Cyber Threat Actor: INC ransomware gang
| Actor Type | Location | Known Incidents |
Criminal
|
—
|
0 incidents |
|---|
Profile
The INC ransomware gang operates as a cybercriminal group engaging in data theft and extortion. Publicly identified by its singular alias, the group gained attention through its breach of the State Bar of Texas in early 2025. This incident demonstrated their focus on compromising organizational networks to exfiltrate sensitive information, which they subsequently weaponized for coercive purposes. The gang maintains an extortion platform to pressure victims by leaking stolen data samples, a tactic employed during the Texas breach to validate their claims and intensify negotiation leverage.
Their targeting of a prominent legal association suggests opportunistic attacks against entities managing confidential client or member data, though available evidence does not establish broader sectoral or geographic preferences. The Texas breach specifically involved theft of full names and legal case documents, indicating intent to exploit personally identifiable information for financial gain. The gang’s operational model aligns with ransomware-affiliated data extortion, where encryption may not be the primary payload but serves as an additional pressure mechanism. No state affiliations or collaborative partnerships with other threat groups have been publicly attributed to this actor.
The group’s tactics center on unauthorized network access followed by data exfiltration and extortion, as evidenced by their leak of stolen legal documents to coerce the State Bar of Texas. While technical specifics of their initial access vectors and malware tooling remain undocumented in public reports, their post-compromise behavior emphasizes public shaming and incremental data leaks to force payment. Victim organizations in confirmed incidents have responded by offering credit monitoring services to affected individuals, reflecting the gang’s success in extracting sensitive personal data. The INC ransomware gang continues to pose a threat to organizations holding high-value information through these consistent extortion practices.
