{
	"id": "f16b2aa4-1ef4-462a-8ea1-753928e5accc",
	"created_at": "2026-04-06T00:19:58.459403Z",
	"updated_at": "2026-04-10T13:11:34.410016Z",
	"deleted_at": null,
	"sha1_hash": "207400d0525b05ed39205afd3473b26ef6176248",
	"title": "Investigating New INC Ransom Group Activity | Huntress",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1101013,
	"plain_text": "Investigating New INC Ransom Group Activity | Huntress\r\nArchived: 2026-04-05 19:23:05 UTC\r\nThe Huntress team is always keeping our eye on the evolving threat landscape. Now, it seems that a new\r\ncontender, referred to as “INC” has entered the ransomware fight. 🥊\r\nThis new ransomware group began gaining notoriety very recently, with several impacted organizations publicly\r\nidentified through their leak site, as illustrated in the tweets below.\r\nThe Huntress team recently investigated a ransomware attack indicative of the ‘INC’ threat actor. While the file\r\nencryption process brought the attack to the attention of the impacted organization immediately, an investigation\r\ninto what led to the attack indicated that the initial phases of the attack began a week prior to the file encryption\r\nevent, if not sooner. \r\nThree server systems were the primary focus of the Huntress investigation. Huntress did not have complete\r\nvisibility across the entire impacted infrastructure, and a number of systems were taken offline before log data\r\ncould be collected from the endpoint. However, the Huntress team was able to assemble a day-by-day accounting\r\nof the threat actor’s observable activity across the systems to which we had access.\r\nRansomware Attack Breakdown\r\nDay 1 - Initially Observed Access, Enumeration\r\nBased on the investigation, the first indication of activity likely associated with the ransomware threat actor began\r\nwith very short (2-3 seconds) connections to Server 1, in quick succession, albeit with three different source\r\nsystem names (ylqlCXO9VdRiZ5JK, aJLXC9TzxgInkqf4, and UxUZNZXxMeBN2jox). All three connections\r\noriginated from the same IP address and accessed the target system using the same account name.\r\nApproximately four and a half hours later, valid account (compromised) credentials were used to access the same\r\nsystem via Remote Desktop Protocol (RDP). During this brief (~30 min) connection, there was some light\r\nenumeration activity (net group domain admins /domain, nltest.exe).\r\nDay 2\r\nOn the next day, the Huntress team observed a brief RDP login to Server 2, via previously observed credentials.\r\nDay 3 - Collection, Data Staging, Data Exfiltration\r\nhttps://www.huntress.com/blog/investigating-new-inc-ransom-group-activity\r\nPage 1 of 5\n\nOn day three, the Huntress team observed an RDP login to Server 2, via previously observed credentials, during\r\nwhich there are numerous 7-Zip archival commands to collect and stage data for exfiltration.\r\nThe 7-Zip commands all followed the same format:\r\n7.exe  a -mx3 -xr!*.exe -xr!*.mp4 -xr!*.wmv -xr!*.mov -xr!*.avi -xr!*.MXF -xr!*.MTS -xr!*.vhd \u003carchive\r\nname\u003e \u003csource folder\u003e\r\nhttps://www.huntress.com/blog/investigating-new-inc-ransom-group-activity\r\nPage 2 of 5\n\nDuring this time, the Huntress team also observed the threat actor’s use of native tools such as Wordpad.exe,\r\nNotepad.exe, and MSPaint to view the contents of documents and image/JPEG files.\r\nFinally, the threat actor installed MEGASync on Server 2, presumably to facilitate data exfiltration.\r\nDay 4 - Collection, Data Staging, Data Exfiltration\r\nThe threat actor again accessed Server 2 via RDP and continued issuing collection and data staging commands,\r\nidentical to those observed the previous day.\r\nDay 5 \r\nThe Huntress team observed the threat actor accessing Server 3 via RDP, using previously observed credentials.\r\nThis logon session was brief, approximately six minutes, with little activity observed via EDR telemetry.\r\nDay 6\r\nNo activity was observed.\r\nDay 7 - File Encryption\r\nThe seventh day began with the threat actor accessing Server 3 via RDP, installing the Advanced IP Scanner, and\r\nshortly thereafter, moving laterally to Server 2 via RDP.\r\nDuring the logon session to Server 3, the threat actor was observed using Internet Explorer (iexplore.exe) to view\r\nfolders on other systems, as well as using mstsc.exe to (attempt to) move laterally to other systems. The threat\r\nactor also installed PuTTY.\r\nApproximately three hours after the initial logon to Server 3, the threat actor was observed running credential\r\naccess commands on all three servers, all of which were indicative of the use of lsassy.py.\r\nApproximately four hours after the initial logon to Server 3, the Huntress team observed the threat actor issuing a\r\nnumber of copy commands in rapid succession, indicative of a batch file or script, to push what was determined to\r\nbe the file encryption executable to multiple endpoints within the infrastructure. These copy commands were\r\nfollowed in rapid succession by a similar series of wmic.exe commands to launch the file encryption executable\r\non each of those endpoints. All of these commands were of the same format, illustrated by the following:\r\nwmic  /node:\"\u003cnode\u003e\" /user:\"\u003cuser\u003e\" /password:\"!Secure4u123!