What are the common entry points used by INC Ransom?

The group typically enters networks through two primary pathways: exploiting unpatched, public-facing gateway devices (such as VPN concentrators, remote support systems, and network controllers) or abusing compromised administrative credentials acquired through initial access brokers and targeted spear-phishing campaigns.

INC Ransom Targets Horizon Eye Care in Double Extortion | Femto Security Threat Intelligence

Key Takeaways

INC Ransom (GOLD IONIC) targeted US-based healthcare provider Horizon Eye Care, claiming to have exfiltrated sensitive organizational data.
The threat group utilizes a highly structured attack chain that exploits exposed gateway devices and leverages stolen credentials.
INC Ransom destroys recovery capabilities by specifically targeting Veeam backup database credentials prior to initiating file encryption.
The group employs a modern, multi-threaded Rust encryptor that appends the ".inc" extension and prints ransom notes physically via network printers.

Threat Actor Profile: INC Ransom

INC Ransom

aka GOLD IONIC, Tarnished Scorpion, incransom

Origin: Unknown
Motivation: Financial (Double Extortion)
Targets: HealthcareMedical clinicsDowntime-sensitive public sectors
TTPs: Multi-threaded Rust encryptorsVeeam backup catalog tamperingCloud exfiltration via Rclone to MEGA

Multi-Stage INC Ransom Intrusion Path

11. Initial Accesshigh
Exploit public-facing edge devices or purchase stolen RDP/VPN credentials.
high
22. Foothold & Reconmedium
Install unapproved RMM tools (AnyDesk, Atera, ScreenConnect) and map networks.
medium
33. Privilege Escalation & Lateral Movementhigh
Dump credentials (Mimikatz, lsassy) and pivot laterally using WMI, PsExec, and RDP.
high
44. Backup Tamperingcritical
Extract Veeam configurations (HackTool.PS1.VeeamCreds) and delete backup shadow copies.
critical
55. Data Exfiltrationhigh
Stage data with WinRAR and transfer to cloud providers (MEGA) via Rclone.
high
66. Multi-Threaded Encryptioncritical
Run Rust encryptor, terminate agent services, append '.inc', and print hardcopy ransom notes.
critical

INC Ransom - Observed MITRE ATT&CK Techniques

Initial Access

T1190

Exploit Public-Facing Application

T1566

Phishing

T1133

External Remote Services

T1078

Valid Accounts

Credential Access

T1003

OS Credential Dumping

Lateral Movement

T1570

Lateral Tool Transfer

Defense Evasion

T1562.001

Impair Defenses: Disable or Modify Tools

Impact

T1486

Data Encrypted for Impact

T1490

Inhibit System Recovery

T1491.001

Internal Defacement

Selected Threat Indicators & Exploit Targets

ip
185.214.132.35
Associated C2 & Exfiltration Server
ip
185.214.132.35
Associated C2 & Exfiltration Server
ip
208.67.220.220
Associated C2 Server
ip
208.67.220.220
Associated C2 Server
domain
inc-ransom.com
Dedicated Leak Site (DLS)
domain
inc-ransom.com
Dedicated Leak Site (DLS)
cve
CVE-2023-3519
Citrix NetScaler Gateway RCE Vulnerability
cve
CVE-2023-3519
Citrix NetScaler Gateway RCE Vulnerability
cve
CVE-2023-48788
Fortinet FortiClient EMS SQL Injection
cve
CVE-2023-48788
Fortinet FortiClient EMS SQL Injection
cve
CVE-2025-5777
Citrix Bleed 2 Information Disclosure
cve
CVE-2025-5777
Citrix Bleed 2 Information Disclosure

Enterprise Hardening & Containment Recommendations

Progress0 / 5 (0%)

Apply gateway security updates immediately
Prioritize critical patches for Citrix NetScaler, Fortinet, and SimpleHelp systems.
Deploy behavioral rules for backup deletion
Flag command strings calling vssadmin.exe or wmic.exe shadowcopy deletions.
Audit environment for rogue remote management tools
Monitor and block unauthorized executions of AnyDesk, ScreenConnect, and Atera.
Isolate backup architecture from primary Active Directory
Deploy offline, immutable, non-domain joined recovery systems.
Enforce multi-factor authentication (MFA)
Implement phishing-resistant MFA across all internal and remote access interfaces.

How to Defend Against Similar Threats

Isolate all backup architectures from the primary active directory domain and establish immutable, offline storage nodes.
Perform comprehensive audit on internal remote monitoring and management (RMM) software to block unauthorized execution.
Deploy active EDR and SIEM rules to detect and alert on volume shadow copy deletion commands and credential dumping.
Run external vulnerability assessments to discover and remediate unpatched edge gateway appliances immediately.

Threat Intel FAQ

What is INC Ransom and how does it target organizations?

INC Ransom (also known as GOLD IONIC) is a ransomware-as-a-service (RaaS) group that utilizes a double-extortion model. They steal highly sensitive organizational files before deploying a multi-threaded Rust-based encryptor that appends the ".inc" extension. The group deliberately targets downtime-sensitive industries, including healthcare and corporate services, to force quick ransom payments.

How does INC Ransom prevent victims from restoring from backups?

INC Ransom affiliates target the backup systems early in the attack chain. They use custom harvesting tools like HackTool.PS1.VeeamCreds to extract and decrypt DPAPI credentials from Veeam databases. Once they gain access to the backup administrators' dashboard, they delete or encrypt the backup catalogs, preventing the victims from rebuilding their networks without the decryption key.

Could a similar threat affect your organization?

If your team may be exposed to a similar threat, FemtoSec can help validate blast radius, prioritize remediation, and connect the issue to a practical security program.