Teamsters Local 773 Hit by INC Ransom (Apr 2026)
Unverified dark web claim. This report is based on a post observed on a dark web forum. Yazoul Security has not independently verified the authenticity of this claim.
Leak Site Screenshot
Screenshot captured at time of discovery. Image blurred to protect victim PII.
Claim Summary
On April 22, 2026, the INC ransomware group allegedly added Teamsters Local 773 (teamster773.org) to its leak site. The victim is a US-based labor union representing workers in the Greater Lehigh Valley, Pennsylvania, with approximately 50 employees and $5 million in annual revenue. The threat actor claims to have exfiltrated data from the organization, though the volume and specific contents remain undisclosed. This claim has not been independently verified by Yazoul Security.
Threat Actor Profile
INC ransomware (also tracked as GOLD IONIC) is a financially motivated group active since at least 2021. According to available research, the group has claimed 725 victims across multiple sectors, with a focus on manufacturing, healthcare, and logistics. Their operational history suggests moderate credibility: while they have successfully executed attacks, they are known to exaggerate data volumes and victim counts.
Known tools and tactics associated with INC ransomware include:
- Reconnaissance: Advanced IP Scanner, SoftPerfect NetScan, AdFind
- Credential theft: Mimikatz
- Exfiltration: BackBlaze, MEGA, Restic, Finger
- Encryption: Custom INC ransomware payload
The group typically gains initial access through compromised RDP credentials or phishing campaigns. They have been observed using LOLBins (living-off-the-land binaries) to evade detection before deploying ransomware.
Detection guidance: Security teams should monitor for execution of the above tools, particularly AdFind and Advanced IP Scanner, which are commonly used for domain enumeration. YARA rules targeting INC ransomware samples are available through public threat intelligence feeds.
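One way to apply the monitoring advice above is shown here as an added example; it is not Yazoul Security's code. It assumes process-creation telemetry exported as JSON lines with Sysmon Event ID 1-style fields (Image, OriginalFileName, CommandLine, Computer), and the executable file names are assumed defaults, since the report names only the tools.

```python
import json
import re
from pathlib import PureWindowsPath

# Assumed default file names for tools this report lists (the page gives no file names).
TOOL_NAMES = {
    "adfind.exe": "AdFind",
    "advanced_ip_scanner.exe": "Advanced IP Scanner",
    "netscan.exe": "SoftPerfect NetScan",
    "mimikatz.exe": "Mimikatz",
    "restic.exe": "Restic",
}
# AdFind "-sc" shortcut queries; catches a renamed copy with stripped version info.
ADFIND_ARGS = re.compile(r"-sc\s+(trustdmp|dclist|domainlist|adinfo)\b", re.IGNORECASE)

def classify(event):
    """Return (tool, reason) for one process-creation event, or None."""
    image = PureWindowsPath(event.get("Image") or "").name.lower()
    original = (event.get("OriginalFileName") or "").lower()
    if image in TOOL_NAMES:
        return TOOL_NAMES[image], "image name"
    if original in TOOL_NAMES:
        return TOOL_NAMES[original], "renamed binary (OriginalFileName)"
    if ADFIND_ARGS.search(event.get("CommandLine") or ""):
        return "AdFind", "command-line pattern"
    return None

def scan(lines):
    """Parse JSON-lines events and return one alert dict per match."""
    alerts = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed records instead of aborting the scan
        hit = classify(event) if isinstance(event, dict) else None
        if hit:
            alerts.append({"host": event.get("Computer"), "tool": hit[0], "reason": hit[1]})
    return alerts

# Constructed sample events (not real telemetry).
SAMPLE = [
    r'{"Computer":"WS01","Image":"C:\\Users\\Public\\AdFind.exe","OriginalFileName":"AdFind.exe","CommandLine":"AdFind.exe -sc dclist"}',
    r'{"Computer":"WS02","Image":"C:\\ProgramData\\svc.exe","OriginalFileName":"advanced_ip_scanner.exe","CommandLine":"svc.exe"}',
    r'{"Computer":"DC01","Image":"C:\\Windows\\Temp\\a.exe","OriginalFileName":"","CommandLine":"a.exe -sc trustdmp"}',
    r'{"Computer":"WS03","Image":"C:\\Windows\\System32\\notepad.exe","OriginalFileName":"NOTEPAD.EXE","CommandLine":"notepad.exe"}',
    'not json',
]
```

Matching on OriginalFileName and on command-line switches matters because a plain file-name match is defeated by renaming the binary.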
Alleged Data Exposure
According to the leak site, INC ransomware claims to have accessed data from Teamsters Local 773. The specific data types are not listed, but based on the organization’s profile, potential exposure could include:
- Employee records (names, contact information, union membership details)
- Financial documents (payroll, dues collection)
- Internal communications
- Contract negotiation materials
The group has not published any data samples or provided evidence of exfiltration at this time. The lack of disclosed data volume is unusual for INC, which typically provides file counts or total size to pressure victims.
Potential Impact
If the claim is verified, the impact on Teamsters Local 773 could include:
- Operational disruption: Encrypted systems may affect union administration, member services, and financial operations.
- Reputational harm: Breach of member trust, particularly if sensitive personal data is exposed.
- Regulatory risk: Potential notification requirements under state data breach laws (Pennsylvania Breach of Personal Information Notification Act).
- Financial costs: Ransom payment demands, forensic investigation, system restoration, and legal fees.
Given the union’s small size (50 employees), the attack could severely disrupt day-to-day operations. However, the group’s track record includes multiple unsubstantiated claims, so the actual severity remains unclear.
What to Watch For
- Leak site updates: INC may publish data samples or increase pressure if payment is not made.
- Phishing campaigns: Stolen contact lists could be used for targeted phishing against union members.
- Third-party notifications: Members and partners should be alert for suspicious communications purporting to be from Teamsters Local 773.
- Ransomware deployment: The group may have left backdoors for future access.
Disclaimer
This report is based on unverified claims published by the INC ransomware group on their leak site. Yazoul Security has not independently confirmed the attack, data exfiltration, or any ransom demand. Ransomware groups frequently exaggerate or fabricate claims to pressure victims. All information should be treated as preliminary and subject to verification. No data samples, download links, or access credentials are provided in this report. Organizations should consult official sources and engage incident response professionals before taking action.