Ransomware Group: INCRANSOM

VICTIM NAME: hillsidelibrary[.]org

NOTE: No files or stolen information are [exfiltrated/downloaded/taken/hosted/seen/reposted/disclosed] by RedPacket Security. Any legal issues relating to the content of the files should be directed at the attackers directly, not RedPacket Security. This blog is simply posting an editorial news post informing that a company has fallen victim to a ransomware attack. RedPacket Security is in no way affiliated or aligned with any ransomware threat actors or groups and will not host infringing content. The information on this page is fully automated and redacted whilst being scraped directly from the INCRANSOM Onion Dark Web Tor Blog page.

AI Generated Summary of the Ransomware Leak Page

On October 5, 2025, a leak page attributed to the ransomware group incransom lists hillsidelibrary[.]org as a victim. The entry identifies the domain as a US-based educational institution and references Hillside Public Library’s assistive technologies for patrons who are blind or visually impaired, including Kurzweil scanning software and ZoomText magnification. The leak’s accompanying metadata notes 25 employees and revenue of $5 million, but the body content contains an inconsistent industry label (Hospitality) in places, suggesting labeling inconsistencies on the page. The post asserts that a sizable data archive has been exfiltrated—approximately 11.6 GB in size—and includes 21 image attachments as evidence. A claim URL is provided, signaling an intention to monetize or publicly disclose the stolen data. The available data designate the post date as October 5, 2025; no separate compromise date is listed.

Evidence presented on the leak page comprises 21 screenshots or internal documents, depicted as image attachments. Several of the images appear to be internationalized in scope, with country-flag icons suggesting multiple jurisdictions. The page shows no direct downloadable files on the leak page itself (downloads_present is false), though the claimed data volume implies a substantial exfiltration that may exist outside the page’s immediate UI. The presence of a claim URL aligns with common data-leak/double-extortion tactics used by the incransom group. The target remains hillsidelibrary[.]org, with the group attribution clearly noted in the page metadata.

Defensive context: This leak indicates a potential data-leak scenario for a US educational institution operating as a public library. The combination of a large data volume (about 11.6 GB) and multiple image attachments raises the risk of exposure of internal documents or patron-related information. The page’s metadata also includes a revenue figure and employee count, though these figures should be treated as page metadata rather than confirmed operational details. There is no explicit compromise date beyond the post date provided, so timeline verification should be pursued through additional threat intel sources. In line with known ransomware patterns, defenders should review access controls, verify backups, monitor for suspicious data transfers, and prepare communications with stakeholders while tracking the activity of the incransom group.