Summary
This document is a threat profile report on INC Ransom ransomware, first identified in July 2023. It operates using a Ransomware-as-a-Service (RaaS) model and employs a double extortion method, which involves encrypting victim data and threatening to leak it unless the ransom is paid. The report outlines the operational style, including the most frequently targeted industries, which are primarily in the industrial sector, particularly manufacturing, and the geographical focus on North America. It details the methods of initial access, persistence, and lateral movement used by the ransomware operators, including social engineering and exploitation of valid credentials. The document also discusses the known associations with other ransomware groups, the tools utilized for various functions, and the observed behaviors during attacks. Additionally, it mentions the significant overlap in code with Lynx Ransomware and the increase in activity noted in 2025, highlighting the evolving threat posed by INC Ransom.
