
INC_RANSOM

INC_RANSOM is a ransomware group that posted Stuga Machinery, a UK manufacturer, as a victim on 5 June 2026.

Last refreshed: 7 June 2026 · Appears in 1 active topic

Key Question

How does INC_RANSOM choose its UK victims and what happens after a leak-site posting?

Timeline for INC_RANSOM

#631 May

Mentioned in: Ransomware tempo holds at 95 in May

Cybersecurity: Threats and Defences
Common Questions
What is INC_RANSOM and which organisations has it attacked?
INC_RANSOM is a double-extortion ransomware group active since mid-2023. It encrypts victim systems and threatens to publish stolen data on a dark-web leak site. Notable victims include NHS Scotland in early 2024 and UK manufacturer Stuga Machinery, posted in June 2026. The group targets healthcare, manufacturing and professional services in North America and Europe. Source: NCSC guidance, NHS Scotland incident reporting, BlackFog ransomware report
Did INC_RANSOM attack the NHS?
Yes. In early 2024, INC_RANSOM attacked NHS Scotland, specifically Dumfries and Galloway NHS Board and NHS Lanarkshire, encrypting systems and stealing patient data. The group threatened to publish the stolen data. The incidents prompted NCSC guidance and ICO scrutiny. INC_RANSOM continued UK targeting in June 2026 with the posting of manufacturer Stuga Machinery. Source: NHS Scotland incident reports, NCSC advisory
What should a company do if INC_RANSOM posts it on their leak site?
A leak-site posting means INC_RANSOM is asserting it has stolen data and is using the threat of publication as leverage. Affected organisations should immediately engage a specialist incident response firm, notify the ICO within 72 hours under UK GDPR Article 33, preserve all forensic evidence, and seek specialist legal advice before considering any ransom payment. Payment does not guarantee data deletion. Source: NCSC incident response guidance, ICO breach notification requirements

Background

INC_RANSOM (also written INC Ransom) is a ransomware group that emerged in mid-2023 and operates on a double-extortion model: encrypting victim data and threatening to publish stolen files on its dark-web leak site if ransom demands are not met. The group targets organisations across manufacturing, healthcare, professional services and government sectors in North America and Europe. INC_RANSOM claimed its first publicly notable healthcare victims in 2024, including attacks on NHS Scotland (affecting Dumfries and Galloway NHS Board and NHS Lanarkshire) in early 2024, which resulted in significant operational disruption and the theft of patient data. The NHS Scotland incident drew scrutiny from the UK Information Commissioner's Office and prompted NCSC guidance on healthcare ransomware exposure.

In the cyber-threats-and-defences briefing window (1-5 June 2026), INC_RANSOM posted Stuga Machinery, a UK SME machinery manufacturer, as a victim on 5 June 2026, making it the only in-window UK ransomware victim confirmed in the BlackFog May 2026 tempo data. Stuga Machinery's posting on the INC_RANSOM leak site implies that data exfiltration has occurred or is being threatened, with the posting serving as a public pressure mechanism to compel payment before data publication.

INC_RANSOM is distinguished by its selective, mid-to-large victim targeting compared to high-volume SME-focused groups like Phobos. Its ransomware is technically sophisticated with customisable per-victim configurations and uses legitimate system administration tools (LOLBins) for lateral movement to evade EDR detection. The group's UK targeting across healthcare and now manufacturing makes it a persistent threat to organisations in regulated British industries.

Source Material