incransom
Ransomware group profile
472Victims
RussiaSource country
110Impact score
Also Known As
GOLD IONIC
Description
INC Ransom is a sophisticated ransomware group active since July 2023, known for their double extortion tactics that involve not only encrypting data but also threatening to leak sensitive information. They target a variety of high-profile sectors, including healthcare and education, leveraging advanced techniques to infiltrate systems and maximize impact.
Key insights
- •Employs double extortion tactics to maximize leverage on victims.
- •Targets critical infrastructure sectors, including healthcare and public administration.
- •Utilizes advanced techniques like spear-phishing and RDP exploitation for initial access.
- •Custom ransomware employs AES-128 encryption with multi-threading to hinder recovery.
- •Effective in evading detection through legitimate process usage and security feature manipulation.
- •Cryptocurrency is the primary payment method for ransom demands.
Threat Level & Status Breakdown
For incransom · Based on incidents in selected period
4.3threat level
Aggressiveness10/ 10
Lethality0.3/ 10
Criticality2.2/ 10
Status Breakdown
Data Leaked4.4%21
Negotiating0.4%2
Claimed95.1%449
First seenJun 2025
Last seenJun 2026
Avg ransom—
Payment rate—
Statusactive
Sophistication0
Last updatedJun 3, 2026
Recent activity
Monthly attack count for incransom in the selected period
472Total attacks
49peak in Jan
36.3avg / month
↓ 38 vs first month
Intelligence
IOCs, YARA/Sigma rules, and related families for incransom
- a53a9ca8a074c7108f8412c3f8c1fc5d
- 77962a384d251f0aa8e3008a88f206d6cb1f7401c759c4614e3bfe865e3e985c
- 9db958bc5b4a21340ceeeb8c36873aa6bd02a460e688de56ccbba945384b1926
- 3928c5874249cc71b2d88e5c0c00989ac394238747bb7638897fc210531b4aab
- 7007cf53bcd0083baba202d8ac2d9070
- 25b9fdef3061c7dfea744830774ca0e289dba7c14be85f0d4695d382763b409b
- 01aa278b07b58dc46c84bd0b1b5c8e9ee4e62ea0bf7a695862444af32e87f1fd
- fcefe50ed02c8d315272a94f860451bfd3d86fa6ffac215e69dfa26a7a5deced
- a98dcdee82f6066a4cf2f9d7d161a1bacec8f81d
- 9218e2c37c339527736cdc9d9aad88de728931a3
- c41ab33986921c812c51e7a86bd3fd0691f5bba925fae612f1b717afaa2fe0ef
- d1038be644a0da3ba05922fa27db4167a6e17451
- 1e074d9dca6ef0edd24afb2d13ca4429def5fc5486cd4170c989ef60efd0bbb0
- 75612233d32768186d0557dd39abbbd3284a2a29
- 5fda381a9884f7be2d57b8a290f389578a9d2f63e2ecb98bd773248a7eb99fa2
- 0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5
- 6cd349eda0fa6c8b274a0920852c68f8b727afea1fdbc69ad183cef05d9cf141
- f484f919ba6e36ff33e4fb391b8859a94d89c172a465964f99d6113b55ced429
- e502b8d617a2cd9bfa41762282a0ff81
- 3403b92056d7645acfb7236824cc58b15e4d5395
- 2833c82055bf2d29c65cd9cf6684449a
- fd452da0d978514adaeee1dd5227212aad00bf07f2481d335eed77a4ee08a5e8
- 7a96d9f7a25a67ec2873bb814cb0ba104d3b7c1651f65ff09d8e1f76cba6fb79
TTPs & Attack Vectors
Tools, initial access, and MITRE ATT&CK techniques for incransom
CVE-2025-5777
CVE-2025-53770
CVE-2025-49706
CVE-2025-49704
