Threat Groups

Incransom Ransomware Group

1. Overview

Incransom is a newly identified ransomware group, first observed in early 2024, that has rapidly gained attention for its aggressive, fast-impact attacks on small and mid-sized organisations. The group employs a double extortion strategy, combining rapid encryption of critical systems with the theft of sensitive data to increase leverage during ransom negotiations.

Incransom operates with a clear focus on speed and disruption, often completing data exfiltration and network encryption within hours of gaining access. Unlike larger ransomware collectives that may dwell in environments for days or weeks, Incransom prioritises quick monetisation and is believed to be part of the growing trend of “ransomware lite” operators—targeting underprepared businesses with swift, high-pressure tactics.


2. Origin and Evolution

Incransom was first spotted in March 2024, during an incident affecting a regional logistics company in Central Europe. The attack used a stripped-down yet highly efficient ransomware payload, capable of spreading laterally via Windows network shares and locking out administrators before alerts could be raised.

Over the following months, multiple similar attacks were linked to Incransom across the UK, Germany, and Southeast Asia. While its tooling appears less sophisticated than major players like LockBit or Medusa, the group demonstrates a keen understanding of network misconfigurations, credential harvesting, and Windows scripting abuse, allowing them to move quickly and encrypt systems before defences can activate.


3. Tactics, Techniques, and Procedures (TTPs)

Incransom attacks are characterised by speed, simplicity, and opportunism, leveraging common exploits and administrator lapses to gain a foothold and cause impact:

  • Initial Access:
    Exploitation of remote access services (T1133), phishing emails with compressed malware payloads (T1566.001), and abuse of leaked or weak RDP/VPN credentials (T1078).
  • Lateral Movement:
    Use of net use, PsExec, and batch scripts for spreading the payload (T1021). Often no advanced tools are used, making detection reliant on behavioural analysis.
  • Data Exfiltration:
    Small sets of sensitive documents are exfiltrated using WinSCP or web-based file transfer tools. The group favours speed over bulk data theft (T1041).
  • Encryption:
    Files are encrypted with AES-256, typically with a .incr extension. The ransomware disables shadow copies and often renames administrative accounts to break access (T1490).
  • Persistence & Evasion:
    Minimal persistence is maintained—Incransom prefers smash-and-grab operations. Anti-forensic actions include clearing event logs and using LOLBins to avoid endpoint detection (T1036, T1112).

4. Targeting Profile

Incransom focuses primarily on:

  • Small and medium-sized enterprises (SMEs)
  • Logistics, retail, and regional manufacturing
  • Professional services firms (especially legal and accounting)
  • Private education and training providers

UK-based SMEs—especially those without dedicated security staff or EDR platforms—are particularly vulnerable. The group selects targets based on exposed services and incomplete patching, not industry prestige.


5. Notable Campaigns and Victims

Incransom has not built a public leak site, but various confirmed and attributed attacks include:

  • A UK-based accounting firm, where payroll records and tax filings were encrypted and partially leaked via anonymous file hosts.
  • A Central European courier company, where shipment tracking and billing systems were brought offline within minutes of initial compromise.
  • A Southeast Asian vocational training school, which reported exfiltration of student records and administrative documents.

The group typically demands modest ransoms between £10,000 and £100,000, often payable within 48 hours, and escalates with repeated emails and threats to leak data if ignored.


6. Ransomware and Leak Site Behaviour

Incransom does not currently operate a dedicated leak portal, preferring to pressure victims via:

  1. Direct contact through email or TOR-based chat portals
  2. Threatening to upload stolen data to public pastebins or anonymous file shares
  3. Repeated email warnings, sometimes involving spoofed messages “from journalists” to heighten reputational pressure

This decentralised extortion method reflects the group’s intent to monetise rapidly, without the overhead of maintaining permanent infrastructure.


7. Technical Indicators

Common indicators linked to Incransom activity include:

  • File extension: .incr
  • Ransom notes named READ_THIS_INCR.txt or RESTORE_FILES_NOW.txt
  • Use of net use, taskkill, and vssadmin in batch files
  • Deployment from temporary folders like %TEMP% or %APPDATA%
  • Outbound HTTP/HTTPS requests to cloud file sharing platforms (e.g. transfer.sh, anonfiles.com)

YARA signatures and custom detection rules are available through UK Cyber Defence Ltd.
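The indicators in section 7 and the TTPs in section 3 can be turned into a first-pass triage over process, file and network telemetry before any vendor signatures are applied. The Python script below is an added example written for this page; it is not a rule set from UK Cyber Defence Ltd and not the YARA signatures referred to above. The pipe-delimited event format, the constructed sample events, the severity levels and the wevtutil rule for log clearing (the profile says logs are cleared but names no tool) are all assumptions made for illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Indicators drawn from sections 3 and 7 of the profile. The wevtutil rule is
# an added assumption: the profile says event logs are cleared but names no tool.
STAGING_DIRS = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\windows\\temp\\")
EXFIL_HOSTS = {"transfer.sh", "anonfiles.com"}
RANSOM_NOTES = {"read_this_incr.txt", "restore_files_now.txt"}
ENCRYPTED_EXT = ".incr"
SEVERITY_RANK = {"medium": 1, "high": 2}


@dataclass
class Finding:
    ts: str
    host: str
    rule: str
    severity: str
    technique: Optional[str]   # ATT&CK id where the profile gives one, else None
    detail: str


def _split_command(cmd: str) -> Tuple[str, str]:
    """Split a lowercased command line into (image path, arguments) at the first .exe."""
    m = re.match(r"^(.*?\.exe)\s*(.*)$", cmd)
    return (m.group(1), m.group(2)) if m else (cmd, "")


def classify(kind: str, detail: str) -> List[Tuple[str, str, Optional[str]]]:
    """Apply the indicator rules to one event; returns (rule, severity, technique) per match."""
    d = detail.lower()
    hits: List[Tuple[str, str, Optional[str]]] = []
    if kind == "process":
        image, args = _split_command(d)
        exe = image.rsplit("\\", 1)[-1]
        if exe == "vssadmin.exe" and "delete shadows" in args:
            hits.append(("shadow copy deletion", "high", "T1490"))
        if exe in ("psexec.exe", "psexesvc.exe"):
            hits.append(("PsExec lateral movement", "high", "T1021"))
        if exe in ("net.exe", "net1.exe") and args.startswith("use"):
            hits.append(("remote share mapping via net use", "medium", "T1021"))
        if exe == "taskkill.exe" and "/f" in args:
            hits.append(("forced process termination", "medium", None))
        if exe == "wevtutil.exe" and args.startswith("cl"):   # assumed tooling
            hits.append(("event log cleared", "high", None))
        if any(s in image for s in STAGING_DIRS):
            hits.append(("execution from %TEMP%/%APPDATA%", "medium", None))
    elif kind == "file":
        name = d.rsplit("\\", 1)[-1]
        if name.endswith(ENCRYPTED_EXT):
            hits.append(("file renamed with .incr extension", "high", None))
        if name in RANSOM_NOTES:
            hits.append(("ransom note written", "high", None))
    elif kind == "network":
        if d.split(":")[0] in EXFIL_HOSTS:
            hits.append(("upload to anonymous file host", "high", "T1041"))
    return hits


def triage(log_text: str) -> List[Finding]:
    """Parse pipe-delimited events (ts|host|user|kind|detail) and run the rules over them."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        parts = line.split("|", 4)
        if len(parts) != 5:
            continue   # blank or malformed line: skip rather than abort a triage run
        ts, host, _user, kind, detail = parts
        for rule, severity, technique in classify(kind, detail):
            findings.append(Finding(ts, host, rule, severity, technique, detail))
    return findings


def summarise(findings: List[Finding]) -> Dict[str, dict]:
    """Per-host hit count and worst severity, to decide which machine to isolate first."""
    out: Dict[str, dict] = {}
    for f in findings:
        entry = out.setdefault(f.host, {"count": 0, "max_severity": "medium"})
        entry["count"] += 1
        if SEVERITY_RANK[f.severity] > SEVERITY_RANK[entry["max_severity"]]:
            entry["max_severity"] = f.severity
    return out


# Constructed sample telemetry for this example (not from a real incident).
SAMPLE_LOG = r"""
2025-05-01T09:14:02|WS-ACC-07|ACME\jsmith|process|C:\Windows\System32\cmd.exe /c dir
2025-05-01T09:15:10|WS-ACC-07|ACME\jsmith|process|C:\Users\jsmith\AppData\Local\Temp\upd.exe
2025-05-01T09:15:41|WS-ACC-07|ACME\jsmith|process|C:\Windows\System32\net.exe use \\FS-01\ADMIN$ /user:ACME\svc_backup
2025-05-01T09:16:05|WS-ACC-07|ACME\jsmith|process|C:\Tools\PsExec.exe \\FS-01 -s -d C:\Windows\Temp\upd.exe
2025-05-01T09:17:30|FS-01|NT AUTHORITY\SYSTEM|process|C:\Windows\System32\vssadmin.exe delete shadows /all /quiet
2025-05-01T09:17:31|FS-01|NT AUTHORITY\SYSTEM|process|C:\Windows\System32\taskkill.exe /F /IM sqlservr.exe
2025-05-01T09:18:02|FS-01|NT AUTHORITY\SYSTEM|file|C:\Shares\Finance\payroll_2025.xlsx.incr
2025-05-01T09:18:03|FS-01|NT AUTHORITY\SYSTEM|file|C:\Shares\Finance\READ_THIS_INCR.txt
2025-05-01T09:20:15|WS-ACC-07|ACME\jsmith|network|transfer.sh:443
2025-05-01T09:21:00|WS-HR-02|ACME\mlee|process|C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE /dde
"""
```

On the sample data the script flags both the workstation that staged and spread the payload and the file server that lost its shadow copies, while the ordinary cmd.exe and Excel launches produce nothing. Share mapping and taskkill are rated medium because administrators use them legitimately; the per-host summary is what turns isolated medium hits into an isolation decision.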


8. Defensive Measures and Recommendations

To defend against Incransom-style attacks:

  • Restrict and monitor RDP, VPN, and SMB exposure
  • Deploy multi-factor authentication (MFA) across all remote and privileged accounts
  • Monitor for sudden use of administrative tools like net.exe, cmd.exe, and PsExec
  • Conduct regular vulnerability scans, particularly targeting externally facing assets
  • Implement application whitelisting and restrict PowerShell and scripting usage
  • Maintain offline, immutable backups, with tested recovery workflows
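Two of the recommendations above, monitoring for sudden use of administrative tools and catching the rapid spread that defines this group, can be combined into one behavioural check: raise an alert the first time a host runs net.exe, cmd.exe or PsExec outside a learned baseline, and again when a single host reaches several distinct remote machines inside a short window. The Python monitor below is an added example, not code from the page's author or from UK Cyber Defence Ltd; the baseline set, the ten-minute window, the fan-out threshold of three and the sample events are assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, List, Optional, Set, Tuple

ADMIN_TOOLS = {"net.exe", "cmd.exe", "psexec.exe"}   # tools named in section 8
WINDOW = timedelta(minutes=10)                        # assumed window; tune per environment
FANOUT_THRESHOLD = 3                                  # distinct remote hosts inside WINDOW

Alert = Tuple[str, str, str]   # (alert type, source host, detail)


class AdminToolMonitor:
    """Stateful detector fed one process event at a time, in timestamp order."""

    def __init__(self, baseline: Iterable[Tuple[str, str]]):
        # (host, tool) pairs observed during a known-quiet period; anything else is "sudden"
        self.baseline: Set[Tuple[str, str]] = set(baseline)
        # per source host: recent (timestamp, remote target) pairs inside WINDOW
        self.targets: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
        self.fanout_alerted: Set[str] = set()   # raise the fan-out alert once per host

    def observe(self, ts: datetime, host: str, tool: str,
                target: Optional[str] = None) -> List[Alert]:
        alerts: List[Alert] = []
        tool = tool.lower()
        if tool not in ADMIN_TOOLS:
            return alerts

        # 1. First-seen use of an admin tool on this host
        if (host, tool) not in self.baseline:
            alerts.append(("first-seen admin tool", host, tool))
            self.baseline.add((host, tool))   # report once, then treat as known

        # 2. Fan-out: one host touching many remote hosts in a short window
        if target:
            recent = self.targets[host]
            recent.append((ts, target.lower()))
            while recent and ts - recent[0][0] > WINDOW:
                recent.popleft()              # evict events older than WINDOW
            distinct = {dst for _, dst in recent}
            if len(distinct) >= FANOUT_THRESHOLD and host not in self.fanout_alerted:
                self.fanout_alerted.add(host)
                minutes = int(WINDOW.total_seconds() // 60)
                alerts.append(("lateral fan-out", host,
                               f"{len(distinct)} distinct hosts in {minutes} min"))
        return alerts


def run(events: Iterable[Tuple[str, str, str, Optional[str]]],
        baseline: Iterable[Tuple[str, str]]) -> List[Alert]:
    """Replay (iso timestamp, host, tool, target) events through a fresh monitor."""
    mon = AdminToolMonitor(baseline)
    alerts: List[Alert] = []
    for ts, host, tool, target in events:
        alerts.extend(mon.observe(datetime.fromisoformat(ts), host, tool, target))
    return alerts


# Constructed baseline and events for this example (not from a real incident).
# ADM-01 is an IT admin box that uses these tools daily; WS-ACC-07 is an
# accounting workstation that normally only runs cmd.exe.
BASELINE = {("ADM-01", "cmd.exe"), ("ADM-01", "net.exe"), ("ADM-01", "psexec.exe"),
            ("WS-ACC-07", "cmd.exe")}

SAMPLE_EVENTS = [
    ("2025-05-01T09:00:00", "ADM-01",    "psexec.exe", "FS-01"),
    ("2025-05-01T09:15:00", "WS-ACC-07", "net.exe",    "FS-01"),
    ("2025-05-01T09:16:20", "WS-ACC-07", "net.exe",    "FS-02"),
    ("2025-05-01T09:18:05", "WS-ACC-07", "PsExec.exe", "HR-SRV"),
    ("2025-05-01T09:19:00", "WS-ACC-07", "net.exe",    "FS-02"),   # repeat target
    ("2025-05-01T09:35:00", "ADM-01",    "net.exe",    "FS-02"),   # 09:00 event has aged out
    ("2025-05-01T09:36:00", "ADM-01",    "net.exe",    "FS-03"),
    ("2025-05-01T09:40:00", "WS-ACC-07", "cmd.exe",    None),      # baselined, no target
]
```

Replaying the sample produces three alerts, all for the accounting workstation: first-seen net.exe, first-seen PsExec, and a fan-out alert when it reaches its third distinct host within the window. The admin box never alerts because its tools are baselined and its two later connections fall outside the window of its first. In production the baseline should be learned from a period known to be clean, and both thresholds tuned to how noisy legitimate administration is on the network.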

9. Attribution and Alliances

Incransom has not been linked to any established ransomware cartel or nation-state activity. The group appears to be financially motivated, tactically opportunistic, and self-contained. While its malware lacks polish, its operators show tactical awareness and a strong preference for speed and disruption over stealth or complexity.

Its infrastructure and communication methods suggest a small operator or crew, likely based in Eastern Europe, though attribution remains speculative.


10. Conclusion

Incransom is a textbook example of the emerging wave of fast-turnover, mid-tier ransomware operators. By focusing on speed, simplicity, and volume rather than technical elegance, the group poses a real and growing threat—particularly to UK SMEs, regional service providers, and under-defended infrastructure.

Organisations should not underestimate Incransom’s ability to cause operational harm quickly. Basic hygiene, early detection, and rehearsed recovery plans are key to reducing impact.


Author:
Threat Intelligence Team, UK Cyber Defence Ltd
All intelligence current as of May 2025
