>samit_hota
Back to adversary profiles
G1032HighActive

INC Ransom (G1032) Threat Actor Profile: Operations, Tactics, and Evolution

Samit Hota·
Suspected Origin
Eastern Europe (Suspected)
Motivation
Financial Gain
Aliases
GOLD IONIC
Target Sectors
Healthcare, Education, Manufacturing, Business Services, Government, Technology, Legal Services, Construction, Retail, Finance, Professional Services
Associated Malware
INC Ransomware, Lynx Ransomware, 7-Zip, MegaSync, Advanced IP Scanner, PsExec, AnyDesk, Rclone, Impacket, Mimikatz, Cobalt Strike
#threat-actor#g1032

Overview

INC Ransom, tracked by MITRE as G1032 and also known by the alias GOLD IONIC, is a formidable ransomware-as-a-service (RaaS) operation that surfaced in mid-2023. This financially motivated group swiftly established itself as a significant global threat, operating through an affiliate model where core developers provide the ransomware and infrastructure, while various actors conduct intrusions and share the proceeds.

The group is notorious for its double extortion tactics, which involve not only encrypting victim data but also exfiltrating sensitive information and threatening to publish it on their dark web leak sites if ransom demands are not met. While definitive attribution remains uncertain, communications and tactics are consistent with Eastern European ransomware operations, and some cybersecurity researchers believe Russian criminals are behind the group.

INC Ransom maintains a broad global reach, predominantly targeting organizations in the United States and Europe, but with reported activity extending to Canada, Australia, New Zealand, and the Pacific island states. They show a preference for sectors where disruption creates immediate pressure to restore operations due to sensitive data holdings or critical services. These include healthcare, education, manufacturing, business services, government, technology, legal services, construction, retail, finance, and professional services. A distinguishing characteristic of INC Ransom is its cross-platform capability, with ransomware variants targeting Windows systems, Linux servers, and VMware ESXi virtualization environments.

Tactics & Techniques

INC Ransom affiliates employ a methodical, multi-stage attack strategy, demonstrating adaptability and a focus on proven intrusion methods.

Their initial access vectors are varied and include:

  • Phishing campaigns: Often spear-phishing emails delivering malicious attachments or credential-harvesting links.
  • Exploitation of public-facing application vulnerabilities: Notably, they have leveraged critical flaws such as CVE-2023-3519 in Citrix NetScaler gateways and CVE-2023-48788 in Fortinet FortiClient EMS, as well as CVE-2024-57727 in SimpleHelp.
  • Compromised credentials: Frequently obtained from Initial Access Brokers (IABs) or through RDP/VPN exploitation.

Once initial access is established, the group focuses on gaining a foothold, conducting reconnaissance, and escalating privileges. They heavily utilize living-off-the-land (LOLBins) techniques and legitimate administrative tools to avoid detection. Commands like net user /domain and net group /domain are used to enumerate Active Directory accounts and groups. Network scanning tools such as NetScan.exe and Advanced IP Scanner identify additional systems and critical assets, including domain controllers, file servers, and backup infrastructure.

Credential harvesting is a central component of their operations, using tools like Mimikatz, Lsassy.py, and WinPEAS to dump credentials from memory or export the Security Account Manager (SAM) database. They also compromise legitimate service accounts with broad access and elevated privileges. Lateral movement is achieved using tools like RDP, PsExec (often disguised as “winupd”), AnyDesk, and Impacket for pass-the-hash attacks.

Before encryption, INC Ransom prioritizes data exfiltration. Sensitive data, including customer records, financial information, and intellectual property, is typically compressed using utilities like 7-Zip or WinRAR and then transferred to cloud storage services such as Mega.nz, often via MegaSync or Rclone. They may split large files into smaller chunks to evade detection during transfer.

For defense evasion, INC Ransom terminates security software, backup agents, and database services. They delete Volume Shadow Copies to hinder recovery efforts and have been observed disabling Windows Defender using SystemSettingsAdminFlows.exe.

Finally, the ransomware payload is deployed. The INC ransomware encrypts files on local drives, network shares, and virtual machine storage. To maximize speed, it often employs partial encryption, encrypting only portions of each file. It utilizes AES-128 in CTR mode for file contents and Curve25519 elliptic-curve cryptography for key protection. Ransom notes, typically in .txt and .html formats, are aggressively delivered to each encrypted directory, and have even been printed to connected printers or used to change desktop wallpapers.

