INC Ransom
Status: active
Also known as: INC Ransomware
INC Ransom is a ransomware operation that emerged in mid-2023, known for exploiting Citrix NetScaler vulnerabilities (Citrix Bleed) and targeting healthcare organizations. They operate a leak site and use double extortion.
First Seen: 2023-07
Last Activity: 2025-01
Target Regions: 2 regions
Industries: 4 sectors (Healthcare, Education, Government, Technology)
Attack Chain (MITRE ATT&CK)
Visual representation of the attack phases and techniques used by INC Ransom
Tactics & Techniques
MITRE ATT&CK mapped tactics and techniques used by this threat actor
Indicators of Compromise (IOCs)
Known IOCs associated with INC Ransom operations
| Type | Value | Description | Last Seen |
|---|---|---|---|
| hash | b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5 | INC Ransom payload | 2025-01-13 |
| filename | INC-README.txt | Ransom note | — |
Detection Guidance
SIEM and EDR detection recommendations for identifying INC Ransom activity
1. Monitor Citrix NetScaler for exploitation
2. Detect MegaSync upload activity
3. Alert on session hijacking indicators
4. Monitor for .INC extension files
Mitigation, Containment & Recovery
Step-by-step guidance for responding to and recovering from this ransomware attack
1. Patch Citrix immediately (Citrix Bleed)
2. Invalidate all active sessions
3. Block MegaSync at proxy
