Threat-actor profile

← Back to main site

Home/ Threat Actors/ INC Ransom

🌐INC Ransom

🌐 INC Ransom is a tracked threat actor in the Clankerusecase corpus. Attributed to ??. Primary motivation: Criminal. We map 22 detection use cases to this actor across 35 MITRE ATT&CK techniques, with 1 threat-intel article citing them. Active in our corpus from 2026-05-18 to 2026-05-18.

crit 1

View full actor card → All threat actors MITRE ATT&CK group spec (G1032) ↗

22Use cases

1Articles

35Techniques

0IOCs

Known aliases

INC ransomwareINC RansomINC GroupGOLD IONIC

Top techniques

T1190 · Exploit Public-Facing Application T1195.002 · Compromise Software Supply Chain T1204.002 · Malicious File

All other tracked techniques

T1003 · OS Credential Dumping T1003.001 · LSASS Memory T1005 · Data from Local System T1021.001 · Remote Desktop Protocol T1021.002 · SMB/Windows Admin Shares T1036.005 · Match Legitimate Resource Name or Location T1046 · Network Service Discovery T1047 · Windows Management Instrumentation T1049 · System Network Connections Discovery T1059.003 · Windows Command Shell T1069.002 · Domain Groups T1070.004 · File Deletion T1071 · Application Layer Protocol T1071.001 · Web Protocols T1074 · Data Staged T1078 · Valid Accounts T1087.002 · Domain Account T1105 · Ingress Tool Transfer T1133 · External Remote Services T1135 · Network Share Discovery T1219 · Remote Access Tools T1486 · Data Encrypted for Impact T1537 · Transfer Data to Cloud Account T1539 · Steal Web Session Cookie T1555.003 · Credentials from Web Browsers T1560.001 · Archive via Utility T1566 · Phishing T1569.002 · Service Execution T1570 · Lateral Tool Transfer T1588.002 · Tool T1657 · Financial Theft T1685 · Disable or Modify Tools

Detection use cases (22)

INC Ransom data staging + MEGAsync/rclone cloud exfiltration chain AI · profile SDD INC Ransom hands-on-keyboard credential access: comsvcs.dll LSASS mini-dump + AdFind/netscan recon chain AI · profile SΣDD Cisco Secure FMC anomalous outbound HTTP PUT (Interlock CVE-2026-20131 callback) Bespoke Crypto-wallet file/keystore access by non-wallet process Internal Infostealer — non-browser process accessing browser cookie/login DBs Internal Asset exposure — vulnerability matches article CVE(s) Internal Ransomware-style mass file rename / extension change Internal LSASS process access / dump (credential theft) Internal Remote service execution — PsExec / SMB lateral movement Internal Trusted vendor binary / installer launching unusual children Internal 1Password impossible-travel sign-in MITRE match 1Password vault export attempted MITRE match Auth-Bypass on Public-Facing Service → Post-Exploit Action on Same Host (≤10 min) MITRE match Brand-Impersonation Domain Fetch Followed by User-Context Loader Within 10 Minutes MITRE match Cross-Platform ClickFix Paste-to-Pipe Loader (UI-Parent Shell with Decode-and-Execute Payload) MITRE match Developer/Data-tooling Daemon Spawns Shell Child Seconds After POST to Runner/Exec Endpoint MITRE match Internet-Facing Service Process Spawning Unix Shell or Ingress-Tool LOLBin (Edge Zero-Day Post-Exploit) MITRE match Low-Code / AI Workflow Runtime Sandbox-Escape — Server Process Spawns Shell + Public Egress MITRE match Server / AI-agent process spawns shell or LOLBIN with public egress — post-RCE behavioural chain MITRE match Service-process parent spawns subprocess containing CLI-argument-injection tokens MITRE match Web App Interpreter (Node/Python/Java/PHP) Spawns Shell or Net-Download LOLBin on Internet-Facing Host MITRE match Atlassian administrator impersonating user MITRE match

Threat-intel articles (1)

crit IT threat evolution in Q1 2026. Mobile statistics · 2026-05-18

Tracked indicators

CVEs (1)

CVE-2026-20131