Aliases
- GOLD IONIC — Secureworks / Counter Threat Unit tracking name
- G1032 — MITRE ATT&CK group identifier
Profiling
Threat Actor Type: Ransomware-as-a-Service (RaaS) operation with double extortion. Whether INC Ransom operates as a fully open affiliate program or a more closed, vetted-partner model remains a subject of active debate among researchers — Secureworks assesses it as a structured RaaS, while others have characterized it as potentially operating with a smaller, tightly controlled affiliate base.
Structure: Core operators maintain the ransomware platform, encryptors, leak site infrastructure, and victim negotiation portal. Affiliates (or tightly vetted partners) conduct intrusions and deploy the payload, splitting ransom proceeds with the core team. The group recruits through underground forums and has established documented partnerships with other threat actors who provide initial access as a service.
Known Affiliate Relationships:
- Vanilla Tempest (aka DEV-0832, formerly Vice Society) — A Russian-speaking, financially motivated threat actor tracked by Microsoft that adopted INC Ransom as its primary payload in August 2024 after previously deploying BlackCat, Quantum Locker, Zeppelin, and Rhysida. Vanilla Tempest focuses heavily on U.S. healthcare organizations.
- Storm-0494 — Provides initial network access to Vanilla Tempest through GootLoader malware infections, functioning as an initial access broker (IAB) feeding directly into INC Ransom deployments.
Expertise: INC Ransom demonstrates mature, operationally disciplined tradecraft consistent with human-operated ransomware. The group uses a mix of custom tooling and living-off-the-land (LOTL) techniques, favoring native Windows utilities to blend into legitimate administrative activity. Cross-platform coverage is a defining capability: the group maintains separate encryptors for Windows, Linux servers, and VMware ESXi environments, with the Linux/ESXi variant first observed in December 2023.
- The encryptors use AES-256 in CBC mode for file encryption. The group deliberately terminates productivity processes (Microsoft Office, Outlook) prior to encryption to maximize the number of files it can lock. INC ransomware also sends ransom notes to any networked printers on the victim’s environment — a pressure tactic designed to maximize operational disruption and internal awareness of the incident.

Figure 1: INC Ransom ransom note.
Motivations
Financial gain through ransomware encryption and double extortion data theft.
Timeline
July 2023 — Emergence
INC Ransom surfaces targeting manufacturing, retail, IT, and the public sector. The group establishes a Tor-based leak site and Tox-based negotiation infrastructure. Secureworks designates the group GOLD IONIC.
December 2023 — Linux/ESXi Variant Released
A Linux encryptor is released, extending coverage to Linux servers and VMware ESXi environments. Trend Micro records 124 attack attempts in December alone — the group’s most active single month in year one.
Early 2024 — Xerox Business Solutions
INC compromises Xerox Business Solutions (XBS), U.S. subsidiary of Xerox Corp, marking one of its highest-profile corporate victims to date.
March 2024 — NHS Scotland
INC claims a breach of NHS Dumfries & Galloway, threatening to release 3TB of patient data. The incident draws widespread public attention.
March–May 2024 — Source Code Sale
A threat actor using the handle “salfetka” lists INC Ransom’s Windows and Linux/ESXi encryptor source code for $300,000 on the Exploit and XSS forums — widely assessed as the event that enabled the emergence of Lynx ransomware.
August 2024 — McLaren Health Care
INC compromises McLaren Health Care (13 Michigan hospitals, $6.5B revenue). EHR systems go offline, ambulances are temporarily diverted, and 743,000 individuals are ultimately notified of exposed personal, medical, and insurance data.
August 2024 — Vanilla Tempest Adopts INC as Primary Payload
Microsoft Threat Intelligence confirms that Vanilla Tempest (formerly Vice Society) has adopted INC Ransom as its primary payload, deploying it against U.S. healthcare organizations via GootLoader infections brokered by Storm-0494.
August 2025 — Pennsylvania Office of the Attorney General
INC claims 5.7TB exfiltrated from the OAG; the office declines to pay. Researchers note exposed Citrix NetScaler appliances on the OAG network potentially vulnerable to CVE-2025-5777 (Citrix Bleed 2) in the period preceding the breach.
Ongoing and Active (as of July 2026)
INC Ransom remains highly active in 2026, with more than 800 claimed victims since 2023 and 47 known attacks recorded in January alone. Key updates include:
- Claimed 20 law firms and legal-services organizations in 2026, including 10 within a 48-hour window.
- Remained active through late June, with new leak-site listings still appearing in July.
- Rewrote both Windows and Linux/ESXi encryptors in Rust, strengthening cross-platform development and complicating reverse engineering.
- Updated credential-theft tooling to target modern Veeam backup deployments using salted DPAPI credential encryption.

Figure 2: Victim heat map.
