Operator dossier

INC RANSOM - new is a ransomware operator currently active on public leak sites.

How we know this. Operator profiles on Darkfield are built from continuous monitoring of every leak site the group is known to operate, cross-correlated with community-curated feeds (RansomLook, ransomware.live, RansomWatch, MISP-galaxy). Status flips from active to inactive when no new disclosure appears for 60 days. MITRE ATT&CK mappings shown in the interactive section below are sourced from CISA, vendor analysis, and the MITRE community catalog — we attribute each technique back to its source. Aliases reflect operator re-brands and affiliate splits.

Active ransomware operator

← All groups

INC RANSOM - new

0 victims indexed

Victims indexed

—

Active period

—

Countries hit

At a glance

Status: active
First seen: —
Last activity: —
Onion sites: 1 known endpoint

MITRE ATT&CK

25 techniques · 13 tactics

Tactics

CollectionCommand And ControlDefense ImpairmentDiscoveryExecutionExfiltrationImpactInitial AccessLateral MovementPersistencePrivilege EscalationResource DevelopmentStealth

Techniques

T1021.001Remote Desktop Protocol
T1036.005Match Legitimate Resource Name or Location
T1046Network Service Discovery
T1047Windows Management Instrumentation
T1049System Network Connections Discovery
T1059.003Windows Command Shell
T1069.002Domain Groups
T1070.004File Deletion
T1071Application Layer Protocol
T1074Data Staged
T1078Valid Accounts
T1087.002Domain Account
T1105Ingress Tool Transfer
T1135Network Share Discovery
T1190Exploit Public-Facing Application
T1219Remote Access Tools
T1486Data Encrypted for Impact
T1537Transfer Data to Cloud Account
T1560.001Archive via Utility
T1566Phishing
T1569.002Service Execution
T1570Lateral Tool Transfer
T1588.002Tool
T1657Financial Theft
T1685Disable or Modify Tools

Recent victims

Loading…

Onion infrastructure

1 known

http://incblog6qu4y4mm4zvw5nrmue6qbwtgjsxpw6b7ixzssu36tsajldoad.onion

Source

Updated recently

Data on this page is sourced from the group's own leak posts, cross-checked with public ransomware trackers (RansomLook, ransomware.live, RansomWatch), MITRE ATT&CK, and our own Tor and Telegram crawlers. This is a public observatory page — share freely.