CVE-2024-57727
CVE-2023-4966
CVE-2023-3519
CVE-2019-18935
Other
T1486
T1486
T1490
T1490
T1078
T1078
T1021
T1021
T1562
T1562
T1555
T1555
T1059
T1059
T1071
T1071
T1068
T1068
T1210
T1210
T1021.001
T1021.001
Victims(200)
| Company | Domain | Country | Industry | Status | Discovered | |
|---|---|---|---|---|---|---|
| trrac.net | trrac.net | US United States | Transportation | Claimed | 1 day ago | |
| Champaign-Urbana Public Health District | — | US United States | Government & Defense | Claimed | 2 days ago | |
| Bradley law firm | — | US United States | Professional Services | Claimed | 2 days ago | |
| www.labexpress.com | labexpress.com | US United States | Professional Services | Claimed | 5 days ago | |
| lawants | — | US United States | Professional Services | Claimed | 7 days ago | |
| belimed.com | belimed.com | US United States | Healthcare | Claimed | 6 days ago | |
| Distrigaz Vest S.A. | — | RO Romania | Energy & Utilities | Claimed | 7 days ago | |
| Open Door Health Center | — | US United States | Healthcare | Claimed | 9 days ago | |
| Meirc training and consulting | — | AE United Arab Emirates | Education | Claimed | 10 days ago | |
| PILLER AIMMCO | — | US United States | Manufacturing | Claimed | 9 days ago | |
| Mecanizados y Montajes Aeronáuticos | mymgroup.es | ES Spain | Manufacturing | Claimed | 13 days ago | |
| threadinnovations | — | CA Canada | Technology | Claimed | 12 days ago | |
| Nothing | — | TW Taiwan | Technology | Claimed | 15 days ago | |
| bergen1.net | bergen1.net | US United States | — | Claimed | 17 days ago | |
| metaval.com.au | metaval.com.au | AU Australia | Manufacturing | Claimed | 17 days ago | |
| lafj.org | lafj.org | US United States | Government & Defense | Claimed | 27 days ago | |
| defenseisready.com | defenseisready.com | US United States | Technology | Claimed | 19 days ago | |
| United Quality Cooperative / www.uqcoop.com | — | US United States | Other | Claimed | 20 days ago | |
| Silergy Corp | — | US United States | Technology | Data Leaked | 21 days ago | |
| rbh aerospace inc | — | US United States | Manufacturing | Data Leaked | 23 days ago |
Page 1 of 10
Affected countries(68)
Countries where this group has been reported to target or leak victims.
🇦🇪United Arab Emirates🇦🇷Argentina🇦🇹Austria🇦🇺Australia🇧🇪Belgium🇧🇯Benin🇧🇷Brazil🇨🇦CanadaCongo, the Democratic Republic of the🇨🇭SwitzerlandCôte d'Ivoire🇨🇱Chile🇨🇳China🇨🇴Colombia🇨🇾Cyprus🇨🇿Czech Republic🇩🇪Germany🇩🇿Algeria🇪🇸Spain🇫🇷France🇬🇧United Kingdom🇬🇪Georgia🇬🇷Greece🇭🇰Hong Kong🇭🇹Haiti🇭🇺Hungary🇮🇩Indonesia🇮🇪Ireland🇮🇱Israel🇮🇳India🇮🇹Italy🇯🇲Jamaica🇯🇵Japan🇰🇭CambodiaKorea, Republic of🇲🇹Malta🇲🇽Mexico🇲🇾Malaysia🇳🇦Namibia🇳🇬Nigeria🇳🇱Netherlands🇳🇿New Zealand🇵🇦Panama🇵🇪Peru🇵🇭Philippines🇵🇰Pakistan🇵🇹Portugal🇵🇾Paraguay🇶🇦Qatar🇷🇴RomaniaRussian Federation🇸🇦Saudi Arabia🇸🇨Seychelles🇸🇪Sweden🇸🇬Singapore🇸🇰Slovakia🇸🇱Sierra Leone🇸🇳Senegal🇹🇭Thailand🇹🇳Tunisia🇹🇴Tonga🇹🇷TurkeyTaiwan, Province of China🇺🇸United StatesVenezuela, Bolivarian Republic of🇻🇳Vietnam🇿🇦South Africa🇿🇲Zambia