{
	"id": "6831725f-19b5-44c8-af52-acd24be362b8",
	"created_at": "2026-04-06T01:31:33.702926Z",
	"updated_at": "2026-04-10T03:30:34.112005Z",
	"deleted_at": null,
	"sha1_hash": "69f6bfddffcc74057291661c2da45031e6c325bf",
	"title": "Dark Web Profile: INC Ransom",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 56987,
	"plain_text": "Dark Web Profile: INC Ransom\r\nBy Ameer Owda\r\nPublished: 2024-01-24 · Archived: 2026-04-06 01:15:52 UTC\r\nNov 01, 2024\r\nThe digital world is constantly under the threat of cyber attacks, and the emergence of new ransomware groups only intensifies this peril. One such group that has recently come into the spotlight is INC Ransom. This group has quickly gained notoriety for its sophisticated attacks and elusive nature. In this article, we will delve into the details of INC Ransom, exploring who they are, how they operate, and the implications of their activities. We will also provide insights into the security measures that can be implemented to protect against such threats.\r\nThe threat actor card of INC Ransom\r\nWho is INC Ransom?\r\nINC. Ransomware is a relatively new but highly sophisticated cybercriminal group that has rapidly gained notoriety in the realm of digital extortion. Emerging onto the cybercrime scene, this group has distinguished itself through its targeted ransomware attacks, primarily focusing on corporate and organizational networks.\r\nIllustration of INC Ransom (generated using DALL-E 3)\r\nUnlike many opportunistic ransomware operators, INC. Ransomware appears to carefully select its targets, often aiming at entities with substantial financial resources and sensitive data, which makes the potential payoff from their ransom demands significantly higher.\r\nThe group’s modus operandi involves a combination of advanced techniques, including spear-phishing campaigns to gain initial access, exploitation of known vulnerabilities (such as CVE-2023-3519 in Citrix NetScaler), and the use of both Commercial Off-The-Shelf (COTS) software and legitimate system tools (LOLBINs) for reconnaissance and lateral movement within a network. 
This approach not only demonstrates their technical prowess but also their ability to stay under the radar, making detection and prevention more challenging.\r\nhttps://socradar.io/dark-web-profile-inc-ransom/\r\nPage 1 of 6\r\nINC. Ransomware’s attacks are not just limited to encryption and locking of data; they also involve data theft and threats of public release, a tactic known as double extortion. This method adds an additional layer of pressure on the victims to comply with the ransom demands, as it puts at risk not just the accessibility of the data but also its confidentiality.\r\nHow does INC Ransom attack?\r\nINC. Ransom employs a sophisticated and multi-staged approach to infiltrate and compromise target systems. Their attack methodology combines initial access through spear-phishing or exploiting vulnerabilities, such as CVE-2023-3519 in Citrix NetScaler, with a series of calculated steps to establish control and execute their ransomware. Here’s an overview of their attack process:\r\nInitial Access and Reconnaissance: The group begins by gaining initial access, either through spear-phishing emails or by targeting vulnerable services. Once inside, they use a variety of tools for internal reconnaissance and lateral movement. These tools include NETSCAN.EXE for network scanning, MEGAsyncSetup64.EXE for file sharing and synchronization, ESENTUTL.EXE for database management, and AnyDesk.exe for remote desktop control.\r\nExploiting Remote Desktop Protocol (RDP): INC. Ransom frequently uses compromised credentials to access systems via RDP. During these sessions, they perform enumeration activities such as scanning for domain admins and testing network connections. 
