[INCRANSOM] – Ransomware Victim: Evolve Mortgage Services
NOTE: No files or stolen information are exfiltrated, downloaded, taken, hosted, seen, reposted, or disclosed by RedPacket Security. Any legal issues relating to the content should be directed at the attackers, not RedPacket Security. This blog is an editorial notice informing that a company has fallen victim to a ransomware attack. RedPacket Security is not affiliated with any ransomware threat actors or groups and will not host infringing content. The information on this page is automated and redacted whilst being scraped directly from the INCRANSOM Onion Dark Web Tor Blog page.
AI Generated Summary of the Ransomware Leak Page
On October 30, 2025, a leak page attributed to the incransom ransomware operation identifies Evolve Mortgage Services as the victim. The post frames the incident as a data breach and exfiltration rather than an encryption event, stating that attackers claim to have stolen more than 20 terabytes of the company’s data, including about 2 terabytes of databases. The attackers allege that Evolve Mortgage Services refused to engage with them to address concerns about customer data security and accuse the company of disregarding customer safety and the disclosure of information. The message asserts that the attackers now possess data on all clients dating back to 2016, including sensitive PII such as Social Security numbers, scans of client IDs, home and work addresses, phone numbers, and full credit histories for thousands of US citizens. The leak page notes that a claim URL is available for further action or negotiation, though no URL is provided in this summary. There is no explicit indication of data encryption on the page; the event is described in terms of data exfiltration and potential data leakage rather than ransomware-encrypted files.
From a threat intelligence perspective, the post centers on Evolve Mortgage Services and is associated with the incransom group. The page indicates a claim URL is present, but the actual link is not shown here. Notably, the leak page contains no images or screenshots, suggesting a text-only presentation with no included document previews. The data scope described includes client information dating back to 2016 and PII such as SSNs, ID scans, addresses, phone numbers, and full credit histories for thousands of US citizens, with explicit redaction of specifics in this summary. The post date remains visible as October 30, 2025, and no separate compromise date is provided, so the published date serves as the post date. No ransom amount is stated in the provided materials. This event underscores the ongoing risk to the US financial services sector from ransomware operators employing data-leak extortion approaches, with significant potential regulatory and reputational implications for the victim and its clients.
Support Our Work
A considerable amount of time and effort goes into maintaining this website, creating backend automation and creating new features and content for you to make actionable intelligence decisions. Everyone that supports the site helps enable new functionality.
If you like the site, please support us on Patreon or Buy Me A Coffee using the buttons below.
