{
	"id": "594c6db8-6ba3-4914-884b-ab1089ef4c94",
	"created_at": "2026-04-06T00:18:05.520742Z",
	"updated_at": "2026-04-10T13:11:37.317164Z",
	"deleted_at": null,
	"sha1_hash": "2ed1bf32b7a8da58e10f7a6462d0f1c293b3fc1c",
	"title": "Inc. Ransom",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3845329,
	"plain_text": "Inc. Ransom\r\nArchived: 2026-04-05 19:43:22 UTC\r\nInc. Ransomware Ransomware: In-Depth Analysis, Detection, and Mitigation\r\nWhat Is Inc. Ransomware?\r\nInc. ransomware is a ransomware extortion operation that emerged in July of 2023. Operators of Inc. ransomware\r\nposition themselves as a service to their victims. Victims can then pay the ransom to ‘save their reputation’ though\r\nthe threat actors indicate their intention to reveal their methods, making the victim’s environment ‘more secure’ as\r\na result. Inc. ransomware is a multi-extortion operation, stealing victim data and threatening to leak said data\r\nonline should the victim fail to comply with their demands.\r\nWhat Does Inc. Ransomware Target?\r\nInc. ransomware operators target multiple industries with little to no discrimination. This includes attacks on\r\nhealthcare, education, and government entities. As of this writing, there are seven victims listed on the Inc.\r\nransomware TOR-based blog; two of which are in the healthcare industry. Targets in the technology industry are\r\nlisted as well.\r\nHow Does Inc. Ransomware Work?\r\nInitial access can vary. Observed methods include spear-phishing email as well as targeting of vulnerable services.\r\nThis includes the exploitation of CVE-2023-3519 in Citrix NetScaler. Once the threat actor has gained initial\r\naccess, a variety of COTS (Commercial off the Shelf) or LOLBINs are utilized to continue internal\r\nreconnaissance and lateral movement. Tools associated with Inc. ransomware operations include:\r\nNETSCAN.EXE – Multi-protocol network scanner and profiler\r\nMEGAsyncSetup64.EXE – Desktop application for MEGA file sharing/synchronization/cloud services\r\nESENTUTL.EXE – Microsoft utility for database management and recovery\r\nAnyDesk.exe – Remote management/Remote Desktop\r\nInc. ransomware payloads support multiple command-line arguments.\r\nCommands supported by Inc. ransomware include:\r\nArgument Function\r\n–file Target a file directly for encryption (path)\r\n–dir Target a directory for encryption (path)\r\n–sup Stop using process\r\nhttps://www.sentinelone.com/anthology/inc-ransom/\r\nPage 1 of 10\n\n–ens Encrypt network shares\r\n–lhd\r\nLocal hidden drives (encrypt hidden boot and recovery volumes)\r\nNote: When used, this will result in a non-bootable device.\r\n–debug Output console-style debug logging\r\nIf the threat actor omits the use of command-line arguments, the payload will simply attempt to encrypt the local\r\ndevice including all available volumes and files.\r\nInc. ransomware ransom notes are written to each folder containing encrypted items. Copies of the ransom notes\r\nare written in both .TXT and .HTML format as “INC-README.TXT” and “INC-README.HTML”,\r\nrespectively. The payloads will also attempt to output the HTML-formatted note to any connected and accessible\r\nprinters or fax machines.\r\nhttps://www.sentinelone.com/anthology/inc-ransom/\r\nPage 2 of 10\n\nIn addition, the ransomware appears to attempt to delete Volume Shadow Copies (VSS) although we were not able\r\nto reproduce this behavior in our testing.\r\nInc. ransomware victims are instructed to contact the attackers via their TOR-based portal. Each victim is assigned\r\na personal ID within their ransom notes which they are to use upon visiting the payment site.\r\nhttps://www.sentinelone.com/anthology/inc-ransom/\r\nPage 3 of 10\n\nhttps://www.sentinelone.com/anthology/inc-ransom/\r\nPage 4 of 10\n\nhttps://www.sentinelone.com/anthology/inc-ransom/\r\nPage 5 of 10\n\nThe following debug strings are present in analyzed samples of Inc. ransomware payloads.