INC RANSOM took responsibility for 4 ransomware attacks in the US recently. The institutions that were hit are Black Butte Coal, Waterford Country School Inc, Benjamin Plumbing Inc, and Corbett Exterminating Inc.
INC RANSOM appears to be strictly financially motivated, as it has shown no evidence of political or ideological affiliation. The recent attacks also appear uncoordinated and unrelated, as the 4 victims belong to different industries.
These include coal extraction, education, plumbing, and pest control. INC RANSOM is known to hit multiple industries indiscriminately, such as health, housing, furniture, construction, and even governmental agencies.
The evidence of the attacks was posted on the 29th, which suggests that they all took place at the same time. This supports the idea that INC RANSOM is a more dangerous and resourceful ransomware actor than it lets out.
INC RANSOM first stood out in August, 2023, but it grew exponentially since then. More importantly, unlike other young ransomware actors, this one appears a lot more competent and well-put together. There are a lot of theories to why that is.
The most plausible one has to do with the blog similarities between INC RANSOM and Lockbit. The code isn’t similar, but the blog is and, when it comes to hacktivist groups and ransomware actors, many argue that there are no coincidences.
This implies that INC RANSOM is either a branch of Lockbit, a subcontractor, or one of Lockbit’s alter-egos. That being said, INC RANSOM does have a different MO than Lockbit or any other ransomware entity for that matter.
The thing that separates this organization from others like it is the negotiation tactic. Generally, ransomware actors threaten the victim to expose the stolen data publicly, unless consensus is reached regarding the ransom payment.
But INC RANSOM leaks some of the data before and during the negotiations. The actor will leak partial screenshots of the available data to motivate the victim to pay. They may also accuse the victim of illegal activity and resort to blackmail to secure the payment.
This approach qualifies INC RANSOM as a resourceful and innovative ransomware actor. One with significant room to grow and self-improve.
We believe security online security matters and its our mission to make it a safer place.