INCRansom is a ransomware family observed in enterprise intrusions and victim-leak-site operations. It has been identified in ransomware incidents affecting organizations including healthcare entities, and has been listed alongside other active extortion groups in 2025-era intrusion reporting. Available reporting places it within the modern double-extortion ransomware model, in which attackers exfiltrate data before deploying encryption and then use leak-site pressure to extort victims.
In incidents where INCRansom was observed as part of broader ransomware activity, operators followed patterns common to human-operated enterprise ransomware: compromise of internal systems, staging and exfiltration of data, and subsequent encryption launched after preparatory actions intended to reduce recovery options. Ransomware intrusions in the same observed set consistently targeted backup and virtualization infrastructure before encryption, including hypervisor and backup-management environments, and commonly executed encryption from a centrally compromised server or other high-value administrative system. Deployment across Windows environments was associated with administrative shares and, in some cases, Active Directory-based distribution mechanisms.
Initial access for the broader ransomware cases in which INCRansom appeared was associated with several recurring enterprise intrusion vectors, including exploitation of public-facing applications, use of stolen VPN credentials where MFA was absent, and workstation compromise through social-engineering-driven malware delivery. Post-compromise activity in these environments emphasized credential harvesting, abuse of Active Directory, use of native Windows tooling, and data exfiltration prior to encryption. The family is therefore best understood as part of a financially motivated extortion ecosystem targeting enterprise networks rather than as commodity malware.
INCRansom has been associated with leak-site victim naming and extortion against organizations in sectors including healthcare. Publicly available information in this dataset does not provide enough high-confidence technical detail to distinguish unique cryptographic, persistence, or payload-internal traits specific to the family beyond its role in ransomware and extortion operations.
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
4 distinct techniques documented for this family, organized by ATT&CK tactic.
PsExec and direct access to administrative shares (ADMIN$, C$, etc.) remained present in some engagements... The most common approach involved executing the ransomware binary from a single compromised system — typically a domain controller or infrastructure server — and encrypting data on remote systems through administrative shares (ADMIN$, C$).
Amongst the approximately ten ransomware incidents investigated in 2025, all followed a double extortion model: data exfiltration preceded encryption... The ransomware families observed included Akira, LockBit, Fog, Incransom, and Lynx.
Prior to encryption, attackers systematically targeted backup infrastructure and virtualization platforms to maximize impact and eliminate recovery options: Hypervisors (VMware ESXi, Hyper-V) – Destruction or encryption of virtual machines at the hypervisor level; Backup infrastructure (Veeam) – Access via compromised privileged accounts or exploitation of known Veeam vulnerabilities to delete or encrypt backup repositories.
6 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Ransomware identified as the cause of a healthcare breach affecting Community Connections.
Ransomware family observed in double-extortion incidents where data exfiltration preceded encryption.
Ransomware operation referenced as posting victims to a leak site (implying extortion/data leak component).
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.