Ransomware Intelligence

incransom Ransomware Group

Ransomware group profile

452Victims
RussiaSource country
121Impact score
Also Known As
GOLD IONIC

Description

INC Ransom is a sophisticated ransomware group active since July 2023, known for their double extortion tactics that involve not only encrypting data but also threatening to leak sensitive information. They target a variety of high-profile sectors, including healthcare and education, leveraging advanced techniques to infiltrate systems and maximize impact.

Key insights

  • Employs double extortion tactics to maximize leverage on victims.
  • Targets critical infrastructure sectors, including healthcare and public administration.
  • Utilizes advanced techniques like spear-phishing and RDP exploitation for initial access.
  • Custom ransomware employs AES-128 encryption with multi-threading to hinder recovery.
  • Effective in evading detection through legitimate process usage and security feature manipulation.
  • Cryptocurrency is the primary payment method for ransom demands.

Threat Level & Status Breakdown

For incransom · Based on incidents in selected period

3.3threat level
Aggressiveness7/ 10
Lethality0.2/ 10
Criticality2.5/ 10

Status Breakdown

Data Leaked4.9%22
Negotiating0.4%2
Claimed94.7%428
First seenJul 2025
Last seenJul 2026
Avg ransom
Payment rate
Statusactive
Sophistication0
Last updatedJul 15, 2026

Recent activity

Monthly attack count for incransom in the selected period

452Total attacks
49peak in Jan
34.8avg / month
↓ 8 vs first month
JulAugSepOctNovDecJanFebMarAprMayJunJul015304560

Intelligence

IOCs, YARA/Sigma rules, and related families for incransom

  1. a53a9ca8a074c7108f8412c3f8c1fc5d
  2. 77962a384d251f0aa8e3008a88f206d6cb1f7401c759c4614e3bfe865e3e985c
  3. 9db958bc5b4a21340ceeeb8c36873aa6bd02a460e688de56ccbba945384b1926
  4. 7f37351979c249417cb180b4ede0ed17e5fe2a1f08add4d72606b589f8fdb245
  5. 3928c5874249cc71b2d88e5c0c00989ac394238747bb7638897fc210531b4aab
  6. 7007cf53bcd0083baba202d8ac2d9070
  7. 25b9fdef3061c7dfea744830774ca0e289dba7c14be85f0d4695d382763b409b
  8. 01aa278b07b58dc46c84bd0b1b5c8e9ee4e62ea0bf7a695862444af32e87f1fd
  9. fcefe50ed02c8d315272a94f860451bfd3d86fa6ffac215e69dfa26a7a5deced
  10. a98dcdee82f6066a4cf2f9d7d161a1bacec8f81d
  11. 9218e2c37c339527736cdc9d9aad88de728931a3
  12. d1038be644a0da3ba05922fa27db4167a6e17451
  13. f6f11ad2cd2b0cf95ed42324876bee1d83e01775
  14. 1e074d9dca6ef0edd24afb2d13ca4429def5fc5486cd4170c989ef60efd0bbb0
  15. 60aeb9f7bccf377ff02ed64783e66a62c0f976878d9729b067bc7e5b0b9da9d6
  16. 5cc212f84d2bf3fbab165aaf09b16e00fcf2f1ccd880d24b14404c53dcdbf241
  17. 21e13f2cb269defeae5e1d09887d47bb
  18. a2b1c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2
  19. 75612233d32768186d0557dd39abbbd3284a2a29
  20. 2d8e4f38b36c334d0a32a7324832501d
  21. 0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5
  22. 6cd349eda0fa6c8b274a0920852c68f8b727afea1fdbc69ad183cef05d9cf141
  23. f484f919ba6e36ff33e4fb391b8859a94d89c172a465964f99d6113b55ced429
  24. e502b8d617a2cd9bfa41762282a0ff81
  25. 3403b92056d7645acfb7236824cc58b15e4d5395
  26. 2833c82055bf2d29c65cd9cf6684449a
  27. 543991ca8d1c65113dff039b85ae3f9a87f503daec30f46929fd454bc57e5a91
  28. fd452da0d978514adaeee1dd5227212aad00bf07f2481d335eed77a4ee08a5e8
  29. 7a96d9f7a25a67ec2873bb814cb0ba104d3b7c1651f65ff09d8e1f76cba6fb79
View full IOC feed54 total

