Credential Theft
- Mimikatz
INCRansom is a ransomware family observed in enterprise intrusions and victim-leak-site operations.
Profile source: Mallory opens in a new tabIncransom
INCRansom is a ransomware family observed in enterprise intrusions and victim-leak-site operations. It has been identified in ransomware incidents affecting organizations including healthcare entities, and has been listed alongside other active extortion groups in 2025-era intrusion reporting. Available reporting places it within the modern double-extortion ransomware model, in which attackers exfiltrate data before deploying encryption and then use leak-site pressure to extort victims.
In incidents where INCRansom was observed as part of broader ransomware activity, operators followed patterns common to human-operated enterprise ransomware: compromise of internal systems, staging and exfiltration of data, and subsequent encryption launched after preparatory actions intended to reduce recovery options. Ransomware intrusions in the same observed set consistently targeted backup and virtualization infrastructure before encryption, including hypervisor and backup-management environments, and commonly executed encryption from a centrally compromised server or other high-value administrative system. Deployment across Windows environments was associated with administrative shares and, in some cases, Active Directory-based distribution mechanisms.
Initial access for the broader ransomware cases in which INCRansom appeared was associated with several recurring enterprise intrusion vectors, including exploitation of public-facing applications, use of stolen VPN credentials where MFA was absent, and workstation compromise through social-engineering-driven malware delivery. Post-compromise activity in these environments emphasized credential harvesting, abuse of Active Directory, use of native Windows tooling, and data exfiltration prior to encryption. The family is therefore best understood as part of a financially motivated extortion ecosystem targeting enterprise networks rather than as commodity malware.
INCRansom has been associated with leak-site victim naming and extortion against organizations in sectors including healthcare. Publicly available information in this dataset does not provide enough high-confidence technical detail to distinguish unique cryptographic, persistence, or payload-internal traits specific to the family beyond its role in ransomware and extortion operations.
Ransomware.live
Ransomware.live
MITRE ATT&CK
Reporting
Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.