INC Ransom is a Ransomware-as-a-Service operation active since July 2023. The group gained notoriety for aggressively targeting healthcare, education, and government organizations, frequently leveraging the Citrix Bleed vulnerability (CVE-2023-4966) for initial access. INC Ransom operates a double extortion model with a sophisticated data leak site.
Overview & Attribution
INC Ransom appeared in July 2023 and quickly established itself as a persistent threat to critical sectors. The group's operations are characterized by methodical reconnaissance and data exfiltration before the encryptor is deployed. INC Ransom gained significant attention for its exploitation of the Citrix Bleed vulnerability (CVE-2023-4966), which allowed session hijacking of Citrix NetScaler ADC and Gateway appliances. The group has shown willingness to target healthcare organizations, including hospitals actively providing patient care.
The group's exploitation of Citrix Bleed enabled mass compromise of organizations running vulnerable NetScaler ADC and Gateway appliances, leading to dozens of confirmed victims in late 2023 and early 2024.
- Attribution: Cybercriminal (suspected Eastern European)
- Active since: 2023
- Primary targets: healthcare, education, government, technology, manufacturing
- Also known as: INC Ransom, INC, IncRansom
Arsenal & Tools
INC Ransom employs a diverse arsenal of custom and shared tooling:
- INC encryptor: Custom ransomware binary supporting both full and intermittent encryption modes, appending .INC extension
- MegaSync: Cloud synchronization tool abused for large-scale data exfiltration prior to encryption
- Rclone: Open-source cloud storage utility used as alternative exfiltration channel
- AnyDesk: Remote access tool deployed for persistent access during post-exploitation phase
- PsExec / WMI: Lateral movement and remote execution tools for ransomware deployment across network
Targeting & Operations
INC Ransom aggressively targets healthcare, education, government, technology, and manufacturing organizations. The group has shown a particular willingness to target hospitals and healthcare providers, and has been linked to attacks on public school districts and municipal governments.
INC Ransom operations follow a methodical approach: initial access via Citrix Bleed or compromised credentials, followed by extensive reconnaissance using native tools, credential harvesting, and careful data staging using MegaSync or Rclone. The group often spends 5-14 days in a network before deploying the encryptor.
MITRE ATT&CK Mapping
| Tactic | Technique | Usage |
|---|---|---|
| Initial Access | T1190 Exploit Public-Facing Application | Exploitation of Citrix Bleed (CVE-2023-4966) for session hijacking |
| Impact | T1486 Data Encrypted for Impact | Custom encryptor with configurable encryption modes |
| Exfiltration | T1048 Exfiltration Over Alternative Protocol | MegaSync and Rclone for data theft to cloud storage |
| Command and Control | T1071 Application Layer Protocol | HTTPS-based C2 and legitimate remote access tools |
| Credential Access | T1003 OS Credential Dumping | LSASS dumping and credential harvesting |
| Lateral Movement | T1021 Remote Services | PsExec and WMI for encryptor deployment |
Notable Campaigns
INC Ransom has been linked to multiple significant campaigns:
- NHS Scotland (Mar 2024): Attack on NHS Dumfries and Galloway exposed patient data and disrupted healthcare services, drawing UK government condemnation.
- Xerox Business Solutions (Dec 2023): Breach of Xerox subsidiary compromised employee personal information and business data.
- Citrix Bleed campaign (Oct-Dec 2023): Mass exploitation of CVE-2023-4966 across multiple sectors resulted in dozens of victims during a concentrated campaign period.
Detection & Defense
- Citrix patching: Immediately patch CVE-2023-4966 on all Citrix NetScaler ADC and Gateway appliances, then terminate active sessions and rotate all session tokens, since patching alone does not invalidate sessions that were hijacked before the fix was applied
- Data exfiltration detection: Monitor for MegaSync and Rclone usage, large outbound data transfers, and cloud storage communications
- Endpoint detection: Deploy behavioral detection for INC encryptor execution patterns and credential harvesting tools
- Network segmentation: Isolate Citrix infrastructure from sensitive systems and implement zero-trust access controls
- Healthcare-specific controls: Implement healthcare-specific incident response plans with patient safety considerations
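The exfiltration-detection bullet above is the one most readily turned into a hunt. The following Python script is an added example, not code from the original page or from Mjolnir Security: it runs over a few constructed endpoint telemetry records (process-creation and per-flow outbound-byte summaries, in a made-up JSON-lines shape) and flags the three signals the page names: execution of MegaSync or Rclone, communication with consumer cloud-storage domains, and unusually large outbound transfers. The tool-name set, the cloud-storage domain list and the 5 GiB per-host threshold are assumptions to be tuned for your environment.

```python
"""Hunt for INC Ransom-style exfiltration signals in endpoint telemetry.

Added example. The telemetry format below is constructed for illustration and
does not correspond to any particular EDR or SIEM product.
"""
import json
from collections import defaultdict

# Assumed: process image names associated with the exfiltration tools named on the page.
EXFIL_TOOL_NAMES = {"rclone", "rclone.exe", "megasync", "megasync.exe", "megacmd.exe"}
# Assumed: consumer cloud-storage domains worth flagging from servers (tune per environment).
CLOUD_STORAGE_SUFFIXES = ("mega.nz", "mega.co.nz", "dropbox.com", "drive.google.com", "file.io")
# Assumed tuning value: total outbound bytes per host in the analysed window.
LARGE_OUTBOUND_BYTES = 5 * 1024 ** 3

# Constructed sample telemetry (JSON lines). Hosts, users and sizes are made up.
SAMPLE_TELEMETRY = r"""
{"type": "process", "host": "WS01", "user": "NT AUTHORITY\\SYSTEM", "image": "C:\\Windows\\System32\\svchost.exe", "cmdline": "svchost.exe -k netsvcs"}
{"type": "process", "host": "SRV-FS01", "user": "CORP\\svc_backup", "image": "C:\\ProgramData\\rclone.exe", "cmdline": "rclone.exe copy D:\\Shares\\HR mega:staging --transfers 32"}
{"type": "process", "host": "SRV-FS01", "user": "CORP\\svc_backup", "image": "C:\\Users\\svc_backup\\AppData\\Local\\MEGAsync\\MEGAsync.exe", "cmdline": "MEGAsync.exe"}
{"type": "network", "host": "SRV-FS01", "dst_domain": "g.api.mega.co.nz", "bytes_out": 4000000000}
{"type": "network", "host": "SRV-FS01", "dst_domain": "eu.transfer.mega.co.nz", "bytes_out": 3000000000}
{"type": "network", "host": "WS01", "dst_domain": "update.microsoft.com", "bytes_out": 12000000}
{"type": "network", "host": "WS02", "dst_domain": "drive.google.com", "bytes_out": 50000000}
"""


def parse_telemetry(text):
    """Parse JSON-lines telemetry, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def image_basename(path):
    """Return the lower-cased file name of a Windows or POSIX image path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_cloud_storage(domain):
    """True if the domain is, or is a subdomain of, a watched cloud-storage domain."""
    d = domain.lower()
    return any(d == s or d.endswith("." + s) for s in CLOUD_STORAGE_SUFFIXES)


def hunt(events):
    """Correlate the three signals and return them grouped by category."""
    tool_execution = []
    outbound = defaultdict(int)   # host -> total bytes_out
    cloud = defaultdict(set)      # host -> cloud-storage domains contacted
    for ev in events:
        if ev["type"] == "process":
            name = image_basename(ev["image"])
            if name in EXFIL_TOOL_NAMES:
                tool_execution.append({"host": ev["host"], "user": ev["user"],
                                       "tool": name, "cmdline": ev["cmdline"]})
        elif ev["type"] == "network":
            outbound[ev["host"]] += ev["bytes_out"]
            if is_cloud_storage(ev["dst_domain"]):
                cloud[ev["host"]].add(ev["dst_domain"])
    return {
        "tool_execution": tool_execution,
        "cloud_storage_comms": {h: sorted(d) for h, d in cloud.items()},
        "large_outbound": {h: b for h, b in outbound.items() if b >= LARGE_OUTBOUND_BYTES},
    }


def hosts_to_triage(findings):
    """Score each host by how many distinct signal categories it triggered (1-3)."""
    score = defaultdict(int)
    for hit in {f["host"] for f in findings["tool_execution"]}:
        score[hit] += 1
    for host in findings["cloud_storage_comms"]:
        score[host] += 1
    for host in findings["large_outbound"]:
        score[host] += 1
    return dict(score)


if __name__ == "__main__":
    results = hunt(parse_telemetry(SAMPLE_TELEMETRY))
    for host, s in sorted(hosts_to_triage(results).items(), key=lambda kv: -kv[1]):
        print(f"{host}: {s}/3 exfiltration signals")
    print(json.dumps(results, indent=2))
```

A host that trips all three signals at once (the constructed SRV-FS01 above) is the case that should page an analyst: a backup service account running Rclone against a MEGA remote while several gigabytes leave toward mega.co.nz matches the pre-encryption staging the page describes. A single signal on its own, such as a workstation touching drive.google.com, is usually benign and belongs in a lower-priority queue.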
Defend Against INC Ransom
Mjolnir Security provides specialized capabilities to detect and respond to INC Ransom operations.
- Threat Hunting: Proactive hunting for INC Ransom TTPs, tooling artifacts, and infrastructure indicators within your environment.
- Threat Intelligence: Continuous monitoring of INC Ransom campaigns and infrastructure changes with actionable intelligence for your defense team.
- 24/7 Incident Response: Rapid containment and forensic investigation. Call +1 833 403 5875.