Operator dossier

Incransom (also tracked as inc ransom) is a ransomware operator currently active on public leak sites. Darkfield has indexed 805 public victims claimed by this operator between August 9, 2023 and May 19, 2026. Incransom is a ransomware group that emerged in August 2023, operating with primarily financial motivations as evidenced by their targeting of high-value sectors across multiple developed nations. The group's origin and specific affiliations remain undocumented by major threat intelligence organizations, though their operational patterns suggest they likely operate independently rather than as a ransomware-as-a-service model. With 734 documented victims, Incransom has demonstrated a preference for targeting organizations in the United States, Canada, United Kingdom, Germany, and Australia, with particular focus on healthcare, technology, business services, and manufacturing sectors, though their attack methodology and specific technical capabilities have not been extensively documented by established security researchers or government agencies. The group's notable campaigns and specific high-profile victims have not been publicly detailed by CISA, FBI, Mandiant, or other reputable threat intelligence sources, suggesting either operational security effectiveness or limited visibility into their most significant operations. Based on available intelligence, Incransom appears to remain active as of recent reporting periods, though comprehensive analysis of their current operational status requires additional documentation from established threat intelligence sources.

How we know this. Operator profiles on Darkfield are built from continuous monitoring of every leak site the group is known to operate, cross-correlated with community-curated feeds (RansomLook, ransomware.live, RansomWatch, MISP-galaxy). Status flips from active to inactive when no new disclosure appears for 60 days. MITRE ATT&CK mappings shown in the interactive section below are sourced from CISA, vendor analysis, and the MITRE community catalog — we attribute each technique back to its source. Aliases reflect operator re-brands and affiliate splits.

Active ransomware operator

← All groups

Incransom

aka inc ransom · 805 victims indexed · first seen 3 years ago · last activity 1 day ago

805

Victims indexed

#12 of 348 tracked operators

2y 9m

Active period

Aug 2023 → May 2026

Countries hit

top United States · 388

At a glance

Status: active
Aliases: inc ransom
First seen: 3 years ago
Last activity: 1 day ago
Onion sites: 12 known endpoints
Primary sector: Not Found · 177 hits

About

Incransom is a ransomware group that emerged in August 2023, operating with primarily financial motivations as evidenced by their targeting of high-value sectors across multiple developed nations. The group's origin and specific affiliations remain undocumented by major threat intelligence organizations, though their operational patterns suggest they likely operate independently rather than as a ransomware-as-a-service model. With 734 documented victims, Incransom has demonstrated a preference for targeting organizations in the United States, Canada, United Kingdom, Germany, and Australia, with particular focus on healthcare, technology, business services, and manufacturing sectors, though their attack methodology and specific technical capabilities have not been extensively documented by established security researchers or government agencies. The group's notable campaigns and specific high-profile victims have not been publicly detailed by CISA, FBI, Mandiant, or other reputable threat intelligence sources, suggesting either operational security effectiveness or limited visibility into their most significant operations. Based on available intelligence, Incransom appears to remain active as of recent reporting periods, though comprehensive analysis of their current operational status requires additional documentation from established threat intelligence sources.

References

1 link

External sources curated by the MISP threat-intel community.

ransomlook.io/group/inc ransom

Timeline

24 months

2024-04-01T00:00:00+00:002026-03-01T00:00:00+00:00

Top countries

🇺🇸 United States

388

🇨🇦 Canada

🇬🇧 United Kingdom

🇩🇪 Germany

🇦🇺 Australia

🇫🇷 France

🇮🇹 Italy

🇦🇹 Austria

United States dossier →Canada dossier →United Kingdom dossier →Germany dossier →

Top sectors

Not Found

177

Healthcare

100

Technology

Business Services

Manufacturing

Education

Public Sector

Government

Not Found dossier →Healthcare dossier →Technology dossier →Business Services dossier →

MITRE ATT&CK

25 techniques · 13 tactics

Tactics

CollectionCommand And ControlDefense ImpairmentDiscoveryExecutionExfiltrationImpactInitial AccessLateral MovementPersistencePrivilege EscalationResource DevelopmentStealth

Techniques

T1021.001Remote Desktop Protocol
T1036.005Match Legitimate Resource Name or Location
T1046Network Service Discovery
T1047Windows Management Instrumentation
T1049System Network Connections Discovery
T1059.003Windows Command Shell
T1069.002Domain Groups
T1070.004File Deletion
T1071Application Layer Protocol
T1074Data Staged
T1078Valid Accounts
T1087.002Domain Account
T1105Ingress Tool Transfer
T1135Network Share Discovery
T1190Exploit Public-Facing Application
T1219Remote Access Tools
T1486Data Encrypted for Impact
T1537Transfer Data to Cloud Account
T1560.001Archive via Utility
T1566Phishing
T1569.002Service Execution
T1570Lateral Tool Transfer
T1588.002Tool
T1657Financial Theft
T1685Disable or Modify Tools

Recent victims

Loading…

Onion infrastructure

12 known

http://incapt.blog
http://incapt.su
http://incbacg6bfwtrlzwdbqc55gsfl763s3twdtwhp27dzuik6s6rwdcityd.onion
http://incbacg6bfwtrlzwdbqc55gsfl763s3twdtwhp27dzuik6s6rwdcityd.onion/api/v1/blog/get/announcements?page=1&perPage=15
http://incbackend.top
http://incbackfgm7qa7sioq7r4tdunoaqsvzjg5i7w46bhqlfonwjgiemr7qd.onion
http://incbackfgm7qa7sioq7r4tdunoaqsvzjg5i7w46bhqlfonwjgiemr7qd.onion/api/v1/blog/get/announcements?page=1&perPage=15
http://incbackrlasjesgpfu5brktfjknbqoahe2hhmqfhasc5fb56mtukn4yd.onion
http://incbackrlasjesgpfu5brktfjknbqoahe2hhmqfhasc5fb56mtukn4yd.onion/api/blog/get-leaks
http://incblog6qu4y4mm4zvw5nrmue6qbwtgjsxpw6b7ixzssu36tsajldoad.onion
http://incblog6qu4y4mm4zvw5nrmue6qbwtgjsxpw6b7ixzssu36tsajldoad.onion/blog/disclosures
http://incblog7vmuq7rktic73r4ha4j757m3ptym37tyvifzp2roedyyzzxid.onion

Source

Updated 1 day ago

Data on this page is sourced from the group's own leak posts, cross-checked with public ransomware trackers (RansomLook, ransomware.live, RansomWatch), MITRE ATT&CK, and our own Tor and Telegram crawlers. This is a public observatory page — share freely.