Threat Intelligence Tarot
Vol. II · 135
Criminal (RaaS)
risk 4/5
The Incorporated Hunger
INC Ransom
Lynx · INC Group
HealthcareManufacturingGovernmentCritical infrastructure
Active since ~2023 · Extortion, Financial gain
The Incorporated Hunger files paperwork in the language of business: terms of payment, schedules of release, data-handling addenda. The corporate vocabulary masks the obvious — there is nothing legal about any of it.
Tactics & Techniques
RCN
RDV
INI
EXC
PRS
PRV
EVA
CRD
DSC
LAT
COL
C2
EXF
IMP
T1486
Data Encrypted for Impact
Impact
T1078
Valid Accounts
Persistence
T1190
Exploit Public-Facing Application
Initial Access
T1567.002
Exfiltration to Cloud Storage
Exfiltration
T1490
Inhibit System Recovery
Impact
T1027
Obfuscated Files or Information
Defense Evasion
Notable Operations
  • NHS Scotland (Dumfries and Galloway) breach (2024)
  • Yamaha Motor Philippines breach (2023)
  • Lynx rebrand and code reuse (mid-2024)
  • Citrix Bleed (CVE-2023-4966) opportunistic exploitation
Defenses
  • CISA KEV catalog patching SLAs (15 days for federal-aligned)
    CISA BOD 22-01
  • Credential leak monitoring with mandatory rotation
    NIST CSF: PR.AC
  • Network segmentation between IT and OT in critical infrastructure
    NIST SP 800-82
  • Tabletop exercises covering data-extortion-only scenarios
    NIST SP 800-61
Reversed: Their Weakness
Patching of known-exploited CVEs within CISA-mandated timelines, combined with credential hygiene, eliminates this operator's most reliable openings.

Share this adversary profile

Compare →

swipe to browse

← PreviousThe Petrifying GazeNext →The Beast of Edicts
Related Adversaries
The Loud Shame
8Base
6 shared TTPs
The National Brownout
Brain Cipher
5 shared TTPs
The Self-Encrypting Thorn
Cactus
5 shared TTPs
Data sourced from MITRE ATT&CK. For educational purposes.