INC Ransom
Also known as: GOLD IONIC
Overview
INC Ransom is a ransomware and data extortion threat group, active since at least July 2023, that is associated with the deployment of INC Ransomware. INC Ransom has targeted organizations worldwide, most commonly in the industrial, healthcare, and education sectors in the US and Europe.
Capabilities
- Exploitation of public-facing / client applications — ATT&CK T1190
TTPs — 25 techniques across 11 tactics
Resource Development
- T1588.002 Tool
Initial Access
- T1190 Exploit Public-Facing Application
- T1566 Phishing
Execution
- T1047 Windows Management Instrumentation
- T1059.003 Windows Command Shell
- T1569.002 Service Execution
Stealth
- T1036.005 Match Legitimate Resource Name or Location
- T1070.004 File Deletion
- T1078 Valid Accounts
Defense Impairment
- T1685 Disable or Modify Tools
Discovery
- T1046 Network Service Discovery
- T1049 System Network Connections Discovery
- T1069.002 Domain Groups
- T1087.002 Domain Account
- T1135 Network Share Discovery
Lateral Movement
- T1021.001 Remote Desktop Protocol
- T1570 Lateral Tool Transfer
Collection
- T1074 Data Staged
- T1560.001 Archive via Utility
Command and Control
- T1071 Application Layer Protocol
- T1105 Ingress Tool Transfer
- T1219 Remote Access Tools
Exfiltration
Impact
- T1486 Data Encrypted for Impact
- T1657 Financial Theft
Tools & malware (8)
Tor · PsExec · Nltest · Rclone · AdFind · Net · esentutl · INC Ransomware
Reporting (3)
- GOLD IONIC DEPLOYS INC RANSOMWARE — Counter Threat Unit Research Team
- INC Ransom threatens to leak 3TB of NHS Scotland stolen data — Toulas, B
- Threat Alert: INC Ransomware — Cybereason Security Research Team