Understanding threat actor capabilities is only half the battle—the other half is knowing whether your organization is in their crosshairs. See how Bitsight threat intelligence helps you move from observation to action.
INC Ransom has grown into a major ransomware-as-a-service operation. June 2026 vendor CTI reporting describes INC as one of the more active ransomware groups, with more than 800 claimed victims since 2023.
Internet-facing systems
Double extortion
Encryption
Data theft
Leak site pressure
Fast encryption
Partial encryption
Ransom note printing
Exploitation of internet-facing systems
Spearphishing
Purchased credentials
Public leak threats
Multi-threaded encryption
RDP lateral movement
WMI Provider Host payload deployment
INC Ransomware is a threat actor group that emerged in July 2023.
INC Ransomware encrypts victims' data and demands ransom payments for decryption.
INC Ransomware engages in data theft and threatens to publicly leak stolen information if ransom is not paid.
INC Ransomware has been particularly active in targeting the healthcare sector.
INC Ransomware intensifies urgency to pay due to the sensitive nature of stolen data, such as patient records.
INC Ransomware attacks have not been widely reported, indicating limited activity.
INC Ransomware maintains a dark web presence where it leaks stolen victim data and possibly communicates ransom demands.
Recent claims of a ransomware attack on NHS Scotland brought INC Ransom into the spotlight within the cybersecurity community, healthcare institutions, and mainstream media.
INC Ransomware is associated with the deployment of INC Ransomware malware, which has been active since at least July 2023.
INC Ransomware has targeted organizations worldwide, most commonly in the industrial, healthcare, and education sectors in the United States and Europe.
INC Ransomware is also known by aliases such as G1032, GOLD IONIC, and INC Ransom.
INC Ransomware malware is related to Interlock and Storm-0494.
INC Ransomware primarily affects Windows platforms.
INC Ransomware employs partial encryption combined with multi-threading to expedite the encryption process.
INC Ransomware utilizes RDP for lateral movement.
INC Ransomware employs the WMI Provider Host to deploy the ransomware payload.
Microsoft identified INC Ransomware activity as part of a campaign targeting the U.S. health sector.
INC Ransomware's motivation is primarily financial.
Patch internet-facing systems
Harden and monitor RDP and external remote services
Enforce multifactor authentication for privileged and remote access
Monitor use of legitimate administrative tools such as WMIC and PsExec
Monitor WMI-based payload deployment
Restrict access to connected printers and monitor unusual print activity
Maintain offline or immutable backups
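The two monitoring recommendations above (WMI-based payload deployment, and administrative tools such as WMIC and PsExec) can be expressed as rules over process-creation telemetry. The following is an added example, not Bitsight's or any vendor's detection content; the event field names, hosts, paths, and allowlist entry are constructed assumptions.

```python
import re

# Constructed process-creation records (Sysmon Event ID 1 style); not real telemetry.
SAMPLE_EVENTS = [
    {"host": "ws-014", "image": r"C:\Windows\System32\svchost.exe",
     "parent": r"C:\Windows\System32\services.exe", "cmd": "svchost.exe -k netsvcs"},
    {"host": "fs-02", "image": r"C:\Users\Public\placeholder.exe",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "cmd": r"C:\Users\Public\placeholder.exe"},
    {"host": "ws-014", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmd": r'wmic /node:"fs-02" process call create "C:\Users\Public\placeholder.exe"'},
    {"host": "fs-03", "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\PSEXESVC.exe", "cmd": "cmd.exe /c whoami"},
    {"host": "ws-020", "image": r"C:\Program Files\Vendor\agent.exe",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "cmd": "agent.exe --inventory"},
]

# Assumption: per-site list of binaries legitimately started through WMI.
WMI_CHILD_ALLOWLIST = {r"c:\program files\vendor\agent.exe"}
REMOTE_CREATE = re.compile(r"/node:.*process\s+call\s+create", re.IGNORECASE)


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event, allowlist=WMI_CHILD_ALLOWLIST):
    """Return the name of the first matching rule, or None."""
    image, parent = basename(event["image"]), basename(event["parent"])
    # Process spawned by the WMI Provider Host and not on the site allowlist.
    if parent == "wmiprvse.exe" and event["image"].lower() not in allowlist:
        return "wmi_child_process"
    # WMIC asked to create a process on another host.
    if image == "wmic.exe" and REMOTE_CREATE.search(event["cmd"]):
        return "wmic_remote_process_create"
    # PsExec service binary running or spawning a child.
    if "psexesvc.exe" in (image, parent):
        return "psexec_service_activity"
    return None


def detect(events, allowlist=WMI_CHILD_ALLOWLIST):
    """Return (host, rule) for every event that matches a rule."""
    return [(e["host"], r) for e in events if (r := classify(e, allowlist))]


if __name__ == "__main__":
    for host, rule in detect(SAMPLE_EVENTS):
        print(f"{host}: {rule}")
```

Hits from these rules are leads to correlate with RDP logon events on the same hosts, not verdicts on their own.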