, and registry modifications.
Impact:
Possible compromise of one workstation, with 1.5 TB of data stolen, including emails, financial documents and budgeting details. Core systems vital to operations were not impacted.
Details:
The INC ransomware attack gained initial access through a spear-phishing email to a single workstation (MITRE ATT&CK T1566, Phishing) and exfiltrated approximately 1.5 TB of data, including emails, financial documents and budgeting details, over a command-and-control channel (T1041, Exfiltration Over C2 Channel). Obfuscated PowerShell scripts were used for payload delivery and persistence (T1059, Command and Scripting Interpreter). IOCs include the C2 domain inc-ransom[.]com, IP addresses 185.214.132.35 and 208.67.220.220, and file hashes 3c7a36f84a5d6a193a6dc93a2d5f43
Remediation:
Apply vendor patches for the Windows OS as per Microsoft Security Advisory ADV2025-09-INC. Implement multi-factor authentication and enhanced email filtering to mitigate phishing. Isolate impacted endpoints and perform a full forensic analysis. Temporary mitigation includes blocking the C2 domains and IPs at the perimeter firewall. Regular backups with offline storage were crucial for recovery.
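As an added example (not from the original summary or FireCompass), the script below runs the network indicators quoted in the Details section, plus a generic encoded-PowerShell pattern, over constructed DNS, firewall and process-creation log lines, the kind of sweep an analyst would do before blocking the C2 domain and IPs at the perimeter. The log formats, the hostname WS-017 and the base64 blob are assumptions; the truncated file hash on the page is deliberately not used.

```python
import re
from typing import Dict, List, Tuple

# Indicators as quoted in the Details section; the domain is stored defanged and
# refanged once for matching. Example code added to this summary, not FireCompass's.
C2_DOMAINS = {"inc-ransom[.]com".replace("[.]", ".")}
C2_IPS = {"185.214.132.35", "208.67.220.220"}

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Encoded PowerShell launch: -e/-ec/-enc/-EncodedCommand followed by a base64 blob.
# Assumption: the page only says "obfuscated PowerShell", so this is a generic pattern.
ENCODED_PS = re.compile(
    r"powershell(?:\.exe)?\b[^\r\n]*?\s-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{8,})",
    re.IGNORECASE,
)

def scan_line(line: str) -> List[Tuple[str, str]]:
    """Return (indicator_type, value) pairs found in one log line."""
    hits: List[Tuple[str, str]] = []
    # Accept defanged text too, so pasted analyst notes are matched as well as raw logs.
    low = line.lower().replace("[.]", ".")
    for dom in sorted(C2_DOMAINS):
        if re.search(r"(?<![\w-])" + re.escape(dom) + r"(?![\w-])", low):
            hits.append(("c2_domain", dom))
    for ip in IPV4.findall(line):
        if ip in C2_IPS:
            hits.append(("c2_ip", ip))
    m = ENCODED_PS.search(line)
    if m:
        hits.append(("encoded_powershell", m.group(1)))
    return hits

def scan_logs(lines: List[str]) -> Dict[int, List[Tuple[str, str]]]:
    """Map line index -> hits for every line that matched at least one indicator."""
    return {i: h for i, line in enumerate(lines) if (h := scan_line(line))}

# Constructed sample telemetry (DNS, firewall, process creation); not real logs.
SAMPLE_LOGS = [
    "2025-09-12T10:01:22Z dns host=WS-017 qname=cdn.inc-ransom.com qtype=A",
    "2025-09-12T10:01:25Z fw action=allow src=10.20.5.17 dst=185.214.132.35 dport=443 bytes_out=7340032",
    "2025-09-12T10:02:10Z fw action=allow src=10.20.5.17 dst=93.184.216.34 dport=443 bytes_out=2048",
    '2025-09-12T09:58:03Z proc host=WS-017 image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe '
    'cmdline="powershell.exe -nop -w hidden -enc QQBBAEEAQQBBAEEA"',
]

if __name__ == "__main__":
    for idx, hits in scan_logs(SAMPLE_LOGS).items():
        print(idx, hits)
```

The benign line (index 2) produces no hit, and the large bytes_out on the flagged firewall line is the kind of volume signal that would accompany a 1.5 TB exfiltration.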
Takeaway for CISO:
The breach underlines the risk that phishing-delivered, targeted ransomware poses to critical government economic data. The strategic takeaway for CISOs is to reinforce endpoint detection, isolation protocols and user awareness programs, alongside layered email security. Segmentation and strict access controls on high-value data are essential to minimize impact.
Outpace Attackers With AI-Based Automated Penetration Testing With FireCompass:
FireCompass is a single platform for AI-Powered Continuous Automated Red Teaming (CART), Pen Testing & NextGen Attack Surface Management