On April 22, 2026, the Incransom ransomware group publicly claimed responsibility for a cyberattack against Teamsters Local 773, a significant US union organization operating the teamster773.org domain. The threat actor has issued a public extortion demand, warning that a full data dump will be released unless the union initiates ransom negotiations within a specified timeframe. The incident, first surfaced via DeXpose threat intelligence reporting, adds Teamsters Local 773 to a growing roster of labor and civic organizations targeted by the Incransom operation.

What Happened

Incransom listed Teamsters Local 773 on its data leak site on April 22, 2026, coupled with a direct extortion statement: "The full dump will be released unless Teamsters Local 773 initiates negotiations within the given timeframe." The posting follows Incransom's standard double-extortion playbook, in which victim environments are encrypted and sensitive data is exfiltrated prior to encryption, giving the group leverage even against victims with viable backups. As of reporting, Teamsters Local 773 has not issued public confirmation of the intrusion, disclosed the scope of affected systems, or indicated whether member-facing services have been disrupted.

What Was Taken

Incransom has not yet published sample files or a full data tranche, and the precise volume of exfiltrated data remains unconfirmed. Based on the operational profile of a local union chapter, the at-risk data likely includes union member personally identifiable information (names, addresses, Social Security numbers), employment and grievance records, dues and payroll data, collective bargaining documentation, internal legal correspondence, and potentially health and benefits fund records. Data of this nature carries elevated sensitivity due to its direct utility for identity theft, targeted phishing against union members, and potential exploitation in labor-adversarial contexts.

Why It Matters

Labor unions sit at an uncomfortable intersection for ransomware operators: they hold large volumes of member PII and financial data, often run on constrained IT budgets, and face intense member pressure to restore services quickly, all of which raise the likelihood of a ransom payment. The targeting of Teamsters Local 773 reinforces a broader trend of ransomware groups deliberately hunting mid-sized civic and membership organizations rather than only Fortune 500 targets. For defenders, the incident is a reminder that threat actors increasingly treat non-corporate entities, including unions, nonprofits, and municipalities, as high-yield targets with asymmetric defensive capabilities.

The Attack Technique

Specific initial access vectors for the Teamsters Local 773 intrusion have not been publicly disclosed. Incransom, active since mid-2023, has historically relied on a mix of phishing for initial access, exploitation of internet-facing services with unpatched vulnerabilities, and the use of valid credentials sourced from infostealer logs and underground credential markets. Post-compromise, the group typically deploys Cobalt Strike or similar frameworks for lateral movement, abuses native Windows tooling for reconnaissance, and stages data to cloud storage services prior to deploying its ransomware payload. Infostealer-sourced credentials remain a persistent precursor indicator in Incransom intrusions, often predating overt ransomware activity by weeks.

What Organizations Should Do

Sources: Incransom Strikes Teamsters Local 773 in Ransomware Attack - DeXpose