Threat Actor Profile: INC Ransom 

INC Ransom, also known by the name GOLD IONIC, is a highly active ransomware and data extortion group that has been operating since at least July 2023. With a focus on targeting a wide range of industries across multiple continents, INC Ransom is known for its sophisticated tactics and the use of multiple malware families to execute its attacks. 

Particularly notorious for its attacks on sectors like healthcare, education, and industrial organizations, INC Ransom has demonstrated its ability to affect a broad array of victims globally, with a concentration on the United States and Europe. INC Ransom typically deploys ransomware to encrypt data and extort payments from victims. This threat group has been linked to a variety of malicious tools and techniques to compromise systems, gain unauthorized access, and conduct data exfiltration.  

INC Ransom’s operational methods are sophisticated, leveraging several malware families and tools at different stages of an attack. These include AdFind (an information stealer), PsExec (a remote command tool), and Rclone (a cloud storage tool), among others.

The deployment of these tools reflects the group’s ability to manipulate both Windows and network environments to infiltrate and maintain control over targeted systems. 

Targeted Countries and Sectors 

Cyble Vision Threat Library (Source: Cyble Vision) 

INC Ransom has extended its malicious operations across a wide global spectrum, targeting a variety of countries such as Austria, Australia, Chile, Czech Republic, Germany, Spain, France, the United Kingdom, Hong Kong, Hungary, Indonesia, Ireland, Italy, Malta, Netherlands, Peru, Philippines, Pakistan, Portugal, Romania, South Africa, Seychelles, the United States, and Zambia.  

The group’s reach is extensive, as it has successfully infiltrated a broad array of industries, including aerospace and defense, automotive, agriculture and livestock, energy and utilities, healthcare, government and law enforcement, pharmaceuticals and biotechnology, technology and IT services, telecommunications, and transportation and logistics.  

Tactics, Techniques, and Procedures (TTPs) 

INC Ransom follows a standard but highly effective attack methodology, utilizing a variety of tactics, techniques, and procedures (TTPs) as described in the MITRE ATT&CK framework. These include: 

  • Initial Access: INC Ransom often gains initial access through the exploitation of public-facing applications such as CVE-2023-3519 in Citrix NetScaler, or by utilizing phishing techniques to manipulate users into executing malicious payloads. 
  • Execution: Once inside the system, the group uses tools like Windows Management Instrumentation (WMIC), Windows Command Shell, and Service Execution to deploy the ransomware payload across the compromised network. Their choice of these execution tools enables them to run ransomware discreetly and bypass certain security measures. 
  • Persistence and Evasion: To maintain persistence within the network, INC Ransom uses valid accounts that have been compromised, as well as tactics like file deletion and the use of SystemSettingsAdminFlows.exe to disable security features such as Windows Defender. They also rename malicious files to resemble legitimate system files, such as using PsExec with the name “winupd,” which helps them evade detection. 
  • Discovery: After establishing a foothold, INC Ransom conducts thorough reconnaissance within the victim’s network, using tools such as NETSCAN.EXE for network service discovery and RDP to test network connections. They also search for domain admin accounts and conduct domain group enumeration, all aimed at preparing for lateral movement within the environment. 
  • Lateral Movement: Once they have mapped out the network, INC Ransom uses Remote Desktop Protocol (RDP) and Lateral Tool Transfer to spread the ransomware across other systems within the network, ensuring maximum disruption. 
  • Data Collection and Exfiltration: The group stages data on compromised hosts, archiving it with tools like 7-Zip or WinRAR before exfiltrating it to cloud storage using Megasync. This exfiltration not only serves to increase the pressure on victims by threatening to release sensitive information but also amplifies the potential financial impact of the attack. 
  • Impact: As the name suggests, INC Ransomware is used to encrypt data, effectively locking victims out of critical information. The group extorts payment in exchange for decryption keys or the promise to keep the stolen data confidential. The threat of exposure or data leakage is often used as leverage to force quick payments. 

Tool Usage and Custom Malware 

INC Ransom has a diverse toolkit at its disposal, utilizing a mix of custom and off-the-shelf malware families to execute its attacks. The group makes use of a variety of network discovery and exfiltration tools including Rclone, Tor, and cloud-based services like Megasync to facilitate their activities. These tools give them the ability to hide their activities, exfiltrate data with minimal trace, and expand their operations across multiple targets. 

Conclusion 

As of early 2025, INC Ransom remains an active threat, particularly to industries like healthcare and government. Their use of advanced ransomware techniques and powerful extortion methods makes them a highly skilled group. To fight these threats, organizations must adopt proactive cybersecurity measures.

With the growing complexity of cybercrime, Cyble offers AI-powered cybersecurity solutions like Cyble Vision, designed to help organizations stay protected at all times. By leveraging Cyble’s advanced threat intelligence, businesses can enhance their defenses and effectively protect against cybercriminals like INC Ransom. 

Defensive Measures and Recommendations 

Some recommended defenses against groups like INC Ransom include: 

  • Regular Patching: Ensuring that all known vulnerabilities, especially those in public-facing applications, are patched promptly. This can help mitigate the initial access methods that groups like INC Ransom often exploit. 
  • User Awareness and Phishing Training: Since phishing is a common entry point for ransomware groups, educating employees to recognize suspicious emails and links is crucial. 
  • Endpoint Protection: Deploying advanced endpoint detection and response (EDR) solutions can help detect and block ransomware at an early stage. 
  • Network Segmentation: Isolating critical systems within a segmented network can prevent ransomware from spreading across an entire organization. 
  • Regular Backups: Having regular, offline backups of critical data ensures that organizations can recover quickly without paying ransoms. 

MITRE Attack Techniques Associated with INC Ransom 

MITRE ATT&CK (Source: Cyble Vision)

  • Exploit Public-Facing Application (T1190): Exploited known vulnerabilities such as CVE-2023-3519 in Citrix NetScaler for initial access. 
  • Phishing (T1566): Used phishing to gain initial access. 
  • Windows Management Instrumentation (T1047): Used WMIC to deploy ransomware. 
  • Windows Command Shell (T1059.003): Used cmd.exe to launch malicious payloads. 
  • Service Execution (T1569.002): Ran the file encryption executable via the Service Control Manager (System log Event ID 7045: service name winupd, image path %SystemRoot%\winupd.exe, user mode service, demand start, running as LocalSystem). 
  • Valid Accounts (T1078): Used compromised valid accounts for access. 
  • Match Legitimate Name or Location (T1036.005): Named PsExec executable as winupd to mimic a legitimate Windows update. 
  • File Deletion (T1070.004): Uninstalled tools from compromised endpoints after use. 
  • Disable or Modify Tools (T1562.001): Used SystemSettingsAdminFlows.exe to disable Windows Defender. 
  • Network Service Discovery (T1046): Used NETSCAN.EXE for internal reconnaissance. 
  • System Network Connections Discovery (T1049): Used RDP to test network connections. 
  • Domain Groups (T1069.002): Enumerated domain groups on targeted hosts. 
  • Domain Account (T1087.002): Scanned for domain admin accounts in compromised environments. 
  • Network Share Discovery (T1135): Used Internet Explorer to view folders on other systems. 
  • Remote Desktop Protocol (T1021.001): Used RDP to move laterally. 
  • Lateral Tool Transfer (T1570): Used rapid succession of copy commands to install file encryption executables across multiple endpoints. 
  • Data Staged (T1074): Staged data on compromised hosts prior to exfiltration. 
  • Archive via Utility (T1560.001): Used 7-Zip and WinRAR to archive collected data. 
  • Transfer Data to Cloud Account (T1537): Used Megasync to exfiltrate data to the cloud. 
  • Application Layer Protocol (T1071): Used valid accounts over RDP to connect to targeted systems. 
  • Ingress Tool Transfer (T1105): Downloaded tools to compromised servers, including Advanced IP Scanner. 
  • Remote Access Software (T1219): Used AnyDesk and PuTTY on compromised systems. 
  • Data Encrypted for Impact (T1486): Used INC Ransomware to encrypt victim’s data. 
  • Financial Theft (T1657): Stole and encrypted data to extort payment for decryption or keeping it private. 
  • Tool (T1588.002): Acquired and used several tools. 
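The host-level behaviours that the TTP list and the ATT&CK mapping above pin down (a winupd service installed from %SystemRoot%, PsExec renamed to winupd, and SystemSettingsAdminFlows.exe used against Windows Defender) can be turned into hunting logic. The block below is an added example, not code from the original post or from Cyble Vision: it runs three checks over constructed System-log 7045 and Sysmon process-creation records, and the dictionary field names are assumptions modelled loosely on those schemas.

```python
import ntpath

# Constructed sample telemetry (not real logs). The first record mirrors the
# 7045 service install quoted in the ATT&CK list; the rest are Sysmon-style
# process-creation events (EventID 1) with assumed field names.
SAMPLE_EVENTS = [
    {"EventID": 7045, "ServiceName": "winupd", "ImagePath": r"%SystemRoot%\winupd.exe",
     "ServiceType": "user mode service", "StartType": "demand start", "AccountName": "LocalSystem"},
    {"EventID": 7045, "ServiceName": "Spooler", "ImagePath": r"%SystemRoot%\System32\spoolsv.exe",
     "ServiceType": "user mode service", "StartType": "auto start", "AccountName": "LocalSystem"},
    {"EventID": 1, "Image": r"C:\Windows\winupd.exe", "OriginalFileName": "psexesvc.exe"},
    {"EventID": 1, "Image": r"C:\Tools\PsExec.exe", "OriginalFileName": "PsExec.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\SystemSettingsAdminFlows.exe",
     "OriginalFileName": "SystemSettingsAdminFlows.exe"},
]

WINDOWS_ROOTS = {"%systemroot%", r"c:\windows"}   # directories, lower-cased
PSEXEC_NAMES = {"psexec.exe", "psexesvc.exe"}    # PE OriginalFileName values

def _split(path):
    """Return (directory, file name) of a Windows path, both lower-cased."""
    d, f = ntpath.split(path)
    return d.lower(), f.lower()

def service_in_windows_root(ev):
    """7045: service binary sitting directly in the Windows root. Legitimate
    services live in System32; PsExec's service stub is dropped into the root."""
    if ev.get("EventID") != 7045:
        return None
    d, _ = _split(ev["ImagePath"])
    if d in WINDOWS_ROOTS:
        return ("T1569.002", f"service {ev['ServiceName']} -> {ev['ImagePath']}")
    return None

def renamed_psexec(ev):
    """Sysmon 1: PE metadata says PsExec but the on-disk name differs (masquerading)."""
    if ev.get("EventID") != 1:
        return None
    _, f = _split(ev["Image"])
    orig = ev.get("OriginalFileName", "").lower()
    if orig in PSEXEC_NAMES and f != orig:
        return ("T1036.005", f"{ev['Image']} has OriginalFileName {orig}")
    return None

def defender_tamper_binary(ev):
    """Sysmon 1: SystemSettingsAdminFlows.exe is a signed Windows binary, so this
    is a hunting signal to review alongside Defender state changes, not a verdict."""
    if ev.get("EventID") == 1 and _split(ev["Image"])[1] == "systemsettingsadminflows.exe":
        return ("T1562.001", f"{ev['Image']} launched")
    return None

def scan(events):
    """Apply every rule to every event; return (technique, detail) hits in log order."""
    rules = (service_in_windows_root, renamed_psexec, defender_tamper_binary)
    return [h for ev in events for rule in rules if (h := rule(ev))]
```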