Exploits CVEs in the wild

IncRansom

Also known asincransom

IncRansom is a ransomware group active in 2025 and 2026 and tracked in public reporting and leak-site monitoring as INCRansom, IncRansom, and incransom. The group is described as one of the more active ransomware operators by victim count in 2025 and was also listed among active groups at the time of analysis, although one source noted a decline in activity from 85 to 40 victims, suggesting reduced operational tempo or a shift in campaign strategy. Reporting cited in the content states that IncRansom was among the gangs targeting healthcare organizations in 2025, and that a healthcare provider specializing in elderly care was listed as a victim on the group’s leak site. The group is also referenced as actively attacking targets in broader campaigns and appears in ransomware trend reporting covering the United States, South Korea, and global victim tracking. The content also states that DevMan2 is a former affiliate group of IncRansom and RansomHub. No high-confidence attribution to a nation state is provided in the content.

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial

OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

Health Care Equipment & Services
Academia & Research

WEAPONIZED

Associated vulnerabilities

1 CVE this actor has used in observed campaigns. 1 of them exploited in the wild.

CVE-2025-5777CitrixBleed 2In the wildEvidence1

CVE-2025-5777 - CitrixBleed 2 - попала в каталог CISA KEV 10 июля 2025 года... CVSS 9.3 (CRITICAL)... подтверждённая связь с ransomware-кампаниями... На GitHub к этому моменту уже лежали рабочие PoC... в nuclei-templates ProjectDiscovery - готовый YAML для массового сканирования.

ACTIVITY FEED

Recent activity

7 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

7 SOURCESView more in app

codebyNews

Jun 15, 2026

Приоритизация патчей CISA KEV: OSINT-воркфлоу Blue Team

Named as an active ransomware group operating during the period discussed, contributing to frequent victimization across sectors including education and healthcare.

cyfirma otherNews

May 15, 2026

TRACKING RANSOMWARE : APRIL 2026 - CYFIRMA

A ransomware operator with reduced activity in April 2026 compared with March.

emsisoftNews

Jan 7, 2026

The State of Ransomware in the U.S.: Report and Statistics 2025

Incransom is a ransomware group that emerged as a top actor in 2025.

ahnlab asec blogNews

Dec 16, 2025

November 2025 Threat Trend Report on Ransomware

INCRansom is mentioned as an active ransomware group in November 2025.

+3 more in the timeline

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.

Start free trial

Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs1

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.