INC Ransom Ransomware


About This Threat Profile

First Identified: 2023

Threat Type:
Ransomware-as-a-Service (RaaS)

Extortion method:
Double Extortion – the operators encrypt victim data, exfiltrate sensitive data beforehand, and threaten to leak that data if the ransom is not paid.

Most frequently targeted industry:

  • Healthcare

Most frequently targeted victim HQ region: North America

Known Associations:

  • GOLD IONIC
  • Lynx Ransomware
  • Tarnished Scorpius
  • Water Anito

Select MITRE ATT&CK Mappings

    • Initial Access
      • Valid Accounts, Exploit Public-Facing Application, Supply Chain Compromise, Phishing (MITRE ATT&CK: T1078, T1190, T1195, T1566)
    • Persistence
      • Scheduled Task/Job, Valid Accounts, Create Account, Create or Modify System Process (MITRE ATT&CK: T1053, T1078, T1136, T1543)
    • Lateral Movement
      • Remote Services, Use Alternate Authentication Material, Lateral Tool Transfer (MITRE ATT&CK: T1021, T1550, T1570)

Description of INC Ransom Ransomware

INC Ransom ransomware was first observed in July 2023 and uses the double extortion model: victim data is stolen before encryption and leaked via a data leak site if the ransom demand is not paid. The operators maintain the data leak site and a separate site where victims negotiate ransom payments.

INC Ransom operators have been observed gaining initial access via social engineering attacks and using valid credentials to target external remote services, such as RDP.

The initial behavior of the ransomware depends on the command line arguments the operators supply. INC Ransom affiliates have been assessed to conduct a significant amount of reconnaissance on a victim organization before deployment, which likely informs the affiliate's choice of encryption mode.

Similar to other ransomware variants, INC Ransom deletes volume shadow copies and skips certain files and directories when encrypting, including .msi, .exe, .dll and .inc files and the Windows, Program Files, $RECYCLE.BIN and appdata directories. INC Ransom uses multi-threading to speed up encryption: the number of worker threads is the number of processors multiplied by 4. To speed up encryption further, INC Ransom uses partial (intermittent) encryption, keyed to file size:

  • If the file is smaller than 1MB, the entire file is encrypted.
  • If the file is larger than 1MB but smaller than 3MB, only the first 1MB is encrypted and the remainder is left untouched.
  • If the file is larger than 3MB, the file is processed in a repeating pattern: 1MB encrypted, then 2MB skipped, until the end of the file.
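The size-based layout above can be modelled directly, which is useful during incident response: if a suspect file follows the pattern, its encrypted regions should look like ciphertext (high entropy) while the skipped regions still contain recoverable plaintext. The following is an added example written for this profile, not the ransomware's own code or anything published by Blackpoint Cyber. It assumes the profile's "1MB" means 1 MiB and uses a 7.0 bits/byte entropy threshold; the sample file it checks is constructed inline. It generalizes the three bullets to a single function that returns the byte ranges touched for any file size.

```python
import math
import os
from collections import Counter

MB = 1024 * 1024  # assumption: the profile's "1MB" is read as 1 MiB


def encrypted_ranges(size):
    """Half-open (start, end) byte ranges the scheme encrypts for a file of `size` bytes."""
    if size <= 0:
        return []
    if size < MB:                 # small file: encrypted in full
        return [(0, size)]
    if size < 3 * MB:             # 1MB..3MB: only the first 1MB
        return [(0, MB)]
    ranges = []                   # >= 3MB: 1MB encrypted, 2MB skipped, repeating
    offset = 0
    while offset < size:
        ranges.append((offset, min(offset + MB, size)))
        offset += 3 * MB
    return ranges


def skipped_ranges(size):
    """Complement of encrypted_ranges: plaintext regions the scheme leaves untouched."""
    gaps, cursor = [], 0
    for start, end in encrypted_ranges(size):
        if start > cursor:
            gaps.append((cursor, start))
        cursor = end
    if cursor < size:
        gaps.append((cursor, size))
    return gaps


def encrypted_fraction(size):
    """Share of the file actually encrypted; tends towards 1/3 for large files."""
    if size <= 0:
        return 0.0
    return sum(end - start for start, end in encrypted_ranges(size)) / size


def thread_count(cpu_count):
    """Worker threads the profile reports: processors multiplied by 4."""
    return cpu_count * 4


def shannon_entropy(buf):
    """Bits per byte; ~8.0 for ciphertext, well below that for most plaintext."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def matches_layout(data, threshold=7.0):
    """True if encrypted regions look like ciphertext and skipped regions do not.

    Assumption: a 7.0 bits/byte cut-off separates the two; tune it for
    inputs that are already compressed or encrypted."""
    size = len(data)
    enc_ok = all(shannon_entropy(data[s:e]) >= threshold for s, e in encrypted_ranges(size))
    gap_ok = all(shannon_entropy(data[s:e]) < threshold for s, e in skipped_ranges(size))
    return enc_ok and gap_ok


def build_sample(size):
    """Constructed sample file: repetitive text, with random bytes written over
    exactly the ranges the scheme would encrypt."""
    line = b"constructed sample plaintext line\n"
    data = bytearray((line * (size // len(line) + 1))[:size])
    for start, end in encrypted_ranges(size):
        data[start:end] = os.urandom(end - start)   # stands in for ciphertext
    return bytes(data)


if __name__ == "__main__":
    for size in (512 * 1024, 2 * MB, 7 * MB):
        print(f"{size / MB:.1f} MiB -> encrypted {encrypted_ranges(size)}, "
              f"fraction {encrypted_fraction(size):.2f}")
    sample = build_sample(3 * MB + MB // 2)
    print("sample follows INC Ransom layout:", matches_layout(sample))
```

For triage, run `encrypted_ranges(os.path.getsize(path))` against a file that carries the ransomware's extension and then carve the ranges `skipped_ranges` returns: for large files those regions are still plaintext and may hold enough of a document or database page to recover content without a key.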

After setting the parameters, the ransomware decrypts its embedded ransom notes. In each encrypted directory it drops two ransom notes, one as a .txt file and the other in .html format. INC Ransom also enumerates printers reachable on the network and sends them a print job containing the ransom note, and it changes the host's desktop wallpaper to display the ransom note.

Security researchers have reported that INC Ransom and Lynx Ransomware share a significant amount of code. Multiple researchers have reported that the Windows variants have a 40% code similarity and a 70.8% similarity in specific functions, while the Linux variants have a 91% code similarity and an 87% overall overlap.

In 2024, INC Ransom operators listed their source code for sale on a dark web forum for $300,000. There is an even chance that Lynx operators purchased the source code and built their own variant from it.

INC Ransom has significantly increased its activity in 2025: the group listed 162 victims in 2024 and more than 300 so far in 2025. The increase in activity, and the group's ability to remain a credible threat in the ransomware landscape, has been attributed to its ability to adapt.

Date published: November 20, 2025
Author: Blackpoint Cyber