In this analysis I would like to report some IOCs of INCransom, together with the relevant overlaps already seen in LYNX.
CMS for data leak site: AXIOS (React, JavaScript framework)
Backend URLs: storage1.incrans.com, backend.incrans.com
API endpoints:
/api/v1/blog/get/news
/api/v1/blog/download/
/api/v1/blog/get/announcements
/api/v1/blog/get/disclosures/
/api/v1/blog/get/folder/
/api/v1/blog/get/file/
/api/v1/blog/get/announcement/${e}
/api/v1/blog/get/captcha
/api/v1/blog/create/report
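As an added example (not part of the original post), the following Python routine turns the domains and API paths listed above into a small detection: it scans proxy-style log lines and flags URLs that hit the known backend hosts, and, at lower confidence, URLs that hit the same API layout on an unlisted host, which is the kind of infrastructure reuse this post is about. The log format, the sample log lines and the example.com host are constructed for the example; `${e}` in the announcement path is treated as one variable path segment.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Domains and API paths quoted in the post. "${e}" in the announcement path is
# a JavaScript template placeholder left in the front-end bundle, i.e. one
# variable path segment.
IOC_DOMAINS = {"storage1.incrans.com", "backend.incrans.com"}
IOC_PATHS = [
    "/api/v1/blog/get/news",
    "/api/v1/blog/download/",
    "/api/v1/blog/get/announcements",
    "/api/v1/blog/get/disclosures/",
    "/api/v1/blog/get/folder/",
    "/api/v1/blog/get/file/",
    "/api/v1/blog/get/announcement/${e}",
    "/api/v1/blog/get/captcha",
    "/api/v1/blog/create/report",
]


def path_to_regex(ioc_path: str) -> "re.Pattern[str]":
    """Turn one quoted API path into an anchored regex.

    "${e}" becomes a single path segment; a trailing "/" means the entry is a
    prefix under which sub-resources live. A query string or fragment may follow.
    """
    pattern = re.escape(ioc_path).replace(re.escape("${e}"), r"[^/?#]+")
    if ioc_path.endswith("/"):
        pattern += r"[^?#]*"
    return re.compile("^" + pattern + r"(?:[?#].*)?$")


PATH_PATTERNS = [(p, path_to_regex(p)) for p in IOC_PATHS]


def match_url(url: str) -> Optional[Dict[str, object]]:
    """Return a hit record if the URL touches a known domain or API path.

    A domain match is 'high' confidence. A path-only match is 'medium': the same
    backend layout showing up on a new host is the reuse the post describes,
    so it is worth a look but is not proof on its own.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    target = parts.path + ("?" + parts.query if parts.query else "")
    path_hit = next((p for p, rx in PATH_PATTERNS if rx.match(target)), None)
    domain_hit = host in IOC_DOMAINS
    if not (domain_hit or path_hit):
        return None
    return {
        "host": host,
        "domain_ioc": domain_hit,
        "path_ioc": path_hit,
        "confidence": "high" if domain_hit else "medium",
    }


def scan_proxy_log(lines: List[str]) -> List[Dict[str, object]]:
    """Scan whitespace-separated proxy lines: <ts> <src_ip> <method> <url> <status>."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed or truncated line, skip it
        hit = match_url(fields[3])
        if hit:
            hit.update({"timestamp": fields[0], "src": fields[1]})
            hits.append(hit)
    return hits


# Constructed sample lines (not real traffic); example.com stands in for a
# hypothetical host that serves the same backend layout.
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z 10.0.0.5 GET https://backend.incrans.com/api/v1/blog/get/announcement/42 200",
    "2024-05-01T10:00:02Z 10.0.0.5 GET https://storage1.incrans.com/api/v1/blog/download/report.zip 200",
    "2024-05-01T10:00:03Z 10.0.0.7 GET https://example.com/api/v1/blog/get/news?page=2 200",
    "2024-05-01T10:00:04Z 10.0.0.9 GET https://www.example.org/index.html 200",
]

if __name__ == "__main__":
    for h in scan_proxy_log(SAMPLE_LOG):
        print(h["confidence"], h["timestamp"], h["src"], h["host"], h["path_ioc"])
```

Generic paths such as /api/v1/blog/get/news will also exist on unrelated sites, which is why a path-only match is reported at medium confidence and should be reviewed together with the host and the rest of the session rather than alerted on by itself.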
WHOIS details from domains:
Admin Name: Julio Dzheim
Admin Organization: Private Person
Admin Street: 466 E 35th ST
Admin City: Paterson
Admin State/Province: indiana
Admin Postal Code: 07504
Admin Country: US
Admin Phone: +1.9739289242
Admin Phone Ext:
Admin Fax: +1.9739289242
Admin Fax Ext:
Admin Email: gansbronz@gmail.com
Yes, these are the same as the LYNX backend URLs.
I did a reverse WHOIS lookup on this email address and found several domains registered to this person. From several of the domain names it is easy to identify the criminal (phishing?) purpose.
A complete list here: https://justpaste.it/7yho1
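As an added example (not part of the original post), the following Python code shows the registrant pivot the lookup above relies on: it parses WHOIS output in the "Field: Value" form quoted above, normalises the fields that are useful for linking (email case, phone punctuation, street spacing) and reports which of them two records share. The first record is the one quoted in the post; the second is a constructed placeholder standing in for another domain's WHOIS output, not a real LYNX or other record. Boilerplate fields such as "Private Person" and "US" are deliberately left out of the pivot set so that shared filler does not count as a link.

```python
import re
from typing import Dict

# Record quoted in the post.
INC_WHOIS = """\
Admin Name: Julio Dzheim
Admin Organization: Private Person
Admin Street: 466 E 35th ST
Admin City: Paterson
Admin State/Province: indiana
Admin Postal Code: 07504
Admin Country: US
Admin Phone: +1.9739289242
Admin Phone Ext:
Admin Fax: +1.9739289242
Admin Fax Ext:
Admin Email: gansbronz@gmail.com
"""

# Constructed placeholder for a second domain's WHOIS output (not a real record).
OTHER_WHOIS = """\
Admin Name: J. Dzheim
Admin Organization: Private Person
Admin Street: 466 E 35th St
Admin City: Paterson
Admin State/Province: NJ
Admin Postal Code: 07504
Admin Country: US
Admin Phone: +1.973.928.9242
Admin Phone Ext:
Admin Email: GansBronz@gmail.com
"""

# Fields worth pivoting on. Organisation and country are excluded on purpose:
# "Private Person" / "US" are shared by far too many unrelated registrations.
PIVOT_FIELDS = ("Admin Email", "Admin Phone", "Admin Fax", "Admin Street", "Admin Name")
STRONG_FIELDS = ("Admin Email", "Admin Phone")


def parse_whois(text: str) -> Dict[str, str]:
    """Parse 'Field: Value' lines into a dict, dropping empty values (e.g. 'Admin Phone Ext:')."""
    record: Dict[str, str] = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if value:
            record[key] = value
    return record


def normalise(field: str, value: str) -> str:
    """Canonical form per field so that cosmetic differences do not hide a match."""
    v = value.strip().lower()
    if field in ("Admin Phone", "Admin Fax"):
        return re.sub(r"\D", "", v)          # digits only: "+1.973.928.9242" -> "19739289242"
    if field == "Admin Street":
        return re.sub(r"\s+", " ", v)        # collapse whitespace, case already folded
    return v


def shared_pivots(a: Dict[str, str], b: Dict[str, str]) -> Dict[str, str]:
    """Return the pivot fields whose normalised values agree between two records."""
    shared: Dict[str, str] = {}
    for field in PIVOT_FIELDS:
        if field in a and field in b and normalise(field, a[field]) == normalise(field, b[field]):
            shared[field] = a[field]
    return shared


def is_strong_link(shared: Dict[str, str]) -> bool:
    """Email or phone in common is treated as a strong registrant link; name or street alone is not."""
    return any(f in shared for f in STRONG_FIELDS)


if __name__ == "__main__":
    inc, other = parse_whois(INC_WHOIS), parse_whois(OTHER_WHOIS)
    shared = shared_pivots(inc, other)
    print("shared pivots:", shared)
    print("strong link:", is_strong_link(shared))
```

The same normalisation is what a reverse WHOIS service applies before indexing, which is why a lookup on the email address returns domains whose records differ in capitalisation or phone formatting; a name-only or street-only overlap is kept as a weak signal because both are easy to reuse or mistype.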