Cyber Threat Actor: INC Ransomware
| Actor Type | Location | Known Incidents |
Criminal
|
United Kingdom
|
3 incidents |
|---|
Profile
INC Ransomware, also referred to as INC Ransomware, is a ransomware group that has been publicly associated with activity in the United Kingdom, the United States, and Hungary. The actor’s known alias is INC Ransomware and open sources describe its base of operations as being in the United Kingdom. Targeting observed across the reported incidents includes government agencies responsible for military and law‑enforcement procurement, emergency‑service alert vendors, and educational or publishing institutions such as a university press. In the Hungarian case the group struck a state agency that handles defence procurement, while in the United States it compromised the vendor that supplies the CodeRED platform used for county emergency alerts, and in the United Kingdom it targeted Cambridge University Press & Assessment. The group’s objectives have been explicitly financial, seeking ransom payments in exchange for decryption keys and the non‑release of stolen data, as shown by the $5 million demand made to the Hungarian agency and the double‑extortion approach used against Cambridge. These operations also produced clear disruption, notably the week‑long loss of access to the alert system in Spokane County that forced the decommissioning of the legacy platform and required the county to route messages through state and federal warning centers.
The tactics described in the public reports involve the deployment of ransomware that encrypts files while simultaneously exfiltrating sensitive information for use in double‑extortion schemes. The group has repeatedly threatened to publish stolen data unless a ransom is paid, exemplified by the leak of procurement documents, financial reports and internal emails from the Hungarian agency and the threat to release supplier invoices and service contracts from Cambridge University Press & Assessment. No specific initial‑access vector, malware family beyond the INC Ransomware payload, or particular toolset has been detailed in the available sources. Attribution to a state sponsor or to a larger criminal consortium has not been established in any of the cited incidents, and the only confirmed geographic detail is the group’s reported location in the United Kingdom. Representative operations that illustrate the group’s pattern include the Spokane County alert‑system breach, the Hungarian procurement‑agency attack, and the Cambridge University Press & Assessment incident. Together these cases show a consistent approach of ransomware deployment, data theft, and public‑leak threats intended to extract financial payments while causing service interruption and operational disruption.