This phase often involves brief connections to multiple servers, indicating a search for vulnerable points within the network.\r\nData Collection and Staging: Over the course of their attack, they abuse legitimate software to collect and stage data for exfiltration. This involves using 7-Zip archival commands to gather data and employing native tools like WordPad, Notepad, and MSPaint to inspect the contents of documents and images. They also install MEGASync on servers, presumably to facilitate the transfer of stolen data.\r\nLateral Movement and Credential Access: The attackers move laterally across the network, accessing multiple servers. They use tools like Advanced IP Scanner and Internet Explorer to explore the network and identify additional targets. During this phase, they also run credential access commands, indicative of using tools like lsassy.py, to extract login credentials from the systems.\r\nFile Encryption and Deployment: The final stage involves deploying the ransomware. They use a combination of wmic.exe and PsExec (disguised as winupd) to launch the file encryption executable across multiple endpoints. This phase is characterized by rapid command execution, indicating the use of batch files or scripts to automate the encryption process.\r\nTroubleshooting and Adaptation: Interestingly, there are instances where the attackers encounter difficulties, such as the inability to run the encryption executable on certain servers. This is evidenced by multiple attempts to execute the ransomware with debug commands, showcasing their adaptability and persistence in overcoming challenges.\r\nTOR Site of INC Ransom\r\nThe first thing that caught our attention when we visited INC. 
Ransom’s TOR site was the dark and light modes:\r\nINC Ransom TOR site in dark mode (Source: X)\r\nLooking at the site in general, there is a section on the left side that leads to Leaks, a “Submit a Feedback” section, and a Twitter icon that, when clicked, searches Twitter for “INC Ransom”. The rest of the page contains announcements made by INC. Ransom:\r\nINC Ransom’s TOR site\r\nClicking on any leak announcement opens a detail page with a short description, the domain address of the victim organization, and proof of the data leak, if any.\r\nDetailed leak page of Decatur, one of INC. Ransom’s victims\r\nAdditionally, INC. Ransom has recently added a link to the incapt[.]blog page, where current leak announcements can be followed on the surface web:\r\nINC Ransom’s Leak Announcements\r\nWhat are the targets of INC Ransom?\r\nTargeted Sectors\r\nLooking at the industries in which INC. Ransom’s victim organizations operate, the majority are in Professional Services, Manufacturing, and Construction:\r\nINC. Ransom’s Targeted Sectors\r\nTargeted Countries\r\nThe majority of the organizations targeted by “INC. Ransom” are based in North America and Europe:\r\nINC. Ransom Targeted Countries\r\nIn terms of distribution, it is observed that “INC. Ransom” mostly targets organizations operating in the United States (57.9%):\r\nTargets Distribution\r\nLatest Activities of INC Ransomware\r\nTrylon:\r\nTrylon\r\nSpringfield:\r\nSpringfield\r\nConclusion\r\nThe emergence and activities of the INC. Ransom group represent a significant threat in the cybersecurity landscape. 
Their sophisticated and multi-layered attack methodology, which includes exploiting vulnerabilities, using a mix of commercial and legitimate tools for reconnaissance and lateral movement, and executing a carefully planned ransomware deployment, highlights the evolving nature of cyber threats.\r\nINC. Ransom’s ability to adapt and troubleshoot during their attacks, as well as their strategic use of tools for data collection, staging, and encryption, demonstrates a high level of technical expertise and planning.\r\nSecurity Recommendations Against INC Ransom\r\nTo defend against the sophisticated tactics of INC. Ransom, organizations need to adopt a multi-layered security approach. Here are some key recommendations to enhance cybersecurity defenses against such ransomware threats:\r\nRegularly Update and Patch Systems: Ensure that all software, especially critical and widely used applications like Citrix NetScaler, is regularly updated and patched. This helps to close vulnerabilities that could be exploited by ransomware groups.\r\nEnhanced Email Security: Since spear-phishing is a common initial access vector, implement advanced email security solutions. These should include phishing detection, sandboxing for email attachments, and user training to recognize and report suspicious emails.\r\nRobust Endpoint Protection: Deploy advanced Endpoint Protection Platforms (EPP) that can detect, prevent, and respond to threats using techniques like behavioral analysis and machine learning.\r\nNetwork Segmentation and Monitoring: Segment your network to limit lateral movement by attackers. 
