INC Ransomware Leaks 500GB of Data from Namibia Airports Company on Dark Web

Namibia Airports Company Confirms Data Leak on Dark Web Following INC Ransomware Attack

Severity: HIGH | March 28, 2026 | 6 min read
Categories: Ransomware, Data Breach, Threat Actor

Impact Scope

Affected Companies: Namibia Airports Company (NAC)
Industries Affected: Transportation
Geographic Impact: Namibia (national)

Related Entities

Threat Actors: INC Ransomware Group
Other: Namibia Airports Company (NAC)

Full Report

Executive Summary

The Namibia Airports Company (NAC), which manages airports in Namibia, has fallen victim to a double-extortion ransomware attack by the INC Ransomware Group. The attackers successfully exfiltrated approximately 500GB of data before encrypting NAC's systems. After the company presumably refused to pay the ransom, the threat actors published the stolen data on their dark web leak site. The compromised data is believed to contain sensitive operational and financial information, including airport permit systems, project documents, and internal reports. While NAC has assured the public that airport safety and operations remain unaffected, the incident represents a significant data breach with potential long-term consequences.


Threat Overview

The attack was first detected on March 6, 2026. The INC Ransomware Group, a known cybercriminal organization, claimed responsibility. This group follows a typical ransomware-as-a-service (RaaS) model that focuses on double extortion:

  1. Data Exfiltration: Before deploying the encryption payload, the attackers silently exfiltrated a large volume of data (approx. 500GB) from NAC's network.
  2. Data Encryption: After securing the stolen data, the ransomware was activated, encrypting files and disrupting IT systems.
  3. Extortion: The group then demanded a ransom, using two points of leverage: the promise of a decryption key to restore the encrypted files, and the threat of publishing the stolen data if the ransom was not paid.

Since the data has now been leaked, it is clear that NAC did not meet the attackers' demands. This is the second attack in Namibia attributed to the INC Ransomware Group, indicating the group may be actively targeting organizations in the region.

Technical Analysis

The INC Ransomware Group's tactics are consistent with other major RaaS operations. The attack likely involved the following TTPs:

  • Initial Access: Common vectors include exploiting public-facing applications (e.g., VPNs, RDP), phishing campaigns, or leveraging stolen credentials.
  • Discovery & Collection: Once inside the network, the attackers would have spent time identifying and staging valuable data. The 500GB of exfiltrated data suggests they had significant dwell time to locate and aggregate files from various systems (T1005 - Data from Local System, T1074 - Data Staged).
  • Exfiltration: The large volume of data was likely exfiltrated over an encrypted channel to the attacker's infrastructure, possibly using legitimate cloud services to evade detection (T1567.002 - Exfiltration to Cloud Storage).
  • Impact: Finally, the ransomware payload was deployed across the network to encrypt files (T1486 - Data Encrypted for Impact).

Impact Assessment

The public release of 500GB of internal NAC data is a severe blow. The potential impact includes:

  • Operational Disruption: While core airport operations are reportedly unaffected, the loss of access to internal IT systems and the need to restore them causes significant internal disruption and cost.
  • Exposure of Sensitive Information: The leak of financial records, engineering documents, and project plans could expose confidential business strategies, security procedures, and infrastructure details that could be exploited by other malicious actors.
  • Privacy Concerns: If the airport permit system or other records contain personal information of employees or travelers, the NAC could face regulatory fines and legal challenges.
  • Reputational Damage: The breach damages public trust in NAC's ability to secure its data and infrastructure.
  • Targeting of the Region: This second attack by INC Ransomware in Namibia suggests the country and its organizations are on the radar of cybercriminal groups.

Cyber Observables for Detection

| Type | Value | Description | Context | Confidence |
|---|---|---|---|---|
| network_traffic_pattern | Sustained, high-volume outbound traffic to an unknown IP/domain | The exfiltration of 500GB of data would create a significant and anomalous network event. | NetFlow analysis, firewall logs, DLP systems. | high |
| process_name | rclone.exe, megacmd.exe | Legitimate command-line tools for cloud storage that are frequently abused by ransomware groups for data exfiltration. | EDR process monitoring with command-line auditing. | medium |
| file_name | INC-README.txt or similar | The specific ransom note name used by INC Ransomware. | File integrity monitoring (FIM). | high |

Detection & Response

  • Data Exfiltration Alerts: Organizations must have systems in place to detect large-scale data exfiltration. Data Loss Prevention (DLP) solutions and network traffic analysis tools configured with appropriate thresholds are essential. Reference D3FEND technique D3-NTA - Network Traffic Analysis.
  • Behavioral Monitoring: EDR tools can detect the precursor activities to encryption, such as credential theft (e.g., Mimikatz), disabling of security tools, and data staging.
  • Incident Response: NAC's response included immediate containment measures and the introduction of additional safeguards. They are now in the difficult position of managing the fallout from the public data leak, which requires transparency and communication with affected parties.

Mitigation

  • Egress Filtering: To prevent data exfiltration, implement strict outbound traffic filtering rules. Deny traffic by default and only allow connections to approved destinations. This could have blocked the 500GB data transfer.
  • Network Segmentation: Proper network segmentation can limit an attacker's ability to move laterally from a compromised workstation to a critical file server, containing the scope of a breach.
  • Data Encryption at Rest: While it won't stop exfiltration, encrypting sensitive data on servers can make the stolen information useless to attackers unless they also manage to steal the encryption keys.
  • Immutable Backups: Having secure, offline/immutable backups ensures that the organization can recover its systems without paying a ransom, removing one of the attacker's key leverage points.
  • Threat Intelligence: Organizations in targeted regions like Namibia should subscribe to threat intelligence feeds to stay aware of groups like INC Ransomware and their TTPs, allowing them to proactively hunt for related indicators.

Timeline of Events

  1. March 6, 2026: The cyberattack against Namibia Airports Company was first detected.
  2. March 28, 2026: This article was published.

MITRE ATT&CK Mitigations

  • Implement strict egress filtering and network traffic analysis to detect and block large, anomalous data transfers indicative of exfiltration.
  • Maintain offline/immutable backups to ensure system recovery is possible without paying the ransom, mitigating the encryption part of the attack.
  • Properly segmenting the network can prevent attackers from accessing and exfiltrating data from critical servers after an initial compromise.
  • Use EDR solutions to detect and block the execution of ransomware payloads and associated malicious activities.

D3FEND Defensive Countermeasures

To combat the double-extortion tactics of groups like INC Ransomware, Network Traffic Analysis is a critical defensive layer. The exfiltration of 500GB of data from the Namibia Airports Company should have been a massive, unmissable red flag. Organizations must deploy tools like NetFlow analyzers or Network Detection and Response (NDR) platforms to establish a baseline of normal network traffic patterns. These systems should be configured to trigger high-priority alerts for significant anomalies, such as a sudden, large-volume data transfer from an internal server to an external IP address, especially if it's an unknown or newly seen destination. By monitoring the volume, direction, and timing of data flows, security teams can detect the data theft phase of the attack in progress, allowing them to intervene and block the connection before the full dataset is stolen. This directly counters the 'data leak' portion of the extortion threat.
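The following Python script is an added example, not code from this report, from NAC, or from the article's author. It implements the three observables from the Cyber Observables table and the exfiltration and behavioural alerts from the Detection & Response section, including the Network Traffic Analysis described in the paragraph above: a per-host hourly outbound-volume baseline combined with a never-seen-destination check, matching of rclone.exe and megacmd.exe in EDR process events with command-line auditing, and the INC-README.txt ransom note name in FIM events. Every telemetry record, IP address, hostname, baseline figure and the 10x volume threshold is constructed for illustration.

```python
import ntpath
import re

# --- Constructed sample telemetry (illustrative values, not real NAC data) ---
# NetFlow-style records: (src_ip, dst_ip, dst_port, bytes_out, hour_of_day)
NETFLOW = [
    ("10.20.5.14", "203.0.113.10", 443, 180_000_000, 9),       # routine SaaS traffic
    ("10.20.5.14", "203.0.113.10", 443, 220_000_000, 10),
    ("10.20.7.3", "198.51.100.77", 443, 64_000_000_000, 2),    # 64 GB at 02:00 to an unseen host
    ("10.20.7.3", "198.51.100.77", 443, 71_000_000_000, 3),
]
KNOWN_DESTINATIONS = {"203.0.113.10"}                  # destinations seen in a 30-day baseline
BASELINE_BYTES_PER_HOUR = {"10.20.5.14": 200_000_000, "10.20.7.3": 50_000_000}

# EDR process-creation events with command-line auditing enabled (constructed)
EDR_PROCESSES = [
    {"host": "FS01", "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
    {"host": "FS01", "image": r"C:\Users\Public\rclone.exe",
     "cmdline": r"rclone.exe copy D:\Projects remote:bucket --transfers 32"},
]

# File integrity monitoring events (constructed)
FIM_EVENTS = [
    {"host": "FS01", "path": r"D:\Projects\INC-README.txt", "action": "created"},
    {"host": "WS22", "path": r"C:\Users\j.doe\README.txt", "action": "created"},
]

EXFIL_TOOLS = {"rclone.exe", "megacmd.exe"}            # process names from the observables table
TRANSFER_VERBS = {"copy", "sync", "move"}               # subcommands that move data off-host
RANSOM_NOTE = re.compile(r"^INC-README\.txt$", re.IGNORECASE)


def detect_exfil_flows(flows, known_dsts, baseline, ratio=10.0):
    """Flag a flow when hourly outbound volume exceeds `ratio` x the source host's
    baseline, or when the destination never appeared in the baseline period.
    Both conditions together mark the alert 'high'."""
    alerts = []
    for src, dst, port, nbytes, hour in flows:
        new_dst = dst not in known_dsts
        too_big = nbytes > ratio * baseline.get(src, 0)
        if new_dst or too_big:
            alerts.append({
                "src": src, "dst": dst, "port": port, "hour": hour,
                "gigabytes": round(nbytes / 1e9, 1),
                "reasons": [r for r, hit in (("new destination", new_dst),
                                             ("volume anomaly", too_big)) if hit],
                "severity": "high" if (new_dst and too_big) else "medium",
            })
    return alerts


def detect_exfil_tools(processes):
    """Match process image names against known cloud-transfer tools. The table rates
    this 'medium'; a transfer verb on the command line raises it to 'high'."""
    alerts = []
    for p in processes:
        name = ntpath.basename(p["image"]).lower()
        if name in EXFIL_TOOLS:
            escalated = bool(TRANSFER_VERBS & set(p["cmdline"].lower().split()))
            alerts.append({"host": p["host"], "tool": name, "cmdline": p["cmdline"],
                           "severity": "high" if escalated else "medium"})
    return alerts


def detect_ransom_notes(events):
    """A newly created file whose name matches the INC ransom note name."""
    return [e for e in events
            if e["action"] == "created" and RANSOM_NOTE.match(ntpath.basename(e["path"]))]


def run_all():
    """Run all three detections over the constructed telemetry."""
    return {
        "exfil_flows": detect_exfil_flows(NETFLOW, KNOWN_DESTINATIONS, BASELINE_BYTES_PER_HOUR),
        "exfil_tools": detect_exfil_tools(EDR_PROCESSES),
        "ransom_notes": detect_ransom_notes(FIM_EVENTS),
    }


if __name__ == "__main__":
    for kind, found in run_all().items():
        print(kind, *found, sep="\n  ")
```

In a real deployment the baseline dictionary is computed from NetFlow history per host rather than hard-coded, and the volume ratio is tuned per zone so that backup servers and file servers do not page the on-call engineer every night; the new-destination check is the part that stays cheap and high-signal regardless of tuning.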

Deploying decoy objects, or 'honeypots,' can provide early warning of an intruder's presence during the discovery phase. For the NAC, this would involve creating fake but realistically named files and folders (e.g., '2026_Financial_Projections_CONFIDENTIAL.xlsx', 'Airport_Security_Protocols.docx') and placing them on file shares. These decoy files should be instrumented to trigger an immediate alert the moment they are accessed, modified, or copied. Since no legitimate user should ever touch these files, any interaction is a high-fidelity indicator of malicious activity. This gives the security team a crucial early warning that an attacker is inside the network and actively searching for valuable data, providing an opportunity to evict the intruder long before they can exfiltrate 500GB of real data or deploy ransomware.
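An added example, not taken from the report, of the decoy-file monitor described above, written in Python. It plants the two decoy names from the paragraph on a share path, records a baseline fingerprint (content hash, size, mtime, inode) for each, and reports a decoy that goes missing, is modified, or is touched. Reads can only be seen through atime on strictatime mounts, so that check is off by default; in production, object-access auditing on the decoy paths (Windows SACLs or Linux auditd) is the reliable way to catch a copy. The filler contents, the 32 KiB size and the demo() scenario are constructed.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Decoy names taken from the paragraph above; contents are constructed filler.
DECOY_NAMES = [
    "2026_Financial_Projections_CONFIDENTIAL.xlsx",
    "Airport_Security_Protocols.docx",
]


def plant_decoys(share_dir):
    """Create the decoy files on a share path and return their paths."""
    share = Path(share_dir)
    share.mkdir(parents=True, exist_ok=True)
    paths = []
    for name in DECOY_NAMES:
        p = share / name
        # Filler sized like a small document; a production decoy would start from a
        # real template so that it survives a casual look from the intruder.
        p.write_bytes(os.urandom(32 * 1024))
        paths.append(p)
    return paths


def fingerprint(path):
    """Hash the content first, then stat, so the monitor's own read does not
    advance the atime it is about to record."""
    digest = hashlib.sha256(Path(path).read_bytes()).hexdigest()
    st = os.stat(path)
    return {"sha256": digest, "size": st.st_size, "mtime_ns": st.st_mtime_ns,
            "atime_ns": st.st_atime_ns, "inode": st.st_ino}


def snapshot(paths):
    """Baseline fingerprints keyed by path string."""
    return {str(p): fingerprint(p) for p in paths}


def check_decoys(baseline, use_atime=False):
    """Compare each decoy with its baseline. One alert per file, most severe reason
    wins: missing (deleted/renamed) > modified > touched (mtime only) > read
    (atime advanced; only meaningful on strictatime mounts)."""
    alerts = []
    for path, base in baseline.items():
        if not os.path.exists(path):
            alerts.append({"path": path, "event": "missing"})
            continue
        now = fingerprint(path)
        if now["sha256"] != base["sha256"] or now["inode"] != base["inode"]:
            alerts.append({"path": path, "event": "modified"})
        elif now["mtime_ns"] != base["mtime_ns"]:
            alerts.append({"path": path, "event": "touched"})
        elif use_atime and now["atime_ns"] > base["atime_ns"]:
            alerts.append({"path": path, "event": "read"})
    return alerts


def demo():
    """Constructed walk-through in a temporary directory: plant, baseline, then
    simulate an intruder editing one decoy and deleting the other. Returns the
    alerts from the quiet check and from the check after tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        paths = plant_decoys(tmp)
        baseline = snapshot(paths)
        quiet = check_decoys(baseline)            # nothing has happened yet
        with open(paths[0], "ab") as f:           # intruder edits the spreadsheet
            f.write(b"tampered")
        paths[1].unlink()                         # intruder removes the protocols document
        return quiet, check_decoys(baseline)


if __name__ == "__main__":
    before, after = demo()
    print("quiet check:", before)
    print("after tampering:", after)
```

Polling the share every minute is enough for a decoy because no legitimate process should ever touch these files; the value of the control is the near-zero false-positive rate, not the latency.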

Proper network isolation and segmentation is a fundamental defense that could have limited the scope of this attack. The NAC's critical systems, such as financial databases and engineering servers, should not reside on a flat network accessible from standard user workstations. By implementing a segmented architecture, the network is divided into security zones with strict firewall rules controlling traffic between them. For example, the engineering department's workstations would be in one zone, while the server containing project documents would be in another, more secure zone. Access would be restricted to specific users and protocols. This makes it much harder for an attacker who compromises a single endpoint to move laterally across the network and gain access to the 'crown jewels.' It contains the breach and prevents the attacker from aggregating the massive volume of data that was stolen in this incident.
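As an added example that is not part of the report and not NAC's configuration, the Python below models the egress filtering and network segmentation recommended in the Mitigation section and in the paragraph above as a first-match zone policy with an explicit default deny, placed next to the flat allow-all policy it replaces. A small lint function flags the two weaknesses that let a bulk transfer leave a flat network: an allow rule with unrestricted ports towards the internet, and the absence of a final default deny. The zone names, CIDRs, ports and lint rules are assumptions chosen for illustration; a real deployment expresses the same matrix in the firewall's own rule language.

```python
import ipaddress

# Security zones (constructed CIDRs for illustration)
ZONES = {
    "user_workstations": ipaddress.ip_network("10.20.0.0/23"),
    "engineering_workstations": ipaddress.ip_network("10.20.4.0/24"),
    "engineering_servers": ipaddress.ip_network("10.30.10.0/24"),
    "web_proxy": ipaddress.ip_network("10.40.0.0/24"),
}
ANY = None  # wildcard for the port set


def zone_of(ip):
    """Map an address to its zone; anything outside the named zones is 'internet'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


# A rule is (src_zone, dst_zone, allowed_ports, action); zones may be "any".
# Rules are evaluated in order and the first match wins.
FLAT_NETWORK_POLICY = [
    ("any", "any", ANY, "allow"),   # the weak setting: every host talks to every host and the internet
]

SEGMENTED_POLICY = [
    ("engineering_workstations", "engineering_servers", {445}, "allow"),  # SMB to project documents
    ("user_workstations", "web_proxy", {3128}, "allow"),                  # web only through the proxy
    ("engineering_workstations", "web_proxy", {3128}, "allow"),
    ("web_proxy", "internet", {80, 443}, "allow"),                         # only the proxy reaches out
    ("any", "any", ANY, "deny"),    # explicit default deny
]


def evaluate(policy, src_ip, dst_ip, dst_port):
    """Return 'allow' or 'deny' for a flow; an unmatched flow is denied."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    for rule_src, rule_dst, ports, action in policy:
        if rule_src in ("any", src) and rule_dst in ("any", dst) \
                and (ports is ANY or dst_port in ports):
            return action
    return "deny"


def lint(policy):
    """Flag policy weaknesses that would have let a bulk transfer out."""
    findings = []
    for i, (src, dst, ports, action) in enumerate(policy):
        if action == "allow" and dst in ("any", "internet") and ports is ANY:
            findings.append(f"rule {i}: unrestricted egress from '{src}' to '{dst}'")
    last = policy[-1] if policy else None
    if last is None or last[3] != "deny" or last[0] != "any" or last[1] != "any":
        findings.append("no explicit default deny at the end of the policy")
    return findings


if __name__ == "__main__":
    # A server pushing data straight to an unknown external host
    for name, policy in (("flat", FLAT_NETWORK_POLICY), ("segmented", SEGMENTED_POLICY)):
        print(name, "server -> internet:443 =", evaluate(policy, "10.30.10.5", "198.51.100.77", 443))
        print(name, "lint findings:", lint(policy))
```

The evaluator deliberately denies anything no rule mentions, which is also the property to verify on the real firewall: an audit that only reads the allow rules misses a trailing "permit any" that quietly undoes the segmentation.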

Sources & References

NAC data on dark web confirmed after ransomware attack. Informanté (informante.web.na), March 28, 2026.

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis; Security Orchestration (SOAR/XSOAR); Incident Response & Digital Forensics; Security Operations Center (SOC); SIEM & Security Analytics; Cyber Fusion & Threat Sharing; Security Automation & Integration; Managed Detection & Response (MDR)

Tags

double extortion, dark web, data leak, aviation, Africa
