INC Ransom
One of the most prolific healthcare-targeting ransomware groups through 2024 and 2025 — leading confirmed attacks on healthcare providers across both years according to Comparitech tracking. INC Ransom's UK NHS campaigns were particularly impactful: the March 2024 attack on NHS Scotland (Dumfries and Galloway) exposed 3TB of patient data including genetics reports, x-rays, letters between consultants, and medication records, with 150,000 households subsequently notified that their data had likely been stolen. The group emerged in July 2023 and rapidly built a global victim count across healthcare, education, government, and professional services, while its source code sale in March 2024 spawned the Lynx ransomware derivative.
Overview
INC Ransom emerged in July 2023 as a double extortion ransomware operation — tracked by Secureworks as GOLD IONIC — with no confirmed links to previously known ransomware groups. The group operates with a business-like framing, positioning attacks as exposing security weaknesses in victim organizations, though this justification masks straightforward financially motivated extortion. Secureworks analysis suggests the group operates as a closed operation rather than a full RaaS with open affiliate recruitment, though affiliate relationships have been documented — notably with the Vanilla Tempest intrusion group (tracked by Microsoft as formerly DEV-0832) and Storm-0494 as an initial access broker.
What makes INC Ransom notable is not technical novelty — security researchers and law enforcement have characterized the group's tactics as "legacy" techniques relying on valid credentials and known vulnerabilities — but rather the scale and consistency of its healthcare targeting. Comparitech's ransomware tracker placed INC Ransom first for confirmed healthcare attacks in both 2024 and 2025, with 39 healthcare claims in the first nine months of 2025 alone. Healthcare organizations' critical patient care dependencies create payment pressure that the group has systematically exploited across the US, UK, and increasingly Oceania.
A significant development in INC Ransom's ecosystem occurred in March 2024, when an actor sold what appeared to be the INC Ransom source code for approximately $300,000 on underground forums. By July 2024, Lynx ransomware had emerged with approximately 70% shared function similarity and nearly 50% overall code overlap with INC — indicating the source code sale generated a functional successor operation. INC Ransom itself continued operating in parallel, meaning the source code sale effectively multiplied the threat without ending the original group's operations. As of early 2026, INC Ransom appears in Bitdefender's sustained top-ten most active US ransomware groups.
INC Ransom leads all ransomware groups in confirmed healthcare attacks through 2025. In early 2026, ACSC, CERT Tonga, and New Zealand's NCSC issued a joint advisory specifically warning about INC ransomware targeting healthcare organizations in Oceania — including attacks that disrupted Tonga's Ministry of Health and multiple Australian and New Zealand healthcare facilities. The group remains active with ongoing claims through Q1 2026 and consistent appearance in top-ten ransomware leaderboards across major intelligence providers.
Target Profile
INC Ransom targets organizations across multiple sectors but has demonstrated a pronounced and sustained preference for healthcare — a sector the group has hit at nearly three times the average rate compared to other ransomware groups of equivalent size.
- Healthcare (priority sector): Hospitals, NHS trusts, healthcare systems, clinics, and medical facilities across the US, UK, Australia, New Zealand, and the Pacific have been targeted. Healthcare's 24/7 patient care dependencies create acute payment pressure — disruption to clinical services is not just a business problem but a direct patient safety issue. The group has targeted primary care, cancer centers, and regional health boards with no apparent ethical restraint.
- Education: Universities, school districts, and educational institutions featured prominently in INC Ransom's early victim list, representing a higher-than-average proportion compared to other ransomware groups operating in the same period. Educational institutions hold sensitive student data and often lack enterprise-grade security resources.
- Government and public sector: Local councils, government agencies, and national government bodies have been targeted. Leicester City Council suffered a confirmed INC Ransom attack in 2024 with 1.3TB of data published, including rent statements, housing applications, and passport information. Tonga's Ministry of Health was targeted in 2025, disrupting national health services.
- Professional services: Legal firms, accounting organizations, and professional services companies are targeted for the sensitive client data they hold. The group demonstrated understanding of professional liability in these sectors — leaked client confidential data creates regulatory and legal exposure beyond the direct ransom pressure.
- Industrial and manufacturing: Secureworks documented industrial organizations in INC's early victim profile, reflecting a broad cross-sector targeting strategy not limited to the most publicly reported healthcare focus.
- Geographic expansion: Initially concentrated in the US and UK, INC Ransom expanded into Australia from mid-2024 and further into New Zealand and Tonga in 2025. The ACSC documented 11 INC attacks in Australia between July 2024 and December 2025.
Tactics, Techniques & Procedures
INC Ransom's TTPs are characterized by effectiveness over novelty. The group relies on valid credential purchase and known vulnerability exploitation for initial access, with standard post-exploitation tooling for lateral movement and data exfiltration before encryption.
| mitre id | technique | description |
|---|---|---|
| T1078 | Valid Accounts — IAB Credentials | The primary initial access method documented in Australian and Oceanian incidents. INC Ransom purchases compromised account credentials from initial access brokers (IABs) rather than conducting credential attacks independently. This approach reduces their operational footprint and leverages existing compromised credential markets. The Australian ACSC confirmed IAB credential purchase as the typical initial access method in Australian incidents. |
| T1190 | Exploit Public-Facing Application | INC Ransom has exploited CVE-2023-3519 (an unauthenticated remote code execution flaw in Citrix NetScaler ADC) and CVE-2023-4966 (Citrix Bleed, a session-token disclosure that enables authentication bypass). In one Secureworks incident response engagement, Citrix Bleed exploitation may have provided initial access. The group also conducts spear-phishing against some victims as an alternative initial access path. |
| T1566.001 | Spear-Phishing Attachment | Used as an alternative initial access vector alongside IAB credential purchase and vulnerability exploitation. Vanilla Tempest (the Microsoft-tracked affiliate group that adopted INC as its primary payload in August 2024) was specifically observed using phishing for initial access before deploying INC ransomware against healthcare targets. |
| T1087 | Account Discovery — AdFind | Post-initial-access, operators use AdFind — an Active Directory enumeration tool — to map the target environment, enumerate users, groups, and organizational units, and identify high-value targets for lateral movement. This is a consistent documented behavior across multiple Secureworks incident response engagements featuring GOLD IONIC. |
| T1048 | Exfiltration — MEGAsync / WinRAR | Data is archived using WinRAR before exfiltration. MEGAsync (the MEGA cloud storage desktop client) is then used to transfer archived data to attacker-controlled cloud storage. In one documented Secureworks case, operators exfiltrated over 70GB of data via this method before deploying ransomware. MEGA's legitimate status reduces the likelihood of network monitoring blocking the transfer. |
| T1570 | Lateral Tool Transfer — PsExec Mass Deployment | After exfiltrating data, INC Ransom copies the ransomware binary to target systems across the network and executes it remotely via PsExec. In one documented incident, the ransomware binary was copied to over 500 systems before simultaneous execution. The ransomware binary filename is unique per victim and contains the organization's name. |
| T1486 | File Encryption — AES / RSA | INC ransomware encrypts files using AES with RSA key protection. The malware supports command-line arguments allowing operators to specify target drives, network shares, or the entire local device. Ransom notes (INC-README.TXT and INC-README.HTML) are dropped in each encrypted folder. Notably, the ransomware also attempts to output the HTML ransom note to connected printers and fax machines — a pressure tactic to ensure visibility. |
| T1490 | Inhibit System Recovery | INC ransomware attempts to delete Volume Shadow Copies (VSS) to prevent backup-based recovery. This behavior was documented in SentinelOne analysis of the payload. Additionally, INC has exploited CVE-2023-27532 in Veeam Backup and Replication in some campaigns, targeting backup infrastructure to access credentials and hinder recovery capabilities. |
| T1021.001 | Remote Desktop Protocol | RDP is used for lateral movement within compromised networks following initial access via stolen credentials or vulnerability exploitation. The group escalates to administrator-level privileges before deploying the ransomware, using RDP alongside other standard Windows administrative tools for internal movement. |
| T1560 | Archive Collected Data / Double Extortion | Exfiltrated data is published on a Tor-hosted leak site (the INC Ransom .onion blog) when victims decline to pay. Each victim's ransom note includes a personal ID and instructs contact within 72 hours. INC's leak site has published genetics reports, x-rays, clinical correspondence, housing applications, government documents, and personal identification data across its confirmed victim disclosures. |
Known Campaigns
Selected high-impact confirmed operations across INC Ransom's operational history.
From its emergence in July/August 2023, INC Ransom rapidly built a victim list. Secureworks documented 72 victims named on the leak site from August 2023 through March 2024. Early victims were concentrated in the US, with the UK trailing significantly. Industrial, healthcare, and education organizations featured prominently. Initial access methods during this period included exploitation of Citrix vulnerabilities and spear-phishing, with the group already demonstrating the AdFind, WinRAR, MEGAsync, and PsExec toolkit that would become its operational signature.
The NHS Dumfries and Galloway breach is the most consequential INC Ransom attack on record. In February 2024, the NCA and NHS Scotland's Cyber Centre of Excellence alerted NHS Dumfries and Galloway to suspicious server activity. The health board immediately shut down external IT access and engaged incident responders. On March 15, 2024, the attack was publicly disclosed. On March 27, INC Ransom claimed responsibility and published a "proof pack" of sensitive clinical documents on its leak site — including genetics reports, medication records, x-rays, and letters between consultants and patients — threatening to release the full 3TB if ransom demands were not met. The full dataset was published on May 6, 2024. On June 17, NHS Dumfries and Galloway chief executive Julie White wrote to 150,000 households warning that their personal data had likely been stolen and published online. National Records of Scotland subsequently confirmed its data — demographic and census records including births, deaths, and marriages — was also in the leaked dataset due to cross-board data sharing infrastructure on the affected network.
INC Ransom attacked Leicester City Council and published a proof pack of highly sensitive data on April 3, 2024, including rent statements, applications to purchase council housing, and personal identification documents such as passport information. By April 9, a further 1.3TB of council data had been published. The incident demonstrated INC Ransom's consistent willingness to execute on data publication threats — not merely threaten — establishing credibility that increases payment pressure on subsequent victims.
Microsoft documented the Vanilla Tempest intrusion group (formerly DEV-0832, previously deploying BlackCat, Quantum Locker, Zeppelin, and Rhysida) adopting INC Ransom as its primary payload in August 2024. Vanilla Tempest specifically targeted US healthcare organizations. The group gained initial access via phishing campaigns delivering the Gootloader malware — a JavaScript-based malware-as-a-service loader — and in some cases used Storm-0494 as an initial access broker. Post-compromise tools included AnyDesk, BITSAdmin, and MEGAsync for exfiltration before INC ransomware deployment. This affiliate relationship confirmed INC Ransom had extended beyond its original operators.
INC Ransom claimed responsibility for an August 2024 attack on McLaren Health Care in Michigan and its Karmanos cancer centers, with unauthorized access occurring between July 17 and August 3, 2024. The full scope of the breach, affecting 743,131 individuals, was not confirmed until May 2025 during an extensive file review. Compromised data included names, Social Security numbers, driver's license numbers, medical information, and health insurance information. McLaren's listing on the INC Ransom leak site was subsequently removed — suggesting the ransom was paid. This was McLaren Health Care's second ransomware attack within a year.
From mid-2024, INC Ransom began systematically targeting healthcare and professional services organizations in Australia, then expanded into New Zealand and Tonga in 2025. The Australian Cyber Security Centre responded to 11 INC ransomware incidents between July 2024 and December 2025, predominantly in healthcare and professional services. In Tonga, the group targeted the Ministry of Health directly, disrupting national health services. A May 2025 New Zealand healthcare organization attack resulted in large-scale data theft and server encryption, with stolen data published on INC Ransom's dark web site. The joint advisory issued by ACSC, CERT Tonga, and New Zealand's NCSC in March 2026 marked the group's first formal multi-nation advisory response in this region.
Tools & Malware
INC Ransom's toolkit blends a custom ransomware payload with standard living-off-the-land and commodity tools for post-exploitation — a lightweight operational model that achieves high victim counts without requiring proprietary C2 infrastructure or custom exploit development.
- INC ransomware payload: A Windows ransomware binary written with AES file encryption and RSA key protection. Cross-platform variants exist. Supports command-line arguments for targeted or full-device encryption. The binary filename is customized per victim to include the organization's name. Drops INC-README.TXT and INC-README.HTML in each encrypted folder, and attempts to print the HTML ransom note to connected printers and fax machines. Attempts VSS deletion to prevent shadow copy recovery.
- AdFind: A legitimate Active Directory command-line query tool used for post-compromise network enumeration — mapping users, groups, organizational units, and trust relationships to plan lateral movement and identify high-value targets.
- WinRAR: Used to archive files and folders before exfiltration. Data compression via WinRAR precedes MEGAsync upload in the documented exfiltration workflow.
- MEGAsync: The desktop client for MEGA cloud storage, used to exfiltrate archived data to attacker-controlled cloud accounts. MEGA's legitimate reputation and HTTPS transfer protocol reduce the effectiveness of network-layer detection and blocking.
- Meterpreter / NETSCAN.EXE: Meterpreter shells provide post-compromise C2 and lateral movement capability. NETSCAN.EXE — a multi-protocol network scanner — is used for internal network reconnaissance to identify additional targets and assess network topology.
- ESENTUTL.EXE: A legitimate Microsoft Extensible Storage Engine utility used by INC Ransom operators for database management tasks — including potential extraction of credential databases — as part of the post-compromise reconnaissance phase.
- PsExec: Used for mass remote ransomware deployment after exfiltration. Copies the INC ransomware binary across the network and executes it simultaneously on hundreds or thousands of domain-joined systems.
- Lynx ransomware (derivative): A ransomware operation that emerged in July 2024 following the March 2024 sale of INC Ransom source code for approximately $300,000. Binary analysis confirmed approximately 70% function-level code similarity. Lynx operates as a separate group but shares INC's encryption approach and overall architecture, effectively representing a second threat originating from the same codebase.
Indicators of Compromise
Behavioral and structural indicators from documented INC Ransom incidents.
INC Ransom is active and rotates infrastructure. Network IOCs become stale rapidly. Behavioral detection of the toolchain (AdFind, MEGAsync, WinRAR archive chains, PsExec mass execution) is more durable than domain or IP blocklists. The Oceania ACSC/CERT Tonga/NCSC advisory provides specific current IOCs relevant to the most recent campaign wave — consult directly for operational use.
Mitigation & Defense
INC Ransom's characterization by security researchers as using "legacy tactics" — valid credentials and known vulnerabilities — means the defensive controls that stop this group are foundational rather than exotic. The challenge for healthcare organizations is implementing these controls across complex, legacy-heavy infrastructure without disrupting patient care.
- MFA everywhere — especially remote access: The ACSC Oceania advisory cited "walking right into environments with valid credentials" as the primary INC Ransom entry method. MFA on all VPN, RDP, Citrix, and remote access infrastructure is the single most effective control against IAB credential-based intrusion. Where legacy systems cannot support MFA, network-level controls (VPN gateway MFA, jump hosts) provide an interim layer.
- Patch Citrix NetScaler and ADC immediately: CVE-2023-3519 and CVE-2023-4966 (Citrix Bleed) are documented INC Ransom entry points. Both vulnerabilities have patches available and have been actively exploited by multiple ransomware groups beyond INC. Citrix appliances should be in continuous patch cycles with priority treatment for actively exploited CVEs.
- Monitor and restrict MEGAsync: MEGAsync should not be present on enterprise systems outside of specific authorized use cases. Block MEGAsync installation and execution via application control. Monitor for outbound connections to MEGA cloud endpoints (api.mega.co.nz, g.api.mega.co.nz, and MEGA's CDN infrastructure) from systems where no legitimate MEGA usage exists.
- Alert on AdFind execution: AdFind.exe has no legitimate administrative use case in normal day-to-day operations for non-AD administrators. Alert on AdFind execution from any workstation or non-AD-admin server. This is a high-fidelity pre-ransomware indicator used consistently across INC Ransom and many other ransomware groups.
- Monitor for WinRAR archive creation of sensitive directories: WinRAR used to archive bulk files before exfiltration produces detectable file I/O patterns. EDR solutions and DLP tools should alert on mass archiving of sensitive directory paths — particularly those containing patient records, financial data, or PII — by non-authorized processes.
- IAB intelligence integration: INC Ransom frequently uses purchased IAB credentials for initial access. Organizations should subscribe to dark web credential monitoring services that alert when organizational credentials appear in IAB marketplaces. Rapid credential rotation upon detection can close the IAB-sourced entry window before it is exploited.
- Limit PsExec and mass remote execution: Alert on PsExec execution originating from non-standard systems and monitor for mass process spawning across domain members. Application control policies should restrict PsExec to authorized administrative workstations. A single PsExec command deploying a binary to 500+ systems is detectable as an anomalous event in any network monitoring baseline.
- Printer and fax isolation: INC Ransom's ransom note printing behavior — while primarily a pressure tactic — can be leveraged as a detection mechanism. Alert on anomalous print job submissions from non-user processes. As a secondary benefit, isolating printers from direct workstation network paths limits this pressure tactic's effectiveness.
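The detection logic below is an added example, not code from any of the sources cited on this page: it correlates process-creation telemetry for the AdFind, WinRAR, MEGAsync and PsExec chain described in the TTP table and the mitigation items above, and flags a PsExec push to many hosts as the mass-deployment pattern documented there. Host names, share paths, the organization-named binary placeholder and the thresholds are constructed assumptions to be tuned per environment.

```python
"""Detection logic for the INC Ransom toolchain profiled above: AdFind ->
WinRAR archiving -> MEGAsync -> PsExec fan-out, over constructed telemetry."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed tuning values (placeholders, not real infrastructure): share
# roots holding sensitive data, and hosts where AD tooling/PsExec is expected.
SENSITIVE_ROOTS = ("\\\\fs01\\patientrecords", "d:\\finance")
ADMIN_HOSTS = {"ADMIN-JUMP01"}
PSEXEC_FANOUT_THRESHOLD = 25          # distinct targets from one source host
PSEXEC_WINDOW = timedelta(minutes=10)

def classify(event):
    """Map one process-creation event (Sysmon EID 1 style) to a stage, else None."""
    name = event["image"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
    cmd = event.get("cmdline", "").lower()
    if name == "adfind.exe" and event["host"].upper() not in ADMIN_HOSTS:
        return "discovery:adfind"            # AD enumeration off an admin host
    if name in ("rar.exe", "winrar.exe") and any(r in cmd for r in SENSITIVE_ROOTS):
        return "collection:winrar_sensitive"  # bulk archive of sensitive paths
    if name == "megasync.exe":
        return "exfil:megasync"              # MEGA desktop client present
    if name in ("psexec.exe", "psexec64.exe"):
        return "lateral:psexec"
    return None

def psexec_targets(cmdline):
    """Return the \\\\host tokens named on a PsExec command line, lower-cased."""
    return [t.strip('"').lower() for t in cmdline.split() if t.startswith("\\\\")]

def analyse(events):
    """Correlate per source host: stages seen, PsExec fan-out size, severity."""
    stages, hits = defaultdict(set), defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        stage = classify(ev)
        if stage is None:
            continue
        stages[ev["host"]].add(stage)
        if stage == "lateral:psexec":
            hits[ev["host"]] += [(ev["time"], t) for t in psexec_targets(ev["cmdline"])]
    report = {}
    for host, seen in stages.items():
        fanout = 0   # largest set of distinct targets pushed within one window
        for i, (t0, _) in enumerate(hits[host]):
            fanout = max(fanout, len({t for ts, t in hits[host][i:] if ts - t0 <= PSEXEC_WINDOW}))
        # Three stages, or a mass PsExec push, is the pre-encryption picture in the TTP table.
        critical = len(seen) >= 3 or fanout >= PSEXEC_FANOUT_THRESHOLD
        report[host] = {"stages": sorted(seen), "psexec_fanout": fanout,
                        "severity": "critical" if critical else "medium"}
    return report

def sample_events():
    """Constructed telemetry: one compromised server walks the whole chain."""
    t = datetime(2025, 5, 1, 2, 0)
    ev = [{"host": "SRV-APP02", "time": t, "image": "C:\\Temp\\AdFind.exe",
           "cmdline": "adfind.exe -f objectcategory=person"},
          {"host": "SRV-APP02", "time": t + timedelta(hours=1), "image": "C:\\Program Files\\WinRAR\\Rar.exe",
           "cmdline": "rar.exe a -r D:\\Temp\\pr.rar \\\\fs01\\patientrecords"},
          {"host": "SRV-APP02", "time": t + timedelta(hours=2), "cmdline": "megasync.exe",
           "image": "C:\\Users\\svc\\AppData\\Local\\MEGAsync\\MEGAsync.exe"},
          # Expected AdFind use on the admin jump host: must not be flagged.
          {"host": "ADMIN-JUMP01", "time": t, "image": "C:\\Tools\\AdFind.exe", "cmdline": "adfind.exe -default"}]
    for i in range(30):   # mass deployment: 30 targets inside two minutes
        ev.append({"host": "SRV-APP02", "time": t + timedelta(hours=5, seconds=4 * i),
                   "image": "C:\\Temp\\PsExec.exe",
                   "cmdline": f"psexec.exe \\\\WS{i:03d} -c -d C:\\Temp\\PLACEHOLDER_ORG.exe"})
    return ev
```

Running `analyse(sample_events())` reports SRV-APP02 at critical severity with all four stages and a 30-host PsExec fan-out, while the jump host's expected AdFind use produces no entry.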
INC Ransom's position as the leading healthcare ransomware group in both 2024 and 2025 reflects a deliberate targeting strategy built on the sector's payment incentives — clinical disruption carries direct patient safety consequences that create payment pressure unavailable in other sectors. The group's source code sale in March 2024 is unusual: rather than a shutdown or rebrand, INC Ransom sold its code and continued operating, effectively proliferating a second active threat (Lynx) while maintaining its own operations. This commercialization pattern — monetizing the ransomware platform itself alongside victim extortion — may represent an emerging model. INC Ransom's code carries no explicit CIS-exclusion logic of the kind typical of Russian-origin groups, which complicates origin attribution; nonetheless, its confirmed victimology contains no CIS victims and is entirely Western, a pattern consistent with Russian or CIS origin regardless of what the code formally checks.
Sources & Further Reading
Attribution and references used to build this profile.
- Dark Reading — INC Ransomware Holds Healthcare Hostage in Oceania (2026)
- BleepingComputer — INC Ransom Threatens to Leak 3TB of NHS Scotland Stolen Data (2024)
- The Register — INC Ransom Claims Responsibility for Attack on NHS Scotland (2024)
- NHS Dumfries and Galloway — Official Cyber Attack Information Page (2024)
- Secureworks — GOLD IONIC Deploys INC Ransomware (2024)
- Halcyon — INC Ransom Threat Group Profile (2025)
- SentinelOne — Inc. Ransomware: Analysis, Detection, and Mitigation (2025)
- Comparitech — Healthcare Ransomware Roundup: 2025 Stats on Attacks, Ransoms, and Breaches (2026)
- Infosecurity Magazine — NHS Trust Confirms Clinical Data Leaked by Recognized Ransomware Group (2024)