Introduction
INC Ransom is a ransomware and data extortion threat group associated with the deployment of INC Ransomware that has been active since at least July 2023. INC Ransom has targeted organizations worldwide, most commonly in the industrial, healthcare, and education sectors in the US and Europe. [6][4][3][5]
Activities and Tactics
Information pending cataloguing.
Notable Campaigns
- Community-reported ransomware incident: November 2025, TBD, Canada (source: CR-019-INCRANSOM-NOV-2025.md)
- Community-reported ransomware incident: January 2026, Construction, Canada (source: CR-020-INCRANSOM-JAN-2026.md)
Tactics, Techniques, and Procedures (TTPs)
- T1486 Data Encrypted for Impact
- T1021.001 Remote Desktop Protocol
- T1657 Financial Theft
- T1047 Windows Management Instrumentation
- T1566 Phishing
- T1059.003 Windows Command Shell
- T1537 Transfer Data to Cloud Account
- T1087.002 Domain Account
- T1074 Data Staged
- T1071 Application Layer Protocol
- T1046 Network Service Discovery
- T1569.002 Service Execution
- T1219 Remote Access Tools
- T1685 Disable or Modify Tools
- T1588.002 Tool
- T1036.005 Match Legitimate Resource Name or Location
- T1570 Lateral Tool Transfer
- T1069.002 Domain Groups
- T1135 Network Share Discovery
- T1190 Exploit Public-Facing Application
- T1070.004 File Deletion
- T1078 Valid Accounts
- T1105 Ingress Tool Transfer
- T1560.001 Archive via Utility
- T1049 System Network Connections Discovery
Ransomware Vulnerability Matrix observations
| Category | Vendor | Product | CVEs |
|---|---|---|---|
| Virtualization | Citrix | NetScaler ADC & Gateway | CVE-2023-4966 |
Notable Indicators of Compromise (IOCs)
No curated IOCs are currently published for this actor. This section will be updated when stable, attributable indicators are available.
Malware and Tools
- INC Virus:
- IncRansom:
MITRE ATT&CK Software
- Tor (S0183) — tool
- PsExec (S0029) — tool
- Nltest (S0359) — tool
- Rclone (S1040) — tool
- AdFind (S0552) — tool
- Net (S0039) — tool
- esentutl (S0404) — tool
- INC Ransomware (S1139) — malware
Ransomware Tool Matrix observations
| Category | Observed tools |
|---|---|
| Credential Theft | Mimikatz |
| Discovery | AdFind, Advanced IP Scanner, SoftPerfect Network Scanner |
| Exfiltration | 7-Zip, BackBlaze, MEGA, Rclone, Restic, WinRAR, s5cmd |
| LOLBAS | Finger, PsExec |
| Networking | Bitvise SSH Client |
| RMM Tools | AnyDesk |
Attribution and Evidence
Information pending cataloguing.
References
[1] mitre-attack
[3] Secureworks GOLD IONIC April 2024: Counter Threat Unit Research Team. (2024, April 15). GOLD IONIC DEPLOYS INC RANSOMWARE. Retrieved June 5, 2024.
[4] Cybereason INC Ransomware November 2023: Cybereason Security Research Team. (2023, November 20). Threat Alert: INC Ransomware. Retrieved June 5, 2024.
[5] SentinelOne INC Ransomware: SentinelOne. (n.d.). What Is Inc. Ransomware?. Retrieved June 5, 2024.
[6] Bleeping Computer INC Ransomware March 2024: Toulas, B. (2024, March 27). INC Ransom threatens to leak 3TB of NHS Scotland stolen data. Retrieved June 5, 2024.