Menu
Browse

Cyber Threat Actor: Roman Khubov

Aliases: 2 aliases
Actor Type Location Known Incidents
 Icon
Criminal
1 incident
Profile

The threat actor known as Roman Khubov, operating under the alias blackod, is linked to the INC ransomware group. This group has been active in targeting healthcare organizations across the Oceania region. In June 2025, authorities attributed a high-impact attack on Tonga's Ministry of Health to Khubov, marking a significant incident where the group directly targeted a national health authority rather than individual facilities. The attack resulted in the disruption of information and communications networks, effectively shutting down core national health services. This incident underscores the group's focus on the healthcare sector and its capacity to cause widespread operational paralysis.

The INC ransomware group employs a multi-stage intrusion methodology. Initial access is typically gained through one of three vectors: compromised user accounts, spear-phishing campaigns, or the exploitation of known software vulnerabilities. Once initial foothold is established, the actors move laterally across the network to expand their presence, often leveraging legitimate credentials and tools to avoid detection. They then escalate privileges to obtain administrative or system-level access, which enables the deployment of ransomware payloads. The group's approach is methodical, allowing them to infiltrate deeply into targeted environments before executing the final encryption stage. In the Tonga attack, the group bypassed individual health facilities and directly compromised the Ministry of Health's central systems, indicating a strategic preference for high-value targets that can amplify the impact of the ransomware deployment.

The disruption caused by the Tonga Ministry of Health attack had immediate and severe consequences for the nation's healthcare delivery, as core services were rendered inoperable. This aligns with a broader pattern observed in the group's campaign against healthcare providers in Oceania, where the interruption of critical medical functions can endanger patient care and public health. The deployment of ransomware in the Tonga attack resulted in the disruption of information and communications networks, effectively shutting down core national health services. Attribution of the attack to Roman Khubov by authorities highlights the ongoing efforts to identify and hold accountable individuals behind such operations. The INC ransomware group's continued focus on the healthcare sector demonstrates a concerning trend of threat actors exploiting vulnerabilities in systems that are essential to community well-being. The group's sustained targeting of healthcare indicates an ongoing threat to the stability of health services across the region.

Incidents
Attributed incidents available to members
1 incident
Sources
Sources available to members
0 sources