Use Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) to monitor network traffic for suspicious activities.\r\nImplement Multi-Factor Authentication (MFA): MFA adds an extra layer of security for accessing sensitive systems and data, making it harder for attackers to gain access even if they have compromised credentials.\r\nRegular Backups and Data Encryption: Regularly back up critical data and ensure it’s stored securely, preferably off-site or in the cloud. Encrypt sensitive data to add an additional layer of protection.\r\nIncident Response Planning: Have a well-defined incident response plan that includes procedures for isolating affected systems, eradicating the ransomware, and restoring data from backups.\r\nEmployee Awareness and Training: Regularly train employees on cybersecurity best practices, including how to recognize phishing attempts and the importance of using strong, unique passwords.\r\nUse of Advanced Threat Intelligence: Stay informed about the latest ransomware tactics and Indicators of Compromise (IoCs) through threat intelligence feeds and cybersecurity reports.\r\nRegular Security Audits and Vulnerability Assessments: Conduct regular security audits and vulnerability assessments to identify and mitigate potential security gaps in your network and systems.\r\nMITRE ATT\u0026CK TTPs of INC Ransom\r\nTactic | Technique | Technique ID | Tool/Procedure | Notes\r\nInitial Access | Spear-Phishing | T1566 | Spear-Phishing Emails | Gains initial access through targeted emails.\r\nInitial Access | Exploitation of Public-Facing Application | T1190 | CVE-2023-3519 | Exploiting known vulnerabilities in public-facing applications.\r\nExecution | Command and Scripting Interpreter | T1059 | wmic.exe, PsExec | Uses command-line tools to execute scripts for ransomware deployment.\r\nPersistence | Valid Accounts | T1078 | RDP with Compromised Credentials | Maintains access using Remote Desktop Protocol with stolen credentials.\r\nPrivilege Escalation | Exploitation for Privilege Escalation | T1068 | RDP | Escalates privileges through compromised Remote Desktop Protocol connections.\r\nDefense Evasion | Obfuscated Files or Information | T1027 | PsExec disguised as winupd | Hides its activities by disguising tools and commands.\r\nCredential Access | Credential Dumping | T1003 | lsassy.py | Extracts credentials from the systems they compromise.\r\nDiscovery | System Network Configuration Discovery | T1016 | NETSCAN.EXE, Advanced IP Scanner | Scans the network to discover configurations and connected systems.\r\nLateral Movement | Remote Services: Remote Desktop Protocol | T1021.001 | AnyDesk.exe | Moves within the network, often using remote desktop software.\r\nCollection | Data Staged | T1074 | 7-Zip, MEGASync | Collects and stages data for exfiltration using archival and file transfer tools.\r\nExfiltration | Data Encrypted for Impact | T1486 | Custom Ransomware | Encrypts files for ransom, and may exfiltrate data for double extortion.\r\nCommand and Control | Ingress Tool Transfer | T1105 | MEGASync, AnyDesk.exe | Uses legitimate tools for command and control activities.\r\nImpact | Data Destruction | T1485 | Custom Ransomware | Destroys or encrypts data, rendering it inaccessible.\r\nSource: https://socradar.io/dark-web-profile-inc-ransom/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://socradar.io/dark-web-profile-inc-ransom/"
	],
	"report_names": [
		"dark-web-profile-inc-ransom"
	],
	"threat_actors": [
		{
			"id": "de5630ec-93e0-4ef5-9ac3-fe422789e03d",
			"created_at": "2024-11-01T02:00:52.730802Z",
			"updated_at": "2026-04-10T02:00:05.330644Z",
			"deleted_at": null,
			"main_name": "INC Ransom",
			"aliases": [
				"INC Ransom",
				"GOLD IONIC"
			],
			"source_name": "MITRE:INC Ransom",
			"tools": [
				"PsExec",
				"Nltest",
				"Rclone",
				"AdFind",
				"esentutl",
				"INC Ransomware"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775439093,
	"ts_updated_at": 1775791834,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/69f6bfddffcc74057291661c2da45031e6c325bf.pdf",
		"text": "https://archive.orkl.eu/69f6bfddffcc74057291661c2da45031e6c325bf.txt",
		"img": "https://archive.orkl.eu/69f6bfddffcc74057291661c2da45031e6c325bf.jpg"
	}
}