
June 19, 2026
Ransomware-as-a-service group INC Ransom has targeted US healthcare provider Horizon Eye Care, claiming to have exfiltrated sensitive organizational data. We analyze their multi-stage attack chain and detail critical mitigation steps for enterprise defenders.


Exploit public-facing edge devices or purchase stolen RDP/VPN credentials.
Install unapproved RMM tools (AnyDesk, Atera, ScreenConnect) and map networks.
Dump credentials (Mimikatz, lsassy) and pivot laterally using WMI, PsExec, and RDP.
Extract Veeam configurations (HackTool.PS1.VeeamCreds) and delete backup shadow copies.
Stage data with WinRAR and transfer to cloud providers (MEGA) via Rclone.
Run Rust encryptor, terminate agent services, append '.inc', and print hardcopy ransom notes.
If your team may be exposed to a similar threat, FemtoSec can help validate blast radius, prioritize remediation, and connect the issue to a practical security program.
Legal firm Vogeler Rechtsanwälte has been targeted by the Cloak ransomware group, with attackers claiming possession of 1.1 TB of organizational data. We analyze the implications of this incident and how firms can protect against high-stakes exfiltration threats.

June 19, 2026
KRYBIT ransomware actors claim to have exfiltrated 316 GB of data from AASA CP Holding. We break down the implications for GCC enterprises and outline immediate defensive priorities to mitigate similar risks.

