Menu
Browse

Cyber Threat Actor: INC Ransom

Actor Type Location Known Incidents
 Icon
Criminal
United States of America
5 incidents
Profile

INC Ransom, also observed as Incransom, is a ransomware threat actor that has been publicly linked to a series of data‑exfiltration and extortion incidents across multiple industries and geographic regions. The actor’s known alias appears in leak‑site postings and victim notifications, and open‑source reporting indicates a operational base in the United States of America. Targeted sectors identified in the disclosed cases include auditing and consulting, health‑insurance, cultural foundations, medical service providers, and corporate subsidiaries, with victims located in the United States, Italy, and the Czech Republic. The actor’s stated objective, as demonstrated in the ransom notes and leak‑site communications, is financial gain through the threat of releasing stolen personal and corporate data unless a ransom payment is made.

Reported operations show a consistent pattern of network intrusion followed by the exfiltration of large volumes of data—ranging from hundreds of gigabytes to over eight hundred gigabytes—after which samples are published to validate the breach and pressure victims into negotiation. The actor relies on ransomware payloads to encrypt systems while simultaneously copying files containing personally identifiable information, financial records, health data, and internal business documents; the stolen material is then uploaded to a public leak site for potential download. No specific malware families, initial‑access vectors, or auxiliary tools are detailed in the available sources, so the profile refrains from speculating on those technical aspects. Attribution information is limited to the geographic indication of United States‑based activity, with no publicly asserted ties to state sponsors or larger criminal consortia. Representative incidents that illustrate the actor’s methodology include the ransomware attack on Beacon Mutual Insurance Co., the breach of the Biennale di Venezia, the data theft at Sandhills Medical Foundation, the listing of FIZA a.s. on a leak site, and the cybersecurity event affecting Xerox’s XBS subsidiary. These cases collectively demonstrate the actor’s focus on stealing sensitive data for extortion rather than purely disruptive or espionage‑driven motives.

Incidents
Attributed incidents available to members
5 incidents
Sources
Sources available to members
0 sources