TTPs & Attack Vectors

Tools, initial access, and MITRE ATT&CK techniques for incransom

CVE-2025-5777
CVE-2025-53770
CVE-2025-49706
CVE-2025-49704
CVE-2024-57727
CVE-2024-23109
CVE-2024-23108
CVE-2024-21762
CVE-2023-50358
CVE-2023-4966
CVE-2023-48788
CVE-2023-3519
CVE-2023-33308
CVE-2023-27997
CVE-2022-42475
CVE-2022-40684
CVE-2022-31699
CVE-2022-27596
CVE-2022-27593
CVE-2022-26923
CVE-2021-42287
CVE-2021-42278
CVE-2021-39238
CVE-2021-36942
CVE-2021-34527
CVE-2021-28799
CVE-2021-22005
CVE-2021-21985
CVE-2021-21974
CVE-2021-1675
CVE-2020-1472
CVE-2019-7195
CVE-2019-7194
CVE-2019-7193
CVE-2019-7192
CVE-2019-5591
CVE-2019-18935
CVE-2018-13379
CVE-2017-0143
CVE-2014-9222
CVE-2013-4784
Other

T1486

T1486

T1490

T1490

T1078

T1078

T1021

T1021

T1562

T1562

T1555

T1555

T1059

T1059

T1071

T1071

T1068

T1068

T1210

T1210

T1021.001

T1021.001

Victims(200)

CompanyDomainCountryIndustryStatusDiscovered
Golden Glasko & Associatesmiamiprobate-gg.comUS United StatesProfessional Services
Claimed
about 17 hours ago
VantagePoint Management & Autoclearvpcp.comUS United StatesFinancial Services
Claimed
about 18 hours ago
samberger24.desamberger24.deDE GermanyProfessional Services
Claimed
8 days ago
tecnocurva.com.brtecnocurva.com.brBR BrazilTechnology
Claimed
8 days ago
Aesthetic Surgical Imagessurgicalimages.comUS United StatesHealthcare
Claimed
8 days ago
oakparkmi.govoakparkmi.govUS United StatesGovernment & Defense
Claimed
12 days ago
Colorado Rehabilitation and Occupational Medicinecoloradorehabilitation.comUS United StatesHealthcare
Claimed
13 days ago
tambasa.comtambasa.comBR BrazilRetail & E-Commerce
Claimed
13 days ago
acworth-ga.govacworth-ga.govUS United StatesGovernment & Defense
Claimed
13 days ago
carvalima.com.brcarvalima.com.brBR BrazilProfessional Services
Claimed
13 days ago
ezortea.com.brezortea.com.brBR BrazilRetail & E-Commerce
Claimed
13 days ago
tricountyhs.orgtricountyhs.orgUS United StatesEducation
Claimed
13 days ago
hamilton-eye.comhamilton-eye.comUS United StatesHealthcare
Claimed
13 days ago
https://www.roundshield.com/roundshield.comGB United KingdomProfessional Services
Claimed
14 days ago
https://sza.it/sza.itIT ItalyOther
Claimed
15 days ago
GDN AR(Dorinka)gdnargentina.comAR Argentina
Claimed
16 days ago
johndufourlaw.comjohndufourlaw.comUS United StatesProfessional Services
Claimed
19 days ago
callhorton.comcallhorton.comUS United StatesProfessional Services
Claimed
19 days ago
theswansonlawgroup.comtheswansonlawgroup.comUS United StatesProfessional Services
Claimed
19 days ago
Life Bridgeslifebridgesonline.comUS United StatesHealthcare
Claimed
20 days ago

Page 1 of 10