S1139: INC Ransomware
INC Ransomware is a ransomware strain that has been used by the INC Ransom group since at least 2023 against multiple industry sectors worldwide. INC Ransomware can employ partial encryption combined with multi-threading to speed encryption.[1][2][3]
Analyst context for executives and security teams
INC Ransomware is a Windows ransomware strain that MITRE reports has been used by the INC Ransom group since at least 2023 across multiple industry sectors worldwide. Its practical significance is speed and operational disruption: MITRE notes partial encryption combined with multi-threading, which can reduce the time defenders have to contain activity before business data becomes unavailable.
Executive priority
Treat this as a resilience and incident-readiness issue, not only a malware signature problem. Leadership should ask whether Windows endpoints, file shares, recovery mechanisms, and service availability are monitored well enough to catch ransomware staging behaviors before encryption impact. Priority should go to proving backup recoverability, visibility into administrative execution paths such as WMI, and SOC playbooks for service stopping, recovery inhibition, lateral file transfer, and rapid encryption behavior.
Technical view
MITRE does not provide a dedicated detection section for this malware, so defenders should validate coverage through the related ATT&CK behaviors. For Windows environments, focus on WMI execution, process/file/share/storage discovery, lateral tool transfer, service stop activity, attempts to inhibit recovery, internal defacement artifacts, and data encryption for impact. Detection should emphasize behavioral chains rather than single indicators: discovery of processes, files, shares, devices, drivers, or local storage followed by internal file movement, service interruption, recovery-control changes, and high-volume file modification or encryption-like writes.
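The partial-encryption point above has a concrete detection consequence: a file that is only intermittently encrypted keeps most of its plaintext, so a whole-file entropy check can stay below threshold even though the file is unusable. The following is an added example written for this page (not INC Ransomware's code and not MITRE's) that compares a whole-file entropy check with a per-chunk check. It assumes a constructed plaintext, a 4 KiB scanner window, a 7.0 bits/byte threshold, and an XOR-with-random-keystream stand-in for a real cipher; the intermittent layout (encrypt the first 4 KiB of every 16 KiB) is also an assumption, not a description of INC's scheme.

```python
import math
import os
from collections import Counter

# Constructed sample plaintext (not a real victim file), repeated so it spans
# several 4 KiB chunks.
SAMPLE_PLAINTEXT = (
    b"Quarterly revenue report. Region: EMEA. Status: final. "
    b"Figures in thousands.\n"
) * 512

CHUNK_SIZE = 4096          # assumed scanner window
ENTROPY_THRESHOLD = 7.0    # bits/byte; uniformly random bytes approach 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy, in bits per byte, of the byte distribution in data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def keystream_xor(data: bytes, key: bytes) -> bytes:
    """Stand-in for a real cipher: XOR with a random one-time key stream.
    This is NOT INC Ransomware's algorithm; it only yields high-entropy output."""
    return bytes(b ^ k for b, k in zip(data, key))


def partially_encrypt(data: bytes, key: bytes,
                      encrypt_len: int = 4096, period: int = 16384) -> bytes:
    """Intermittent encryption (assumed layout): encrypt the first encrypt_len
    bytes of every period-byte block and leave the remainder in plaintext."""
    out = bytearray(data)
    for start in range(0, len(data), period):
        end = min(start + encrypt_len, len(data))
        out[start:end] = keystream_xor(data[start:end], key[start:end])
    return bytes(out)


def classify(data: bytes) -> dict:
    """Compare a whole-file entropy check with a per-chunk check."""
    whole = shannon_entropy(data)
    chunks = [data[i:i + CHUNK_SIZE] for i in range(0, len(data), CHUNK_SIZE)]
    max_chunk = max(shannon_entropy(c) for c in chunks)
    return {
        "whole_entropy": round(whole, 2),
        "max_chunk_entropy": round(max_chunk, 2),
        "whole_file_flags": whole >= ENTROPY_THRESHOLD,
        "chunk_flags": max_chunk >= ENTROPY_THRESHOLD,
    }


def demo() -> dict:
    """Run all three cases: untouched, fully encrypted, partially encrypted."""
    key = os.urandom(len(SAMPLE_PLAINTEXT))
    return {
        "plaintext": classify(SAMPLE_PLAINTEXT),
        "full": classify(keystream_xor(SAMPLE_PLAINTEXT, key)),
        "partial": classify(partially_encrypt(SAMPLE_PLAINTEXT, key)),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

The partially encrypted file fails the whole-file check but passes the per-chunk check, which is why entropy-based ransomware analytics should score windows of a file rather than the file as a whole, and why write-rate and file-count telemetry should not be dropped in favour of entropy alone.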
Likely telemetry
- Windows endpoint process creation and command-line telemetry
- WMI activity and remote/local WMI execution logs
- Service control events showing stop or disable actions
- File and directory enumeration telemetry
- Network share and SMB access telemetry
Detection direction
- Validate that ransomware detections are behavior-based and not limited to known hashes or static malware names.
- Correlate discovery behaviors with later file transfer, service stop, recovery inhibition, and encryption-impact activity.
- Tune WMI execution analytics to distinguish routine administration from unusual command execution, remote use, or execution from unexpected accounts or hosts.
- Review false positives from software deployment, backup, patch management, inventory tools, and legitimate administrative scripts.
- Confirm visibility on shared drives and file servers, since network share discovery and encryption impact can make endpoint-only telemetry insufficient.
Mitigation priorities
- Prioritize tested, isolated, and recoverable backups for critical Windows systems and shared data stores.
- Limit administrative privileges and WMI/remote administration access to authorized users, hosts, and management paths.
- Segment access to critical file shares and enforce least-privilege permissions to reduce blast radius.
- Harden and monitor recovery mechanisms so attempts to disable or delete recovery options are visible and actionable.
- Maintain phishing-resistant user controls and email security processes because MITRE links this malware to phishing behavior.
Analyst notes and limits
This take is based only on the supplied MITRE STIX object, external references, and relationships. The object is a malware entry for INC Ransomware with Windows listed as the platform. ATT&CK relationships associate it with execution, discovery, lateral movement, initial access, stealth, and impact techniques, including WMI, phishing, lateral tool transfer, service stop, recovery inhibition, internal defacement, and data encrypted for impact.
MITRE provides no official detection text for this object, and the supplied fields do not include indicators, hashes, commands, filenames, ransom note names, or guaranteed detection logic. Local environment baselines are required to distinguish malicious behavior from legitimate administration, backup, inventory, and software deployment activity.
INC Ransomware
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1120 | Peripheral Device Discovery | INC Ransomware can identify external USB and hard drives for encryption and printers to print ransom notes. [Cybereason INC Ransomware November 2023] |
| Enterprise | T1570 | Lateral Tool Transfer | INC Ransomware can push its encryption executable to multiple endpoints within compromised infrastructure. [Huntress INC Ransom Group August 2023] |
| Enterprise | T1566 | Phishing | INC Ransomware campaigns have used spearphishing emails for initial access. [SentinelOne INC Ransomware] |
| Enterprise | T1106 | Native API | INC Ransomware can use the API `DeviceIoControl` to resize the allocated space for, and thereby cause the deletion of, volume shadow copy snapshots. [Cybereason INC Ransomware November 2023] |
| Enterprise | T1652 | Device Driver Discovery | INC Ransomware can verify the presence of specific drivers on compromised hosts, including Microsoft Print to PDF and Microsoft XPS Document Writer. [Cybereason INC Ransomware November 2023] |
| Enterprise | T1490 | Inhibit System Recovery | INC Ransomware can delete volume shadow copy backups from victim machines. [Cybereason INC Ransomware November 2023] |
| Enterprise | T1047 | Windows Management Instrumentation | INC Ransomware has the ability to use wmic.exe to spread to multiple endpoints within a compromised environment. [Huntress INC Ransom Group August 2023] [Secureworks GOLD IONIC April 2024] |
| Enterprise | T1680 | Local Storage Discovery | INC Ransomware can discover and mount hidden drives to encrypt them. [Cybereason INC Ransomware November 2023] |
| Enterprise | T1135 | Network Share Discovery | INC Ransomware has the ability to check for shared network drives to encrypt. [Cybereason INC Ransomware November 2023] |
| Enterprise | T1486 | Data Encrypted for Impact | INC Ransomware can encrypt data on victim systems, including through the use of partial encryption and multi-threading to speed encryption. [SentinelOne INC Ransomware] [Huntress INC Ransom Group August 2023] [Cybereason INC Ransomware November 2023] [SOCRadar INC Ransom January 2024] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | INC Ransomware can run `CryptStringToBinaryA` to decode base64 content containing its ransom note. [Cybereason INC Ransomware November 2023] |
| Enterprise | T1083 | File and Directory Discovery | INC Ransomware can receive command line arguments to encrypt specific files and directories. [Cybereason INC Ransomware November 2023] [SentinelOne INC Ransomware] |
| Enterprise | T1057 | Process Discovery | INC Ransomware can use the Microsoft Win32 Restart Manager to kill processes with a specific handle or that are accessing resources it wants to encrypt. [Cybereason INC Ransomware November 2023] |
| Enterprise | T1489 | Service Stop | INC Ransomware can issue a command to kill a process on compromised hosts. [Cybereason INC Ransomware November 2023] |
| Enterprise | T1491.001 | Defacement: Internal Defacement | INC Ransomware has the ability to change the background wallpaper image to display the ransom note. [Cybereason INC Ransomware November 2023] [Secureworks GOLD IONIC April 2024] |
Groups, software, and campaigns
G1032: INC Ransom
INC Ransom is a ransomware and data extortion threat group associated with the deployment of INC Ransomware that has been active since at least July 2023. INC Ransom has targeted organizations worldwide most commonly in the industrial, healthcare, and education sectors in the US and Europe.[1][2][3][4]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 3bf8a839a38e… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] SentinelOne INC Ransomware. SentinelOne. (n.d.). What Is Inc. Ransomware?. Retrieved June 5, 2024.
- [2] Huntress INC Ransom Group August 2023. Team Huntress. (2023, August 11). Investigating New INC Ransom Group Activity. Retrieved June 5, 2024.
- [3] Secureworks GOLD IONIC April 2024. Counter Threat Unit Research Team. (2024, April 15). GOLD IONIC DEPLOYS INC RANSOMWARE. Retrieved June 5, 2024.
- [4] mitre-attack S1139. MITRE ATT&CK source object for S1139.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.