Skip to main content
Pulse · daily intelligencehigh risk

INC Ransom triples output in 24-hour surge

Published 15 hours ago · Darkfield's AI analyst reads the past 24 hours of ransomware leaks, telegram chatter and blacklist additions, then writes a one-paragraph brief at 06:00 UTC every morning.

18
Victims · 24h
incransom
Top group
7 victims
US
Top country
5 victims
Business Services
Top sector
3 victims

Today's pulse

Jul 3, 2026

By Darkfield's AI analyst·Published 15 hours ago·24h window

The dominant story of the last 24 hours is INC Ransom's 250% activity spike, jumping from 2 to 7 posted victims in a single day and accounting for nearly 39% of all 18 new postings — a surge that demands immediate attention from defenders. The US and Brazil are tied as the hardest-hit nations with 5 victims each, suggesting INC Ransom and peers are running parallel targeting campaigns across both Western and Latin American markets simultaneously. Sector exposure is broadly distributed but Healthcare and Public Sector each logged 2 victims in 24 hours, which is disproportionately concerning given the operational and safety implications of disruption in those verticals. Zooming out to the 7-day window, the ecosystem remains at an elevated tempo with 207 victims — a 31% week-over-week increase — led by TheGentlemen's 42 postings, signaling that multiple high-volume operators are active concurrently rather than any single group monopolizing the threat landscape. If INC Ransom's current pace holds or accelerates into the next cycle, it has the trajectory to challenge TheGentlemen's weekly dominance, and Brazilian organizations in Business Services and Manufacturing should treat the next 48 hours as elevated-risk exposure windows.

Get this brief every morning at 06:01 UTC.

Pro subscribers receive the daily Pulse as an email digest plus real-time alerts whenever the corpus mentions a monitored asset. Cancel any time.

This week's briefing

Forecast

Source

Pulses, briefings and forecasts are written by Darkfield's AI analyst given the day's structured intelligence: ransomware victim disclosures, blacklist additions, breach catalog deltas, Telegram entity extraction, and cross-source correlations. The source data is the same we expose throughout the rest of this site.