INC Ransom Targets 4 in the US

By Miklos Zoltan . 21 May 2024

Founder - Privacy Affairs

Fact-Checked this

Infamous INC ransom cybercriminal gang announced 4 new victims on US soil. The hackers posted the evidence of the attack on their TOR website, but no further detail was provided. They also have a Leak section, where they post leaked data of those who refused to pay.

INC Ransom is a relatively new gang that’s less than a year old
The organization first emerged in July, 2023 but grew its image and reputation fast
This latest attack follows the same pattern attributed to the gang with swift breach and major data leak
The victims haven’t commented on the recent events yet

INC Ransom has a fairly standard MO. The hackers gain access to the victim’s system, usually via spear-phishing, where they proceed to encrypt the files. They then extract as much valuable data as they can for blackmail purposes.

If the victim doesn’t pay, the attackers will leak the data online. Or sell it to other cybercriminal gangs. Either way, it doesn’t end well for the initial victim. The hackers are known to target medium and high-value targets, hitting them with meaty ransoms.

X showing the INC RANSOM attack on the 4 victims — https://x.com/FalconFeedsio/status/1792586084192239929

This means paying the ransom is the only way to prevent that from happening, right? Wrong. As cybersecurity experts have pointed out, paying the ransom doesn’t guarantee anything aside from the decryption key.

Because, if the hackers wouldn’t even let that go, nobody would pay any ransom ever. They need to show some goodwill. As to the stolen data itself, there are no guarantees. Specialists state that most ransomware attackers usually leak the data anyway.

Even if the ransom is paid. That’s because the victim can’t really verify that they didn’t. And because it’s pretty difficult to imaging that money-driven cybercriminals would let such valuable data go. Even after the victim has paid the ransom.

What’s Going On with INC Ransom?

If you’ve been paying attention to the news lately, INC Ransom appears to be undergoing an interesting change. Namely, someone is selling the source code. The individual in question is marked as “salfetka,” an anonymous agent.

The actor has advertised the sale on the Exploit and XSS hacking forums, asking for $300,000. They have also restricted the number of potential buyers to 3. Interestingly, INC Ransom’s website doesn’t mention anything about them selling their code.

This means that salfetka may be an outside actor that somehow gained access to the gang’s source code. Or could be the organization itself advertising their assets incognito.

To top things off, INC Ransom has a new extortion website that now lists 64 victims. As some have suggested, this may be an attempt at rebranding their profile. Or may even hint at a separation within the group.

And to add another peculiarity to the mix, the design of the new website is reminiscent of that of Hunters International. This is another high-profile extortion gang that operates within the ransomware sphere.

The rabbit hole goes deep, and there isn’t sufficient information at this moment to conclude one way or the other. It’s worth keeping an eye on the situation moving forward.

Our Mission

We believe security online security matters and its our mission to make it a safer place.

Founder & CEO Privacy Affairs

Miklos Zoltan is the founder and CEO of Privacy Affairs. Miklos has long-time experience in cybersecurity and data privacy having worked with international teams for more than 10 years in projects involving penetration testing, network security and cryptography.

Miklos founded Privacy Affairs in 2018 to provide cybersecurity and data privacy education to regular audiences by translating tech-heavy and "geeky" topics into easy-to-understand guides and tutorials.

Cookie	Duration	Description
CookieLawInfoConsent	1 year	CookieYes sets this cookie to record the default button state of the corresponding category and the status of CCPA. It works only in coordination with the primary cookie.
viewed_cookie_policy	1 year	The GDPR Cookie Consent plugin sets the cookie to store whether or not the user has consented to use cookies. It does not store any personal data.
wpEmojiSettingsSupports	session	WordPress sets this cookie when a user interacts with emojis on a WordPress site. It helps determine if the user's browser can display emojis properly.

Cookie	Duration	Description
_ga	1 year 1 month 4 days	Google Analytics sets this cookie to calculate visitor, session and campaign data and track site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognise unique visitors.
_ga_*	1 year 1 month 4 days	Google Analytics sets this cookie to store and count page views.
_gat_UA-*	1 minute	Google Analytics sets this cookie for user behaviour tracking.
_gid	1 day	Google Analytics sets this cookie to store information on how visitors use a website while also creating an analytics report of the website's performance. Some of the collected data includes the number of visitors, their source, and the pages they visit anonymously.
_omappvp	1 year 1 month 4 days	The _omappvp cookie is set to distinguish new and returning users and is used in conjunction with _omappvs cookie.
_omappvs	20 minutes	The _omappvs cookie, used in conjunction with the _omappvp cookies, is used to determine if the visitor has visited the website before, or if it is a new visitor.

INC Ransom Targets 4 in the US

What’s Going On with INC Ransom?

Our Mission

Miklos Zoltan

Leave a Comment Cancel