CyberSecurity SEE

INC Ransomware Employs Double Extortion Tactics and Printer Ransom Notes to Coerce Victims


The Rise of INC Ransomware: A Shift to a Major Threat

In recent years, the INC ransomware group has transitioned from its nascent stages as a Ransomware-as-a-Service (RaaS) operation to a formidable player within the cybercrime ecosystem, ranked among the most active ransomware families of 2026. With over 800 reported victims since the beginning of 2023, INC has effectively capitalized on tumult within the ransomware landscape to broaden its affiliate network, making it a significant threat to organizations globally.

Recent Campaigns and Techniques

The recent operations of INC showcase not only incremental improvements in their technical tools but also the implementation of novel pressure tactics designed to compel victims into compliance. A prominent strategy employed by the group is the “double extortion” technique. By combining the theft of sensitive data with the automated printing of ransom notes, INC ensures that its demands are not only digitally communicated but also physically manifested within organizational environments. This method serves to maximize the psychological pressure on victims, exacerbating the urgency of compliance.

Technological Advancements

From a technical standpoint, INC has modernized its toolkit considerably. Rewriting both its Windows and Linux/ESXi encryptors in Rust is a strategic move toward cross-platform compatibility that also complicates analysts' efforts to dissect the code. The resulting binaries are heavily obfuscated; select samples are packed with VMProtect, while others retain clear import tables and call native APIs directly.

For instance, the malware exposes operational controls through command-line arguments that select specific functions. It sizes its thread pool in proportion to the number of CPU cores (four threads per core) and offers multiple encryption modes: fast, medium, and slow. This flexibility lets the malware maximize its impact while remaining responsive enough to display ransom-related instructions to victims.

Security experts have noted that INC employs a hybrid cryptographic scheme combining asymmetric and symmetric techniques. Using Curve25519-derived keys alongside AES/Salsa constructions, INC protects its per-file keys effectively. Encrypted files carry a unique .INC extension followed by a distinctive footer signature that helps analysts track the ransomware's footprint.

For its Linux/ESXi targets, INC uses X25519 Elliptic Curve Diffie-Hellman (ECDH) to derive an AES-CTR key for each file. The ESXi build also includes specialized routines that enumerate virtual machines through common commands, shut down specific instances, and skip irrelevant VM IDs, extending the ransomware's reach across affected infrastructure.

Victimology and Historical Impact

Globally, INC’s targeted attacks predominantly fall upon organizations in the United States, with significant breaches including entities such as NHS Scotland, Xerox, and the Texas State Bar, among others. This particular focus highlights the group’s strategic targeting of sectors where data sensitivity and operational disruption amplify the likelihood of ransom payments.

Research conducted by the Acronis Threat Research Unit illustrates a comprehensive analysis of INC ransomware, detailing its operational methodologies, attack chains, victim profiles, and evolving tactics. A crucial aspect of INC’s operational model involves adhering to well-established ransomware playbooks, utilizing initial access vectors such as spear-phishing, credential theft, and the exploitation of vulnerabilities in public-facing software, including Citrix and Fortinet.

Evasive Maneuvers

In the realm of defense evasion, INC's tactics show a sophisticated understanding of security controls. The group deploys customized techniques for process termination and shadow copy deletion, leveraging known vulnerabilities to dismantle security defenses. For command and control, operators rely on remote access tools such as Cobalt Strike, AnyDesk, and TeamViewer, enabling hands-on interaction with compromised networks.

Moreover, the extortion process has been refined through the use of 7-Zip for data exfiltration, staging archives before transferring them to cloud storage solutions. This method serves to bypass traditional perimeter defenses and facilitate the seamless transfer of stolen data.

Conclusion

In the face of evolving threats such as INC ransomware, organizations must hone their cybersecurity practices to defend against these technologically advanced and psychologically driven attacks. Reducing the external attack surface, patching systems promptly, and safeguarding backup credentials can drastically limit the damage from ransomware incidents. Proactive monitoring for unusual activity, particularly credential dumping and unauthorized print jobs, will remain vital against this escalating threat. Rapid identification of breaches, especially any access to Veeam credentials, will likewise help mitigate the cumulative effects of encryption and double extortion.
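Two of the behaviours this article describes, shadow copy deletion during defense evasion and the automated printing of ransom notes to many printers, leave telemetry that a defender can alert on. The following detection logic is an added example written for this page; it is not code from the Acronis report or from the ransomware itself. It runs over constructed, flattened Windows event records (process creation as Security event ID 4688, print jobs as PrintService/Operational event ID 307) and the shadow-copy command-line patterns are generic ransomware indicators, not commands the article attributes to INC.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry for this example. None of these records,
# hostnames, printer names or document names are real artefacts from the
# INC report; they are shaped like flattened Windows event log entries.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T02:14:03", "host": "FS01", "event_id": 4688,
     "command_line": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": "2024-05-01T02:14:05", "host": "FS01", "event_id": 4688,
     "command_line": "wmic.exe shadowcopy delete"},
    {"ts": "2024-05-01T02:15:00", "host": "WS07", "event_id": 4688,
     "command_line": "C:\\Windows\\System32\\notepad.exe C:\\Users\\a\\notes.txt"},
    # A burst of the same document sent to several printers within seconds.
    {"ts": "2024-05-01T02:20:00", "host": "FS01", "event_id": 307,
     "printer": "PRN-FLOOR1", "document": "note.txt"},
    {"ts": "2024-05-01T02:20:04", "host": "FS01", "event_id": 307,
     "printer": "PRN-FLOOR2", "document": "note.txt"},
    {"ts": "2024-05-01T02:20:09", "host": "FS01", "event_id": 307,
     "printer": "PRN-RECEPTION", "document": "note.txt"},
    {"ts": "2024-05-01T02:20:11", "host": "FS01", "event_id": 307,
     "printer": "PRN-FLOOR3", "document": "note.txt"},
    # Ordinary daytime printing from a workstation: two jobs, 35 minutes apart.
    {"ts": "2024-05-01T09:05:00", "host": "WS12", "event_id": 307,
     "printer": "PRN-FLOOR1", "document": "Q2-report.docx"},
    {"ts": "2024-05-01T09:40:00", "host": "WS12", "event_id": 307,
     "printer": "PRN-FLOOR2", "document": "invoice.pdf"},
]

# Generic shadow-copy deletion indicators (assumption: the article does not
# state which commands INC runs, so these are common patterns, not INC IoCs).
SHADOW_COPY_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"win32_shadowcopy.*delete", re.I),
]


def find_shadow_copy_deletion(events):
    """Return (host, command_line) pairs for process-creation events whose
    command line matches a shadow-copy deletion pattern."""
    hits = []
    for ev in events:
        if ev.get("event_id") != 4688:
            continue
        cmd = ev.get("command_line", "")
        if any(p.search(cmd) for p in SHADOW_COPY_PATTERNS):
            hits.append((ev["host"], cmd))
    return hits


def find_print_bursts(events, window_seconds=60, min_printers=3):
    """Return {host: set_of_printers} for hosts that sent print jobs to at
    least `min_printers` distinct printers inside any sliding window of
    `window_seconds`. A single source fanning one document out to every
    printer in the building is the signal for printed ransom notes."""
    per_host = defaultdict(list)
    for ev in events:
        if ev.get("event_id") == 307:
            per_host[ev["host"]].append(
                (datetime.fromisoformat(ev["ts"]), ev["printer"]))
    window = timedelta(seconds=window_seconds)
    alerts = {}
    for host, jobs in per_host.items():
        jobs.sort()
        start = 0
        for end in range(len(jobs)):
            # Advance the window start until the span fits within the limit.
            while jobs[end][0] - jobs[start][0] > window:
                start += 1
            printers = {p for _, p in jobs[start:end + 1]}
            if len(printers) >= min_printers:
                alerts[host] = alerts.get(host, set()) | printers
    return alerts


if __name__ == "__main__":
    for host, cmd in find_shadow_copy_deletion(SAMPLE_EVENTS):
        print(f"[shadow-copy deletion] {host}: {cmd}")
    for host, printers in find_print_bursts(SAMPLE_EVENTS).items():
        print(f"[print burst] {host} -> {sorted(printers)}")
```

Both detections are deliberately keyed on behaviour rather than on a ransom-note filename or a specific binary, so they survive the kind of toolkit rewrites the article describes. In practice the process-creation check should also fire from Sysmon event 1 command lines, and the print burst threshold should be tuned to the environment so that legitimate print servers do not trip it.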

As ransomware threats continue to evolve, vigilance and adaptive strategies are paramount for entities striving to navigate the complex landscape of cybersecurity defenses.
