INC Ransom adds US city governments and eye clinics to leak site

The ransomware crew known as INC Ransom has spent the past few days stacking its dark web leak site with a fresh run of victims, and the pattern is hard to miss: small US city governments and healthcare clinics sit at the center of the list, alongside a cluster of Brazilian companies. The gang uses these public listings to pressure organizations into paying, threatening to publish stolen files if they refuse.

Between June 30 and July 3, IntelFusions tracked roughly a dozen new entries attributed to INC Ransom on ransomware.live, the public index that mirrors extortion leak sites. Among the named targets are the city of Oak Park, Michigan, an inner-ring Detroit suburb of about 30,000 residents, and the city of Acworth, Georgia, in the Atlanta metro area. A third public sector victim, Flowers Early Learning (formerly Tri-County Head Start), runs federally funded early childhood programs across three Southwest Michigan counties.

An important caveat: everything on a leak site is an unverified claim made by the attackers. Being listed means the gang says it stole data, not that any victim has confirmed a breach. None of the organizations named here has publicly acknowledged an incident at the time of writing, and some listings can be exaggerated or recycled. Treat them as allegations, not established fact.

Healthcare clinics in the crosshairs

The health sector features heavily in this batch. INC Ransom listed Hamilton Eye Institute, an eye care practice with locations in Allentown and Easton, Pennsylvania; Colorado Rehabilitation and Occupational Medicine, a Denver-area physiatry group with clinics along the Front Range; and Horizon Eye Care, a network of optometry and surgical eye clinics. Smaller medical and specialty practices are attractive to ransomware crews because they hold sensitive patient records but rarely staff a mature security team, which makes them easier to breach and more likely to pay quickly to keep records off the internet.

The gang also reached outside the United States, listing Brazilian firms including Tambasa Atacadistas, one of the country's larger wholesale distributors, freight carrier Carvalima Transportes, and metal fabricator Estrutural Zortea, plus a UK business services firm and an Italian target.

Who is INC Ransom

INC Ransom, also tracked as GOLD IONIC, is an established ransomware-as-a-service operation active since 2023 and known for double extortion: encrypting a victim's files while also stealing data to use as added leverage. It has repeatedly gone after local government, education, and healthcare bodies, sectors that pair sensitive data with tight security budgets. You can follow the group's activity on the IntelFusions INC Ransom profile. This week's run is part of a broader uptick in leak-site postings from newer and mid-tier crews; see our coverage of a similar spree by the CMD crew against a Norwegian municipality and healthcare firms.

What defenders should do

Organizations in local government and healthcare should assume they sit on target lists like this one. Prioritize offline, tested backups; enforce phishing-resistant multi-factor authentication on remote access and email; patch internet-facing systems and VPN appliances promptly; and segment networks so one compromised machine cannot reach everything. If your organization turns up on a leak site, engage incident response and, where required, breach-notification counsel early rather than waiting for the gang to publish.

This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.
