Severity: Critical | Status: Unverified

Aerodiagnostics Ransomware Claim by INC Ransom (May 2026)

Unverified dark web claim. This report is based on a post observed on a dark web forum. Yazoul Security has not independently verified the authenticity of this claim.

Leak Site Screenshot

Leak site post claiming Aerodiagnostics data breach

Screenshot captured at time of discovery. Image blurred to protect victim PII.

Claim Summary

On May 6, 2026, the ransomware group INC Ransom allegedly added Aerodiagnostics, LLC to its leak site. Aerodiagnostics is a Massachusetts-based laboratory specializing in advanced diagnostic testing for gastrointestinal disorders, including Small Intestinal Bacterial Overgrowth (SIBO), fructose malabsorption, sucrose intolerance, and lactose intolerance. The post claims the exfiltration of 50GB of data and describes it as confidential documents, client data, NDAs, financial data, operations information, corporate data, business agreements, and financial databases containing all transactions and client records. Yazoul Security has not independently verified this claim.

Threat Actor Profile

INC Ransom is a ransomware group that has been active since at least mid-2023. This report does not tabulate the group's victim count, but the group has demonstrated operational capability through its use of a range of publicly available and custom tools. Based on open-source intelligence, the group's known toolkit includes:

  • Mimikatz: For credential dumping.
  • AdFind: For Active Directory reconnaissance.
  • Advanced IP Scanner and SoftPerfect NetScan: For network discovery.
  • 7-Zip: For data compression prior to exfiltration.
  • BackBlaze and MEGA: For data exfiltration.
  • Finger: A utility for querying user information on remote systems.

The group typically employs a double-extortion model: encrypting systems while exfiltrating sensitive data to pressure victims into paying a ransom. Its targeting of the healthcare sector, as seen in this claim, is consistent with its operational pattern, as healthcare organizations hold time-sensitive and highly sensitive data and face strong pressure to restore operations quickly. However, this report does not rely on a confirmed victim list, and the credibility of this specific claim remains unverified. Ransomware groups frequently exaggerate the scale and sensitivity of stolen data to increase pressure on victims, and most of the tools listed above (AdFind, the network scanners, 7-Zip, cloud storage clients) are legitimate software, so their presence alone is not proof of compromise.

Alleged Data Exposure

According to the leak site post, the alleged data exposure includes:

  • Confidential documents: Potentially including proprietary testing methodologies and internal protocols.
  • Client Data: Likely includes patient names, contact information, and medical history related to gastrointestinal diagnostic testing.
  • NDAs: Non-disclosure agreements with business partners, employees, or clients.
  • Financial data: Including financial databases, all transactions, and all client billing records.
  • Operations and Corporate data: Internal operational procedures, business agreements, and development information.

The claimed 50GB data volume suggests a significant breach, though the actual content and sensitivity cannot be confirmed from the post alone. The reference to "all clients" in the financial databases is particularly concerning: for a diagnostic laboratory, client records are likely to be patient records, so a genuine leak could expose a large number of patients and business partners to identity theft or fraud.

Potential Impact

If the claim is verified, the potential impact on Aerodiagnostics could be severe:

  • Regulatory Consequences: As a clinical laboratory, Aerodiagnostics is likely a HIPAA covered entity. A breach involving protected health information (PHI) would trigger the HIPAA Breach Notification Rule, which requires notification of affected individuals and the Department of Health and Human Services, plus notice to prominent media outlets when more than 500 residents of a state are affected, and could lead to significant fines and legal action.
  • Operational Disruption: Ransomware attacks often lead to system downtime, which could delay diagnostic testing and patient care. The laboratory’s ability to process tests and deliver results may be compromised.
  • Reputational Damage: Trust is critical in healthcare. A breach of patient data could erode confidence among referring physicians and patients, potentially leading to loss of business.
  • Financial Loss: Beyond ransom demands, costs may include forensic investigation, system restoration, legal fees, and potential lawsuits.

What to Watch For

  • Official Confirmation: Monitor Aerodiagnostics’ official website (aerodiagnostics.com) and any public statements for confirmation of a security incident.
  • Data Leak: If the group follows through, the alleged data may be posted publicly. Yazoul Security will monitor for any confirmed leaks.
  • Regulatory Filings: Check for HIPAA breach notifications or filings with state attorneys general.
  • Detection: This report includes no YARA rules for INC Ransom. Yazoul Security recommends monitoring for indicators of compromise (IOCs) related to the group's known tools (e.g., AdFind, Mimikatz, 7-Zip used for archiving with a password) and for network traffic to the cloud storage services the group has used for exfiltration (Backblaze, MEGA), with allowlisting for hosts that use those services legitimately.
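To make the toolkit in the Threat Actor Profile and the monitoring advice above concrete, here is an added example of a small, offline detection pass over endpoint process-creation and DNS log lines. It is not code from the Yazoul Security report or from any INC Ransom sample: the log format, host names and the domain watchlist are assumptions constructed for the example, and the rules are heuristics that should be tuned to your own telemetry and allowlists.

```python
"""
Constructed example: heuristic detection over endpoint and DNS log lines for
activity consistent with the INC Ransom toolkit (AdFind recon, Mimikatz,
NetScan/Advanced IP Scanner, 7-Zip staging) and egress to MEGA/Backblaze.
Log format, hosts and watchlist are assumptions, not vendor schemas or IOCs.
"""
import re
from dataclasses import dataclass

# Assumed exfiltration watchlist. Backblaze in particular has legitimate users,
# so hosts that are expected to talk to these services go in an allowlist.
EXFIL_DOMAINS = ("mega.nz", "mega.co.nz", "mega.io", "backblazeb2.com", "backblaze.com")

# Process-creation heuristics keyed to the tools in the threat actor profile.
# Each regex is matched against "image + command line" so a renamed binary is
# still caught by its arguments (e.g. sekurlsa:: for Mimikatz).
PROCESS_RULES = [
    ("adfind_ad_recon", re.compile(r"adfind(\.exe)?\b.*\s(-f|-sc)\s", re.I)),
    ("mimikatz_creds", re.compile(r"mimikatz|sekurlsa::|lsadump::|privilege::debug", re.I)),
    ("net_scanner", re.compile(r"netscan(\.exe)?\b|advanced_ip_scanner|advanced ip scanner", re.I)),
    # 7-Zip archiving ("a") with a password (-p...): typical pre-exfil staging.
    ("7zip_staging", re.compile(r"\b7za?(\.exe)?\b.*\s(a|-a)\b.*\s-p\S+", re.I)),
]

# Constructed sample telemetry (key="value" pairs), not real log data.
SAMPLE_LOGS = [
    'type="process" host="WS-042" image="C:\\Windows\\System32\\notepad.exe" cmdline="notepad.exe notes.txt"',
    'type="process" host="DC-01" image="C:\\Users\\svc\\adfind.exe" cmdline="adfind.exe -f (objectcategory=person) -csv"',
    'type="process" host="WS-042" image="C:\\temp\\m.exe" cmdline="m.exe privilege::debug sekurlsa::logonpasswords"',
    'type="process" host="FS-02" image="C:\\Program Files\\7-Zip\\7z.exe" cmdline="7z.exe a -pHunter2 C:\\stage\\fin.7z C:\\finance"',
    'type="dns" host="FS-02" query="api.mega.nz."',
    'type="dns" host="BACKUP-01" query="api.backblazeb2.com"',
    'type="dns" host="WS-042" query="www.example.com"',
]


@dataclass
class Alert:
    rule: str
    host: str
    evidence: str


def parse_line(line):
    """Parse key="value" pairs from one constructed log line into a dict."""
    return dict(re.findall(r'(\w+)="([^"]*)"', line))


def detect(lines, allowlist=()):
    """Return one Alert per rule hit, in log order. Hosts in allowlist may
    contact the exfil domains without alerting (legitimate backup jobs)."""
    alerts = []
    for raw in lines:
        ev = parse_line(raw)
        host = ev.get("host", "?")
        if ev.get("type") == "process":
            cmd = f'{ev.get("image", "")} {ev.get("cmdline", "")}'
            for name, rx in PROCESS_RULES:
                if rx.search(cmd):
                    alerts.append(Alert(name, host, cmd.strip()))
        elif ev.get("type") == "dns":
            if host in allowlist:
                continue
            q = ev.get("query", "").lower().rstrip(".")
            if any(q == d or q.endswith("." + d) for d in EXFIL_DOMAINS):
                alerts.append(Alert("exfil_domain", host, q))
    return alerts


def triage(alerts, min_rules=2):
    """Hosts with at least min_rules distinct rule hits. Staging plus egress on
    the same host is the pattern to escalate first in a double-extortion case."""
    by_host = {}
    for a in alerts:
        by_host.setdefault(a.host, set()).add(a.rule)
    return {h: rules for h, rules in by_host.items() if len(rules) >= min_rules}


if __name__ == "__main__":
    found = detect(SAMPLE_LOGS, allowlist=("BACKUP-01",))
    for a in found:
        print(f"[{a.rule}] {a.host}: {a.evidence}")
    print("escalate:", triage(found))
```

On the constructed sample the pass flags AdFind recon on the domain controller, a renamed Mimikatz binary by its module arguments, password-protected 7-Zip staging on the file server, and that same file server resolving a MEGA API host, while the allowlisted backup host's Backblaze lookup is suppressed. The triage step surfaces the file server as the only host with both staging and egress. In production, feed it EDR process events and DNS or proxy logs in whatever schema you have, and expect to tune the regexes against benign administrative use of AdFind and 7-Zip.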

Disclaimer

This report is based solely on unverified claims made by the INC Ransom ransomware group on their leak site. Yazoul Security has not independently verified the authenticity of the data, the scope of the breach, or the identity of the victim. Ransomware groups are known to exaggerate or fabricate claims to pressure victims into payment. This information is provided for intelligence purposes only and should not be considered confirmed fact. Organizations are advised to conduct their own due diligence and refer to official sources for verified information.
