🇷🇺 INC Ransom
Threat-actor battle card · maintained from public sources · last updated 2026-06-23 · also known as GOLD IONIC, IncRansom, Inc. Ransom
Overview
INC Ransom (also known as GOLD IONIC) is a ransomware-as-a-service (RaaS) group that emerged in August 2023 and has grown into one of the most prolific ransomware operations in 2026, claiming over 830 victims since launch. US organizations account for over 65% of victims. Top targeted sectors: legal services, manufacturing, healthcare, technology, and construction. The group runs a structured affiliate programme and has attracted experienced operators from disrupted ransomware operations. No operator identities have been publicly confirmed; cybersecurity researchers attribute the operation to Russian-speaking criminals.
Tradecraft
- Initial access: Spear-phishing, IAB-purchased credentials, and exploitation of public-facing application vulnerabilities — notably CVE-2023-3519 (Citrix NetScaler), CVE-2023-48788 (Fortinet EMS), CVE-2024-57727 (SimpleHelp RMM), CVE-2025-5777 (Citrix NetScaler Bleed 2).
- Encryptor: Rust-based cross-platform locker (Windows and Linux/ESXi builds); the Rust codebase complicates static analysis and enables efficient cross-platform campaigns.
- Extortion model: Double extortion — data exfiltration before encryption, threat of public DLS release.
- Printer ransom-note delivery: On successful encryption, the malware scans the compromised network for active printers and automatically prints physical copies of the ransom demand — a documented escalation tactic since 2024.
- Backup targeting: Modified credential dumper supporting Veeam's salted DPAPI encryption (newer deployments), specifically designed to compromise backup infrastructure and eliminate recovery options.
- Hands-on-keyboard style: Uses legitimate remote-management tools for lateral movement (consistent with the operating procedures of affiliates drawn from the pool displaced by the LockBit and RansomHub disruptions).
- Recent surge (June 2026): Claimed attacks against 10 law firms and legal services organizations within a 48-hour window — indicates a coordinated affiliate campaign against the legal sector.
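A defensive sketch for the printer ransom-note behaviour in the list above, added here as an example and not taken from any of the cited sources: it flags a single host sending the same document to many distinct printers within a few minutes. The record fields, host and printer names, and thresholds are constructed assumptions; real input could come from print-server job logs.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: (ISO timestamp, submitting host, printer, document name).
SAMPLE_JOBS = [
    ("2026-06-01T09:02:11", "WS-014", "PRN-2F-01", "q2-forecast.xlsx"),
    ("2026-06-01T09:40:03", "WS-014", "PRN-2F-01", "contract-draft.docx"),
    ("2026-06-01T23:14:05", "SRV-FILE02", "PRN-1F-01", "document-a.txt"),
    ("2026-06-01T23:14:09", "SRV-FILE02", "PRN-1F-02", "document-a.txt"),
    ("2026-06-01T23:14:12", "SRV-FILE02", "PRN-2F-01", "document-a.txt"),
    ("2026-06-01T23:14:20", "SRV-FILE02", "PRN-3F-01", "document-a.txt"),
    ("2026-06-01T23:14:31", "SRV-FILE02", "PRN-3F-02", "document-a.txt"),
    ("2026-06-02T08:15:00", "WS-022", "PRN-1F-01", "invoice-1182.pdf"),
    ("2026-06-02T08:15:40", "WS-022", "PRN-1F-02", "invoice-1182.pdf"),
]


def find_print_fanout(jobs, window=timedelta(minutes=5), min_printers=4):
    """Flag (host, document) pairs sent to >= min_printers distinct printers within `window`."""
    by_key = defaultdict(list)
    for ts, host, printer, doc in jobs:
        by_key[(host, doc)].append((datetime.fromisoformat(ts), printer))
    alerts = []
    for (host, doc), events in sorted(by_key.items()):
        events.sort()
        start, best, best_start = 0, set(), None
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            printers = {p for _, p in events[start:end + 1]}
            if len(printers) > len(best):
                best, best_start = printers, events[start][0]
        if len(best) >= min_printers:
            alerts.append({
                "host": host,
                "document": doc,
                "printers": sorted(best),
                "window_start": best_start.isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_print_fanout(SAMPLE_JOBS):
        print(alert)
```

Tune `min_printers` and `window` to the environment; a print server that legitimately broadcasts jobs would need an allow-list.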
Notable victims
- NHS Scotland, Dumfries and Galloway (public health/UK) — March 2024; 3 TB of sensitive patient and staff data claimed; one of the first major public-sector attacks by this group; data published after ransom refused. (Source: The Register)
- Xerox Business Solutions (technology/US) — 2024; confirmed breach via Xerox public disclosure.
- Framesi (professional beauty/cosmetics manufacturing, Italy) — DLS claim seen 2026-06-17.
- Jasper Plastics Solutions (manufacturing, US) — DLS claim seen 2026-06-17.
Assessment
INC Ransom is a durable, high-volume RaaS with consistent growth since 2023. The Rust cross-platform encryptor and Veeam-specific credential dumper indicate sustained development investment — this is not a commodity kit. The deliberate concentration on legal services, which holds high-value litigation, IP, and client-privilege data, reflects strategic targeting for maximum extortion leverage. Organizations with Citrix or Fortinet EMS exposure should treat INC as an active near-term threat. The June 2026 law-firm campaign surge warrants immediate attention from general counsel and legal operations teams.
Sources
- Sophos — GOLD IONIC Deploys INC Ransomware
- MITRE ATT&CK — INC Ransom / GOLD IONIC, Group G1032
- Australian Cyber Security Centre — INC Ransom affiliate model advisory
- Halcyon — INC Ransom campaign against law firms
- Acronis — From emerging threat to top-tier RaaS: The evolution of INC ransomware
- The Hacker News — INC Ransomware claims 830+ victims since 2023
- The Register — INC Ransom claims NHS Scotland attack
- Dark Reading — INC Ransomware Thrives by Mastering the Basics
🗂️ Attacks & victims
All disclosed victims attributed to this actor, newest first.
June 2026