INC Ransomware: A Rapidly Evolving Threat Targeting Global Organizations
Since its emergence in mid-2023, the INC ransomware group has established itself as a formidable Ransomware-as-a-Service (RaaS) operation, claiming over 800 victims worldwide. The group employs aggressive double-extortion tactics, targeting high-profile organizations primarily in the U.S., with a focus on the legal, manufacturing, technology, and healthcare sectors.
INC’s attack methods are both diverse and sophisticated. Initial access is often gained through spear-phishing, compromised credentials from access brokers, or exploitation of known vulnerabilities in public-facing systems, including Citrix NetScaler (CVE-2023-3519), Fortinet EMS (CVE-2023-48788), and Citrix Bleed 2 (CVE-2025-5777). Once inside, attackers use command-line tools and IP scanners to map the network before deploying a customized PowerShell script that extracts credentials from Veeam backup servers via salted DPAPI decryption.
The group’s ransomware payloads, rewritten in Rust, enable cross-platform attacks on both Windows and Linux/ESXi environments. On Windows, the malware uses multithreading and partial (intermittent) encryption to accelerate encryption while skipping critical system files, so that victims can still boot the machine and view ransom notes on desktops and network printers. On Linux and VMware ESXi servers, the payload shuts down virtual machines before encrypting them, maximizing disruption.
INC’s encryption scheme combines Curve25519 Elliptic Curve Cryptography and AES-128, making recovery without the decryption key nearly impossible. The group operates a dual-site extortion model, using a private portal for negotiations and a public leak site to pressure non-compliant victims. Their rapid evolution and technical sophistication underscore the growing threat posed by modern ransomware operations.
Source: https://cyberpress.org/inc-ransomware-exfiltrates-data/
Veeam Software cybersecurity rating report: https://www.rankiteo.com/company/veeam-software
Fortinet cybersecurity rating report: https://www.rankiteo.com/company/fortinet
Citrix cybersecurity rating report: https://www.rankiteo.com/company/citrix
"id": "VEEFORCIT1781857680",
"linkid": "veeam-software, fortinet, citrix",
"type": "Vulnerability",
"date": "7/2023",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{
  "affected_entities": [
    {
      "industry": ["Legal", "Manufacturing", "Technology", "Healthcare"],
      "location": "Primarily U.S.",
      "type": ["Legal", "Manufacturing", "Technology", "Healthcare"]
    }
  ],
  "attack_vector": ["Spear-phishing", "Compromised credentials", "Exploitation of vulnerabilities"],
  "data_breach": {
    "data_encryption": "Yes (Curve25519 ECC and AES-128)",
    "data_exfiltration": "Yes (double-extortion tactic)",
    "sensitivity_of_data": "High (credentials, PII potential)",
    "type_of_data_compromised": ["Credentials", "Backup data", "Virtual machine data", "Sensitive files"]
  },
  "description": "Since its emergence in mid-2023, the INC ransomware group has established itself as a formidable Ransomware-as-a-Service (RaaS) operation, claiming over 800 victims worldwide. The group employs aggressive double-extortion tactics, targeting high-profile organizations primarily in the U.S., with a focus on the legal, manufacturing, technology, and healthcare sectors. Their attack methods include spear-phishing, compromised credentials, and exploitation of known vulnerabilities. The ransomware payloads are rewritten in Rust for cross-platform attacks on Windows and Linux/ESXi environments, using advanced encryption schemes like Curve25519 ECC and AES-128.",
  "impact": {
    "brand_reputation_impact": "High (due to public leak site and double-extortion tactics)",
    "data_compromised": "Credentials, backup data, virtual machines, and sensitive files",
    "identity_theft_risk": "High (if personally identifiable information was compromised)",
    "operational_impact": "Shutdown of virtual machines, encryption of critical data, disruption of services",
    "systems_affected": ["Windows", "Linux/ESXi environments"]
  },
  "initial_access_broker": {
    "entry_point": ["Spear-phishing", "Compromised credentials", "Exploitation of vulnerabilities"]
  },
  "motivation": "Financial gain (Ransomware-as-a-Service)",
  "post_incident_analysis": {
    "root_causes": ["Exploitation of known vulnerabilities", "Compromised credentials", "Spear-phishing"]
  },
  "ransomware": {
    "data_encryption": "Yes (Curve25519 ECC and AES-128)",
    "data_exfiltration": "Yes (double-extortion tactic)",
    "ransomware_strain": "INC Ransomware"
  },
  "references": [{"source": "Cyber Incident Description"}],
  "threat_actor": "INC Ransomware Group",
  "title": "INC Ransomware Attack",
  "type": "Ransomware",
  "vulnerability_exploited": ["CVE-2023-3519 (Citrix NetScaler)", "CVE-2023-48788 (Fortinet EMS)", "CVE-2025-5777 (Citrix Bleed 2)"]
}