G1032: INC Ransom
INC Ransom is a ransomware and data extortion threat group associated with the deployment of INC Ransomware that has been active since at least July 2023. INC Ransom has targeted organizations worldwide most commonly in the industrial, healthcare, and education sectors in the US and Europe.[1][2][3][4]
Analyst context for executives and security teams
INC Ransom is an ATT&CK group entry for a ransomware and data extortion threat group associated with INC Ransomware, with reported targeting across industrial, healthcare, and education organizations in the US and Europe. For leaders, the practical issue is not a single malware signature; it is a ransomware playbook that can combine credential abuse, remote access, Active Directory discovery, lateral movement, data staging/exfiltration tooling, and eventual ransomware deployment.
Executive priority
Prioritize this as a business-continuity and incident-readiness scenario, especially where industrial operations, healthcare delivery, or education services depend on Windows identity, remote administration, and shared file infrastructure. Executives should ask whether the organization can prove control over exposed applications, RDP and remote access paths, privileged/domain accounts, data exfiltration routes, and recovery capability before encryption or extortion becomes the decision point.
Technical view
ATT&CK provides no official detection text for this group, so defenders should validate coverage from the related behaviors and software. The relationship set points to Windows-heavy activity such as PsExec, Net, Nltest, AdFind, esentutl, WMI, Windows command shell, RDP, domain and share discovery, valid accounts, file deletion, remote access tools, Rclone, Tor, data staging, ingress tool transfer, and INC Ransomware. SOC and IR teams should test whether they can reconstruct the chain across identity, endpoint, network, web-facing application, and data movement evidence rather than relying on one malware alert.
Likely telemetry
- Authentication and identity logs for valid-account use, privileged logons, remote access, and RDP activity
- Endpoint process creation and command-line telemetry for cmd.exe, WMI, PsExec, Net, Nltest, AdFind, esentutl, Rclone, and remote access tools
- Active Directory and domain controller logs showing account, group, trust, and domain enumeration
- Windows service creation, administrative share, SMB, and lateral movement evidence
- Web server, application, VPN, and edge-device logs for public-facing application exploitation or exposed access paths
Detection direction
- Build detections around behavior clusters: remote access or valid-account use followed by domain discovery, share discovery, lateral execution, staging, and large outbound transfer.
- Treat PsExec, Net, Nltest, AdFind, WMI, RDP, esentutl, Rclone, and remote access tools as dual-use: tune with administrator baselines, approved hosts, change windows, and ticket context to reduce false positives.
- Correlate identity events with endpoint command lines; many high-value signals come from legitimate accounts using legitimate tools in unusual sequences.
- Validate monitoring of public-facing applications and remote access services, since relationships include Exploit Public-Facing Application, Valid Accounts, and RDP.
- Look for data-theft precursors before encryption: staged archives or directories, Rclone or MegaSync execution and configuration artifacts, unusual cloud-storage synchronization, Tor use, and abnormal egress volumes.
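The behaviour-cluster idea in the list above, worked as an added example that is not part of the ATT&CK object or of any vendor report: a small Python detector that classifies constructed endpoint and logon events into stages (access, discovery, lateral, staging, exfil), scores them per account inside a time window, and suppresses an approved administrator baseline. The event format, the stage keyword lists, `APPROVED_ADMIN_BASELINE`, the 24-hour window and the sample events are all assumptions for this example; the tool names come from the technique table on this page.

```python
"""Behaviour-cluster detector for the INC Ransom style chain described on this page.

Added example (not ATT&CK content): the event format, stage keywords, baseline and
sample telemetry below are constructed for illustration. Tune STAGE_PATTERNS,
APPROVED_ADMIN_BASELINE, WINDOW and MIN_STAGES to your own environment.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Stage -> lower-cased substrings matched against "<kind> <detail>".
# Tool names are those listed in the technique table; the grouping is an assumption.
STAGE_PATTERNS = {
    "access":    ["logon_type=10", "anydesk"],                      # RDP logon / remote access tool
    "discovery": ["nltest", "net group", "net1 group", "net view",
                  "adfind", "netscan.exe", "advanced_ip_scanner"],
    "lateral":   ["psexec", "wmic", "mstsc.exe", "c$", "admin$"],    # remote exec / admin shares
    "staging":   ["7z.exe a ", "winrar.exe a ", "rar.exe a "],      # archive before exfil
    "exfil":     ["rclone", "megasync", "mega.nz"],
}
# (host, account) pairs with an approved admin baseline; their events are not scored.
APPROVED_ADMIN_BASELINE = {("ADMIN01", "corp\\svc_patch")}
WINDOW = timedelta(hours=24)   # how close stages must be to count as one cluster
MIN_STAGES = 3                 # distinct stages needed before alerting

# Constructed sample events: ts|host|account|kind|detail (raw string, backslashes literal).
SAMPLE_EVENTS = r"""
2024-05-01T01:02:00|FS01|corp\jdoe|logon|logon_type=10 src=10.0.5.23
2024-05-01T01:05:10|FS01|corp\jdoe|process|nltest /dclist:corp
2024-05-01T01:06:30|FS01|corp\jdoe|process|net group "domain admins" /domain
2024-05-01T01:40:00|FS01|corp\jdoe|process|7z.exe a -mx1 C:\Temp\fin.7z \\FS01\finance
2024-05-01T02:10:00|FS01|corp\jdoe|process|rclone.exe copy C:\Temp\fin.7z mega:backup
2024-05-01T02:30:00|FS01|corp\jdoe|process|copy winupd.exe \\WS14\C$\Windows\winupd.exe
2024-05-01T09:00:00|ADMIN01|corp\svc_patch|process|net group "domain admins" /domain
2024-05-01T09:05:00|ADMIN01|corp\svc_patch|process|psexec \\WS20 -s cmd /c gpupdate /force
2024-05-03T09:00:00|WS07|corp\asmith|process|7z.exe a report.7z report.docx
"""


def parse_events(text):
    """Split the pipe-delimited sample format into (ts, host, account, kind, detail)."""
    events = []
    for line in text.strip().splitlines():
        ts, host, account, kind, detail = line.split("|", 4)
        events.append((datetime.fromisoformat(ts), host, account, kind, detail))
    return events


def classify(kind, detail):
    """Map one event to a stage name, or None if it is not a stage indicator."""
    text = f"{kind} {detail}".lower()
    for stage, needles in STAGE_PATTERNS.items():
        if any(n in text for n in needles):
            return stage
    return None


def detect(text, baseline=APPROVED_ADMIN_BASELINE, window=WINDOW, min_stages=MIN_STAGES):
    """Return one alert per account whose events cover >= min_stages stages inside window."""
    hits = defaultdict(list)                      # account -> [(ts, stage, host)]
    for ts, host, account, kind, detail in parse_events(text):
        if (host, account) in baseline:           # approved admin activity is not scored
            continue
        stage = classify(kind, detail)
        if stage:
            hits[account].append((ts, stage, host))
    alerts = []
    for account, rows in hits.items():
        rows.sort()
        best = None
        for i, (start, _, _) in enumerate(rows):  # slide a window starting at every hit
            in_win = [r for r in rows[i:] if r[0] - start <= window]
            stages = {r[1] for r in in_win}
            if len(stages) >= min_stages and (best is None or len(stages) > len(best["stages"])):
                best = {"account": account, "stages": sorted(stages),
                        "hosts": sorted({r[2] for r in in_win}),
                        "first": start.isoformat(), "last": in_win[-1][0].isoformat()}
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Run as-is, only `corp\jdoe` alerts: an RDP logon followed by domain discovery, archiving, Rclone and a copy to an admin share inside ninety minutes. The `svc_patch` account runs the same discovery and PsExec commands but from the baselined admin host, so it is never scored; drop the baseline and lower `MIN_STAGES` to two and it surfaces as well, which is the false-positive trade-off the tuning bullet above describes.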
Mitigation priorities
- First reduce initial access exposure: inventory Internet-facing applications and remote access services, remediate known weaknesses and misconfigurations, and restrict unnecessary exposure.
- Strengthen identity controls for valid-account abuse: enforce MFA where applicable, remove stale accounts, limit privileged access, monitor domain admin activity, and constrain RDP use.
- Harden lateral movement paths by limiting administrative shares and remote execution methods to approved administrators and managed systems.
- Control dual-use tooling by defining approved use of PsExec, Rclone, remote access tools, and administrative discovery utilities, then alerting on exceptions.
- Improve egress governance for cloud storage, Tor-related traffic, and unusual application-layer outbound connections.
Analyst notes and limits
The strongest decision value in this object comes from the relationships rather than the group-level fields. The ATT&CK entry ties INC Ransom to INC Ransomware and to behaviors spanning initial access, discovery, lateral movement, command and control, collection, exfiltration preparation, and stealth. The sector references make operational resilience particularly relevant for industrial, healthcare, and education environments, but local exposure must be determined from the organization’s own assets and telemetry.
ATT&CK does not provide official detection guidance, tactics, or platforms on the group object itself. The Windows focus noted above is inferred only from the related ATT&CK software and technique relationships. This summary does not establish current targeting of any specific organization, confirmed exploitation in a local environment, or guaranteed detection coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure (sources) |
|---|---|---|---|
| Enterprise | T1486 | Data Encrypted for Impact | INC Ransom has used INC Ransomware to encrypt victims' data. Sources: SentinelOne INC Ransomware; Huntress INC Ransom Group August 2023; Bleeping Computer INC Ransomware March 2024; Secureworks GOLD IONIC April 2024; Cybereason INC Ransomware November 2023; SOCRadar INC Ransom January 2024 |
| Enterprise | T1021.001 | Remote Services: Remote Desktop Protocol | INC Ransom has used RDP to move laterally. Sources: Cybereason INC Ransomware November 2023; Huntress INC Ransom Group August 2023; SOCRadar INC Ransom January 2024; Huntress INC Ransomware May 2024 |
| Enterprise | T1657 | Financial Theft | INC Ransom has stolen and encrypted victims' data in order to extort payment for keeping it private or decrypting it. Sources: Cybereason INC Ransomware November 2023; Bleeping Computer INC Ransomware March 2024; Secureworks GOLD IONIC April 2024; SOCRadar INC Ransom January 2024; SentinelOne INC Ransomware |
| Enterprise | T1047 | Windows Management Instrumentation | INC Ransom has used WMIC to deploy ransomware. Sources: Cybereason INC Ransomware November 2023; Huntress INC Ransom Group August 2023; SOCRadar INC Ransom January 2024 |
| Enterprise | T1566 | Phishing | INC Ransom has used phishing to gain initial access. Sources: SOCRadar INC Ransom January 2024; SentinelOne INC Ransomware |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | INC Ransom has used `cmd.exe` to launch malicious payloads. Sources: Huntress INC Ransom Group August 2023 |
| Enterprise | T1537 | Transfer Data to Cloud Account | INC Ransom has used MegaSync to exfiltrate data to the cloud. Sources: Secureworks GOLD IONIC April 2024 |
| Enterprise | T1087.002 | Account Discovery: Domain Account | INC Ransom has scanned for domain admin accounts in compromised environments. Sources: SOCRadar INC Ransom January 2024 |
| Enterprise | T1074 | Data Staged | INC Ransom has staged data on compromised hosts prior to exfiltration. Sources: Huntress INC Ransom Group August 2023; SOCRadar INC Ransom January 2024 |
| Enterprise | T1071 | Application Layer Protocol | INC Ransom has used valid accounts over RDP to connect to targeted systems. Sources: Huntress INC Ransom Group August 2023 |
| Enterprise | T1046 | Network Service Discovery | INC Ransom has used NETSCAN.EXE for internal reconnaissance. Sources: SOCRadar INC Ransom January 2024; SentinelOne INC Ransomware |
| Enterprise | T1569.002 | System Services: Service Execution | INC Ransom has run a file encryption executable via a service install recorded as `Service Control Manager/7045;winupd,%SystemRoot%\winupd.exe,user mode service,demand start,LocalSystem`. Sources: Huntress INC Ransom Group August 2023 |
| Enterprise | T1219 | Remote Access Tools | INC Ransom has used AnyDesk and PuTTY on compromised systems. Sources: Huntress INC Ransom Group August 2023; SOCRadar INC Ransom January 2024; Huntress INC Ransomware May 2024; SentinelOne INC Ransomware |
| Enterprise | T1685 | Disable or Modify Tools | INC Ransom can use SystemSettingsAdminFlows.exe, a native Windows utility, to disable Windows Defender. Sources: Huntress INC Ransomware May 2024 |
| Enterprise | T1588.002 | Obtain Capabilities: Tool | INC Ransom has acquired and used several tools including MegaSync, AnyDesk, esentutl and PsExec. Sources: Cybereason INC Ransomware November 2023; Huntress INC Ransom Group August 2023; SOCRadar INC Ransom January 2024; Huntress INC Ransomware May 2024; SentinelOne INC Ransomware |
| Enterprise | T1036.005 | Masquerading: Match Legitimate Resource Name or Location | INC Ransom has named a PsExec executable winupd to mimic a legitimate Windows update file. Sources: Huntress INC Ransom Group August 2023; SOCRadar INC Ransom January 2024 |
| Enterprise | T1570 | Lateral Tool Transfer | INC Ransom has used a rapid succession of copy commands to install a file encryption executable across multiple endpoints within compromised infrastructure. Sources: Huntress INC Ransom Group August 2023; Secureworks GOLD IONIC April 2024 |
| Enterprise | T1069.002 | Permission Groups Discovery: Domain Groups | INC Ransom has enumerated domain groups on targeted hosts. Sources: Huntress INC Ransom Group August 2023 |
| Enterprise | T1135 | Network Share Discovery | INC Ransom has used Internet Explorer to view folders on other systems. Sources: Huntress INC Ransom Group August 2023 |
| Enterprise | T1190 | Exploit Public-Facing Application | INC Ransom has exploited known vulnerabilities including CVE-2023-3519 in Citrix NetScaler for initial access. Sources: SOCRadar INC Ransom January 2024; SentinelOne INC Ransomware |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | INC Ransom has uninstalled tools from compromised endpoints after use. Sources: Huntress INC Ransomware May 2024 |
| Enterprise | T1078 | Valid Accounts | INC Ransom has used compromised valid accounts for access to victim environments. Sources: Cybereason INC Ransomware November 2023; Huntress INC Ransom Group August 2023; SOCRadar INC Ransom January 2024; Huntress INC Ransomware May 2024 |
| Enterprise | T1105 | Ingress Tool Transfer | INC Ransom has downloaded tools to compromised servers including Advanced IP Scanner. Sources: Huntress INC Ransom Group August 2023; Huntress INC Ransomware May 2024 |
| Enterprise | T1560.001 | Archive Collected Data: Archive via Utility | INC Ransom has used 7-Zip and WinRAR to archive collected data prior to exfiltration. Sources: Huntress INC Ransom Group August 2023; Secureworks GOLD IONIC April 2024; SOCRadar INC Ransom January 2024; Huntress INC Ransomware May 2024 |
| Enterprise | T1049 | System Network Connections Discovery | INC Ransom has used RDP to test network connections. Sources: SOCRadar INC Ransom January 2024 |
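The T1569.002 and T1036.005 rows together describe one artifact worth a dedicated check: a Windows System log event 7045 (service install) for a service named winupd, binary in %SystemRoot%, demand start, running as LocalSystem, which is a renamed PsExec service. The following is an added example, not from the page's sources, of parsing such 7045 message bodies and scoring them. The sample messages, the `BASELINE_SERVICES` allowlist and the scoring rules are constructed assumptions for this example, not ATT&CK detection content; PsExec's default service name PSEXESVC and its habit of copying its service binary into the ADMIN$ share (%SystemRoot%) are documented PsExec behaviour.

```python
"""Triage of Windows System log event 7045 (service install) records for the
renamed-PsExec pattern (winupd in %SystemRoot%) noted in the technique table.

Added example, not from the page's sources: sample messages, BASELINE_SERVICES
and the scoring rules are constructed heuristics for illustration.
"""
import re

FIELDS = ("Service Name", "Service File Name", "Service Type",
          "Service Start Type", "Service Account")
# Services your environment legitimately installs (assumed allowlist, lower-cased).
BASELINE_SERVICES = {"acmebackupagent"}
UPDATE_LOOKALIKES = ("winupd", "wuau", "update")   # names that mimic Windows Update

# Constructed 7045 message bodies in the layout the System log uses (key: value per line).
SAMPLE_7045 = [
    "A service was installed in the system.\n\nService Name:  winupd\n"
    "Service File Name:  %SystemRoot%\\winupd.exe\nService Type:  user mode service\n"
    "Service Start Type:  demand start\nService Account:  LocalSystem",
    "A service was installed in the system.\n\nService Name:  PSEXESVC\n"
    "Service File Name:  %SystemRoot%\\PSEXESVC.exe\nService Type:  user mode service\n"
    "Service Start Type:  demand start\nService Account:  LocalSystem",
    "A service was installed in the system.\n\nService Name:  AcmeBackupAgent\n"
    "Service File Name:  \"C:\\Program Files\\Acme\\agent.exe\"\nService Type:  user mode service\n"
    "Service Start Type:  auto start\nService Account:  LocalSystem",
]


def parse_7045(message):
    """Pull the key/value lines out of a 7045 message body into a dict."""
    fields = {}
    for key in FIELDS:
        m = re.search(rf"{key}:\s*(.+)", message)   # '.' stops at end of line
        fields[key] = m.group(1).strip() if m else ""
    return fields


def image_parent_dir(path):
    """Lower-cased parent directory of the service binary, %SystemRoot% expanded."""
    p = path.strip('"').lower().replace("%systemroot%", r"c:\windows")
    return p.rsplit("\\", 1)[0] if "\\" in p else ""


def assess_service_install(message, baseline=BASELINE_SERVICES):
    """Return the reasons this install looks like a (possibly renamed) PsExec service."""
    f = parse_7045(message)
    name = f["Service Name"].lower()
    exe = f["Service File Name"].strip('"').lower().rsplit("\\", 1)[-1]
    if name in baseline:
        return []
    reasons = []
    if name == "psexesvc" or exe == "psexesvc.exe":
        reasons.append("default PsExec service name or binary")
    if image_parent_dir(f["Service File Name"]) == r"c:\windows":
        reasons.append("binary dropped directly in %SystemRoot% (PsExec copies its service there)")
    if any(tok in name for tok in UPDATE_LOOKALIKES):
        reasons.append("service name mimics Windows Update")
    if (reasons and f["Service Start Type"].lower() == "demand start"
            and f["Service Account"].lower() == "localsystem"):
        reasons.append("demand-start LocalSystem service, matching the winupd record")
    return reasons


def triage(messages):
    """Return [(service name, reasons)] for every record that raised at least one reason."""
    out = []
    for msg in messages:
        reasons = assess_service_install(msg)
        if reasons:
            out.append((parse_7045(msg)["Service Name"], reasons))
    return out


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_7045):
        print(name, "->", "; ".join(reasons))
```

On the samples, both the winupd record and an unrenamed PSEXESVC install are flagged, while the baselined backup agent under Program Files is not. The demand-start/LocalSystem rule is deliberately only additive: on its own it matches far too many legitimate services, so it raises the score only when the location or name rule has already fired.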
Groups, software, and campaigns
S0183: Tor
Tor is a software suite and network that provides increased anonymity on the Internet. It creates a multi-hop proxy network and utilizes multilayer encryption to protect both the message and routing information. Tor utilizes "Onion Routing," in which messages are encrypted with multiple layers of encryption; at each step in the proxy network, the topmost layer is decrypted and the contents forwarded on to the next node until it reaches its destination. [1]
S0029: PsExec
S0359: Nltest
S1040: Rclone
S0552: AdFind
S0039: Net
The Net utility is a component of the Windows operating system. It is used in command-line operations for control of users, groups, services, and network connections. [1]
Net has a great deal of functionality, [2] much of which is useful for an adversary, such as gathering system and network information for Discovery, moving laterally through SMB/Windows Admin Shares using net use commands, and interacting with services. The net1.exe utility is executed for certain functionality when net.exe is run and can be used directly in commands such as net1 user.
S0404: esentutl
S1139: INC Ransomware
INC Ransomware is a ransomware strain that has been used by the INC Ransom group since at least 2023 against multiple industry sectors worldwide. INC Ransomware can employ partial encryption combined with multi-threading to speed encryption.[1][2][3]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | e00644371f45… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Bleeping Computer INC Ransomware March 2024: Toulas, B. (2024, March 27). INC Ransom threatens to leak 3TB of NHS Scotland stolen data. Retrieved June 5, 2024.
[2] Cybereason INC Ransomware November 2023: Cybereason Security Research Team. (2023, November 20). Threat Alert: INC Ransomware. Retrieved June 5, 2024.
[3] Secureworks GOLD IONIC April 2024: Counter Threat Unit Research Team. (2024, April 15). GOLD IONIC DEPLOYS INC RANSOMWARE. Retrieved June 5, 2024.
[4] SentinelOne INC Ransomware: SentinelOne. (n.d.). What Is Inc. Ransomware?. Retrieved June 5, 2024.
[5] GOLD IONIC: associated group name (Citation: Secureworks GOLD IONIC April 2024).
[6] mitre-attack G1032: MITRE ATT&CK source record for this group.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.