diff --git a/modules/signatures/windows/ransomware_fileextensions.py b/modules/signatures/windows/ransomware_fileextensions.py
index 7698b056..764b0919 100644
--- a/modules/signatures/windows/ransomware_fileextensions.py
+++ b/modules/signatures/windows/ransomware_fileextensions.py
@@ -134,6 +134,7 @@ def run(self):
             (".*\.phoenix$", ["PhoenixCryptoLocker"]),
             (".*\.blackbyte$", ["BlackByte"]),
             (".*\.basta$", ["BlackBasta"]),
+            (".*\.inc$", ["INC"]),
         ]
 
         for indicator in indicators: