Cyber Incident Victim: Ministry of Health
Date:
Jun 2025
Location:
Tonga
Summary
The INC ransomware group has targeted healthcare organizations across Oceania, gaining access through compromised credentials, spear‑phishing and exploited vulnerabilities, then moving laterally, escalating privileges and deploying ransomware while exfiltrating personal and health data. In Tonga the group attacked the Ministry of Health, disrupting its information and communications networks and shutting down core national services; authorities later linked the intrusion to the hacker known as Roman Khubov ('blackod').
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actors | Type | Location |
|---|---|---|
| 2 actors | Available to members | Available to members |
Description
INC ransomware activity began with a focus on the United States and the United Kingdom before shifting toward Australian targets in the summer of 2024, when the group started compromising companies in the professional services and healthcare sectors. Over the course of 2025 the campaign expanded, with INC affecting additional organizations in New Zealand and Tonga, and the Australian Cyber Security Centre responding to eleven INC ransomware incidents in Australia between July 2024 and December 2025, most of which involved healthcare or professional services entities. In these attacks the intruders typically gained an initial foothold by purchasing compromised credentials from initial access brokers, although they also employed spear‑phishing and exploited known vulnerabilities in internet‑facing devices. After establishing access, the attackers moved laterally within victim networks, escalated privileges to administrator level, deployed ransomware lockers and ransom notes, and in many cases exfiltrated personally identifying information and protected health information using legitimate software tools to compress and extract data.

On June 15 2025 INC directed its efforts against the Kingdom of Tonga’s Ministry of Health, bypassing individual health facilities and targeting the national ministry directly. The assault disrupted the Ministry of Health’s information and communications networks, effectively shutting down core national health services. During the intrusion the attackers exfiltrated data from the compromised systems, though the article does not specify the exact volume or type of data taken. Following the incident authorities identified a specific individual linked to the Tonga attack, Roman Khubov, who operates online under the alias “blackod,” and they released a photograph of his face as part of their public disclosure. A joint advisory was issued on March 6 2026 by the Australian Cyber Security Centre, Tonga’s National Computer Emergency Response Team, and New Zealand’s National Cyber Security Centre, which outlined INC’s targeting of critical networks with a particular emphasis on the healthcare sector across Oceania. The advisory noted that INC operates under a ransomware‑as‑a‑service model, allowing its tactics, techniques and procedures to vary depending on the affiliate conducting each attack.
