INC Ransom’s Expanding Footprint: From Global Targets to U
Ransomware groups continue to refine their tactics, expanding both their technical infrastructure and methods of coercion to pressure victims. Among them, INC Ransom has emerged as a persistent and adaptable threat actor, maintaining a steady pace of attacks across multiple sectors worldwide. Since mid-2023, the group has been linked to hundreds of incidents, ranging from government agencies to critical industries.
What sets INC Ransom apart is not only the volume of its activity but also the way it blends redundant leak portals, public amplification strategies, and underground malware distribution channels into a cohesive ecosystem. This layered approach makes takedowns more difficult and gives the group multiple avenues to maximize impact against victims.
The following report explores how INC Ransom operates, with a focus on its recent activity targeting U.S. institutions. Using StealthMole’s monitoring capabilities, we trace the group’s infrastructure, victim disclosures, and exposure pathways, building a clearer picture of how INC Ransom sustains its campaigns and the risks it poses going forward.
Incident Trigger & Initial Investigation
On 21 September 2025, StealthMole’s ransomware monitoring system detected a new victim by INC Ransom, naming the Pennsylvania Office of Attorney General (OAG). The entry appeared on the group’s Tor-based leak site at:
http://inc***********************************************************4
The post included proof-of-compromise material and followed INC’s established double-extortion pattern. Given the agency’s role in prosecutions and law enforcement, the leak was immediately recognized as a high-impact development with risks extending beyond operational disruption.
Initial investigation confirmed that the listing was genuine and tied to INC Ransom’s broader ecosystem of leak sites and negotiation portals. At the same time, queries across StealthMole’s Compromised Data Sets revealed a much deeper issue: accounts linked to the Pennsylvania OAG have been repeatedly exposed in underground markets for years, with fresh leaks still appearing in September 2025. The Compromised Data Set alone returned hundreds of results dating back to 2018, while Combo Binder and ULP Binder searches surfaced large collections of usernames and passwords packaged into breach compilations. Credential Lookout further expanded this picture, identifying thousands of additional exposures that show just how widely the agency’s accounts have circulated across criminal forums and databases.
The convergence of a new ransomware listing with such an extensive history of leaked credentials offered the first strong lead into how the attackers may have gained a foothold. Direct forensic evidence of the intrusion vector is not available, but the persistence of exposed accounts, some appearing just days before the incident, strongly suggests that INC Ransom or an affiliate leveraged access readily available from these underground sources. With this foundation, we expanded the investigation to map INC Ransom’s infrastructure, malware distribution, and amplification tactics; connected, these threads show how the group sustains its campaigns and why this case matters beyond a single incident.
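The Compromised Data Set, Combo Binder, ULP Binder and Credential Lookout lookups described above are StealthMole features. What follows is an added example, not StealthMole code, of the triage an analyst runs over the raw lines such lookups return: combo lines (email:password) from breach compilations and ULP lines (url:login:password) from infostealer logs. The target domain, the dump dates and every credential line are constructed; the only value taken from the report is the 21 September 2025 listing date. The example separates logins captured on the agency's own portals (direct access risk) from agency mailboxes reused on third-party sites (stuffing risk), counts login/password pairs that recur across dumps, and flags accounts exposed in the 30 days before the listing.

```python
import re
from collections import Counter
from dataclasses import dataclass
from datetime import date
from urllib.parse import urlparse

TARGET_DOMAIN = "example.gov"       # assumed stand-in for the agency's real domain
INCIDENT_DATE = date(2025, 9, 21)   # date the leak-site listing appeared

# ULP lines (url:login:password) come from infostealer logs. The URL may carry a
# port and a path and the password may itself contain ':', so URL and login are
# matched strictly and the password takes whatever remains.
ULP_RE = re.compile(
    r"^(?P<url>[a-z][a-z0-9+.-]*://[^:/\s]+(?::\d+)?(?:/[^:\s]*)?)"
    r":(?P<login>[^:\s]+):(?P<password>.*)$", re.I)
# Combo lines are plain email:password pairs from breach compilations.
COMBO_RE = re.compile(r"^(?P<login>[^:\s@]+@[^:\s@]+):(?P<password>.*)$")


@dataclass(frozen=True)
class Exposure:
    kind: str       # "ulp" or "combo"
    login: str
    password: str
    host: str       # host of the captured login page (ULP only), "" for combo
    seen: date      # date the dump was observed, from its source metadata


def parse_line(line, seen):
    """Return an Exposure, or None for comments, blanks and unparseable lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = ULP_RE.match(line)
    if m:
        host = (urlparse(m["url"]).hostname or "").lower()
        return Exposure("ulp", m["login"].lower(), m["password"], host, seen)
    m = COMBO_RE.match(line)
    if m:
        return Exposure("combo", m["login"].lower(), m["password"], "", seen)
    return None


def in_domain(name, domain):
    return name == domain or name.endswith("." + domain)


def classify(exp, domain):
    """'portal': login captured on the target's own site (direct access risk).
    'identity': a target-domain mailbox used elsewhere (reuse/stuffing risk).
    None: unrelated to the target."""
    if exp.host and in_domain(exp.host, domain):
        return "portal"
    login_domain = exp.login.rsplit("@", 1)[-1] if "@" in exp.login else ""
    if in_domain(login_domain, domain):
        return "identity"
    return None


def triage(sources, domain=TARGET_DOMAIN, incident=INCIDENT_DATE, window_days=30):
    """sources: iterable of (seen_date, [lines]). Returns a summary dict."""
    exposures, unparsed = [], 0
    for seen, lines in sources:
        for line in lines:
            e = parse_line(line, seen)
            if e is None:
                s = line.strip()
                if s and not s.startswith("#"):
                    unparsed += 1      # never silently drop a line we could not read
                continue
            c = classify(e, domain)
            if c:
                exposures.append((c, e))
    pairs = Counter((e.login, e.password) for _, e in exposures)
    return {
        "unique_accounts": len({e.login for _, e in exposures}),
        "by_class": dict(Counter(c for c, _ in exposures)),
        # the same login/password pair in several dumps: old, but never rotated
        "repeated_pairs": sum(1 for n in pairs.values() if n > 1),
        "recent_accounts": sorted({e.login for _, e in exposures
                                   if 0 <= (incident - e.seen).days <= window_days}),
        "portal_hosts": sorted({e.host for c, e in exposures if c == "portal"}),
        "unparsed": unparsed,
    }


# Constructed sample dumps; none of these lines are real data.
SAMPLE_SOURCES = [
    (date(2018, 6, 2), [
        "# combo list, 2018",
        "jdoe@example.gov:Summer2018!",
        "asmith@example.gov:Welcome1",
        "someone@other.org:hunter2",
    ]),
    (date(2024, 11, 15), [
        "https://owa.example.gov/owa/auth/logon.aspx:jdoe@example.gov:Summer2018!",
        "https://vpn.example.gov:443/remote/login:bkim:Pa:ss:word",
        "https://shop.example.com/login:jdoe@example.gov:Summer2018!",
    ]),
    (date(2025, 9, 15), [
        "https://portal.example.gov/login:asmith@example.gov:Welcome1",
        "not a credential line",
    ]),
]


def run_sample():
    return triage(SAMPLE_SOURCES)


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(f"{key}: {value}")
```

Two points worth carrying over to real dumps: a ULP line whose host is the agency's own VPN or webmail is a working-credential finding, not a password-reuse finding, and should be escalated first; and the `unparsed` counter exists because stealer logs are messy and a parser that quietly discards lines understates exposure.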
Operational Ecosystem of INC Ransom
The disclosure of the Pennsylvania Office of Attorney General was not an isolated entry but part of a broader and carefully structured ecosystem. By correlating StealthMole’s ransomware monitoring, dark web tracker, and malware datasets, the investigation revealed how INC Ransom maintains resilient infrastructure, distributes technical artifacts, and amplifies its presence through underground networks.
Infrastructure and Leak Sites
The victim listing for Pennsylvania OAG first appeared on INC’s primary Tor-based leak portal:
- http://incblog6*************************************************4
This entry established the initial proof-of-compromise. But INC Ransom’s infrastructure is deliberately redundant, with mirrored sites and alternative access points.
- Secondary Disclosure Sites (Tor):
  - incblog7******************************************id.onion – often referenced in ransom notes, acting as a parallel blog.
  - incbacg6****************************************ityd.onion – linked via darkweb tracker correlations, functioning as a mirror.
  - incback******************************************7qd.onion – another backup to ensure uptime.
  - 7cau5********************************************uad.onion – identified during malware linkage, suggesting an expanding cluster of blogs.
- Payment / Negotiation Portals (Tor):
  - incpay********************************************id.onion – confirmed victim login portal with unique IDs for negotiation.
  - incpaysp*****************************************nad.onion – related payment domain with additional malware correlations.
- Clearweb Gateways:
  - http://in****t.su/ – widely circulated as an entry point for victims not using Tor.
  - http://in****t.blog/ and http://in****t.blog/blog/leaks – active blog mirrors that lower the barrier to access.
  - http://in******g.su/ – promoted on Telegram channels to advertise new infrastructure.
This layered structure demonstrates operational maturity: leak portals exert public pressure, payment portals control victim communication, and clear web gateways guarantee accessibility. By spreading infrastructure across Tor and clear web domains, INC ensures resilience against takedowns and maximizes visibility.
Malware and Technical Artifacts
StealthMole’s dark web tracker associated INC’s negotiation portals with malware samples, yielding 38 unique file hashes across the two payment domains. The fact that malware correlates with both negotiation domains, rather than with a single site, strengthens attribution to one operational cluster. The hashes are reproduced below in masked form.
- Hashes linked to incpayk***************************id.onion (29 results):
  - 7cce***************************************************2dd0
  - 4630***************************************************e8e3
  - 1a50***************************************************b169
  - 81f0***************************************************b1f8
  - 39e1***************************************************9449
  - 02f4***************************************************017a
  - 9ac5***************************************************ec7d
  - c600***************************************************3090
  - e17c***************************************************d261
  - 7f10***************************************************2d51
  - 0bcd***************************************************10bb
  - 58ce***************************************************f8d7
  - 36e4***************************************************1dd4
  - 5023***************************************************15c2
  - 9090***************************************************eecf
  - d1e0***************************************************1e11
  - 62ce***************************************************6750
  - 7c90***************************************************cb28
  - df11***************************************************16af
  - e68b***************************************************1c4e
  - 75d1***************************************************7bc4
  - 75ca***************************************************53e3
  - 4089***************************************************aa2f
  - e864***************************************************8a85
  - c3d8***************************************************9f54
  - 34a8***************************************************ab6b
  - 5e3c***************************************************a5db
  - fabd***************************************************6ada
  - 5a88***************************************************1486
- Hashes linked to incpays****************************ad.onion (9 results):
  - 5079***************************************************f0ba
  - 11cf***************************************************10bd
  - 05e4***************************************************c5a9
  - 0e3f***************************************************7c3e
  - fba6***************************************************d382
  - 1692***************************************************1f48
  - 0cb4***************************************************3c42
  - cbeb***************************************************1861
  - 508a***************************************************2cef
These artifacts serve as concrete indicators of compromise, linking the negotiation portals to active malware tooling. Note that the values are masked in this public version and cannot be matched against endpoint or sandbox telemetry as printed; the full hashes are available in the unmasked report.
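As an added example (not StealthMole tooling), the following script shows how a defender would consume a hash list like the one above: it loads the indicators, rejects any entry that is not a complete 64-hex-digit value (so a masked list such as the one printed here does not silently turn into an empty watchlist), hashes every regular file under a directory with SHA-256 and reports matches. It assumes the indicators are SHA-256, which is what 64 hex digits would be; the report does not state the algorithm. The scratch directory, the "payload" and the IOC lines in `demo()` are constructed.

```python
import hashlib
import os
import re
import tempfile

HEX64 = re.compile(r"^[0-9a-f]{64}$")


def load_iocs(lines):
    """Return (set of usable lowercase sha256 strings, list of rejected entries).

    Accepts the '- ' list prefix and trailing '#' comments seen in reports.
    Masked or truncated values are rejected, not guessed at."""
    usable, rejected = set(), []
    for raw in lines:
        entry = raw.strip().lstrip("- ").split("#", 1)[0].strip().lower()
        if not entry:
            continue
        if HEX64.match(entry):
            usable.add(entry)
        else:
            rejected.append(entry)
    return usable, rejected


def sha256_file(path, chunk=1 << 20):
    """Stream the file so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan(root, iocs):
    """Walk root and return {path: sha256} for files whose hash is in iocs.

    Symlinks are skipped (they could point outside root) and files that cannot
    be read are skipped rather than aborting the whole scan."""
    hits = {}
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue
            try:
                digest = sha256_file(path)
            except OSError:
                continue
            if digest in iocs:
                hits[path] = digest
    return hits


def demo():
    """Scan a scratch directory holding one matching and one benign file."""
    payload = b"constructed sample payload, not malware\n"   # stands in for a sample
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "update.exe"), "wb") as f:
            f.write(payload)
        with open(os.path.join(root, "readme.txt"), "wb") as f:
            f.write(b"hello\n")
        ioc_lines = [
            "- " + hashlib.sha256(payload).hexdigest(),          # full, usable
            "- 7cce" + "*" * 55 + "2dd0   # masked, as printed",  # rejected
            "- 4630e8e3",                                         # truncated, rejected
        ]
        iocs, rejected = load_iocs(ioc_lines)
        hits = scan(root, iocs)
        return {
            "usable": len(iocs),
            "rejected": rejected,
            "hit_names": sorted(os.path.basename(p) for p in hits),
        }


if __name__ == "__main__":
    print(demo())
```

Exact-hash matching is the cheapest check available and the easiest for an operator to defeat by recompiling, so a hit is high-confidence but a miss says nothing; treat the list as a starting point for retro-hunting in EDR and mail-gateway telemetry rather than as a complete detection.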
Ransom Note and Extortion Tactics
The ransom note recovered in this case exemplifies INC’s playbook. Victims are told their files are encrypted and stolen, with threats to leak data via Tor (incblog6..., incblog7...) or clearweb (in****t.su, in****g.su) portals if ransom is not paid.
- incblog6**********************************************ad.onion
- incblog7**********************************************id.onion
Access is mediated through victim-specific credentials on negotiation domains, where chats are conducted. The note also emphasizes that INC is “not politically motivated” but driven by financial goals, framing the ransom as a “paid security training.” These rhetorical devices aim to normalize payment while discouraging law enforcement involvement.
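The infrastructure section above lists Tor blogs, negotiation portals and clearweb gateways, and the ransom note repeats several of them. Because the report masks every address, an analyst receiving a fresh note still has to pull the indicators out and sanity-check them before they go into a blocklist or a monitoring job. The following is an added example, not code from the report or from INC Ransom, that extracts .onion and clearweb hosts from a note, assigns a rough role (leak site versus negotiation portal) from the wording around each address, and verifies that every v3 .onion address is well formed: a v3 address is base32(pubkey || checksum || 0x03) where checksum = SHA3-256(".onion checksum" || pubkey || 0x03)[:2], so typos, OCR damage and lookalikes fail the check. The note text is constructed, and the two .onion addresses in it are derived from placeholder 32-byte keys rather than real services. The role heuristic (keywords on the same or the preceding line) is an assumption, not a property of INC's notes.

```python
import base64
import hashlib
import re

ONION_RE = re.compile(r"\b([a-z2-7]{56})\.onion\b", re.I)
CLEARWEB_RE = re.compile(r"\bhttps?://([a-z0-9.-]+\.[a-z]{2,})(?:/\S*)?", re.I)
VERSION = b"\x03"   # v3 onion service version byte


def onion_v3_from_pubkey(pubkey: bytes) -> str:
    """Derive a v3 address from a 32-byte Ed25519 public key (rend-spec-v3)."""
    if len(pubkey) != 32:
        raise ValueError("v3 onion public keys are 32 bytes")
    checksum = hashlib.sha3_256(b".onion checksum" + pubkey + VERSION).digest()[:2]
    return base64.b32encode(pubkey + checksum + VERSION).decode("ascii").lower() + ".onion"


def is_valid_onion_v3(addr: str) -> bool:
    """True only if addr decodes to pubkey||checksum||0x03 with a correct checksum."""
    name = addr.lower()
    if not name.endswith(".onion"):
        return False
    name = name[:-len(".onion")]
    if len(name) != 56:
        return False
    try:
        raw = base64.b32decode(name.upper())
    except ValueError:          # binascii.Error is a ValueError
        return False
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != VERSION:
        return False
    expected = hashlib.sha3_256(b".onion checksum" + pubkey + VERSION).digest()[:2]
    return checksum == expected


LEAK_WORDS = ("blog", "publish", "leak")
NEGOTIATION_WORDS = ("login", "log in", "personal id", "chat")


def extract_infrastructure(note: str):
    """Return [{indicator, net, role, valid}] in order of appearance.

    The role is a heuristic: it comes from keywords on the current line, or
    on the nearest preceding line that had any, since notes usually put the
    URL on the line after the sentence that introduces it."""
    found, role = [], "unknown"
    for line in note.splitlines():
        low = line.lower()
        if any(w in low for w in NEGOTIATION_WORDS):
            role = "negotiation"
        elif any(w in low for w in LEAK_WORDS):
            role = "leak"
        for m in ONION_RE.finditer(line):
            addr = m.group(0).lower()
            found.append({"indicator": addr, "net": "tor", "role": role,
                          "valid": is_valid_onion_v3(addr)})
        for m in CLEARWEB_RE.finditer(line):
            host = m.group(1).lower()
            if host.endswith(".onion"):
                continue            # already handled above
            found.append({"indicator": host, "net": "clearweb", "role": role,
                          "valid": True})
    return found


# Constructed placeholder keys; real v3 addresses are derived from Ed25519 keys.
BLOG_ONION = onion_v3_from_pubkey(bytes(range(32)))
PAY_ONION = onion_v3_from_pubkey(bytes(range(32, 64)))

# Constructed note text modelled on the wording the report describes.
NOTE = f"""\
Your network has been compromised. Your files are encrypted and your data was stolen.
If you do not contact us, the data will be published on our blog:
  http://{BLOG_ONION}/
  http://blog.example/blog/leaks
To start negotiation, log in with your personal ID at:
  http://{PAY_ONION}/login
We are not politically motivated. Treat this as paid security training.
"""

if __name__ == "__main__":
    for item in extract_infrastructure(NOTE):
        print(item)
```

One detail that doubles as a quick eyeball check: because the last five bits of every v3 address encode the version byte 0x03, every genuine v3 .onion ends in the letter "d", which is consistent with the masked suffixes quoted in the infrastructure section above. An address that fails the checksum is either mis-transcribed or deliberately malformed and should not be added to watchlists.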
Telegram Amplification
StealthMole’s Telegram tracker shows that INC does not rely solely on its portals. When infrastructure changes, announcements such as the move to in****g.su are cross-posted in at least 30 prominent ransomware-focused Telegram groups, including LockBit-affiliated channels and forums linked to RaidForums communities. This practice serves two purposes: ensuring victims can still find INC’s sites, and reinforcing the group’s profile within the underground. Such amplification shows that INC integrates into the wider ransomware ecosystem rather than operating in isolation.
Victimology
The Pennsylvania OAG is one of many significant targets claimed by INC Ransom. Other listings observed include the State Bar of Texas, the Kittery Police Department, and South African Airways, in addition to numerous private-sector organizations. Since August 2023, StealthMole’s ransomware monitoring tool attributes 457 victims to INC Ransom. The group’s willingness to target law enforcement and justice-sector institutions underscores both its aggressiveness and the risks it poses to sensitive public agencies.
Assessment
The Pennsylvania OAG case demonstrates that INC Ransom has matured into a structured and persistent operation, one that blends technical capability with strategic communication. Several themes emerge from the investigation.
First, the group’s infrastructure design reflects resilience and professionalization. The use of multiple mirrored leak portals, dedicated payment domains, and clearweb gateways shows that INC has adopted the layered model common to top-tier ransomware groups such as LockBit and BlackCat. This makes disruption more difficult, while simultaneously ensuring that victims always have a reliable entry point for negotiation.
Second, the integration of malware distribution into negotiation portals suggests an ecosystem approach. By tying malicious binaries to the same infrastructure used for extortion, INC blurs the line between initial access tooling and extortion operations. The 38 unique malware hashes correlated with the portals indicate that these are not static sites but components of an active attack chain.
Third, the group relies heavily on credential exposure as a pathway to compromise. StealthMole’s datasets revealed over 4,400 compromised accounts tied to the Pennsylvania OAG alone, with fresh leaks appearing just days before the public disclosure. While definitive forensic attribution of entry vectors is unavailable, the overlap in timing strongly suggests that credential stuffing or purchased access facilitated this intrusion. The fact that similar exposures were observed for Texas and Ohio Attorney General offices points to a systemic vulnerability across the U.S. justice sector.
Fourth, INC’s information operations amplify the pressure of their attacks. By cross-posting migration announcements across at least 30 prominent ransomware-focused Telegram channels, INC ensures its visibility and credibility in the underground. This tactic not only increases reputational leverage against victims but also signals to affiliates and competitors that the group is active, stable, and worth engaging with.
Finally, the group’s victimology demonstrates a willingness to target sensitive institutions. Law enforcement agencies, legal associations, and airlines are among the 457 victims attributed to INC between August 2023 and September 2025. The inclusion of the Pennsylvania OAG underscores an escalation into the justice sector, where disruption has the potential to undermine criminal prosecutions and erode public trust.
Taken together, these findings point to a mature, opportunistic, and resilient ransomware operation. INC Ransom combines accessible infrastructure, opportunistic credential abuse, and aggressive amplification to maximize both impact and visibility. In the absence of systemic improvements in credential hygiene and cross-agency security, similar institutions remain at elevated risk of compromise.
Conclusion
The ransomware attack on the Pennsylvania Office of Attorney General illustrates how long-term digital exposure and resilient adversary infrastructure converge to create high-impact compromises. INC Ransom’s use of mirrored leak sites, negotiation portals, malware distribution, and Telegram amplification reflects a mature operational model designed to withstand disruption and maximize leverage.
StealthMole’s investigation shows that this incident cannot be viewed in isolation. The presence of more than 4,400 compromised credentials tied to the agency over multiple years highlights how systemic weaknesses in account security can be exploited repeatedly by opportunistic threat actors. With similar exposures evident at other state Attorney General offices, this case underscores the need for coordinated remediation across the justice sector.
Ultimately, the Pennsylvania OAG disclosure reveals both the operational sophistication of INC Ransom and the persistent vulnerabilities of public institutions. By combining infrastructure mapping, malware tracking, and underground credential analysis, StealthMole provides a comprehensive view of the ecosystem behind the attack — enabling stakeholders to understand not only what happened, but why such incidents will continue without structural change.
Editorial Note
While every effort has been made to ensure the accuracy of this report, it is important to acknowledge that attribution in cyber investigations can never be guaranteed with complete certainty. The connections drawn are based on available open-source intelligence and StealthMole platform data. However, attribution remains probabilistic and subject to change as new information emerges.
The primary goal of this report is not just attribution, but to showcase how StealthMole’s platform enables comprehensive, efficient, and intuitive profiling of threat actors through integrated tools such as Dark Web & Telegram Trackers, ULP Binder, the Compromised Data Set and others. These tools allow even independent researchers to connect dots across aliases, infrastructure, and behavioral patterns, transforming fragmented data into actionable intelligence.
To access the unmasked report or full details, please reach out to us separately.
Contact us: support@stealthmole.com