Threat Actor Profile

INC Ransom

Aliases
  • G1032
  • GOLD IONIC
  • INC Ransom
Origin
Russia
Active Since
2023-07-01
Motivation
Financial gain, Extortion, Data theft
Cause
Cybercriminal
Recent Activity

INC Ransom has grown into a major ransomware-as-a-service operation. June 2026 vendor CTI reporting describes INC as one of the more active ransomware groups, with more than 800 claimed victims since 2023.

Primary Targets
  • Healthcare organizations
  • Education organizations
  • Industrial organizations
  • Manufacturing organizations
  • U.S. health sector organizations
Target Locations
  • United States
  • Europe
  • Worldwide
Target Sectors
  • Healthcare
  • Education
  • Industrial
  • Manufacturing
Vulnerabilities

Internet-facing systems

Techniques
  • Double extortion

  • Encryption

  • Data theft

  • Leak site pressure

  • Fast encryption

  • Partial encryption

  • Ransom note printing

  • Exploitation of internet-facing systems

  • Spearphishing

  • Purchased credentials

  • Public leak threats

  • Multi-threaded encryption

  • RDP lateral movement

  • WMI Provider Host payload deployment

Malware Tools
  • INC Ransomware malware
  • WMIC
  • PsExec
  • Netscan
  • RDP
  • WMI Provider Host
Bitsight Contextualized Intelligence
  • INC Ransomware is a threat actor group that emerged in July 2023.

  • INC Ransomware encrypts victims' data and demands ransom payments for decryption.

  • INC Ransomware engages in data theft and threatens to publicly leak stolen information if ransom is not paid.

  • INC Ransomware has been particularly active in targeting the healthcare sector.

  • INC Ransomware intensifies urgency to pay due to the sensitive nature of stolen data, such as patient records.

  • INC Ransomware attacks have not been widely reported, indicating limited activity.

  • INC Ransomware maintains a dark web presence where it leaks stolen victim data and possibly communicates ransom demands.

  • Recent claims of a ransomware attack on NHS Scotland brought INC Ransom into the spotlight within the cybersecurity community, healthcare institutions, and mainstream media.

  • INC Ransomware is associated with the deployment of INC Ransomware malware, which has been active since at least July 2023.

  • INC Ransomware has targeted organizations worldwide, most commonly in the industrial, healthcare, and education sectors in the United States and Europe.

  • INC Ransomware is also known by aliases such as G1032, GOLD IONIC, and INC Ransom.

  • INC Ransomware malware is related to Interlock and Storm-0494.

  • INC Ransomware primarily affects Windows platforms.

  • INC Ransomware employs partial encryption combined with multi-threading to expedite the encryption process.

  • INC Ransomware utilizes RDP for lateral movement.

  • INC Ransomware employs the WMI Provider Host to deploy the ransomware payload.

  • Microsoft identified INC Ransomware activity as part of a campaign targeting the U.S. health sector.

  • INC Ransomware motivation is primarily financial.

Defensive Takeaways
  • Patch internet-facing systems

  • Harden and monitor RDP and external remote services

  • Enforce multifactor authentication for privileged and remote access

  • Monitor use of legitimate administrative tools such as WMIC and PsExec

  • Monitor WMI-based payload deployment

  • Restrict access to connected printers and monitor unusual print activity

  • Maintain offline or immutable backups
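
The monitoring takeaways above for WMIC, PsExec and WMI-based payload deployment can be expressed as rules over process-creation telemetry. The sketch below is an added example, not Bitsight's code or tooling. It assumes events carry Sysmon-style `Image`, `ParentImage` and `CommandLine` fields. The host names, `sample.exe` and the allowlist parameter are constructed for illustration.

```python
import ntpath

# Constructed process-creation events (Sysmon Event ID 1 field names); not real telemetry.
EVENTS = [
    {"host": "ws01", "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
    {"host": "ws02", "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'wmic /node:"fs01" process call create "C:\Users\Public\sample.exe"'},
    {"host": "fs01", "Image": r"C:\Users\Public\sample.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": r"C:\Users\Public\sample.exe"},
    {"host": "fs02", "Image": r"C:\Windows\PSEXESVC.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r"C:\Windows\PSEXESVC.exe"},
]

PSEXEC_NAMES = {"psexec.exe", "psexec64.exe", "psexesvc.exe"}


def base(path):
    """Lower-cased file name of a Windows path (works on any OS)."""
    return ntpath.basename(path or "").lower()


def classify(event, allowed_wmi_children=frozenset()):
    """Return the names of the rules one process-creation event matches."""
    image, parent = base(event.get("Image")), base(event.get("ParentImage"))
    cmd = (event.get("CommandLine") or "").lower()
    hits = []
    # A process whose parent is the WMI Provider Host was started through WMI.
    if parent == "wmiprvse.exe" and image not in allowed_wmi_children:
        hits.append("wmi_provider_host_child")
    # PsExec client, or the service binary it drops on the target host.
    if image in PSEXEC_NAMES:
        hits.append("psexec_execution")
    # WMIC asked to create a process on another node.
    if image == "wmic.exe" and "/node:" in cmd and "process call create" in cmd:
        hits.append("wmic_remote_process_create")
    return hits


def detect(events, allowed_wmi_children=frozenset()):
    """Return (host, rule, image) for every rule hit, in event order."""
    return [(e["host"], rule, base(e.get("Image")))
            for e in events for rule in classify(e, allowed_wmi_children)]
```

Legitimate management software also starts processes through WMI, so the allowlist should be built from a baseline of each environment before alerting on `wmi_provider_host_child`.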
