The INC Ransom ransomware group has listed Rheem Manufacturing Company on its dark web leak site, claiming exfiltration of approximately 320 GB of corporate data spanning 479,856 files across 76,897 folders. The listing, surfaced by RedPacket Security on April 20, 2026, identifies the Atlanta-based heating, cooling, and water heating manufacturer as the latest industrial target of the prolific extortion crew. The claim carries a caveat: recent reporting has flagged INC Ransom listings as sometimes including unverified or fabricated victim entries, so the incident should be treated as unconfirmed pending independent corroboration.
What Happened
According to the leak page scraped from INC Ransom's Tor-hosted blog, the threat actor posted Rheem Manufacturing as a named victim, claiming bulk data theft rather than publishing a data sample. Rheem, headquartered in Atlanta, Georgia, is one of the largest HVAC and water heating manufacturers in North America, with operations and distribution spanning residential, commercial, and industrial product lines. The leak entry asserts that attackers accessed and exfiltrated a substantial cross-section of the company's internal file systems, roughly 320 GB compressed across nearly half a million files.
RedPacket Security, which aggregates and redacts ransomware leak site posts for threat intelligence purposes, defanged the victim's public-facing site reference and has not hosted or disclosed the stolen data itself. At the time of publication, Rheem had not issued a public statement confirming or denying the intrusion, and no regulatory filings corresponding to this event have been observed.
What Was Taken
INC Ransom's listing describes a broad cross-section of internal corporate data. The stated content categories include:
- Technical documentation: engineering drawings, product schematics, and test reports relevant to HVAC and water heating product lines
- Employee personal data: records containing personally identifiable information of staff
- Contracts and agreements: executed commercial agreements including non-disclosure agreements with partners, vendors, and counterparties
- Financial information: internal financial metrics, rankings, and performance data
The 479,856-file count and 76,897-folder structure suggest the actor accessed a file share, SharePoint environment, or similarly structured document repository rather than a narrowly scoped system. The breadth is consistent with INC Ransom's typical post-intrusion pattern of mass staging and exfiltration from network file stores before encryption or extortion deployment.
Why It Matters
A breach of this scope at a major HVAC manufacturer carries consequences well beyond the victim. Technical drawings and test reports constitute commercially sensitive intellectual property whose exposure can erode competitive position and aid counterfeiting operations. NDAs and contracts contain third-party obligations, meaning Rheem's counterparties face secondary exposure to leaked confidential terms, pricing, and supply chain relationships.
Manufacturing continues to rank among the most-targeted verticals for ransomware operators because of its low tolerance for operational downtime and reliance on legacy systems integrated with modern IT. INC Ransom has built a track record against healthcare, government, and industrial targets since 2023, and a named listing of a high-profile HVAC manufacturer reinforces that critical suppliers to residential and commercial building stock remain squarely in scope. Defenders at peer manufacturers, distributors, and building-products firms should treat this listing as a prompt to validate their own detection and segmentation posture.
The unverified-listing caveat matters as well: recent industry reporting has identified cases where INC Ransom postings included fabricated or recycled victim claims. That does not clear Rheem; it simply means confirmation requires independent evidence such as victim disclosure, sample data review, or regulatory filings.
The Attack Technique
INC Ransom has not published an initial access vector for the Rheem listing, and public telemetry on the intrusion is not yet available. The group's historical tradecraft, observed across prior victims, has included:
- Exploitation of exposed edge devices and VPN appliances with known, unpatched vulnerabilities
- Abuse of valid credentials obtained from infostealer logs or initial access brokers
- Living-off-the-land movement using PowerShell, PsExec, and legitimate remote management tooling
- Use of rclone, MEGAsync, or similar utilities for bulk exfiltration to cloud storage prior to extortion
- Deployment of a Linux/ESXi-capable encryptor on virtualized infrastructure
The scale of files reportedly taken from Rheem is consistent with prolonged dwell time inside a file server or cloud collaboration environment, and with automated crawling of mounted shares rather than a targeted snatch of specific documents.
What Organizations Should Do
Manufacturers, industrial suppliers, and any organization with commercial ties to Rheem should take the following steps:
- Audit exposure to Rheem counterparty data. If your organization has NDAs, supply contracts, or joint engineering work with Rheem, review what shared documentation could be implicated and prepare counterparty notification procedures.
- Harden external-facing attack surface. Validate patch status on VPN concentrators, firewalls, and remote access appliances, and confirm MFA is enforced on every remote access path, including legacy and service accounts.
- Hunt for INC Ransom tradecraft. rclone, MEGAcmd, WinSCP, and AnyDesk are all legitimate tools, so baseline their use by host and account rather than blocking on the binary name alone: flag them on workstations and file servers that have no business running transfer or remote-access software, along with unusual archive creation on file servers and outbound transfers to cloud storage endpoints from non-standard hosts.
- Reduce blast radius on file shares. Enforce least privilege on SharePoint, DFS, and SMB shares; tier access to engineering drawings and HR data; and enable honey files or canary accounts to detect mass enumeration.
- Validate offline, immutable backups. Confirm that backups are segmented from production identity and cannot be deleted or encrypted from a compromised domain account. Test restoration of engineering and HR repositories specifically.
- Monitor dark web and paste sites. Track whether INC Ransom progresses from listing to sample publication to full leak, and assess whether any released samples match internal corporate data to confirm the incident's authenticity.
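The hunting and blast-radius steps above (transfer tooling on non-admin hosts, archive staging on file servers, honey-file access, mass share enumeration) expressed as detection logic over an event stream. This is an added example, not code from the original page, from RedPacket Security, or from any INC Ransom reporting. The Sysmon-like JSON events are constructed for the example, and the host names, tool lists, honey-file path, file-server naming convention and the 200-files-per-minute threshold are assumptions that a real deployment would replace with its own baseline.

```python
"""Behavioural hunt for the exfiltration precursors listed above.

Added example, not tooling from RedPacket Security, Rheem, or any vendor.
Input is a constructed, Sysmon-like JSON event stream (process creations and
file reads); host names, users, paths and thresholds are assumptions.
"""
import json
import re
from collections import defaultdict

# Exfiltration / remote-access binaries named in the article. All are
# legitimate tools, so the rule keys on where they run, not that they run.
EXFIL_TOOLS = {"rclone.exe", "megacmd.exe", "megasync.exe", "winscp.exe", "anydesk.exe"}
ARCHIVERS = {"7z.exe", "7za.exe", "rar.exe", "winrar.exe"}
# rclone remote names / cloud hostnames that raise severity (assumed list, not exhaustive).
CLOUD_DEST = re.compile(r"\bmega:|drive\.google\.com|onedrive|dropbox|amazonaws\.com|backblazeb2", re.I)
ADMIN_HOSTS = {"ADMIN-JUMP01"}          # hosts where admin transfer tooling is expected (assumption)
FILE_SERVER_PREFIX = "FS"               # naming convention for file servers (assumption)
HONEY_FILES = {r"\\FS01\Engineering\Drawings\_archive\master_index.xlsx"}  # planted canary (assumption)
ENUM_THRESHOLD = 200                    # distinct files read by one account in one minute


def _basename(image):
    return image.rsplit("\\", 1)[-1].lower()


def analyze(lines):
    """Return a list of findings for a sequence of JSON event lines."""
    findings = []
    reads = defaultdict(set)  # (user, host, minute) -> distinct paths read
    for line in lines:
        ev = json.loads(line)
        host, user = ev["host"], ev.get("user", "")
        if ev["event"] == "process_create":
            image, cmd = _basename(ev["image"]), ev.get("cmdline", "")
            if image in EXFIL_TOOLS and host not in ADMIN_HOSTS:
                to_cloud = bool(CLOUD_DEST.search(cmd))
                findings.append({"rule": "exfil_tool_on_nonadmin_host",
                                 "severity": "high" if to_cloud else "medium",
                                 "host": host, "user": user, "detail": cmd or image})
            elif image in ARCHIVERS and host.startswith(FILE_SERVER_PREFIX):
                findings.append({"rule": "archiver_on_file_server", "severity": "medium",
                                 "host": host, "user": user, "detail": cmd or image})
        elif ev["event"] == "file_read":
            if ev["path"] in HONEY_FILES:
                findings.append({"rule": "honey_file_access", "severity": "high",
                                 "host": host, "user": user, "detail": ev["path"]})
            reads[(user, host, ev["ts"][:16])].add(ev["path"])  # ts[:16] = YYYY-MM-DDTHH:MM
    for (user, host, minute), paths in reads.items():
        if len(paths) >= ENUM_THRESHOLD:
            findings.append({"rule": "mass_enumeration", "severity": "high", "host": host,
                             "user": user, "detail": f"{len(paths)} distinct files in {minute}"})
    return findings


def _ev(**fields):
    return json.dumps(fields)


# Constructed sample events: one staging-and-exfil sequence plus benign activity.
SAMPLE_LOG = [
    _ev(ts="2026-04-18T02:14:07", event="process_create", host="WKS-ENG-22", user=r"CORP\jdoe",
        image=r"C:\Users\Public\rclone.exe",
        cmdline=r"rclone.exe copy D:\staging mega:drop --transfers 16 --ignore-existing"),
    _ev(ts="2026-04-18T02:15:31", event="process_create", host="FS01", user=r"CORP\svc_backup",
        image=r"C:\ProgramData\7z.exe",
        cmdline=r"7z.exe a -mx1 -v2g D:\staging\eng.7z E:\Shares\Engineering"),
    _ev(ts="2026-04-18T09:00:00", event="process_create", host="ADMIN-JUMP01", user=r"CORP\netops",
        image=r"C:\Program Files (x86)\WinSCP\WinSCP.exe", cmdline="WinSCP.exe"),  # expected: no finding
    _ev(ts="2026-04-18T02:16:02", event="file_read", host="FS01", user=r"CORP\svc_backup",
        path=r"\\FS01\Engineering\Drawings\_archive\master_index.xlsx"),
] + [  # 250 drawings read by the same account inside one minute: mass enumeration
    _ev(ts="2026-04-18T02:16:%02d" % (i % 60), event="file_read", host="FS01",
        user=r"CORP\svc_backup", path=r"\\FS01\Engineering\Drawings\RH-%05d.dwg" % i)
    for i in range(250)
] + [  # a few HR reads spread over minutes: below threshold, no finding
    _ev(ts="2026-04-18T10:%02d:00" % i, event="file_read", host="FS01",
        user=r"CORP\asmith", path=r"\\FS01\HR\onboarding-%d.docx" % i)
    for i in range(5)
]


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f['severity']:6}] {f['rule']:28} {f['host']:12} {f['user']:18} {f['detail']}")
```

On the sample stream the script raises four findings: rclone pushing a staging directory to a MEGA remote from an engineering workstation, a multi-part 7-Zip archive being built on the file server, a read of the planted honey file, and 251 distinct drawings read by one service account within a single minute. The WinSCP launch on the jump host is deliberately ignored, which is the point of baselining by host: the same binary is routine on one machine and a precursor on another.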
Sources: [INCRANSOM] - Ransomware Victim: rheem - RedPacket Security