threatintel
actor tracker
All actors

INC Ransom

inc-ransom · primary source: Other · first observed 2023
RU · RussiaRansomwareLow confidencelast cited Nov 27, 2024 · 1.5y ago

Russian-speaking ransomware-as-a-service operation active since mid-2023, notable for sustained targeting of UK NHS trusts and U.S. healthcare providers. Major UK incidents: **NHS Dumfries and Galloway** (March 2024 — 3TB exfiltrated, 150,000 patient records subsequently leaked when ransom was refused), **NHS Alder Hey Children's Hospital + Liverpool Heart and Chest** (November 2024). The brand's source code was reportedly sold by an operator on RAMP forum in May 2024 for $300,000 — Lynx ransomware (active since mid-2024) is the suspected derivative.

Aliases

Lynx (suspected fork)Other

Motivations

financial gain

Target sectors

healthcareeducationgovernmentmanufacturing

Target countries

GBUSDEFR

Diamond Model

Caltagirone / Pendergast / Betz 2013 — four-vertex attribution framework.

Adversary
  • INC Ransom
  • Russia
  • financial gain
Capability
Infrastructure
Victim
  • healthcare
  • education
  • government
  • GB
  • US
  • +1 more

MITRE ATT&CK techniques

T1486T1490T1567.002T1078

Timeline

2 events
  1. CompromiseCritical2024-11-28·The Register

    INC Ransom claims compromise of Alder Hey Children's + Liverpool Heart NHS

    INC Ransom claimed near-simultaneous compromises of two Liverpool-area NHS Foundation Trusts: Alder Hey Children's Hospital (one of the UK's largest paediatric hospitals) and Liverpool Heart and Chest. The operators posted patient documents on their leak site as proof, marking the second sustained INC Ransom campaign against UK NHS trusts in eight months. The Alder Hey targeting — paediatric oncology and cardiology data — drew unusually pointed condemnation from UK government and healthcare-sector commentators.

    healthcareransomwarepaediatricuknhs
  2. CompromiseHigh2024-03-15·The Register

    INC Ransom compromises NHS Dumfries and Galloway, leaks 150K patient records

    INC Ransom claimed a compromise of NHS Dumfries and Galloway, the regional NHS Scotland trust serving south-west Scotland, on 15 March 2024. The trust contained malware spread to a single regional branch but could not prevent exfiltration; the operators claimed 3TB of stolen data. After the trust refused to pay, INC Ransom published patient records — including medical test results for adults and young children, medication information, and full patient names + home addresses — ultimately exposing approximately 150,000 individuals' data on the operators' leak site.

    healthcareransomwareuknhspatient-impact

Indicators of compromise

2 indicators
csv
TypeValueFirst seenSource
Name
INC-README.txt
family · INC Ransomware
Ransom note filename dropped per directory by INC Ransom (also seen as INC-README.html / *.inc-readme.txt). Documented in Huntress and Secureworks (GOLD IONIC) analyses.
Jul 31, 2023Sophos / Secureworks CTU
SHA-256
accd8bc0d0c2675c15c169688b882ded17e78aed0d914793098337afc57c289c
family · INC Ransomware
INC Encryptor binary (PDB string 'C:\source\INC Encryptor\Release\INC Encryptor.pdb') used in the early INC Ransom intrusions investigated by Huntress and mapped to MITRE ATT&CK software entry S1139.
Jul 31, 2023Huntress

Leak-site activity (unverified)

full feed →

Recent victim disclosures posted by this group on its leak site, via ransomware.live. These are unverified attacker claims — ransomware crews routinely fabricate, double-post, or inflate victims. Surface only.

  • 05-18bergen1.netUS
  • 05-17metaval.com.auAU
  • 05-15defenseisready.comUS
  • 05-15lafj.orgUS
  • 05-15United Quality Cooperative / www.uqcoop.comUS

Related actors

shared ATT&CK techniques

References

cite this page

Threat Intel Tracker. (2026-05-19). INC Ransom — actor profile. Retrieved from https://threatintel.local/actors/inc-ransom

latest cited activity · 2024-11-28 · 2 cataloged indicators