The ransomware crew known as INC Ransom spent the weekend expanding its extortion campaign across Asia, adding about a dozen organizations to its dark web leak site over the past seven days and naming seven of them in a single day on Saturday. The fresh listings skew heavily toward Asia-Pacific manufacturers, chipmakers and food producers.
These are unverified claims, not confirmed breaches. When a gang like INC Ransom adds a company to its leak site, it is asserting that it stole internal data and is pressuring the victim to pay before the files are published. Some named targets never confirm an incident, and a listing on its own is not proof that any network was compromised.
Who is on the list
Saturday's batch centered on the Asia-Pacific region. It included the Taiwanese chip and materials firms v-silicon and D.MAG New Material Technology, Vietnamese food-additive maker Vedan, the Singapore beverage brand Pokka, and Philippine logistics operator FAST Logistics Group. The group also posted South Africa's Reatile Group and the US grower V&P Nurseries. Earlier in the week it listed Japanese equipment maker Kyokuto Kaihatsu Kogyo, UK financial-services firm ASA International, and a small US community lender, the State Bank of Nauvoo.
The spread of sectors, spanning semiconductors, industrial manufacturing, food and beverage, logistics and banking, fits INC Ransom's opportunistic pattern rather than a single-industry campaign. What stands out this week is the geographic tilt toward East and Southeast Asia.
Who INC Ransom is
INC Ransom, also tracked as GOLD IONIC, is a double-extortion operation that surfaced in 2023 and has claimed victims across healthcare, government and industry. Double extortion means the attackers steal data before encrypting systems, then threaten to leak the stolen files if the ransom is not paid, so even organizations with solid backups still face the prospect of a public data dump. Earlier this month the same group added US city governments and eye clinics to the same leak site. A fuller history sits on our INC Ransom profile.
Why it matters
Weekend and holiday windows are a favorite of leak-site operators, who post when victim security and communications teams are thinnest. The Asia-Pacific concentration also lands while other crews keep their own leak sites busy, including Qilin, which recently listed 31 victims across 15 countries. Named companies should treat a listing as a credible signal of possible data theft even before they can confirm it.
What potential victims should do
Organizations that see their name on the leak site, or that operate in the affected sectors and regions, should assume data may have been taken and act accordingly: preserve and review logs, engage incident response, hunt for signs of INC Ransom activity such as unexpected data staging and exfiltration, reset exposed credentials, and prepare regulator and customer notifications in case stolen files are published. Do not act on a payment demand based on a listing alone without first verifying the claim.
This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.