THREAT ACTOR

INC Ransom

THREAT LEVEL
7
EMERGENCE DATE
Jul 2023
CATEGORY
Ransomware-as-a-Service
AFFILIATIONS

Operated by GOLD IONIC (MITRE ATT&CK tracking), Vanilla Tempest operations (formerly DEV-0832), Storm-0494 partnership for initial access provision through GootLoader infections

DESCRIPTION

INC Ransom emerged as a ransomware-as-a-service operation in July 2023. The group operates with a business-like approach, framing their attacks as security services while conducting financially motivated operations. Following the sale of their source code for approximately $300,000 in March 2024, INC Ransom evolved through derivative operations, most notably Lynx ransomware, which shares over 70% code similarity.

CRITICALITY
Assesses the importance of the potential target, including its size and scale, the value of its data, and the operational impact of an attack.
LETHALITY
Evaluates the potential for damage from the attack, including the ability to disrupt operations, cause financial loss, and damage public brand image.
AGGRESSIVENESS
Assesses the psychological and tactical intensity of the group's behavior, including targeted harassment, violent language, blackmail, and political motives.

Classifications & Affiliations

Type: Ransomware-as-a-Service (RaaS)

INC Ransom operates as GOLD IONIC according to MITRE ATT&CK tracking, with documented partnerships including Storm-0494 for initial access provision through GootLoader infections. Microsoft Threat Intelligence tracks significant affiliate activity through Vanilla Tempest (formerly DEV-0832), which adopted INC Ransom as their primary payload in August 2024 after previously using BlackCat, Quantum Locker, Zeppelin, and Rhysida.

Current Status: Active as of 2025, with continued claims in Q2, ongoing operations through the Lynx ransomware derivative, and documented affiliate relationships as of September 2025.

Threat Level:
7

Origins and Methodology

INC Ransom distinguishes itself in the ransomware landscape through its independent emergence rather than splintering from existing groups. Government cybersecurity sources characterize INC Ransom as a relatively new group that has rapidly gained notoriety in the realm of digital extortion. The group demonstrates careful target selection, focusing on entities with substantial financial resources and sensitive data.

The group is uniquely positioned in the ransomware ecosystem, framing its attacks as exposing security weaknesses while conducting financially motivated operations. This posture of moral agency is psychological manipulation: in practice the group executes double-extortion tactics that combine data encryption with data theft and publication threats. The group's operations include maintaining both TOR and clearnet infrastructure for victim communications, with victims directed to log into a Tor portal using unique user IDs for ransom negotiations.

What is the Evolution of INC Ransom Ransomware?
0.1
Formation

INC Ransom emerged independently in July 2023, distinguishing itself from typical ransomware groups that splinter from established predecessors. Unlike families demonstrating clear lineage connections to earlier variants, INC Ransom appears developed as an original creation.

0.2
EVOLUTION

The group's most significant evolution occurred in March 2024 when a threat actor announced the sale of INC Ransom's complete source code on criminal underground forums for approximately $300,000. The sale included both Windows and Linux/ESXi versions with technical specifications including AES-128 in CTR mode and Curve25519 Donna algorithms. This commercialization was limited to three buyers to maintain exclusivity.

0.3
Lineage/Connections

In July 2024, Lynx ransomware emerged as the most significant derivative development from INC Ransom's commercialized source code. Binary analysis revealed approximately 70% similarity in shared functions between Lynx and INC Ransom, and nearly half of the overall code in common.

Which Unique Techniques Does INC Ransom Use?

TECHNIQUE

DETAILS

Infection Vectors

Employs multiple initial access methods including exploitation of CVE-2023-3519 in Citrix NetScaler (CVSS 9.8) for unauthenticated remote code execution, exploitation of CVE-2023-48788 in FortiClient EMS for SQL injection attacks, spear-phishing campaigns with malicious attachments, and purchase of valid account credentials from Initial Access Brokers.

Target Selection

The group demonstrates strategic targeting focused on North American enterprises with substantial financial resources. Primary focus includes healthcare organizations (ranked ninth most active), educational institutions (double the industry average), government entities including municipal and federal systems, financial services in the U.S. and UK, and manufacturing organizations with over a dozen incidents in Q1 2025.

Operational Complexity

Uses several malware families, each serving a different stage of the attack.

The group employs methodical multi-staged attack strategies encompassing comprehensive reconnaissance, lateral movement, and data exfiltration capabilities.

Key Features & Technical Details

INC Ransom's ransomware exhibits mature technical capabilities with strong encryption standards, comprehensive data theft mechanisms, and structured communication protocols. The group includes cross-platform capabilities and maintains professional negotiation infrastructure.

FEATURE

DETAILS

Encryption Methods

AES-256 in CBC mode with custom extensions; also reported using AES-128 in CTR mode. Implements partial encryption combined with multi-threading, where the thread count equals processors × 4. Two modes: Fast encryption (1MB fixed) and Medium encryption (1MB fixed, different skip pattern).

Double Extortion

Combines traditional file encryption with comprehensive data theft using tools like MEGA synchronization. Maintains dual leak sites on TOR.

Cross-Platform

Ransomware written in C++ with variants for Windows, Linux, and VMware ESXi environments. The Linux variant includes daemon functionality (-daemon), message-of-the-day modification (-motd), VM skip options (-skip), and ESXi-specific targeting (-esxi).

Monetization

RaaS model with roughly three-quarters of revenue going to affiliates and the remainder to operators. Nearly all attacks demand Bitcoin as the primary payment method.

Communication

Directs victims to a TOR portal using unique user IDs for negotiations. Infrastructure includes the C2 domain cybersecsentinel[.]com (first seen February 14, 2024) and the IP 154.12.242[.]58 with numerous domain resolutions.

Behavioral Patterns

Uses SystemSettingsAdminFlows.exe to disable Windows Defender. Uninstalls tools after use to remove traces. Deletes volume shadow copies to prevent recovery. Changes the desktop wallpaper to display the ransom note using the Fixedsys font.

Activities

Based on 89 attack claims by INC Ransom collected in our Halcyon Attack Lookout database for the first half of 2025, healthcare organizations remain the primary target, accounting for 29% of attacks. This sector's critical patient care dependencies create urgent payment pressure, making it particularly vulnerable.

Which Industries Are Most Vulnerable to INC Ransom?

Manufacturing ranks second at 10% of incidents, as operational disruptions can cripple supply chains and production lines. Educational institutions face persistent targeting at 9% of attacks, with threat actors exploiting budget constraints and pursuing valuable research data. Government entities also attract significant attention due to their sensitive citizen data and essential service vulnerabilities.

Modus Operandi

INC Ransom's operational methods include a multi-stage attack architecture, leveraging legitimate tools to blend malicious activities with normal system operations. The group's approach encompasses initial compromise through vulnerability exploitation or purchased access, followed by systematic reconnaissance, privilege escalation, and strategic data exfiltration before encryption deployment.

Details

T1190 - Exploit Public-Facing Application via CVE-2023-3519 (Citrix NetScaler) and CVE-2023-48788 (FortiClient EMS). T1566 - Phishing with malicious attachments. T1078 - Valid Accounts purchased from Initial Access Brokers. T1133 - External Remote Services compromise

Details

Comprehensive network reconnaissance using automated scanning tools, identification of high-value targets and sensitive data repositories, mapping of Active Directory infrastructure

Details

Deployment of various backdoors for persistent access, use of legitimate remote monitoring and management tools like AnyDesk, establishment of multiple access vectors

Details

T1562.001 - Impair Defenses using SystemSettingsAdminFlows.exe to disable Windows Defender. T1070.004 - Indicator Removal by uninstalling tools after use. T1055 - Process Injection techniques. Living-off-the-Land using MSPaint, WordPad, NotePad, Internet Explorer

Details

T1078 - Valid Accounts for persistence across multiple systems, credential harvesting from compromised systems, exploitation of service accounts

Details

Encrypted communications through TOR infrastructure, use of legitimate protocols to blend with normal traffic, multiple C2 domains including cybersecsentinel.com

Details

T1071 - Application Layer Protocol using valid accounts over RDP. T1105 - Ingress Tool Transfer downloading Advanced IP Scanner. T1570 - Lateral Tool Transfer using rapid copy commands for encryption executable distribution. Deployment via Windows Management Instrumentation (WMI) Provider Host

Details

T1074 - Data Staged on compromised hosts prior to exfiltration. T1560.001 - Archive Collected Data using 7-Zip and WinRAR. T1048 - Exfiltration Over Alternative Protocol using MEGA synchronization tools. Multi-gigabyte theft capabilities with documented large-scale exfiltration

Details

T1078 - Valid Accounts for RDP persistence. SystemSettingsAdminFlows.exe for security disabling. Remote Monitoring and Management (RMM) tools like AnyDesk. Valid compromised credentials across multiple systems

Details

T1486 - Data Encrypted for Impact using AES-256 CBC mode with partial encryption and multi-threading. T1657 - Financial Theft through data encryption and extortion. T1491.001 - Defacement changing wallpaper to ransom note. T1490 - Inhibit System Recovery through VSS deletion

Details

T1486 - Data Encrypted for Impact using AES-256 CBC mode with partial encryption and multi-threading. Implementation varies based on file types and system resources

Details

Deployment of ransom notes as RECOVER-[random letters]-FILES.txt, threats of public data disclosure on leak sites, direct contact with executives and stakeholders

Details

Removal of tools and artifacts post-encryption, deletion of event logs and forensic evidence, disabling of system restore capabilities

Indicators of Compromise (IOCs)

Key indicators help identify INC Ransom operations within networks, particularly specific file hashes, network infrastructure, and behavioral patterns tied to the ransomware ecosystem.

INDICATOR

DETAILS

File Hashes

Windows and Linux ransomware variants (SHA-256 hashes vary by version) including accd8bc0d0c2675c15c169688b882ded17e78aed0d914793098337afc57c289c, 02472036db9ec498ae565b344f099263f3218ecb785282150e8565d5cac92461, 05e4f234a0f177949f375a56b1a875c9ca3d2bee97a2cb73fc2708914416c5a9, 571f5de9dd0d509ed7e5242b9b7473c2b2cbb36ba64d38b32122a0a337d6cf8b, 82eb1910488657c78bef6879908526a2a2c6c31ab2f0517fcc5f3f6aa588b513, eaa0e773eb593b0046452f420b6db8a47178c09e6db0fa68f6a2d42c3f48e3bc, 80908a51e403efd47b1d3689c3fb9447d3fb962d691d856b8b97581eefc0c441, and a0ceb258924ef004fa4efeef4bc0a86012afdb858e855ed14f1bbd31ca2e42f5 (Linux variant)

IP Addresses

Known C2 IP: 154.12.242[.]58 (C2 server with numerous domain resolutions, first seen December 4, 2024)

Domains/URLs

TOR leak site: incblog7vmuq7rktic73r4ha4j757m3ptym37tyvifzp2roedyyzzxid[.]onion/blog/leaks, Clearnet mirrors: incapt[.]blog and incapt[.]su

File Paths

C:\ProgramData - Common staging directory for temporary files and tools

File Extensions

Encrypted files are appended with custom extensions (e.g., .FGqogsxF), ransom note: RECOVER-[seven random letters]-FILES.txt
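As an added example (not from this profile, nor Halcyon's or any vendor's code), the behavioral and file-based indicators above can be folded into a small triage routine that runs over endpoint telemetry. The event records below are constructed; the SHA-256 values, the RECOVER-[seven letters]-FILES.txt note pattern and the .FGqogsxF extension are the ones listed on this page, and the event field names are an assumption about your EDR export.

```python
import re

# IOC seeds from the profile above; extend from your own intel feed.
KNOWN_SHA256 = {
    "accd8bc0d0c2675c15c169688b882ded17e78aed0d914793098337afc57c289c",
    "a0ceb258924ef004fa4efeef4bc0a86012afdb858e855ed14f1bbd31ca2e42f5",
}
# The encrypted-file extension is per victim; seed it from your own incident.
OBSERVED_EXTENSIONS = {".FGqogsxF"}
# Ransom note: RECOVER-<seven random letters>-FILES.txt at the end of a path.
RANSOM_NOTE = re.compile(r"(^|[\\/])RECOVER-[A-Za-z]{7}-FILES\.txt$")

# Constructed sample telemetry (assumed field names: type, image, cmdline, path, sha256).
EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\SystemSettingsAdminFlows.exe",
     "cmdline": "SystemSettingsAdminFlows.exe Defender"},
    {"type": "process", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"type": "file", "path": r"C:\Users\alice\Documents\RECOVER-kqzhtpw-FILES.txt"},
    {"type": "file", "path": r"C:\Users\alice\Documents\report.docx.FGqogsxF"},
    {"type": "file", "path": r"C:\ProgramData\winupd.exe",  # constructed staging path
     "sha256": "accd8bc0d0c2675c15c169688b882ded17e78aed0d914793098337afc57c289c"},
    {"type": "process", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe notes.txt"},  # benign control event
]

def triage(events):
    """Return (rule, evidence) pairs for events that match INC Ransom patterns."""
    hits = []
    for ev in events:
        if ev["type"] == "process":
            image = ev["image"].rsplit("\\", 1)[-1].lower()
            cmd = ev.get("cmdline", "").lower()
            if image == "systemsettingsadminflows.exe":
                hits.append(("T1562.001 Defender tamper via SystemSettingsAdminFlows", ev["cmdline"]))
            if image == "vssadmin.exe" and "delete" in cmd and "shadows" in cmd:
                hits.append(("T1490 shadow copy deletion", ev["cmdline"]))
        elif ev["type"] == "file":
            path = ev["path"]
            if RANSOM_NOTE.search(path):
                hits.append(("Ransom note dropped", path))
            if any(path.endswith(ext) for ext in OBSERVED_EXTENSIONS):
                hits.append(("Encrypted-file extension observed", path))
            if ev.get("sha256", "").lower() in KNOWN_SHA256:
                hits.append(("Known INC Ransom payload hash", ev["sha256"]))
    return hits

if __name__ == "__main__":
    for rule, evidence in triage(EVENTS):
        print(f"[{rule}] {evidence}")
```

The note regex and the hash match are high-confidence on their own; the SystemSettingsAdminFlows.exe and vssadmin matches should be correlated with the file events before paging anyone, since both binaries have legitimate uses.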

Exploits and Vulnerabilities

INC Ransom actively exploits critical vulnerabilities in enterprise software, particularly targeting remote access and file transfer platforms to gain initial access to victim networks.

VULNERABILITY

DETAILS

Citrix NetScaler Code Injection

CVE: CVE-2023-3519. CVSS: 9.8. Unauthenticated remote code execution via specially crafted HTTP requests.

Fortinet FortiClient EMS SQL Injection

CVE: CVE-2023-48788. CVSS: 9.8. SQL injection leading to remote code execution via xp_cmdshell functionality.