Dorotea Sweden Ransomware Attack by INC Ransom (Apr 2026)
Unverified dark web claim. This report is based on a post observed on a dark web forum. Yazoul Security has not independently verified the authenticity of this claim.
Leak Site Screenshot
Screenshot captured at time of discovery. Image blurred to protect victim PII.
Claim Summary
On April 24, 2026, the ransomware group INC Ransom posted a claim on its leak site alleging a successful attack against Dorotea Kommun, a local government entity in southern Lapland, Sweden. The group claims that despite warnings, the municipality’s administration “decided to turn a blind eye to the fate of everyone whose data will be published.” According to the threat actor, Dorotea has 24 hours to comply with their demands, or the stolen data will be used “in all sorts of ways,” potentially affecting “hundreds of people.”
The leak site entry includes a description of Dorotea Kommun as a provider of education, childcare, elder care, and community support services. Notably, the post also references a ZoomInfo profile for “Vilhelmina Kommun,” a neighboring municipality, including its revenue ($31.7 million) and employee count (501-1,000). This suggests the threat actor may have aggregated data from multiple sources or confused the two entities. The volume of allegedly stolen data is undisclosed.
This claim has NOT been independently verified by Yazoul Security.
Threat Actor Profile
INC Ransom is a financially motivated ransomware group first observed in mid-2023. According to available research, the group has claimed roughly 725 victims to date, a figure that likely mixes confirmed intrusions with unverified leak-site claims. The group runs a double-extortion model: it encrypts victim systems and exfiltrates sensitive data, then threatens to publish that data unless a ransom is paid.
Known tools and tactics associated with INC Ransom include:
- Initial Access: phishing, compromise of exposed RDP services, or exploitation of public-facing applications.
- Discovery and Credential Access: Mimikatz for credential theft, AdFind for Active Directory reconnaissance, and Advanced IP Scanner or SoftPerfect NetScan for network mapping, all in support of lateral movement.
- Exfiltration: Backblaze, MEGA, and Restic used to push stolen data to cloud storage.
- Execution: the Finger utility used for remote command execution.
The group has been tracked by multiple cybersecurity firms, including GuidePoint Security, Huntress, and Secureworks (which tracks the group as GOLD IONIC). Its victimology points to mid-sized organizations in critical infrastructure and government sectors.
Alleged Data Exposure
The claim does not specify the exact types of data stolen. However, given Dorotea Kommun’s role as a local government entity, potential data exposure could include:
- Personally identifiable information (PII) of residents, such as names, addresses, and Swedish personal identity numbers (personnummer).
- Employee records, including payroll and HR data.
- Internal communications and administrative documents.
- Records related to education, childcare, and elder care services.
The inclusion of Vilhelmina Kommun’s ZoomInfo data in the leak post raises concerns about data aggregation or potential confusion between municipalities. It is unclear if the threat actor has accurately identified their victim.
Potential Impact
If the claim is verified, the impact on Dorotea Kommun and its residents could be significant:
- Resident Privacy: Leaked PII could lead to identity theft, fraud, or social engineering attacks against local residents.
- Operational Disruption: The municipality may face service interruptions, particularly in critical areas like elder care and education.
- Reputational Damage: Public trust in the municipality’s ability to safeguard data could be eroded.
- Regulatory Consequences: As a Swedish public entity, Dorotea Kommun is subject to the GDPR. A confirmed personal-data breach must be reported to the Swedish supervisory authority (IMY) within 72 hours of the municipality becoming aware of it, affected individuals may have to be notified, and administrative fines are possible.
The 24-hour deadline suggests the group is applying pressure for a quick payout, a tactic commonly used to force hasty decisions.
What to Watch For
- Official Confirmation: Monitor Dorotea Kommun's official website (www.dorotea.se, not the vilhelmina.se domain that belongs to the neighboring municipality referenced in the leak post) and Swedish government channels for any acknowledgment of a cybersecurity incident.
- Data Leak: If the deadline expires, INC Ransom may publish samples of the alleged data on their leak site. Yazoul Security will monitor for any such publication.
- Resident Guidance: Affected individuals should be alert for phishing attempts, unsolicited communications, or suspicious activity involving their personal information.
- Detection Guidance: Review the Huntress and Secureworks research on INC Ransom for INC Ransom-specific YARA signatures and published indicators of compromise. Useful hunting leads include outbound traffic to MEGA or Backblaze endpoints with unusually large upload volumes, and process execution of AdFind, Mimikatz, Advanced IP Scanner, SoftPerfect NetScan, Restic, or the Finger utility. All of these are dual-use tools and services, so baseline their legitimate use in your environment before alerting on them in isolation.
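The detection leads above and the tooling listed under Threat Actor Profile can be turned into a simple triage pass over endpoint and proxy logs. The following Python script is an added example written for this report; it is not Yazoul Security's tooling and is not taken from the research cited. The log format, the sample events, the cloud-storage domain list and the 500 MiB upload threshold are assumptions made for illustration. It flags execution of the named dual-use tools, flags uploads to the named storage services, and escalates any host that shows both, since that combination is the double-extortion pattern the report describes.

```python
"""Triage pass over constructed endpoint and proxy logs for the INC Ransom
tradecraft described in the report. Added example; the log format, domain
list and upload threshold are assumptions, not published indicators."""
import re
from collections import defaultdict

# Assumed log format: '<timestamp> key=value key="quoted value" ...'
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Process-name tells for the tools named in the report, with the ATT&CK
# technique each is commonly mapped to.
TOOL_RULES = [
    ("AdFind AD recon",          "T1087",     re.compile(r"^adfind(\.exe)?$", re.I)),
    ("Mimikatz credential dump", "T1003",     re.compile(r"^mimikatz(\.exe)?$", re.I)),
    ("Advanced IP Scanner",      "T1046",     re.compile(r"^advanced_ip_scanner.*\.exe$", re.I)),
    ("SoftPerfect NetScan",      "T1046",     re.compile(r"^netscan(\.exe)?$", re.I)),
    ("Restic backup client",     "T1567.002", re.compile(r"^restic(\.exe)?$", re.I)),
    ("Finger utility",           "T1105",     re.compile(r"^finger(\.exe)?$", re.I)),
]

# Cloud-storage services named in the report; the domain list is an assumption.
EXFIL_DOMAINS = {
    "mega.nz": "MEGA", "mega.co.nz": "MEGA",
    "backblazeb2.com": "Backblaze B2", "backblaze.com": "Backblaze",
}
LARGE_UPLOAD_BYTES = 500 * 1024 * 1024  # assumed threshold: 500 MiB

# Constructed sample events: a file server showing AD recon, credential theft
# and a bulk upload to MEGA, and a workstation with only benign activity.
SAMPLE_LOGS = [
    '2026-04-24T09:58:03Z host=FS01 type=process user=CORP\\svc-backup image=C:\\Windows\\System32\\notepad.exe cmdline="notepad.exe"',
    '2026-04-24T10:02:11Z host=FS01 type=process user=CORP\\svc-backup image=C:\\Temp\\AdFind.exe cmdline="adfind.exe -f objectcategory=computer -csv"',
    '2026-04-24T10:14:27Z host=FS01 type=process user=CORP\\svc-backup image=C:\\Temp\\mimikatz.exe cmdline="mimikatz.exe privilege::debug sekurlsa::logonpasswords"',
    '2026-04-24T11:40:09Z host=FS01 type=net dest=g.api.mega.co.nz port=443 bytes_out=734003200',
    '2026-04-24T11:41:52Z host=WS-HR07 type=net dest=api.backblazeb2.com port=443 bytes_out=2048',
    '2026-04-24T11:45:00Z host=WS-HR07 type=process user=CORP\\anna image="C:\\Program Files\\Office\\WINWORD.EXE" cmdline="WINWORD.EXE"',
]


def parse_line(line):
    """Split one log line into a dict; the leading token is the timestamp."""
    ts, _, rest = line.strip().partition(" ")
    fields = {k: v.strip('"') for k, v in _KV.findall(rest)}
    fields["ts"] = ts
    return fields


def match_tool(image):
    """Return (rule name, ATT&CK id) for the first rule matching the image basename."""
    base = image.replace("\\", "/").rsplit("/", 1)[-1]
    for name, ttp, pattern in TOOL_RULES:
        if pattern.match(base):
            return name, ttp
    return None


def exfil_service(dest):
    """Map a destination host to a named cloud-storage service, or None."""
    host = dest.lower().rstrip(".")
    for domain, service in EXFIL_DOMAINS.items():
        if host == domain or host.endswith("." + domain):
            return service
    return None


def scan(lines):
    """Return (findings per host, hosts escalated because they show both a
    recon/credential tool and a bulk upload to a cloud-storage service)."""
    findings = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        host = ev.get("host", "?")
        if ev.get("type") == "process":
            hit = match_tool(ev.get("image", ""))
            if hit:
                findings[host].append({"ts": ev["ts"], "rule": hit[0], "ttp": hit[1],
                                       "detail": ev.get("cmdline", "")})
        elif ev.get("type") == "net":
            service = exfil_service(ev.get("dest", ""))
            if service:
                size = int(ev.get("bytes_out", "0"))
                severity = "high" if size >= LARGE_UPLOAD_BYTES else "info"
                findings[host].append({"ts": ev["ts"], "rule": f"Upload to {service}",
                                       "ttp": "T1567.002", "severity": severity,
                                       "detail": f"{size} bytes to {ev['dest']}"})
    escalated = []
    for host, items in findings.items():
        ran_tool = any(f["ttp"] != "T1567.002" for f in items)
        bulk_upload = any(f.get("severity") == "high" for f in items)
        if ran_tool and bulk_upload:
            escalated.append(host)
    return dict(findings), sorted(escalated)


if __name__ == "__main__":
    found, hosts = scan(SAMPLE_LOGS)
    for host, items in found.items():
        for f in items:
            print(host, f["ts"], f["ttp"], f["rule"], "-", f["detail"])
    print("escalated hosts:", hosts)
```

Run the script directly to see the findings for the constructed sample, or pass your own lines in the same format to scan(). A large upload is rated high on size alone, but a host is escalated only when a recon or credential-theft tool also ran on it, which keeps ordinary MEGA, Backblaze or Restic use from paging anyone; tune the threshold and the domain list to your own environment.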
Disclaimer
This report is based on an unverified claim posted by the INC Ransom group on their leak site. Yazoul Security has not independently confirmed the attack, the data exfiltration, or the identity of the victim. Ransomware groups routinely exaggerate or fabricate claims to pressure victims. All information should be treated as preliminary and subject to change upon verification. No PII, download links, or access credentials have been included in this report. Organizations are advised to follow official guidance from Swedish authorities and cybersecurity partners.
Related Claims
https://sibillacapital.com/ — incransom
Aerodiagnostics — incransom
sumacinc.com — incransom
MTCI — incransom