Ransomware Group: INCRANSOM

VICTIM NAME: ocmaine[.]com

NOTE: No files or stolen information are [exfiltrated/downloaded/taken/hosted/seen/reposted/disclosed] by RedPacket Security. Any legal issues relating to the content of the files should be directed at the attackers directly, not RedPacket Security. This blog is simply posting an editorial news post informing that a company has fallen victim to a ransomware attack. RedPacket Security is in no way affiliated or aligned with any ransomware threat actors or groups and will not host infringing content. The information on this page is fully automated and redacted whilst being scraped directly from the INCRANSOM Onion Dark Web Tor Blog page.

AI Generated Summary of the Ransomware Leak Page

The leak page associated with the domain ocmaine[.]com was published on October 5, 2025 by the threat group incransom. The victim is identified by the ocmaine[.]com domain and is described as a United States-based construction services organization in the Commercial & Residential Construction sector. According to the page metadata, the entity has about 25 employees and reported revenue of approximately $5.3 million; a publicly visible phone number is shown in the description but is redacted in the provided data. The post presents the event as a data breach with a substantial data footprint. The total data size cited is 16,100,899,057 bytes (roughly 15 GB), indicating a sizable exfiltration. A claim URL is present on the page, suggesting the attackers are offering some form of access or negotiations related to the stolen data. The leak page also includes 21 image attachments, described broadly as screenshots or related content, and a body excerpt that centers on ocmaine[.]com. There is no indication of a downloadable package being offered directly on the page based on the available metadata.

The page’s media attachments appear to include internal-document-style images alongside country-flag icons, implying geographic coverage of operations. The dataset indicates no direct downloads, while the presence of a claim URL aligns with ransomware leak behavior that aims to pressure the victim or monetize exfiltrated data. Notably, while the post provides business-scale context—industry, employee count, and revenue—the contact phone is redacted, aligning with PII protections in the shared extract. No explicit ransom amount or encryption status is stated within the supplied fields. The post date is October 5, 2025, and no separate compromise date is provided in the available data; the entry is thus described as the post date for the leak page. The victim name ocmaine[.]com remains the focal identifier to preserve context without naming any additional entities mentioned in the surrounding content.