\r\nC:\\source\\INC Encryptor\\Release\\INC Encryptor.pdb\r\nHow to Detect Inc. Ransomware\r\nThe SentinelOne Singularity XDR Platform can identify and stop any malicious activities and items related to Inc.\r\nransomware.\r\nhttps://www.sentinelone.com/anthology/inc-ransom/\r\nPage 6 of 10\n\nEtt fel inträffade.\r\nDet går inte att köra JavaScript.\r\nIn case you do not have SentinelOne deployed, detecting Inc. ransomware requires a combination of technical and\r\noperational measures designed to identify and flag suspicious activity on the network. This allows the organization\r\nto take appropriate action, and to prevent or mitigate the impact of the ransomware attack.\r\nTo detect Inc. ransomware without SentinelOne deployed, it is important to take a multi-layered approach, which\r\nincludes the following steps:\r\n1. Use anti-malware software or other security tools capable of detecting and blocking known ransomware\r\nvariants. These tools may use signatures, heuristics, or machine learning algorithms, to identify and block\r\nsuspicious files or activities.\r\n2. Monitor network traffic and look for indicators of compromise, such as unusual network traffic patterns or\r\ncommunication with known command-and-control servers.\r\n3. Conduct regular security audits and assessments to identify network and system vulnerabilities and ensure\r\nthat all security controls are in place and functioning properly.\r\n4. Educate and train employees on cybersecurity best practices, including identifying and reporting suspicious\r\nemails or other threats.\r\n5. Implement a robust backup and recovery plan to ensure that the organization has a copy of its data and can\r\nrestore it in case of an attack.\r\nHow to Mitigate Inc. Ransomware\r\nThe SentinelOne Singularity XDR Platform can return systems to their original state using either the Quarantine\r\nor Repair.\r\nhttps://www.sentinelone.com/anthology/inc-ransom/\r\nPage 7 of 10\n\nEtt fel inträffade.\r\nDet går inte att köra JavaScript.\r\nIn case you do not have SentinelOne deployed, there are several steps that organizations can take to mitigate the\r\nrisk of Inc. ransomware attacks:\r\n1. Educate employees: Employees should be educated on the risks of ransomware, and on how to identify\r\nand avoid phishing emails, malicious attachments, and other threats. They should be encouraged to report\r\nsuspicious emails or attachments, and to avoid opening them, or clicking on links or buttons in them.\r\n2. Implement strong passwords: Organizations should implement strong, unique passwords for all user\r\naccounts, and should regularly update and rotate these passwords. Passwords should be at least 8 characters\r\nlong, and should include a combination of uppercase and lowercase letters, numbers, and special\r\ncharacters.\r\n3. Enable multi-factor authentication: Organizations should enable multi-factor authentication (MFA) for\r\nall user accounts, to provide an additional layer of security. This can be done through the use of mobile\r\napps, such as Google Authenticator or Microsoft Authenticator, or through the use of physical tokens or\r\nsmart cards.\r\n4. Update and patch systems: Organizations should regularly update and patch their systems, to fix any\r\nknown vulnerabilities, and to prevent attackers from exploiting them. This includes updating the operating\r\nsystem, applications, and firmware on all devices, as well as disabling any unnecessary or unused services\r\nor protocols.\r\n5. Implement backup and disaster recovery: Organizations should implement regular backup and disaster\r\nrecovery (BDR) processes, to ensure that they can recover from ransomware attacks, or other disasters.\r\nThis includes creating regular backups of all data and systems, and storing these backups in a secure,\r\noffsite location. The backups should be tested regularly, to ensure that they are working, and that they can\r\nbe restored quickly and easily.\r\nINC Ransomware FAQs\r\nWhat is INC ransomware?