Ransomware Group
INC Ransom
Also known as: INC Ransomware, Inc Ransom
Status: active • First seen 2023-07 • 100+ known victims
INC Ransom is a newer gang that's been hitting healthcare and schools hard. They do their homework before attacking, spending time learning about their victims before striking. They use the typical playbook: steal data first, then encrypt, then demand payment or threaten to leak. They're growing fast.
Overview
INC Ransom is a relatively new ransomware operation that has rapidly targeted a wide range of organizations. They employ a double extortion model and are known for detailed reconnaissance before deploying ransomware. The group has shown particular interest in healthcare and education sectors.
Target Industries
Healthcare, Education, Government, Manufacturing, Professional Services, Technology
How They Attack
- Exploiting Citrix NetScaler vulnerabilities
- Spear-phishing campaigns
- Using legitimate tools for persistence
- MEGA cloud storage for exfiltration
- Detailed pre-attack reconnaissance
Notable Victims
NHS Dumfries and Galloway (2024), Xerox Business Solutions (2023), Multiple healthcare organizations, Various educational institutions
How to Protect Against INC Ransom
1. Patch Citrix NetScaler CVE-2023-4966 (Citrix Bleed)
2. Block MEGA.io and similar cloud services if not needed
3. Monitor for network reconnaissance activity
4. Implement canary files to detect pre-encryption activity
5. Healthcare: follow HHS HC3 INC Ransom guidance
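One way to implement the canary files from step 4, as an added example that is not part of the original page: decoy files are planted with a recorded hash, and a periodic check reports any that were modified, renamed or deleted. The file names and the `.locked` extension in the demo are constructed for illustration.

```python
import hashlib
import os
import tempfile

# Hypothetical decoy names, chosen to sort at both ends of a directory listing.
CANARY_NAMES = ["!_0_patient_records_backup.xlsx", "~_zz_finance_archive.docx"]

def _sha256(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def plant_canaries(directory):
    """Write decoy files and return a baseline {path: sha256}."""
    baseline = {}
    for name in CANARY_NAMES:
        path = os.path.join(directory, name)
        with open(path, "wb") as fh:
            fh.write(os.urandom(256))  # unique content per canary
        baseline[path] = _sha256(path)
    return baseline

def check_canaries(baseline):
    """Return (path, reason) for every canary that no longer matches the baseline."""
    alerts = []
    for path, digest in baseline.items():
        if not os.path.exists(path):
            # Encryptors often append a new extension, so look for a renamed sibling.
            directory, name = os.path.split(path)
            renamed = [f for f in os.listdir(directory) if f.startswith(name + ".")]
            reason = ("renamed to " + renamed[0]) if renamed else "deleted"
            alerts.append((path, reason))
        elif _sha256(path) != digest:
            alerts.append((path, "content modified"))
    return alerts

def demo():
    """Constructed scenario: one canary overwritten, one renamed."""
    with tempfile.TemporaryDirectory() as d:
        baseline = plant_canaries(d)
        paths = sorted(baseline)
        with open(paths[0], "wb") as fh:
            fh.write(b"overwritten")            # simulated in-place encryption
        os.rename(paths[1], paths[1] + ".locked")  # simulated rename
        return [reason for _, reason in sorted(check_canaries(baseline))]
```

In practice the baseline would be stored off-host and any non-empty result from `check_canaries` would raise an alert rather than be returned to a caller.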
MITRE ATT&CK Techniques