Threat Actor Profile
High APT
Description

INC Ransom is a ransomware and data extortion threat group associated with the deployment of INC Ransomware. The group has been active since at least July 2023. INC Ransom has targeted organizations worldwide, most commonly in the industrial, healthcare, and education sectors in the US and Europe. (Citation: Bleeping Computer INC Ransomware March 2024) (Citation: Cybereason INC Ransomware November 2023) (Citation: Secureworks GOLD IONIC April 2024) (Citation: SentinelOne INC Ransomware)

Confidence Score: 90%
Known Aliases: INC Ransom, GOLD IONIC
Tags: mitre-attack, stix-2.1, intrusion-set
First Seen: Unknown
Last Updated: Unknown
Active Status: Active
Created: April 29, 2026

MITRE ATT&CK Techniques (25)
T1074 - Data Staged (Collection)
T1560.001 - Archive via Utility (Collection)
T1071 - Application Layer Protocol (Command and Control)
T1105 - Ingress Tool Transfer (Command and Control)
T1219 - Remote Access Tools (Command and Control)
T1036.005 - Match Legitimate Resource Name or Locat… (Defense Evasion)
T1070.004 - File Deletion (Defense Evasion)
T1078 - Valid Accounts (Defense Evasion)
T1562.001 - Disable or Modify Tools (Defense Evasion)
T1046 - Network Service Discovery (Discovery)
T1049 - System Network Connections Discovery (Discovery)
T1069.002 - Domain Groups (Discovery)
T1087.002 - Domain Account (Discovery)
T1135 - Network Share Discovery (Discovery)
T1047 - Windows Management Instrumentation (Execution)
T1059.003 - Windows Command Shell (Execution)
T1569.002 - Service Execution (Execution)
T1537 - Transfer Data to Cloud Account (Exfiltration)
T1486 - Data Encrypted for Impact (Impact)
T1657 - Financial Theft (Impact)
T1190 - Exploit Public-Facing Application (Initial Access)
T1566 - Phishing (Initial Access)
T1021.001 - Remote Desktop Protocol (Lateral Movement)
T1570 - Lateral Tool Transfer (Lateral Movement)
T1588.002 - Tool (Resource Development)
STIX Data
{'aliases': ['INC Ransom', 'GOLD IONIC'],
 'created': '2024-06-06T17:16:38.704Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': '[INC Ransom](https://attack.mitre.org/groups/G1032) is a '
                'ransomware and data extortion threat group associated with '
                'the deployment of [INC '
                'Ransomware](https://attack.mitre.org/software/S1139) that has '
                'been active since at least July 2023. [INC '
                'Ransom](https://attack.mitre.org/groups/G1032)  has targeted '
                'organizations worldwide most commonly in the industrial, '
                'healthcare, and education sectors in the US and '
                'Europe.(Citation: Bleeping Computer INC Ransomware March '
                '2024)(Citation: Cybereason INC Ransomware November '
                '2023)(Citation: Secureworks GOLD IONIC April 2024)(Citation: '
                'SentinelOne INC Ransomware)',
 'external_references': [{'external_id': 'G1032',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/groups/G1032'},
                         {'description': '(Citation: Secureworks GOLD IONIC '
                                         'April 2024)',
                          'source_name': 'GOLD IONIC'},
                         {'description': 'Counter Threat Unit Research Team. '
                                         '(2024, April 15). GOLD IONIC DEPLOYS '
                                         'INC RANSOMWARE. Retrieved June 5, '
                                         '2024.',
                          'source_name': 'Secureworks GOLD IONIC April 2024',
                          'url': 'https://www.secureworks.com/blog/gold-ionic-deploys-inc-ransomware'},
                         {'description': 'Cybereason Security Research Team. '
                                         '(2023, November 20). Threat Alert: '
                                         'INC Ransomware. Retrieved June 5, '
                                         '2024.',
                          'source_name': 'Cybereason INC Ransomware November '
                                         '2023',
                          'url': 'https://www.cybereason.com/hubfs/dam/collateral/reports/threat-alert-inc-ransomware.pdf'},
                         {'description': 'SentinelOne. (n.d.). What Is Inc. '
                                         'Ransomware?. Retrieved June 5, 2024.',
                          'source_name': 'SentinelOne INC Ransomware',
                          'url': 'https://www.sentinelone.com/anthology/inc-ransom/'},
                         {'description': 'Toulas, B. (2024, March 27). INC '
                                         'Ransom threatens to leak 3TB of NHS '
                                         'Scotland stolen data. Retrieved June '
                                         '5, 2024.',
                          'source_name': 'Bleeping Computer INC Ransomware '
                                         'March 2024',
                          'url': 'https://www.bleepingcomputer.com/news/security/inc-ransom-threatens-to-leak-3tb-of-nhs-scotland-stolen-data/'}],
 'id': 'intrusion-set--cb41e991-65f4-4668-a65f-f4200545b5a1',
 'modified': '2024-10-28T19:03:08.838Z',
 'name': 'INC Ransom',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': False,
 'spec_version': '2.1',
 'type': 'intrusion-set',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_contributors': ['Matt Anderson, @\u200cnosecurething, Huntress'],
 'x_mitre_deprecated': False,
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_version': '1.0'}