Threat Actor Profile
Critical
Cybercriminal
Confidence Score
Tags
ransomware
ransomware.live
First Seen
Unknown
Last Updated
Unknown
Active Status
Active
Created
April 29, 2026
Indicators of Compromise
IOC KQL for Sentinel
STIX Data
{'added_date': None,
'client': '2003264@sit.singaporetech.edu.sg',
'description': None,
'firstseen': '2023-08-06T16:58:36.719909+00:00',
'group': 'incransom',
'has_negotiations': False,
'has_ransomnote': False,
'lastseen': '2026-04-29T00:00:00+00:00',
'locations': [{'available': False,
'fqdn': 'incblog7vmuq7rktic73r4ha4j757m3ptym37tyvifzp2roedyyzzxid.onion',
'slug': 'http://incblog7vmuq7rktic73r4ha4j757m3ptym37tyvifzp2roedyyzzxid.onion/blog/leaks',
'title': 'INC Ransom',
'type': 'DLS'},
{'available': False,
'fqdn': 'incbackrlasjesgpfu5brktfjknbqoahe2hhmqfhasc5fb56mtukn4yd.onion',
'slug': 'http://incbackrlasjesgpfu5brktfjknbqoahe2hhmqfhasc5fb56mtukn4yd.onion/api/blog/get-leaks',
'title': '',
'type': 'DLS'},
{'available': False,
'fqdn': 'incapt.su',
'slug': 'http://incapt.su/blog/leaks',
'title': 'Error Response Page',
'type': 'DLS'},
{'available': False,
'fqdn': 'incbackend.top',
'slug': 'http://incbackend.top/api/blog/get-leaks',
'title': 'Error Response Page',
'type': 'DLS'},
{'available': False,
'fqdn': 'incapt.blog',
'slug': 'http://incapt.blog/blog/leaks',
'title': 'INC Ransom',
'type': 'DLS'},
{'available': True,
'fqdn': 'incblog6qu4y4mm4zvw5nrmue6qbwtgjsxpw6b7ixzssu36tsajldoad.onion',
'slug': 'http://incblog6qu4y4mm4zvw5nrmue6qbwtgjsxpw6b7ixzssu36tsajldoad.onion/blog/disclosures',
'title': 'Disclosures',
'type': 'DLS'},
{'available': True,
'fqdn': 'incbacg6bfwtrlzwdbqc55gsfl763s3twdtwhp27dzuik6s6rwdcityd.onion',
'slug': 'http://incbacg6bfwtrlzwdbqc55gsfl763s3twdtwhp27dzuik6s6rwdcityd.onion/api/v1/blog/get/announcements?page=1&perPage=15',
'title': '',
'type': 'DLS'}],
'negotiation_count': 0,
'ransomnotes_count': 0,
'tiaras_metadata': {'has_negotiations': False,
'has_ransomnote': False,
'locations': [{'available': False,
'fqdn': 'incblog7vmuq7rktic73r4ha4j757m3ptym37tyvifzp2roedyyzzxid.onion',
'slug': 'http://incblog7vmuq7rktic73r4ha4j757m3ptym37tyvifzp2roedyyzzxid.onion/blog/leaks',
'title': 'INC Ransom',
'type': 'DLS'},
{'available': False,
'fqdn': 'incbackrlasjesgpfu5brktfjknbqoahe2hhmqfhasc5fb56mtukn4yd.onion',
'slug': 'http://incbackrlasjesgpfu5brktfjknbqoahe2hhmqfhasc5fb56mtukn4yd.onion/api/blog/get-leaks',
'title': '',
'type': 'DLS'},
{'available': False,
'fqdn': 'incapt.su',
'slug': 'http://incapt.su/blog/leaks',
'title': 'Error Response Page',
'type': 'DLS'},
{'available': False,
'fqdn': 'incbackend.top',
'slug': 'http://incbackend.top/api/blog/get-leaks',
'title': 'Error Response Page',
'type': 'DLS'},
{'available': False,
'fqdn': 'incapt.blog',
'slug': 'http://incapt.blog/blog/leaks',
'title': 'INC Ransom',
'type': 'DLS'},
{'available': True,
'fqdn': 'incblog6qu4y4mm4zvw5nrmue6qbwtgjsxpw6b7ixzssu36tsajldoad.onion',
'slug': 'http://incblog6qu4y4mm4zvw5nrmue6qbwtgjsxpw6b7ixzssu36tsajldoad.onion/blog/disclosures',
'title': 'Disclosures',
'type': 'DLS'},
{'available': True,
'fqdn': 'incbacg6bfwtrlzwdbqc55gsfl763s3twdtwhp27dzuik6s6rwdcityd.onion',
'slug': 'http://incbacg6bfwtrlzwdbqc55gsfl763s3twdtwhp27dzuik6s6rwdcityd.onion/api/v1/blog/get/announcements?page=1&perPage=15',
'title': '',
'type': 'DLS'}],
'negotiation_count': 0,
'ransomnotes_count': 0,
'ransomware_live_group': 'incransom',
'tools': {'CredentialTheft': ['Mimikatz'],
'DefenseEvasion': [],
'DiscoveryEnum': ['AdFind',
'Advanced IP Scanner',
'SoftPerfect NetScan'],
'Exfiltration': ['BackBlaze',
'MEGA',
'Restic',
'RClone',
's5cmd',
'7-Zip',
'WinRAR'],
'LOLBAS': ['Finger', 'PsExec'],
'Networking': ['Bitvise SSH Client'],
'Offsec': [],
'RMM-Tools': ['AnyDesk']},
'url': 'https://www.ransomware.live/group/incransom',
'victims': 779,
'vulnerabilities': []},
'tiaras_source': 'ransomware.live',
'tools': {'CredentialTheft': ['Mimikatz'],
'DefenseEvasion': [],
'DiscoveryEnum': ['AdFind',
'Advanced IP Scanner',
'SoftPerfect NetScan'],
'Exfiltration': ['BackBlaze',
'MEGA',
'Restic',
'RClone',
's5cmd',
'7-Zip',
'WinRAR'],
'LOLBAS': ['Finger', 'PsExec'],
'Networking': ['Bitvise SSH Client'],
'Offsec': [],
'RMM-Tools': ['AnyDesk']},
'ttps': [],
'url': 'https://www.ransomware.live/group/incransom',
'victims': 779,
'vulnerabilities': []}