Threat Actor

Inc Ransomware

Description

INC Ransom (also Incransom) is a ransomware-as-a-service (RaaS) group that emerged in mid-2023, also known as GOLD IONIC. They use spearphishing techniques along with double extortion—exfiltrating data before encryption and threatening leaks.

The group operates professionally with affiliates, primarily targeting North America and Europe across healthcare, manufacturing, government, and education sectors.

Aliases

Incransom
GOLD IONIC

Common Vulnerabilities and Exposures

Targeted Industries

Construction
Education
Government
Healthcare
Industrial
Manufacturing
Professional Services

Objectives

Financial Gain

Known Tools Used

7-Zip
AdFind
Advanced IP Scanner
AnyDesk
esentutl
MegaSync
Meterpreter
NETSCAN.EXE
Net
Nltest
PsExec
PuTTY
Rclone
Tor
WinRAR
WMIC

Known Infection Vectors

Exploiting public-facing applications (CVE-2023-3519 Citrix Bleed)
Phishing for initial access
Using compromised valid accounts (RDP/VPN)
Partnerships with initial access brokers (GootLoader)

References

Inc Ransom

https://attack.mitre.org/groups/G1032/

6333

Published

Apr 05, 2026

Threat Actor Type

Ransomware-as-a-Service (RaaS)

Protect

Detect

Respond

Recover

Identify

Network Security

Cloud & Application Security

Endpoint Security

Security Operations

Threat Actor

Inc Ransomware

Description

Aliases

Common Vulnerabilities and Exposures

Targeted Industries

Objectives

Known Tools Used

Known Infection Vectors

References

Active CVEs

Research Center

Services

Protect

Detect

Respond

Recover

Identify

Network Security

Cloud & Application Security

Endpoint Security

Security Operations

Threat Intelligence Center

Support Center

Resource Center

About

Threat Actor

Inc Ransomware

Description

Aliases

Common Vulnerabilities and Exposures

Targeted Industries

Objectives

Known Tools Used

Known Infection Vectors

References

Active CVEs

Threat Intelligence
Center