Notable Campaigns

Since its emergence in July 2023, INC Ransom has rapidly escalated its operations. By mid-2026, the group had publicly claimed over 830 victims, with 855 victims listed as of July 10, 2026, including 31 in the preceding 30 days. This places them among the most active ransomware operations. In Q1 2026, INC Ransom was ranked as the fourth most prominent ransomware group globally, accounting for over 120 incidents during that period. Their activity notably increased in 2025, with over 300 victims compared to 162 in 2024. In July 2025, INC was even identified as the most deployed ransomware based on victims posted to leak sites.

Notable incidents attributed to INC Ransom include attacks on critical healthcare infrastructure, such as Alder Hey Children’s Hospital in the UK, NHS Scotland, and NHS Dumfries & Galloway. In June 2025, the Tongan Ministry of Health (MoH) ICT environment was severely impacted by an INC Ransom attack, disrupting the national healthcare network. Other reported victims include Xerox Business Solutions and Leicester City Council. Interestingly, some incidents have been observed where INC Ransom focused solely on data exfiltration and extortion without deploying encryption, showcasing their flexible approach to maximizing leverage.

Associated Malware & Tools

The primary malware deployed by this group is INC Ransomware, a sophisticated ransomware variant that has seen continuous development. The original Windows and Linux/ESXi encryptors have been rewritten in Rust, improving cross-platform compatibility and resistance to reverse engineering.

The RaaS model has led to the proliferation of related variants. In mid-2024, INC’s source code was reportedly sold on underground forums for $300,000, which subsequently led to the emergence of Lynx Ransomware. Lynx shares significant code overlap and behavioral similarities with INC, often being considered a successor or rebranding. Another related ransomware family, Sinobi, has also been linked to the sale of INC’s source code.

Beyond their proprietary ransomware, INC Ransom affiliates leverage a diverse array of legitimate and openly available tools, highlighting a “living-off-the-land” philosophy:

  • Archiving Utilities: 7-Zip and WinRAR are commonly used to compress stolen data prior to exfiltration.
  • Remote Access & Movement: AnyDesk, PsExec (often renamed to “winupd”), PuTTY, and Remote Desktop Protocol (RDP) facilitate lateral movement and remote control.
  • Reconnaissance: Advanced IP Scanner, NETSCAN.EXE (NetScan), AdFind, and Nltest are deployed for network discovery and enumeration.
  • Credential Access: Tools like Mimikatz, Lsassy.py, WinPEAS, and esentutl are employed to harvest credentials.
  • Data Exfiltration: MegaSync (for Mega.nz) and Rclone are primary tools for transferring stolen data to cloud storage.
  • Execution & Utilities: Windows utilities such as cmd.exe, wmic.exe, and PowerShell are used for command execution. SystemSettingsAdminFlows.exe has been observed for disabling Windows Defender, and split.exe for dividing large files.
  • Post-exploitation & C2: Commercial red-team tools like Cobalt Strike and Meterpreter have been utilized for establishing command and control.
  • Network Exploration/Pass-the-Hash: Impacket modules like wmiexec.py are used for lateral movement and exploiting Windows services.
  • Anonymity: The Tor network is used for hosting their data leak sites and negotiation portals.

Current Status

INC Ransom remains an exceptionally active and evolving threat actor in the ransomware landscape as of July 2026. The group continues to adapt its tactics, techniques, and procedures (TTPs), maintaining a high operational tempo through its affiliate network.

Recent intelligence, updated to July 10, 2026, indicates that INC Ransom has publicly claimed 855 victims, with 31 new victims listed in just the last 30 days. This consistent activity underscores its significant presence, having been ranked as the fourth most prominent ransomware group globally in Q1 2026.

While the sale of its source code in May 2024 led to the emergence of related ransomware families like Lynx and Sinobi, the core INC Ransom operation has continued to thrive. They continue to exploit unpatched edge devices for initial access, dump credentials from backup servers (including Veeam), and skillfully employ a mix of living-off-the-land binaries (LOLBins) and commercial Remote Monitoring and Management (RMM) tools for internal network operations. The group’s sustained growth is attributed to aggressive victim selection, rapid affiliate scaling, and a steadfast focus on effective, proven intrusion methods rather than purely technical innovation. Given their consistent activity and ongoing targeting of critical sectors, INC Ransom is expected to remain a top-tier threat for the foreseeable future.

Worried this actor targets your sector?

Let's map your exposure before they find it themselves.

Book an advisory call