Tactics & Techniques
Initial Access
- T1190 – Exploit Public-Facing Application
- T1566 – Phishing
- T1078 – Valid Accounts
Execution & Lateral Movement
- T1047 – Windows Management Instrumentation (WMI)
- 003 – Windows Command Shell
- 002 – Service Execution
Persistence
- 005 – Scheduled Task
- T1219 – Remote Access Software
- 001 – Remote Desktop Protocol
Credential Access
- 001 – LSASS Credential Dumping
- 003 – NTDS Credential Access
- 003 – Kerberoasting
Discovery
- T1018 – Remote System Discovery
- T1046 – Network Service Discovery
- T1482 – Domain Trust Discovery
- T1135 – Network Share Discovery
Lateral Movement
- 001 – Remote Desktop Protocol
- T1570 – Lateral Tool Transfer
Defense Evasion
- 001 – Impair Defenses
- 005 – Masquerading
- 001 – Clear Windows Event Logs
- 004 – File Deletion
Command & Control
- T1219 – Remote Access Software
Exfiltration
- 001 – Archive Collected Data
- T1074 – Data Staged
- T1567 – Exfiltration Over Web Service
- 002 – Exfiltration to Cloud Storage
Impact
- T1486 – Data Encrypted for Impact
- T1490 – Inhibit System Recovery
- T1657 – Financial Theft / Extortion
Defensive Recommendations Against INC Ransom
Patch internet-facing appliances immediately. INC Ransom’s most reliable initial access is exploitation of known CVEs — Citrix NetScaler (CVE-2023-3519, CVE-2025-5777) and Fortinet FortiOS (CVE-2024-55591) are confirmed vectors. Audit all internet-facing appliances and verify patch status. Never expose firewall management interfaces to the internet.
Enforce MFA on all remote access. RDP, VPN, and any internet-facing authentication surface must require MFA. Restrict RDP to internal networks only and disable it where not needed. Monitor for new local administrator account creation — the FortiGate exploit path creates a malicious super_admin as an early foothold indicator.
Harden credential storage and detect dumping. Deploy Credential Guard to mitigate LSASS dumping. Alert on ntdsutil execution with “create full” arguments (NTDS.dit extraction). Detect Kerberoasting via anomalous Kerberos TGS volume from a single account. Enforce long randomized passwords on all service accounts.
Protect backup infrastructure. INC Ransom specifically targets Veeam credentials (HackTool.PS1.VeeamCreds). Maintain at least one offline or air-gapped backup copy. Isolate backup admin accounts. Test restoration regularly — the group counts on backups failing under pressure.
References
BleepingComputer. INC Ransom Threatens to Leak 3TB of NHS Scotland Stolen Data. https://www.bleepingcomputer.com/news/security/inc-ransom-threatens-to-leak-3tb-of-nhs-scotland-stolen-data/
BleepingComputer. McLaren Hospitals Disruption Linked to INC Ransomware Attack. https://www.bleepingcomputer.com/news/security/mclaren-hospitals-disruption-linked-to-inc-ransomware-attack/
BleepingComputer. Microsoft: Vanilla Tempest Hackers Hit Healthcare with INC Ransomware. https://www.bleepingcomputer.com/news/microsoft/microsoft-vanilla-tempest-hit-healthcare-with-inc-ransomware/
BleepingComputer. Pennsylvania AG Confirms Data Breach After INC Ransom Attack. https://www.bleepingcomputer.com/news/security/pennsylvania-ag-confirms-data-breach-after-inc-ransom-attack/
Huntress. Investigating New INC Ransom Group Activity. https://www.huntress.com/blog/investigating-new-inc-ransom-group-activity
HvS-Consulting. INC Ransom: Ransomware Attacks & FortiGate Exploit. https://www.hvs-consulting.de/en/blog/inc-ransom-ransomware
MITRE ATT&CK. INC Ransom, GOLD IONIC, Group G1032. https://attack.mitre.org/groups/G1032/
Morado. Preventable Paths: How INC Ransomware Continues to Thrive. https://www.morado.io/blog-posts/preventable-paths-how-inc-ransomware-continues-to-thrive
Palo Alto Networks Unit 42. Lynx Ransomware: A Rebranding of INC Ransomware. https://unit42.paloaltonetworks.com/inc-ransomware-rebrand-to-lynx/
Proven Data. INC Ransomware: Tactics, Evolution, and Incident Response Guide. https://www.provendata.com/blog/inc-ransomware
Secureworks. GOLD IONIC Deploys INC Ransomware. https://www.secureworks.com/blog/gold-ionic-deploys-inc-ransomware
SecurityWeek. Microsoft: US Healthcare Sector Targeted by INC Ransomware Affiliate. https://www.securityweek.com/microsoft-us-healthcare-sector-targeted-by-inc-ransomware-affiliate/