
Threat Actor Characterization

INC Ransom

ID: 105be5814163512c8c0adb8992b4774127462
Darkweb Market/Service RaaS Program
Threat types: Ransomware, Data Leak, Data Extortion, Exploit, Phishing
Unknown USA
Updated: 2026-01-26
Created: 2025-10-22
Progress: 63% Completeness: 60% Freshness: 70%
Operation zone: United States
Aliases: GOLD IONIC, INC Ransomware (2 of 5 aliases shown)
MITRE ATT&CK®

INC Ransom (G1032) — a ransomware/data-extortion group active since July 2023, most frequently impacting industrial, healthcare, and education sectors in the US/EU. Common playbook: phishing or Citrix NetScaler CVE-2023-3519 for entry, RDP with valid accounts, PsExec/WMIC/SC for propagation, stage and exfiltrate data (often to MEGA), impair defenses, then deploy the INC encryptor.


Technique | Technique name | Tactics | Evidence
T1190 | Exploit Public-Facing Application | TA0001
  • 2023-11 — INC leveraged Citrix NetScaler/Gateway CVE-2023-3519 for initial access during campaigns.
  • 2024-10-28 — MITRE maps INC Ransom to Exploit Public-Facing Application (citations include CVE-2023-3519).
T1566 | Phishing | TA0001
  • 2024-10-28 — MITRE: phishing observed as an initial vector for INC.
T1078 | Valid Accounts | TA0001, TA0003, TA0004, TA0005
  • 2024-10-28 — Use of valid accounts to access victim environments.
T1021.001 | Remote Desktop Protocol | TA0008
  • 2024-10-28 — RDP leveraged for lateral movement and access.
T1105 | Ingress Tool Transfer | TA0011
  • 2024-10-28 — Ingress Tool Transfer: download/use of tools such as Advanced IP Scanner.
T1570 | Lateral Tool Transfer | TA0008
  • 2024-10-28 — Rapid copy/deploy of encryptor across endpoints.
T1059.003 | Windows Command Shell | TA0002
  • 2024-10-28 — Use of cmd.exe for launching payloads and orchestration.
T1074 | Data Staged | TA0009
  • 2024-10-28 — Data staged on compromised hosts prior to exfiltration.
  • 2024-10-28 — Technique example page references INC Ransom’s staging behavior.
T1537 | Transfer Data to Cloud Account | TA0010
  • 2024-04-15 — Secureworks: data exfiltration to cloud account (e.g., MEGA/MEGASync).
T1562.001 | Disable or Modify Tools | TA0005
  • 2024-05-01 — Huntress: disabling Windows Defender via SystemSettingsAdminFlows.exe.
T1036.005 | Match Legitimate Resource Name or Location | TA0005
  • 2023-08-11 — Huntress: renaming PsExec to 'winupd' to masquerade as a Windows update.
T1486 | Data Encrypted for Impact | TA0040
  • 2024-10-28 — Data encrypted for impact via INC Ransomware encryptor.
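As an added defender-side example (not part of this profile or the platform's own tooling): a small Python triage over constructed Sysmon Event ID 1 records that flags the two behaviours in the table above that leave clean process-telemetry artifacts, PsExec renamed to 'winupd' (T1036.005) and SystemSettingsAdminFlows.exe driven from a command shell (T1562.001). The PE OriginalFileName values, the list of shell parents and the sample hosts and paths are assumptions, not data from the page.

```python
"""Triage constructed Sysmon Event ID 1 (process creation) records for two
INC Ransom behaviours: PsExec renamed to 'winupd' (T1036.005) and Defender
tampering through SystemSettingsAdminFlows.exe (T1562.001)."""
import ntpath

# Assumption: PE OriginalFileName values that identify the Sysinternals PsExec
# client and its service component no matter what the binary is renamed to.
PSEXEC_ORIGINAL_NAMES = {"psexec.c", "psexec.exe", "psexesvc.exe"}
# Assumption: the Settings admin-flow helper is normally spawned by the Settings
# app; a shell parent points to scripted use, matching the cmd.exe orchestration above.
SHELL_PARENTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe"}

def _base(path: str) -> str:
    return ntpath.basename(path).lower()  # Windows basename, works on any host OS

def check_event(ev: dict) -> list:
    """Return the ATT&CK technique ids triggered by one EID 1 record."""
    hits = []
    image = _base(ev.get("Image", ""))
    original = ev.get("OriginalFileName", "").lower()
    if original in PSEXEC_ORIGINAL_NAMES and image != original:
        hits.append("T1036.005")  # PsExec executing under a different file name
    if image == "systemsettingsadminflows.exe" and _base(ev.get("ParentImage", "")) in SHELL_PARENTS:
        hits.append("T1562.001")  # Defender settings helper launched from a shell
    return hits

def triage(events: list) -> dict:
    """Map each host to the set of techniques observed on it."""
    findings = {}
    for ev in events:
        for tech in check_event(ev):
            findings.setdefault(ev["Computer"], set()).add(tech)
    return findings

# Constructed sample telemetry; hostnames and paths are illustrative, not IOCs.
SAMPLE_EVENTS = [
    {"Computer": "FS01", "Image": r"C:\Windows\Temp\winupd.exe", "OriginalFileName": "psexec.c",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Computer": "WS22", "Image": r"C:\Windows\PSEXESVC.exe", "OriginalFileName": "psexesvc.exe",
     "ParentImage": r"C:\Windows\System32\services.exe"},  # service side under its own name
    {"Computer": "WS22", "Image": r"C:\Windows\System32\SystemSettingsAdminFlows.exe",
     "OriginalFileName": "SystemSettingsAdminFlows.exe", "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Computer": "ADM01", "Image": r"C:\Windows\System32\SystemSettingsAdminFlows.exe",
     "OriginalFileName": "SystemSettingsAdminFlows.exe",
     "ParentImage": r"C:\Windows\ImmersiveControlPanel\SystemSettings.exe"},  # benign launch
]

if __name__ == "__main__":
    for host, techs in sorted(triage(SAMPLE_EVENTS).items()):
        print(host, sorted(techs))  # FS01 ['T1036.005'] / WS22 ['T1562.001']
```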
Strategic Intelligence
Last updated: 2025-10-23T02:55:25+00:00
INC Ransom — Double-Extortion Intrusion Set

CLASSIFICATION: Unclassified / Open Source


Executive Summary

INC Ransom (a.k.a. GOLD IONIC) is a ransomware/data-extortion group active since July 2023, operating globally with a concentration of victims in industrial, healthcare, and education sectors in the US and Europe. The actor blends opportunistic initial access (e.g., spearphishing and Citrix NetScaler CVE-2023-3519), rapid hands-on-keyboard actions, staging and cloud exfiltration (MEGA), and lateral tool transfer to mass-deploy the INC Ransomware encryptor. Tradecraft commonly includes RDP with valid accounts, PsExec/WMIC/Service Control Manager for propagation, defense impairment (tampering with Windows Defender), and OPSEC measures (cleanup/file deletion). Overall capability: medium-high; tempo and playbook indicate experienced affiliates. Confidence: high for TTPs/targeting; medium on affiliate composition.


Criminal, profit-motivated double extortion (theft + encryption). MITRE lists the associated name GOLD IONIC; public reporting depicts a classic RaaS/affiliate pattern, with varied TTPs around a stable core of tools. INFERENCE (affiliate model, confidence: medium).

Social Media & Communication
SOCMINT integrated: 0/0

No social links registered for this profile.
Reference Images/Associated Evidence

No images found for this threat.