The PEAR ransomware group has claimed an attack on Optimum First Mortgage, alleging the theft of 9.3 TB of sensitive data including PII, PHI, and financial records.
This original source is hosted on the Tor network. Use Tor Browser to open it, and treat the forum as untrusted while reviewing the post.
Onion URL
http://incblog6qu4y4mm4zvw5nrmue6qbwtgjsxpw6b7ixzssu36tsajldoad.onion/blog/disclosures/6a3926cc5ae71db30c25aebd
Free exposure check
Dark Web Scanner
check dark web mentions, compromised account indicators, malware log signals, public breach exposure, and recent underground market activity for your domain.
Exposing corporate environments to Initial Access Brokers and unpatched edge devices frequently serves as the launchpad for ransomware-as-a-service (RaaS) operations. In a critical security disclosure, the INC Ransom group (also known as GOLD IONIC) listed United States-based healthcare provider Horizon Eye Care (horizoneye.com) on its dark web leak portal, claiming to have exfiltrated sensitive organizational and patient data. This development underscores the continuous targeting of the medical sector by aggressive double-extortion syndicates, which actively seek high-impact disruptions to force rapid payouts.
INC Ransom is a highly sophisticated RaaS operation that emerged in mid-2023. Known for utilizing a double-extortion model, the group exfiltrates vast volumes of sensitive corporate and regulatory records before deploying its file-encrypting payload. In recent campaigns, the group has adopted highly optimized, multi-threaded encryptors compiled in Rust. This architectural shift significantly complicates signature-based detection and hinders traditional security analyst reverse-engineering efforts.
By focusing heavily on downtime-sensitive industries, specifically healthcare, medical practices, and public sectors, INC Ransom maximizes pressure. The threat group often targets critical infrastructure where operational downtime directly impacts client care and compliance standings. For organizations managing sensitive patient files, such incidents expose severe regulatory liabilities under healthcare security standards.
To defend against INC Ransom, security teams must understand the exact technical phases that define their intrusions. Although entry vectors can vary, their systematic methodology once inside a network remains highly structured.
Threat actors affiliated with INC Ransom typically achieve initial entry through two primary vectors. First, they exploit high-severity vulnerabilities in public-facing appliances, such as unpatched VPN gateways and remote access tools. Second, they utilize stolen credentials procured from initial access brokers or harvested through targeted phishing campaigns. Proactive Attack Surface Management is crucial for identifying these exposed entry points and vulnerable edge devices before adversaries can discover them.
Once initial entry is established, the attackers deploy legitimate remote monitoring and management (RMM) utilities, such as AnyDesk, ScreenConnect, Atera, or SimpleHelp. Using these legitimate tools allows the adversaries to maintain persistent access while flying under the radar of traditional endpoint detection tools. To map the internal network structure, they run utilities such as SoftPerfect Network Scanner (NETSCAN.EXE) and Advanced IP Scanner, identifying key active directories, backup repositories, and database servers.
To escalate privileges, the group uses credential harvesting utilities such as Mimikatz and lsassy, alongside privilege assessment scripts like WinPEAS. Once administrative control is achieved, lateral movement is performed rapidly across the environment. This is accomplished using standard administrative channels, including Remote Desktop Protocol (RDP), PsExec, and Windows Management Instrumentation (WMI), allowing the attackers to pivot from low-privilege endpoints to high-value domain controllers.
A key signature of INC Ransom operations is the systematic destruction of the victim's recovery capabilities. The threat actors routinely deploy specialized credential extraction scripts, such as HackTool.PS1.VeeamCreds, designed specifically to locate and decrypt salted DPAPI credentials associated with Veeam backup software. With these credentials, they compromise the backup infrastructure, deleting or encrypting backup catalogs first to block any attempt at offline system restoration.
Before launching the final encryption phase, the stolen database files, patient charts, and financial records are compressed using WinRAR or 7-Zip. The staged archives are then exfiltrated to cloud storage repositories (such as MEGA) utilizing Rclone or specialized sync utilities. If credentials or files are leaked to the public, organizations need ongoing visibility. Implementing Dark Web Monitoring ensures that any exposed administrative accounts or exfiltrated files are immediately flagged for remediation.
The final phase involves executing the multi-threaded Rust encryptor. This binary automatically terminates endpoint security agents, halts active database services, and begins rapid file encryption. It appends the ".inc" extension to all locked files. In a distinctive psychological tactic, commands are also sent to local network printers to continuously print physical copies of the ransom instructions (INC-README.TXT).
Security operations center (SOC) teams should implement proactive detection rules within their SIEM and EDR platforms to catch INC Ransom behavior. Below are critical detection patterns mapped to the group's specific actions.
Ransomware operators routinely execute commands to destroy local backup copies. Monitor command-line executions for the following patterns:
process_name == "vssadmin.exe" AND command_line CONTAINS "delete shadows"
OR
process_name == "wmic.exe" AND command_line CONTAINS "shadowcopy delete"Flag any unauthorized processes or command-line interpreter scripts (such as PowerShell) querying the Veeam backup registry hive:
registry_path CONTAINS "HKLM\SOFTWARE\Veeam\Veeam Backup and Replication"
AND initiator_process != "Veeam.Backup.Shell.exe"Audit system logs for the execution of unapproved RMM tools. Establish an alert for binary executions of software like AnyDesk or Atera originating from non-standard system paths:
process_name IN ("anydesk.exe", "atera.exe", "screenconnect.exe")
AND file_path NOT IN ("C:\Program Files\", "C:\Program Files (x86)\")For organizations operating in regulated spaces like healthcare, the business disruption caused by a double-extortion event is severe. Beyond immediate operational downtime, entities face severe regulatory fines, litigation risks over patient privacy violations, and long-term brand damage.
To defend against these persistent RaaS campaigns, enterprise security leaders should adopt the following defensive strategies:
Enforce Strict Network Segmentation: Separate production directories, critical database servers, and management networks. Restrict internal RDP and SMB traffic to prevent effortless lateral movement.
Protect and Isolate Backups: Ensure that backup infrastructure is hosted on isolated networks that are completely separate from the primary Active Directory domain. Implement immutable backup storage with offline replication.
Implement Multi-Factor Authentication (MFA): Enforce phishing-resistant MFA across all external access pathways, including corporate VPNs, remote desktop gateways, and cloud applications.
Regular Vulnerability Assessments: Conduct continuous vulnerability scanning and systematic penetration testing of all external-facing systems, particularly virtual private network gateways and remote access appliances.