Severity: Critical. Status: Unverified.

MTCI Ransomware Attack by INC Ransom (April 2026)

Unverified dark web claim. This report is based on a post observed on a dark web forum. Yazoul Security has not independently verified the authenticity of this claim.

Leak Site Screenshot

[Screenshot: leak site post claiming the MTCI data breach, captured at time of discovery. Image blurred to protect victim PII.]

Claim Summary

On April 26, 2026, the ransomware group INC Ransom (incransom) allegedly added MTCI, a US-based telecommunications and IT consulting firm, to its leak site. The group claims to have exfiltrated 320 GB of data from the company. According to the threat actor, the stolen data includes company projects (with drawings, air bridges, Wi-Fi bank designs), employee personal information, insurance records, medical secrets, corporate guidance documents, financial data, and employee video surveillance files. MTCI is described as a vendor-agnostic consultant specializing in VoIP, structured cabling, network protection, and cloud services, headquartered in Cincinnati, Ohio. The attack is purportedly dated April 26, 2026. This information is unverified and should be treated with caution.

Threat Actor Profile

INC Ransom is an active ransomware group that has allegedly claimed 725 victims to date. The group is known for a double-extortion model: encrypting systems and threatening to leak stolen data unless a ransom is paid. Their toolset, as documented by cybersecurity researchers, includes:

  • Credential theft: Mimikatz
  • Network enumeration: AdFind, Advanced IP Scanner, SoftPerfect NetScan
  • Data exfiltration: BackBlaze, MEGA, Restic, Finger

The group has been tracked by multiple research firms (GuidePoint Security, Huntress, Secureworks), indicating a consistent operational pattern. Their credibility is moderate to high based on their track record, though ransomware groups frequently exaggerate data volume and sensitivity to pressure victims. The 320 GB claim is plausible but unconfirmed.

Alleged Data Exposure

INC Ransom claims to have accessed and exfiltrated the following categories of data from MTCI:

  • Company projects: Including special projects with device drawings, air bridges, and Wi-Fi bank designs.
  • Employee data: Personal information, insurance records, and medical secrets.
  • Corporate information: Guidance documents and correspondence with counterparties.
  • Financial records: Unspecified financial data.
  • Video surveillance files: Employee video footage.

The group has not published samples or download links at this time. The data volume of 320 GB, if accurate, suggests a significant breach of operational and sensitive data.

Potential Impact

If the claim is substantiated, MTCI could face:

  • Operational disruption: Leaked project designs and drawings could compromise client confidentiality and competitive advantage.
  • Regulatory exposure: Employee PII, insurance, and medical data may trigger notification requirements under US state and federal privacy laws (e.g., state breach-notification statutes such as the CCPA, and HIPAA if applicable).
  • Reputational damage: As a Small Business of the Year awardee, public disclosure of sensitive data could erode client trust.
  • Financial liability: Potential for litigation, regulatory fines, and costs associated with incident response and credit monitoring.

What to Watch For

  • Leak site updates: Monitor for publication of data samples or full archives, which would confirm the breach.
  • Dark web chatter: Look for discussions of MTCI data being traded or sold.
  • Official disclosure: MTCI may issue a statement or file a data breach notification with regulators.
  • Detection guidance: INC Ransom’s use of tools like Mimikatz and AdFind suggests defenders should audit process-creation telemetry for lateral movement and credential dumping. YARA rules for INC Ransom payloads may be available from threat intelligence feeds (e.g., VirusTotal, GitHub). Huntress and Secureworks blogs provide detection recommendations for LOLBins and for GOLD IONIC (Secureworks' designation for the group) tactics.
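The following hunt script is an added example, not tooling from Yazoul Security or from the researchers cited above. It sweeps process-creation events for the toolset the Threat Actor Profile attributes to INC Ransom (Mimikatz, AdFind, Advanced IP Scanner, SoftPerfect NetScan, BackBlaze, MEGA, Restic, Finger) and then ranks hosts by how many tool categories appear on them, since credential theft plus enumeration on one host is a stronger hands-on-keyboard signal than a lone backup utility. The log lines are constructed in a key=value layout loosely modelled on Sysmon event 1; the field names (ts, host, user, event, image, cmdline) and the tool-name regexes are assumptions to be adapted to your own EDR or SIEM export.

```python
"""Hunt process-creation telemetry for the INC Ransom toolset named in this report.

Added example (not Yazoul Security's tooling). The log format below is a
constructed key=value layout loosely modelled on Sysmon event 1 (process
creation); adapt parse_line() to whatever your EDR or SIEM exports.
"""
import re
from dataclasses import dataclass

# Tool names come from the report's Threat Actor Profile. The regexes are
# assumptions about how each tool usually appears in an image path or command
# line; a hit is a triage lead, not proof of compromise (Restic and finger.exe
# both have legitimate uses on a corporate network).
TOOL_PATTERNS = {
    "credential theft": [
        ("Mimikatz", re.compile(r"mimikatz")),
    ],
    "network enumeration": [
        ("AdFind", re.compile(r"\badfind\b")),
        ("Advanced IP Scanner", re.compile(r"advanced_?ip_?scanner")),
        ("SoftPerfect NetScan", re.compile(r"\bnetscan\b")),
    ],
    "data exfiltration": [
        ("BackBlaze", re.compile(r"backblaze")),
        ("MEGA", re.compile(r"\bmega(cmd|sync|client)\b")),
        ("Restic", re.compile(r"\brestic\b")),
        ("Finger", re.compile(r"\bfinger\.exe\b")),
    ],
}

# key=value or key="quoted value" pairs
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample telemetry: two benign processes, one non-process event
# (event=3), and four lines that should produce findings.
SAMPLE_LOG = [
    r'ts=2026-04-27T02:14:09Z host=WS-117 user=CORP\jdoe event=1 image="C:\Windows\System32\svchost.exe" cmdline="svchost.exe -k netsvcs"',
    r'ts=2026-04-27T02:15:41Z host=WS-117 user=CORP\jdoe event=1 image="C:\Users\jdoe\AppData\Local\Temp\AdFind.exe" cmdline="AdFind.exe -f objectcategory=computer"',
    r'ts=2026-04-27T02:19:03Z host=WS-117 user=CORP\jdoe event=1 image="C:\Users\jdoe\AppData\Local\Temp\mimikatz.exe" cmdline="mimikatz.exe"',
    r'ts=2026-04-27T03:02:55Z host=FS-02 user=CORP\svc_backup event=1 image="C:\Program Files\restic\restic.exe" cmdline="restic.exe backup D:\Shares"',
    r'ts=2026-04-27T03:03:10Z host=FS-02 user=CORP\svc_backup event=3 image="C:\Program Files\restic\restic.exe" cmdline="restic.exe backup D:\Shares"',
    r'ts=2026-04-27T08:30:12Z host=WS-220 user=CORP\asmith event=1 image="C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE" cmdline="OUTLOOK.EXE"',
    r'ts=2026-04-27T08:41:47Z host=WS-220 user=CORP\asmith event=1 image="C:\Windows\System32\finger.exe" cmdline="finger.exe example.invalid"',
]


@dataclass(frozen=True)
class Finding:
    ts: str
    host: str
    user: str
    category: str
    tool: str
    image: str


def parse_line(line: str) -> dict:
    """Split one constructed log line into a field dict (quoted or bare values)."""
    return {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}


def hunt(lines) -> list:
    """Return one Finding per (event, tool) match on process-creation events only."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev.get("event") != "1":  # constructed format: event=1 is process creation
            continue
        haystack = f"{ev.get('image', '')} {ev.get('cmdline', '')}".lower()
        for category, tools in TOOL_PATTERNS.items():
            for tool, rx in tools:
                if rx.search(haystack):
                    findings.append(Finding(ev.get("ts", ""), ev.get("host", "?"),
                                            ev.get("user", "?"), category, tool,
                                            ev.get("image", "")))
    return findings


def categories_by_host(findings) -> dict:
    """Map each host to the sorted list of tool categories seen on it."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f.host, set()).add(f.category)
    return {host: sorted(cats) for host, cats in by_host.items()}


def escalate(findings, min_categories: int = 2) -> list:
    """Hosts showing at least min_categories distinct categories: triage these first."""
    return sorted(host for host, cats in categories_by_host(findings).items()
                  if len(cats) >= min_categories)


if __name__ == "__main__":
    results = hunt(SAMPLE_LOG)
    for f in results:
        print(f"{f.ts} {f.host:<7} {f.user:<16} {f.category:<20} {f.tool:<20} {f.image}")
    print("escalate:", escalate(results))
```

On the constructed sample the script reports four leads and escalates only WS-117, where AdFind and Mimikatz ran under the same user within minutes; FS-02 and WS-220 each show a single category and are left for routine triage, which is the right outcome for a backup service account running Restic. In production, feed it from your SIEM's process-creation export and widen TOOL_PATTERNS with the hashes or YARA-derived names from the feeds mentioned above rather than relying on filenames alone, since renamed binaries will evade a name match.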

Disclaimer

This report is based on unverified claims made by the ransomware group INC Ransom on their leak site. Yazoul Security has not independently confirmed the attack, the data volume, or the authenticity of the alleged stolen information. Ransomware groups frequently exaggerate or fabricate claims to pressure victims. Organizations should treat this information as intelligence leads only and verify through official channels. No PII, download links, or access credentials are provided in this report.
