Critical | Ransomware-as-a-Service | Active | Double Extortion | TLP:CLEAR

INC Ransom

Prolific RaaS Operation Targeting Healthcare, Government, and Critical Infrastructure

Aliases: GOLD IONIC | G1032 | Vanilla Tempest | DEV-0832

INC Ransom is a prolific Ransomware-as-a-Service (RaaS) operation that has compromised more than 300 organizations in 2025, becoming the most deployed ransomware by victim count. The group uses double-extortion tactics, targeting healthcare, education, government, and critical infrastructure globally.

  • 300+ victims in 2025
  • 162 victims in 2024
  • #1 most deployed ransomware (July 2025)
  • 11/month average victim rate

OPSEC Failure - Data Recovery (January 2026)

An operational security failure with reused Restic backup infrastructure allowed data recovery for 12 US organizations. INC remains active and dangerous despite this lapse.

1. Attribution & Identity

ATTRIBUTION CONFIDENCE: MEDIUM-HIGH

INC Ransom is tracked by Secureworks as GOLD IONIC. Microsoft tracks affiliated operator Vanilla Tempest (formerly DEV-0832, Vice Society). The group is suspected to be Eastern European in origin but no definitive attribution has been made. INC operates as a Ransomware-as-a-Service (RaaS), with multiple affiliates deploying the ransomware using double-extortion tactics. MITRE ATT&CK tracks the group as G1032 and the software as S1139.

INC Ransom emerged in July 2023 as a double-extortion ransomware group. The group initially appeared to operate as a closed group before transitioning to a Ransomware-as-a-Service model. Since emergence, INC has successfully extorted an average of 11 organizations per month.

In 2024, 162 victims were publicly claimed. In 2025, activity intensified dramatically with 300+ victims published, peaking in July 2025 when INC was the most deployed ransomware by victim count. The group maintains both Windows and Linux/ESXi variants of their ransomware.

In March 2024, the INC source code was listed for sale on underground forums (Exploit, XSS) by the user "salfetka" for $300,000 (Windows + Linux/ESXi builder, panel source code, limited to 3 buyers). This led to the emergence of Lynx ransomware as a derivative, though INC itself continues active operations. In January 2026, an operational security failure with reused Restic backup infrastructure allowed data recovery for 12 US organizations.

Known Aliases: INC Ransom; GOLD IONIC; G1032 (MITRE); S1139 (MITRE); Vanilla Tempest (affiliate); DEV-0832 (former)
Origin: Eastern European (suspected)
Active Since: July 2023
Model: RaaS (Double Extortion)
Sophistication: Moderate-High
Total Victims (2025): 300+
Platforms: Windows, Linux, ESXi

2. Targeting Profile

INC Ransom primarily targets healthcare, education, and government organizations, with a strong focus on the United States and United Kingdom. The group is opportunistic but shows a pattern of targeting organizations with high-value data and limited security maturity.

Industries

  • Healthcare & Public Health (primary)
  • Education
  • Technology
  • Government Services & Facilities
  • Critical Manufacturing
  • Defense Industrial Base
  • Emergency Services
  • Chemical Sector
  • Financial Services

Regions

  • United States (primary)
  • United Kingdom (NHS, councils)
  • Europe
  • Global (opportunistic)

Technologies Exploited

  • Citrix NetScaler ADC/Gateway
  • Fortinet FortiClient EMS
  • Fortinet FortiOS/FortiGate
  • VMware ESXi
  • Microsoft Hyper-V
  • Active Directory
  • VPN/SSL VPN infrastructure

3. Signature Tradecraft (TTPs)

MITRE ATT&CK Techniques

Initial Access

  • Exploit Public-Facing Application T1190
  • Spearphishing Attachment T1566.001
  • Valid Accounts T1078
  • External Remote Services T1133

Execution

  • WMI T1047
  • PowerShell T1059.001
  • Windows Command Shell T1059.003
  • Service Execution T1569.002

Persistence

  • Scheduled Task T1053.005
  • Remote Access Software T1219

Privilege Escalation

  • Exploitation for Priv Esc T1068
  • Kerberoasting T1558.003

Credential Access

  • OS Credential Dumping T1003
  • Credentials from Password Stores T1555
  • Pass the Hash T1550.002

Defense Evasion

  • Impair Defenses T1562.001
  • Obfuscated Files T1027
  • Clear Event Logs T1070.001
  • Modify Registry T1112

Discovery

  • Remote System Discovery T1018
  • Network Config Discovery T1016
  • Domain Trust Discovery T1482

Lateral Movement

  • Remote Desktop Protocol T1021.001
  • Lateral Tool Transfer T1570

Exfiltration & Impact

  • Exfil to Cloud Storage T1567.002
  • Data Encrypted for Impact T1486
  • Inhibit System Recovery T1490
  • Service Stop T1489

Notable Techniques

  • Kerberoasting for Domain Admin: In a documented case by HvS-Consulting, INC operators performed Kerberoasting to crack the Domain Administrator password within 48 hours of initial access, enabling rapid domain-wide compromise.
  • Exfiltration-only attacks: ReliaQuest documented cases where INC affiliates exfiltrated data without deploying encryption, indicating a shift toward pure extortion in some engagements.
  • Restart Manager API abuse: INC ransomware uses the Windows Restart Manager API (RmStartSession, RmRegisterResources) to unlock files held by other processes before encryption, maximizing impact. (Source: ANY.RUN)
  • Dual platform targeting: Both Windows and Linux/ESXi variants exist; the ESXi variant contains scripts to terminate virtual machines before encryption. (Source: MOXFIVE)
  • Multiple initial access vectors: INC affiliates exploit CVE-2023-3519 (Citrix), CVE-2023-48788 (Fortinet EMS), FG-IR-24-535 (FortiOS), and use phishing and initial access brokers, demonstrating operational flexibility.

INC Ransom Attack Chain

Typical attack progression based on incident response observations.

STEP 1: INITIAL ACCESS

  • Exploit Citrix NetScaler (CVE-2023-3519) or Fortinet appliance (CVE-2023-48788, FG-IR-24-535)
  • Alternatively: spearphishing, Gootloader SEO poisoning, or purchased credentials from IABs
  • Install AnyDesk/ScreenConnect for persistent remote access

STEP 2: DISCOVERY & CREDENTIAL ACCESS

  • Network scanning via netscan.exe, AdFind, Advanced IP Scanner
  • Domain enumeration with nltest.exe, net.exe
  • Kerberoasting for Domain Admin credentials
  • Credential dumping via lsassy.py, secretsdump.py

STEP 3: LATERAL MOVEMENT & DEFENSE EVASION

  • RDP lateral movement with Domain Admin accounts
  • Pass-the-hash attacks via Impacket wmiexec.py
  • Disable security tools with ProcTerminator/ProcessHacker
  • Clear Windows Event Logs

STEP 4: DATA EXFILTRATION

  • Stage data with 7-Zip/WinRAR
  • Exfiltrate via MEGASync, Rclone (with include.txt), or Restic
  • Terabytes of data transferred to attacker-controlled cloud storage

STEP 5: RANSOMWARE DEPLOYMENT & EXTORTION

  • Deploy INC ransomware via PsExec to Windows hosts and ESXi/Hyper-V
  • Delete shadow copies, terminate services via Restart Manager API
  • Encrypt files with .INC extension, drop INC-README.TXT/HTML
  • Double extortion: pay or data published on leak site

4. Tooling & Infrastructure

Known Malware Families

Name | Type | First Seen | Description
INC Ransomware (Windows) | Ransomware | July 2023 | Primary encryptor; appends .INC extension; AES encryption
INC Ransomware (Linux/ESXi) | Ransomware | December 2023 | Cross-platform variant for VMware infrastructure; terminates VMs before encryption
Meterpreter (p443x64.exe) | Reverse Shell | 2023 | C2 beacon dropper observed by Secureworks
Supper Backdoor | Backdoor | 2024 | Deployed by Vanilla Tempest affiliate chain
Gootloader | Initial Access Loader | 2024 | SEO poisoning loader used by Vanilla Tempest for healthcare targeting

Legitimate Tool Arsenal

Tool | Purpose
PsExec | Remote execution, ransomware deployment
AnyDesk / ScreenConnect / TightVNC | Remote access and persistence
PuTTY | SSH remote access
MEGASync / Rclone / Restic | Data exfiltration to cloud storage
7-Zip / WinRAR | Data staging (archiving before exfiltration)
AdFind / Advanced IP Scanner / netscan.exe | Network and Active Directory reconnaissance
Impacket (wmiexec.py, secretsdump.py) | Lateral movement, credential dumping
lsassy.py | LSASS credential extraction
ProcTerminator / ProcessHacker | Security process termination

Infrastructure

  • Leak Site: TOR-based data leak site for publishing victim data
  • Payment Portal: inc-decrypt[.]onion (TOR-based negotiation)
  • Communication: Tox ID included in ransom notes as alternative contact
  • Exfiltration: MEGA cloud storage accounts, Rclone-configured cloud endpoints, Restic backup infrastructure


5. Notable Campaigns & Timeline

Timeline of Key Events

INC Ransom Emerges

July 2023 | Ransomware | Global

First attacks observed; group begins listing victims on leak site.

Peak Activity & Linux Variant Released

December 2023 | 124 Attempts | Linux/ESXi

124 attack attempts detected by Trend Micro; Linux/ESXi variant released expanding the attack surface to virtualized infrastructure.

NHS Scotland Attack & Source Code Sale

March 2024 | 3TB Stolen | Healthcare | $300K Source Code

3TB stolen from NHS Scotland. Source code listed for $300K on Exploit/XSS forums by user "salfetka".

Leicester City Council

April 2024 | 1.3TB Leaked | Government

1.3TB data leaked from UK local government council.

Lynx Ransomware Emerges

July 2024 | Derivative

Derivative ransomware based on purchased INC source code appears, demonstrating the proliferation risk of source code sales.

Vanilla Tempest Healthcare Campaign

Aug-Sep 2024 | Multiple US Hospitals | Healthcare

Microsoft-tracked Vanilla Tempest (formerly Vice Society) adopted INC ransomware to systematically target US healthcare organizations using Gootloader initial access and Supper backdoor deployment.

Activity Surges: 300+ Victims

2025 | #1 Most Deployed | Global

INC becomes the most deployed ransomware by victim count in July 2025, with 300+ victims published throughout the year.

CodeRED Emergency Alert Attack

November 2025 | $950K Demanded | Emergency Services

Nationwide emergency alert platform attacked; $950K demanded. Forced decommissioning of legacy infrastructure affecting emergency communication capabilities nationwide.

OPSEC Failure

January 2026 | Data Recovery

Reused Restic infrastructure enabled data recovery for 12 US organizations. This operational security lapse provided a rare win for defenders.

High-Profile Attacks

NHS Scotland / Dumfries & Galloway

3TB Data Stolen | Healthcare | United Kingdom | March 2024

3TB of data stolen from the Scottish NHS trust serving the Dumfries and Galloway region, including patient records and operational data.

Source: The Register

Vanilla Tempest Healthcare Campaign

Multiple US Hospitals | Healthcare | United States | Aug-Sep 2024

Microsoft-tracked Vanilla Tempest (formerly Vice Society) adopted INC ransomware to systematically target US healthcare organizations using Gootloader initial access and Supper backdoor deployment.

Source: Microsoft Threat Intelligence (via BleepingComputer)

OnePoint Patient Care

1.74M Individuals Affected | Healthcare | United States | October 2024

Breach affecting 1.74 million individuals at a hospice and palliative care pharmacy provider, representing one of the largest healthcare breaches attributed to INC.

Source: Halcyon

Stark Aerospace

4TB Claimed | Defense Industrial Base | United States | 2025

A US missile systems and aerial weapons manufacturer. 4TB of data claimed stolen, including source code, design plans, employee passports, and UAV firmware, making this a significant national security concern.

Source: Intruvent victim data

Compass Health Network

500K Sensitive Records | Healthcare | United States | 2025-2026

Mental health provider compromised with 500,000 sensitive records exposed, including therapy notes and psychiatric diagnoses.

Source: Intruvent victim data

OnSolve CodeRED Emergency Alert System

$950K Demanded | Plaintext Passwords Exfiltrated | Emergency Services | November 2025

Nationwide emergency alert platform attacked with a $950,000 ransom demand. Customer data exfiltrated including plaintext passwords. Forced decommissioning of legacy infrastructure affecting emergency communication capabilities nationwide.

Source: Intruvent victim data

6. Detection & Response

Detection Opportunities

Ransomware Indicators

  • Monitor for bulk .INC file extension changes
  • Alert on INC-README.TXT and INC-README.HTML creation
  • Detect INC_Update scheduled task creation
  • Detect Restart Manager API usage at scale
  • Monitor for shadow copy deletion commands

Credential & Lateral Movement

  • Alert on Kerberoasting activity (TGS requests)
  • Detect pass-the-hash attempts
  • Monitor for lsassy.py and secretsdump.py
  • Watch for PsExec and WMI-based lateral movement
  • Detect anomalous RDP sessions

Defense Evasion

  • Watch for repeated svchost.exe AV quarantine
  • Monitor for ProcTerminator/ProcessHacker
  • Detect Windows Defender disablement
  • Alert on Event Log clearing
  • Monitor security-related registry changes

Exfiltration & Remote Access

  • Watch for MEGASync, Rclone, or Restic on servers
  • Detect rogue RMM tools (AnyDesk, ScreenConnect)
  • Monitor large 7-Zip/WinRAR archiving operations
  • Alert on unusual outbound data transfers
  • Monitor for include.txt Rclone config
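The behavioral indicators listed in this section, turned into a small triage routine as an added example (not the page's or BRACE's code). The event shape, the burst thresholds and the sample events are constructed assumptions for the example; the indicator names (.INC, INC-README.*, INC_Update, include.txt, the exfiltration tools) come from the profile.

```python
from collections import defaultdict

# Indicators come from the profile above; thresholds are assumptions for this toy.
RANSOM_NOTES = {"INC-README.TXT", "INC-README.HTML"}
EXFIL_TOOLS = {"rclone.exe", "megasync.exe", "restic.exe"}
RENAME_BURST, RENAME_WINDOW = 20, 60   # 20 .INC writes on one host within 60 s

def triage(events):
    """Return sorted (host, finding) pairs. Events are constructed, loosely Sysmon-shaped:
    file_create (path), process (image, cmdline), task_create (name), all with ts and host."""
    findings = set()
    inc_writes = defaultdict(list)  # host -> timestamps of .INC file creations
    for e in events:
        host, kind = e["host"], e["event"]
        if kind == "file_create":
            name = e["path"].rsplit("\\", 1)[-1].upper()
            if name in RANSOM_NOTES:
                findings.add((host, "ransom note dropped: " + name))
            elif name.endswith(".INC"):
                inc_writes[host].append(e["ts"])
        elif kind == "task_create" and e["name"] == "INC_Update":
            findings.add((host, "INC_Update scheduled task created"))
        elif kind == "process":
            image = e["image"].rsplit("\\", 1)[-1].lower()
            cmd = e["cmdline"].lower()
            if image == "vssadmin.exe" and "delete" in cmd and "shadows" in cmd:
                findings.add((host, "shadow copy deletion"))
            elif image in EXFIL_TOOLS:
                tag = " with include.txt" if "include.txt" in cmd else ""
                findings.add((host, "exfiltration tool " + image + tag))
    # One .INC file is noise; a burst of them in a short window is mass encryption.
    for host, stamps in inc_writes.items():
        stamps.sort()
        for i in range(len(stamps) - RENAME_BURST + 1):
            if stamps[i + RENAME_BURST - 1] - stamps[i] <= RENAME_WINDOW:
                findings.add((host, ".INC rename burst"))
                break
    return sorted(findings)

# Constructed sample: FS01 shows the whole chain, WS07 only a single stray .INC file.
SAMPLE = [
    {"ts": 0, "host": "FS01", "event": "process", "image": "C:\\Tools\\rclone.exe",
     "cmdline": "rclone copy --files-from include.txt D:\\Shares remote:x"},
    {"ts": 100, "host": "FS01", "event": "task_create", "name": "INC_Update"},
    {"ts": 110, "host": "FS01", "event": "process", "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": 150, "host": "FS01", "event": "file_create", "path": "D:\\Shares\\INC-README.TXT"},
    {"ts": 200, "host": "WS07", "event": "file_create", "path": "C:\\Users\\a\\old.INC"},
] + [{"ts": 120 + i, "host": "FS01", "event": "file_create",
      "path": "D:\\Shares\\doc%d.docx.INC" % i} for i in range(25)]
```

Running `triage(SAMPLE)` flags all five behaviors on FS01 and nothing on WS07, since a single .INC file does not meet the burst threshold.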

Defensive Recommendations

Patch Critical Appliances

Patch Citrix NetScaler and Fortinet appliances immediately. CVE-2023-3519, CVE-2023-4966, CVE-2023-48788, and FG-IR-24-535 are actively exploited by INC affiliates.

Enforce MFA on Remote Access

Implement MFA on all VPN/remote access. Prevent credential-based initial access that INC affiliates commonly leverage.

Restrict RDP & Segment Networks

Restrict RDP to authorized systems only and implement network segmentation to contain blast radius, especially for healthcare environments.

Monitor RMM & Backups

Allowlist approved RMM tools and alert on unauthorized AnyDesk, ScreenConnect, TightVNC. Maintain offline/immutable backups and test recovery regularly.

Enhance Telemetry

Enable PowerShell script block logging and WMI monitoring. Deploy Sysmon for enhanced endpoint telemetry covering process, network, and file activity.

A. Appendix: Indicators of Compromise

IOC Sourcing: Indicators sourced from MITRE ATT&CK, Secureworks, Trend Micro, Huntress, ANY.RUN, and AlienVault OTX. IOC currency verified: February 2026.

Important: Each INC locker executable contains a victim-specific ID, making file hashes unreliable for cross-victim detection. Focus on behavioral indicators as primary detection mechanisms. (Source: ANY.RUN)

File Hashes (SHA256)

SHA256 | Context | Source
63e0d4e861048f581c9e5c64b28a053eb0023d58eebf2b943868d5f68a67a8b7 | Linux ELF variant | Trend Micro
a0ceb258924ef004fa4efeef4bc0a86012afdb858e855ed14f1bbd31ca2e42f5 | Linux ELF variant | Trend Micro
c41ab33986921c812c51e7a86bd3fd0691f5bba925fae612f1b717afaa2fe0ef | Linux ELF variant | Trend Micro
3dd6fab5ec9444ef7d2f4d2a744b3a4efa1420e346b47efae34145a2aa3b7508 | Windows variant | AlienVault OTX

File Indicators

Type | Value | Context
Extension | .INC | Encrypted file extension
Ransom Note | INC-README.TXT | Text note, dropped in every directory
Ransom Note | INC-README.HTML | HTML note, dropped in every directory
PDB String | C:\source\INC Encryptor\Release\INC Encryptor.pdb | Embedded in Windows variants
Executable | win.exe | Ransomware binary
Executable | p443x64.exe | Meterpreter dropper
Config File | include.txt | Rclone exfiltration target list
Scheduled Task | INC_Update | Persistence mechanism

Network Indicators

Type | Value | Context
Onion Domain | inc-decrypt[.]onion | Payment/negotiation portal

B. Appendix: References

Primary Intelligence Sources

Secondary Sources

  • [7] Huntress - Investigating INC Ransom Group Activity - Huntress Blog
  • [8] ReliaQuest - Inc Ransom Attack Analysis - ReliaQuest Blog
  • [9] HvS-Consulting - INC Ransom FortiGate Exploit - HvS-Consulting
  • [10] MOXFIVE - Threat Actor Spotlight: INC Ransom - MOXFIVE
  • [11] Cybereason - Threat Alert: INC Ransomware - Cybereason Blog
  • [12] Blackpoint Cyber - INC Ransom Threat Profile - Blackpoint Cyber
  • [13] SentinelOne - Inc. Ransomware Analysis - SentinelOne
  • [14] Check Point - Inc. Ransom Detection and Prevention - Check Point
  • [15] ANY.RUN - INC Ransomware Overview - Medium / ANY.RUN
  • [16] BleepingComputer - INC Source Code Sale - BleepingComputer
  • [17] Cyble - INC Ransom Threat Actor Profile - Cyble
  • [18] SOCRadar - Dark Web Profile: INC Ransom - SOCRadar
  • [19] Halcyon - INC Ransom Threat Group - Halcyon

Related Resources

Track INC Ransom with BRACE

BRACE delivers monthly sector-specific threat intelligence covering INC Ransom activity, including:

  • Ransomware campaign analysis and victim tracking
  • Detection rules for INC-specific behavioral indicators
  • MITRE ATT&CK mappings for ransomware TTPs
  • Healthcare and critical infrastructure threat briefings
  • IOCs, YARA rules, and Sigma detection queries
