Morgan County GA Ransomware Claim by INC Ransom (April 2026)

Claim Summary

The ransomware group known as INC Ransom has posted an unverified claim of a cyberattack against Morgan County, Georgia (morgancountyga.gov). According to their leak site, the alleged intrusion occurred on April 11, 2026. The threat actor’s post describes the county’s operations, highlighting public safety services like the Sheriff’s Office and Fire Rescue, public transit, and recreational facilities. The group claims to have accessed data but has not disclosed the specific volume or types of files exfiltrated at this time. The listed employee count is 50 with a revenue of $23 million.

Threat Actor Profile

INC Ransom is an established ransomware-as-a-service (RaaS) operation with a significant track record, having claimed over 725 victims. The group is known for a double-extortion model, stealing data before encryption and threatening to publish it. Their known toolset includes credential access tools like Mimikatz, network discovery utilities such as AdFind and Advanced IP Scanner, and exfiltration tools including BackBlaze, MEGA, and Restic. Secureworks research associates the group with a threat cluster dubbed “Gold Ionic,” noting their use of living-off-the-land binaries (LOLBins) for deployment. Huntress has also documented their TTPs, including the use of the finger command for reconnaissance. Security firms have published detection guidance, including YARA rules, based on their custom ransomware binary and deployment scripts.

Alleged Data Exposure

While INC Ransom has not provided a detailed data leak or samples in this initial claim, the descriptive nature of their post suggests they purportedly gained access to systems managing sensitive county functions. The implied scope includes information related to public safety operations (Sheriff’s Office, Fire Rescue), public transit, community initiatives, and resident services. The potential exposure could involve internal administrative data, resident information, or operational details. The group typically follows up with proof packs, so the absence of specific file lists is not unusual for an initial posting.

Potential Impact

As a local government entity, Morgan County manages critical public safety and resident services. A confirmed breach could disrupt emergency response coordination, transit services, and public communications. The exposure of resident data could lead to privacy violations and identity theft risks. Furthermore, such an attack could erode public trust in local government’s ability to protect sensitive information. Operational downtime from system encryption could delay essential services like permitting, court functions, and utility management.

What to Watch For

1. Proof of Claims: Monitor for follow-up posts from INC Ransom that may include file tree listings, document samples, or screenshots as proof of the alleged breach.
2. Official Statement: Await an official incident notification or statement from Morgan County government authorities.
3. Broader Campaigns: Given INC Ransom’s high volume of attacks, this may be part of a broader targeting campaign against municipal or county governments.
4. IOCs and Detection: Security teams should review existing YARA rules and detection logic for INC Ransom tools and binaries, paying close attention to network scanning activity and the use of cloud storage services for data exfiltration.

Disclaimer

This report is based on an unverified claim from a ransomware group’s data leak site. The information presented here, including the alleged attack, data exposure, and group details, has NOT been independently confirmed by Yazoul Security or external sources. Ransomware groups frequently exaggerate claims to pressure victims into paying. This analysis is for defensive threat intelligence purposes only. Organizations should not treat this as a confirmed breach without official verification from the affected entity.

Update - May 2026

As of May 10, 2026, Morgan County, Georgia has not issued a public statement or data breach notification confirming or denying the IncRansom intrusion first claimed on April 11. The county’s website remains operational, but no official acknowledgment has been posted. On the data leak side, IncRansom has not published a dump to its dark web leak site as of this update; the victim entry currently appears as “pending” or “under review,” suggesting negotiations may be ongoing or the ransom demand remains unpaid.

IncRansom has continued targeting municipal and county-level governments throughout April and early May, with at least three additional Georgia-adjacent county websites appearing on their leak board. This pattern aligns with the group’s known operational focus on under-resourced local government networks. Notably, several of these recent targets also lack public incident reports, indicating a broader, possibly automated campaign exploiting unpatched edge devices and weak RDP configurations.

Defenders in county and municipal government sectors should monitor for IncRansom’s TTPs, particularly exploitation of known vulnerabilities in VPN appliances and legacy Exchange servers. In addition to web application firewalls and MFA enforcement, organizations should audit for unmonitored RDP access and review all active vendor remote connectivity points. Sector-wide advisories from MS-ISAC and CISA regarding state-aligned ransomware remain relevant, as IncRansom is believed to have ties to Russian-speaking criminal networks.