INC
INC Ransom is a financially motivated ransomware-as-a-service (RaaS) threat actor, also tracked as GOLD IONIC and referred to as INC or INC Ransomware. The group was first observed in 2023; the provided content cites activity since at least July 2023 and also states it was first observed in August 2023. It uses double extortion, stealing data before encrypting victim systems, and has been described as using spear-phishing for initial access.

The content identifies it as one of the more active ransomware groups in 2025-2026, including 131 attack claims in Q1 2026, increased victim volume from 23 to 39 per month between Q1 and Q3 2025, and reporting that it had claimed 754 victims since emergence.

The group has targeted multiple sectors, with specific reporting highlighting healthcare, education, manufacturing, and pharmacy-related victims. Trellix reported 34 attacks on healthcare organizations in 2025, including a regional hospital in North America, a national public health system, and a major hospital in the Southern Hemisphere. Quorum Cyber identified INC as accounting for 10% of observed ransomware activity affecting higher education in its reporting period. The content also references victim claims against OrthoNY and Rx Management, and states Rx Management was listed on the group's leak site with a claim of more than 180 GB of stolen data.

Politically themed targeting is also mentioned: INC Ransom listed Israeli-linked entities on its leak site, including ramet-trom.co.il, with claims of approximately 1 TB of exfiltrated data. One source characterizes INC Ransom and Tarnished Scorpius leak-site activity against Israeli entities as political attacks focused on data destruction and reputational damage rather than financial profit.

Observed tradecraft in the provided content includes use of cmd.exe to launch malicious payloads; WMIC to deploy ransomware; RDP for lateral movement; and NETSCAN.EXE for internal reconnaissance. The group has acquired and used tools including MegaSync, AnyDesk, esentutl, and PsExec, and renamed a PsExec executable to winupd to mimic a legitimate Windows update file. It has used SystemSettingsAdminFlows.exe, a native Windows utility, to disable Windows Defender, and has uninstalled tools from compromised endpoints after use as part of cleanup or anti-forensics.

The content also links INC to broader cybercriminal ecosystem relationships. Microsoft stated that Fox Tempest-enabled activity was linked to operations involving INC, among other ransomware families, indicating INC malware or operations benefited from fraudulent code-signing services used elsewhere in the ecosystem. Separate reporting notes affiliate migration in the ransomware landscape, including movement of former Black Basta affiliates to groups such as INC, and Chainalysis-linked reporting notes overlaps between INC and Lynx based on shared laundering behavior and other overlaps. No nation-state attribution for INC Ransom itself is established in the provided content.
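The tradecraft listed above (a PsExec binary renamed to winupd, SystemSettingsAdminFlows.exe used against Defender, WMIC used to push payloads, NETSCAN.EXE for reconnaissance) lends itself to simple process-creation detections. The following is an added example written for this profile, not code from the page, from Mallory, or from any vendor rule set: it runs four such checks over constructed Sysmon-style events. The field names (image, original_file_name, command_line, parent_image), the sample command lines, and the assumption that PsExec's PE version resource carries the OriginalFileName psexec.c are all assumptions to verify against your own telemetry.

```python
import ntpath
from dataclasses import dataclass

# OriginalFileName values assumed for the Sysinternals PsExec binaries.
# A renamed copy keeps this resource, so the on-disk name and this field disagree.
PSEXEC_ORIGINAL_NAMES = {"psexec.c", "psexesvc.exe"}


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation event (Sysmon-style field names, assumed for this example)."""
    image: str               # full path of the new process
    original_file_name: str  # OriginalFileName from the PE version resource ("" if absent)
    command_line: str
    parent_image: str


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(path).lower()


def renamed_psexec(ev: ProcEvent) -> bool:
    """PsExec whose on-disk name no longer looks like PsExec (e.g. winupd.exe)."""
    return (ev.original_file_name.lower() in PSEXEC_ORIGINAL_NAMES
            and not _base(ev.image).startswith("psex"))


def defender_disable_via_admin_flows(ev: ProcEvent) -> bool:
    """SystemSettingsAdminFlows.exe invoked with Defender-related arguments."""
    return (_base(ev.image) == "systemsettingsadminflows.exe"
            and "defender" in ev.command_line.lower())


def wmic_remote_process_create(ev: ProcEvent) -> bool:
    """WMIC creating a process on a remote host (/node:) - a common payload push."""
    cl = ev.command_line.lower()
    return _base(ev.image) == "wmic.exe" and "/node:" in cl and "process call create" in cl


def netscan_recon(ev: ProcEvent) -> bool:
    """NETSCAN.EXE executing anywhere in the estate."""
    return _base(ev.image) == "netscan.exe"


RULES = {
    "renamed_psexec": renamed_psexec,
    "defender_disable_via_admin_flows": defender_disable_via_admin_flows,
    "wmic_remote_process_create": wmic_remote_process_create,
    "netscan_recon": netscan_recon,
}


def evaluate(events):
    """Return (rule_name, image_basename) for every rule that fires on an event."""
    hits = []
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits.append((name, _base(ev.image)))
    return hits


# Constructed sample telemetry (not real logs): four suspicious events and two benign ones.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\Temp\winupd.exe", "psexec.c",
              r"winupd.exe \\FS01 -s cmd.exe", r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Windows\System32\SystemSettingsAdminFlows.exe", "SystemSettingsAdminFlows.exe",
              "SystemSettingsAdminFlows.exe Defender Off", r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Windows\System32\wbem\wmic.exe", "wmic.exe",
              r'wmic /node:"WS-22" process call create "C:\Users\Public\run.exe"',
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Users\Public\netscan.exe", "netscan.exe",
              "netscan.exe /range:10.0.0.0/24", r"C:\Windows\explorer.exe"),
    # Benign: an administrator's un-renamed PsExec copy.
    ProcEvent(r"C:\Tools\PsExec.exe", "psexec.c",
              r"PsExec.exe \\SRV02 ipconfig", r"C:\Windows\System32\cmd.exe"),
    # Benign: local WMIC query with no remote node.
    ProcEvent(r"C:\Windows\System32\wbem\wmic.exe", "wmic.exe",
              "wmic os get caption", r"C:\Windows\System32\cmd.exe"),
]

if __name__ == "__main__":
    for rule, image in evaluate(SAMPLE_EVENTS):
        print(f"{rule:36} {image}")
```

The renamed-PsExec check is the most durable of the four because it keys on an attribute the operator has to rebuild the binary to change; the other three are name- and argument-based and should be tuned against baseline use of WMIC and the Settings admin flows host in your environment.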
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Health Care Equipment & Services
Where they target
Geographies tied to known operations.
- 🇺🇸 United States
Tradecraft
45 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
4 malware families attributed to this actor across reporting.
Associated vulnerabilities
9 CVEs this actor has used in observed campaigns. 9 of them exploited in the wild.
This analytic identifies potential exploitation attempts of ProxyShell (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) and ProxyNotShell (CVE-2022-41040, CVE-2022-41082) vulnerabilities in Microsoft Exchange Server.
The following analytic detects attempts to exploit CVE-2022-26134, an unauthenticated remote code execution vulnerability in Confluence... This activity is significant as it allows attackers to execute arbitrary code on the Confluence server without authentication, potentially leading to full system compromise.
4 more CVEs tied to this actor tracked in Mallory.
Observables
1 indicator attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
20 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Referenced as one of the ransomware or malware operations linked to Fox Tempest-enabled activity.
Claimed responsibility for the cyberattack on Cardinal Services, stated it stole confidential data, and published the data after an apparent failed ransom negotiation.
Referenced as a ransomware affiliate ecosystem connected to Fox Tempest's malware-signing service.
Referenced as a ransomware affiliate group whose operations were supported by the Fox Tempest signing service.