Skip to main content

Operator dossier

Incransom (also tracked as inc ransom, INC) is a ransomware operator currently active on public leak sites. Darkfield has indexed 1,712 public victims claimed by this operator between September 9, 2021 and July 14, 2026. Incransom is a ransomware group that emerged in August 2023, operating with primarily financial motivations as evidenced by their targeting of high-value sectors across multiple developed nations. The group's origin and specific affiliations remain undocumented by major threat intelligence organizations, though their operational patterns suggest they likely operate independently rather than as a ransomware-as-a-service model. With 734 documented victims, Incransom has demonstrated a preference for targeting organizations in the United States, Canada, United Kingdom, Germany, and Australia, with particular focus on healthcare, technology, business services, and manufacturing sectors, though their attack methodology and specific technical capabilities have not been extensively documented by established security researchers or government agencies. The group's notable campaigns and specific high-profile victims have not been publicly detailed by CISA, FBI, Mandiant, or other reputable threat intelligence sources, suggesting either operational security effectiveness or limited visibility into their most significant operations. Based on available intelligence, Incransom appears to remain active as of recent reporting periods, though comprehensive analysis of their current operational status requires additional documentation from established threat intelligence sources.

Most-targeted sectors

Most-affected countries

Recent disclosures by Incransom

Most recent 150 of 1,712 indexed disclosures. Click any row for the full per-victim dossier.

See every disclosure indexed for Incransom

How we know this. Operator profiles on Darkfield are built from continuous monitoring of every leak site the group is known to operate, cross-correlated with community-curated feeds (RansomLook, ransomware.live, RansomWatch, MISP-galaxy). Status flips from active to inactive when no new disclosure appears for 60 days. MITRE ATT&CK mappings shown in the interactive section below are sourced from CISA, vendor analysis, and the MITRE community catalog — we attribute each technique back to its source. Aliases reflect operator re-brands and affiliate splits.

Active ransomware operator

All groups

Incransom

aka inc ransom, INC · 1,712 victims indexed · first seen 5 years ago · last activity 13 hours ago

1,712
Victims indexed
#5 of 364 tracked operators
4y 10m
Active period
Sep 2021 → Jul 2026
30
Countries hit
top United States · 870

At a glance

Status
active
Aliases
inc ransom, INC
First seen
5 years ago
Last activity
13 hours ago
Onion sites
17 known endpoints
Primary sector
Not Found · 381 hits

About

Incransom is a ransomware group that emerged in August 2023, operating with primarily financial motivations as evidenced by their targeting of high-value sectors across multiple developed nations. The group's origin and specific affiliations remain undocumented by major threat intelligence organizations, though their operational patterns suggest they likely operate independently rather than as a ransomware-as-a-service model. With 734 documented victims, Incransom has demonstrated a preference for targeting organizations in the United States, Canada, United Kingdom, Germany, and Australia, with particular focus on healthcare, technology, business services, and manufacturing sectors, though their attack methodology and specific technical capabilities have not been extensively documented by established security researchers or government agencies. The group's notable campaigns and specific high-profile victims have not been publicly detailed by CISA, FBI, Mandiant, or other reputable threat intelligence sources, suggesting either operational security effectiveness or limited visibility into their most significant operations. Based on available intelligence, Incransom appears to remain active as of recent reporting periods, though comprehensive analysis of their current operational status requires additional documentation from established threat intelligence sources.

References

1 link

External sources curated by the MISP threat-intel community.

Timeline

24 months
2024-07-01T00:00:00+00:00 · 322024-08-01T00:00:00+00:00 · 202024-09-01T00:00:00+00:00 · 232024-10-01T00:00:00+00:00 · 102024-11-01T00:00:00+00:00 · 572024-12-01T00:00:00+00:00 · 222025-01-01T00:00:00+00:00 · 572025-02-01T00:00:00+00:00 · 292025-03-01T00:00:00+00:00 · 602025-04-01T00:00:00+00:00 · 382025-05-01T00:00:00+00:00 · 432025-06-01T00:00:00+00:00 · 522025-07-01T00:00:00+00:00 · 1182025-08-01T00:00:00+00:00 · 492025-09-01T00:00:00+00:00 · 1052025-10-01T00:00:00+00:00 · 732025-11-01T00:00:00+00:00 · 1062025-12-01T00:00:00+00:00 · 682026-01-01T00:00:00+00:00 · 902026-02-01T00:00:00+00:00 · 842026-03-01T00:00:00+00:00 · 1042026-04-01T00:00:00+00:00 · 402026-05-01T00:00:00+00:00 · 432026-06-01T00:00:00+00:00 · 26
2024-07-01T00:00:00+00:002026-06-01T00:00:00+00:00

Top countries

🇺🇸 United States
870
🇨🇦 Canada
95
🇬🇧 United Kingdom
83
🇺🇸 United States
68
🇩🇪 Germany
67
🇦🇺 Australia
38
🇫🇷 France
32
🇦🇹 Austria
20

Top sectors

Healthcare
218
Technology
186
Business Services
166
Manufacturing
135
Education
98
Public Sector
60
Government
57
Transportation/Logistics
50

MITRE ATT&CK

25 techniques · 13 tactics

Tactics

CollectionCommand And ControlDefense ImpairmentDiscoveryExecutionExfiltrationImpactInitial AccessLateral MovementPersistencePrivilege EscalationResource DevelopmentStealth

Techniques

Recent victims

Loading…

Onion infrastructure

17 known
  • http://incapt.blog
  • http://incapt.su
  • http://incbacg6bfwtrlzwdbqc55gsfl763s3twdtwhp27dzuik6s6rwdcityd.onion
  • http://incbacg6bfwtrlzwdbqc55gsfl763s3twdtwhp27dzuik6s6rwdcityd.onion/api/v1/blog/get/announcements?page=1&perPage=15
  • http://incbackend.top
  • http://incbackfgm7qa7sioq7r4tdunoaqsvzjg5i7w46bhqlfonwjgiemr7qd.onion
  • http://incbackfgm7qa7sioq7r4tdunoaqsvzjg5i7w46bhqlfonwjgiemr7qd.onion/api/v1/blog/get/announcements?page=1&perPage=15
  • http://incbackrlasjesgpfu5brktfjknbqoahe2hhmqfhasc5fb56mtukn4yd.onion
  • http://incbackrlasjesgpfu5brktfjknbqoahe2hhmqfhasc5fb56mtukn4yd.onion/api/blog/get-leaks
  • http://incblog6qu4y4mm4zvw5nrmue6qbwtgjsxpw6b7ixzssu36tsajldoad.onion
  • http://incblog6qu4y4mm4zvw5nrmue6qbwtgjsxpw6b7ixzssu36tsajldoad.onion/blog/disclosures
  • http://incblog7vmuq7rktic73r4ha4j757m3ptym37tyvifzp2roedyyzzxid.onion
  • + 5 more endpoints

Source

Updated 13 hours ago

Data on this page is sourced from the group's own leak posts, cross-checked with public ransomware trackers (RansomLook, ransomware.live, RansomWatch), MITRE ATT&CK, and our own Tor and Telegram crawlers. This is a public observatory page — share freely.

Get alerted the next time Incransom posts a victim.

Add Incransom to your watchlist — Pro pings you within 5 minutes of any new Incransom leak-site post, Telegram callout, or affiliate-rebrand inference.