\" process call create \"cmd.exe /c copy \\\\\r\n\u003cnode\u003e\\c$\\windows\\temp\\\u003credacted\u003e.exe c:\\windows\\temp\\\"\r\nThe Huntress team also observed the use of PSExec to launch the file encryption executable, illustrated as\r\nfollows:\r\npsexec.exe  \\\\\u003cnode\u003e -u \u003cuser\u003e -p \"!Secure4u123!\" -d -h -r winupd -s -accepteula -nobanner\r\nc:\\windows\\temp\\\u003credacted\u003e.exe\r\nhttps://www.huntress.com/blog/investigating-new-inc-ransom-group-activity\r\nPage 3 of 5\n\nNote that in the above command, the PSExec executable was renamed to winupd when launched on the remote\r\nnode. This resulted in a System Event Log record on each endpoint where the command successfully launched the\r\nWindows service that appeared as follows:\r\nService Control Manager/7045;winupd,%SystemRoot%\\winupd.exe,user mode service,demand\r\nstart,LocalSystem\r\nFinally, there were indications on Server 3 that the threat actor had difficulty running the file encryption\r\nexecutable, as there was no indication of encrypted files, nor ransom notes, on that server. The Huntress team\r\nobserved multiple instances of the threat actor running \u003credacted\u003e.exe –debug commands, indicating the threat\r\nactor attempting to troubleshoot the file encryption executable.\r\nConclusion\r\nWhen a successful ransomware attack occurs, it is immediately impactful and disruptive to the impacted\r\norganization. However, there is often considerable activity that leads to deployment of the file encryption\r\nexecutable, such as initial access, credential access and privilege escalation, and enumeration and mapping of the\r\ninfrastructure. Where data theft (staging and exfiltration) occurs, this can very often be seen well prior to the\r\ndeployment of the file encryption executable. \r\nWhile the Huntress team was unable to discern the threat actor’s means of initial access, the investigation clearly\r\ndemonstrated considerable activity, across several key systems, over the course of a week. \r\nIndicators\r\nRansomware Executable File Name: named for the impacted organization\r\nhttps://www.huntress.com/blog/investigating-new-inc-ransom-group-activity\r\nPage 4 of 5\n\nRansomware Executable SHA256 hash: \r\naccd8bc0d0c2675c15c169688b882ded17e78aed0d914793098337afc57c289c\r\nRansomware Executable PDB string: C:\\source\\INC Encryptor\\Release\\INC Encryptor.pdb\r\nRansom Note file name: *.inc-readme.txt, *.inc-readme.html\r\nEncrypted File Extension: *.inc\r\nUse of compromised valid accounts\r\nUse of native tools (net.exe, nltest.exe, Wordpad/Notepad/MSPaint, Internet Explorer, Windows Explorer,\r\nmstsc.exe, msdt.exe)\r\nUse of additional tools (7-Zip, MEGASync, Advanced IP Scanner, Putty, lsassy.py, PSExec)\r\nMITRE ATT\u0026CK\r\nInitial Access - Valid Accounts/T1078.002\r\nExecution - Command and Scripting Interpreter/T1059.001, T1059.003; Windows Management\r\nInstrumentation/T1047\r\nPersistence - Valid Accounts/T1078.002\r\nPrivilege Escalation - Valid Accounts/T1078.002\r\nDefense Evasion - Not Observed\r\nCredential Access - OS Credential Dumping/T1003.001\r\nDiscovery - Domain Trust Discovery/T1482\r\nLateral Movement - Remote Services/T1021.001, T1021.002\r\nCollection - Archive Collected Data/T1560.001\r\nCommand and Control - Not Observed\r\nExfiltration - Exfiltration Over Web Service/T1567.002\r\nImpact - Data Encrypted For Impact/T186\r\nSpecial thanks to Josh Allman (@xorJosh), Matt Anderson (@nosecurething), Harlan Carvey (@keydet89), and\r\nAnthony Smith (@KingCrtz) for their contributions to this blog post and investigation.\r\nWant to dive into more threat actor tradecraft? Register for Tradecraft Tuesday!\r\nSource: https://www.huntress.com/blog/investigating-new-inc-ransom-group-activity\r\nhttps://www.huntress.com/blog/investigating-new-inc-ransom-group-activity\r\nPage 5 of 5",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.huntress.com/blog/investigating-new-inc-ransom-group-activity"
	],
	"report_names": [
		"investigating-new-inc-ransom-group-activity"
	],
	"threat_actors": [
		{
			"id": "de5630ec-93e0-4ef5-9ac3-fe422789e03d",
			"created_at": "2024-11-01T02:00:52.730802Z",
			"updated_at": "2026-04-10T02:00:05.330644Z",
			"deleted_at": null,
			"main_name": "INC Ransom",
			"aliases": [
				"INC Ransom",
				"GOLD IONIC"
			],
			"source_name": "MITRE:INC Ransom",
			"tools": [
				"PsExec",
				"Nltest",
				"Rclone",
				"AdFind",
				"esentutl",
				"INC Ransomware"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434798,
	"ts_updated_at": 1775826694,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/207400d0525b05ed39205afd3473b26ef6176248.pdf",
		"text": "https://archive.orkl.eu/207400d0525b05ed39205afd3473b26ef6176248.txt",
		"img": "https://archive.orkl.eu/207400d0525b05ed39205afd3473b26ef6176248.jpg"
	}
}