\r\nhttps://www.sentinelone.com/anthology/inc-ransom/\r\nPage 8 of 10\n\nINC ransomware was seen in mid-2023 and targets small and medium-sized enterprises. It follows a “spray-and-pray” strategy, infecting anything it can. When you pay, attackers send a decryption tool but frequently leave\r\nbackdoors open to future attacks. INC is spread through spear phishing attacks and exploit kits. Yamaha Motor’s\r\nPhilippine motorcycle manufacturing subsidiary was one of its most prominent victims.\r\nWhich sectors does INC ransomware most commonly target the sectors?\r\nINC targets healthcare, educational, and retail sectors. They do not generally possess world-class cybersecurity\r\nprotections for these sectors. If your company uses outdated software or poor-quality email security, INC\r\noperators will use these vulnerabilities to infiltrate your systems.\r\nWhat does the INC ransomware encrypt?\r\nINC uses AES-256 encryption in CBC mode with a custom extension. It will terminate processes like Microsoft\r\nOffice or Outlook to encrypt open files. The ransomware deletes backup files with extensions like.bak or.tmp to\r\nhinder recovery. It will also use HackTool.Win32.ProcTerminator.A for defense evasion and\r\nHackTool.PS1.VeeamCreds for credential access.\r\nWhich is the extension added to encrypted files by the INC ransomware?\r\nINC attaches the encrypted extension to the encrypted files. Ransom messages named INC_README.txt are\r\ndropped in all infected directories. The message has a Tox ID for contacting them and warns users against\r\ninvolving the police.\r\nWhat are the indicators of compromise (IOCs) for INC ransomware?\r\nYou can look for. Encrypted files, ransom notes, and PowerShell scripts that alter your registry keys. INC has\r\nscheduled tasks titled “INC_Update” to ensure persistence. Traffic to URLs such as inc-decrypt[.]onion or\r\nChinese IPs are other IOCs.\r\nHow does an organisation detect an INC ransomware attack?\r\nSearch for unexpected file renames and disabled backup schedules. Use SIEM tools to alert you to unusual\r\nregistry usage or PowerShell executions. If you notice repeated quarantines of svchost.exe versions in your\r\nantivirus logs, it can be a sign of INC attempting to evade detection.\r\nWhat are the preventative measures that can thwart INC ransomware?\r\nBlock email attachment macros and limit PowerShell runs—patch firewalls and VPNs to prevent exploit kit\r\nattacks. Train employees to recognise phishing baits and run ransomware simulations to test incident response\r\nplans. Store data in immutable storage so that INC cannot delete it.\r\nWhat can organisations do immediately when they notice an INC ransomware attack?\r\nhttps://www.sentinelone.com/anthology/inc-ransom/\r\nPage 9 of 10\n\nShut down infected systems to avoid further encryption. Capture memory dumps for analysis and identify the\r\ninitial attack vector. Restore data from offline backups and reimage infected systems. If the INC data was\r\ncompromised, expect it to be leaked, and prepare breach notifications for the affected customers.\r\nSource: https://www.sentinelone.com/anthology/inc-ransom/\r\nhttps://www.sentinelone.com/anthology/inc-ransom/\r\nPage 10 of 10",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.sentinelone.com/anthology/inc-ransom/"
	],
	"report_names": [
		"inc-ransom"
	],
	"threat_actors": [
		{
			"id": "de5630ec-93e0-4ef5-9ac3-fe422789e03d",
			"created_at": "2024-11-01T02:00:52.730802Z",
			"updated_at": "2026-04-10T02:00:05.330644Z",
			"deleted_at": null,
			"main_name": "INC Ransom",
			"aliases": [
				"INC Ransom",
				"GOLD IONIC"
			],
			"source_name": "MITRE:INC Ransom",
			"tools": [
				"PsExec",
				"Nltest",
				"Rclone",
				"AdFind",
				"esentutl",
				"INC Ransomware"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434685,
	"ts_updated_at": 1775826697,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2ed1bf32b7a8da58e10f7a6462d0f1c293b3fc1c.pdf",
		"text": "https://archive.orkl.eu/2ed1bf32b7a8da58e10f7a6462d0f1c293b3fc1c.txt",
		"img": "https://archive.orkl.eu/2ed1bf32b7a8da58e10f7a6462d0f1c293b3fc1c.jpg"
	}
}