Xerox and Texas State Bar: INC Ransomware Uses Double Extortion and Printer Ransom Notes to Pressure Victims

Xerox and Texas State Bar: INC Ransomware Uses Double Extortion and Printer Ransom Notes to Pressure Victims

INC Ransomware Emerges as a Dominant Threat, Targeting 800+ Victims Since 2023

INC ransomware has rapidly evolved into one of the most active ransomware families of 2026, compromising over 800 organizations since 2023. The group has capitalized on disruptions among competitors, expanding its affiliate network while refining its tactics, techniques, and procedures (TTPs).

Technical Sophistication & Attack Methods

INC’s toolset has undergone significant modernization, with both Windows and Linux/ESXi encryptors rewritten in Rust for cross-platform efficiency and obfuscation. Key features include:

  • Hybrid cryptography using Curve25519-derived keys and AES/Salsa20 for file encryption, appending a .INC extension and a distinct footer signature.
  • Operator-driven execution, with command-line arguments for granular control, threadpool scaling (CPU cores × 4), and adjustable encryption speeds (fast, medium, slow).
  • Linux/ESXi-specific routines that enumerate and shut down VMs via vim-cmd, maximizing disruption in virtualized environments.

Initial access vectors include spear-phishing, purchased credentials, and exploitation of public-facing vulnerabilities (e.g., Citrix, Fortinet CVEs, SimpleHelp RMM flaws). Lateral movement relies on native tools (RDP, PsExec), Angry IP Scanner, and commercial RMM solutions.

Double Extortion & Psychological Pressure

INC employs double extortion, exfiltrating data via 7-Zip and rclone before encryption. The group’s pressure tactics include:

  • Automated network printing of ransom notes, ensuring physical visibility of demands.
  • Dual-site infrastructure: a private negotiation portal and a public leak site for publishing stolen data.
  • Credential dumping from Veeam backups using a modified Veeam-Get-Creds.ps1 script, targeting salted DPAPI encryption to disable recovery options.

Victimology & Sector Targeting

INC primarily targets U.S.-based organizations (65%+ of victims), with notable breaches including NHS Scotland, Xerox, and the Texas State Bar. Preferred sectors include:

  • Legal services
  • Manufacturing
  • Technology
  • Healthcare
  • Construction

Ecosystem Proliferation

Following a 2024 source-code leak, INC’s techniques have spread to related ransomware families like Lynx and Sinobi, amplifying its impact across the threat landscape.

Indicators of Compromise (IOCs)

Acronis Threat Research Unit (TRU) has identified multiple Windows (PE64) and Linux (ELF64) samples, including:

  • Windows hashes: 31800380c359143ae82c4f9011eee653dd22443d...
  • Linux hashes: 589d9480fbfec2d8e61638eb0b537183d0f99774...

The group’s evolution underscores its adaptability, combining technical refinement with aggressive extortion tactics to maximize impact.

Source: https://gbhackers.com/inc-ransomware-uses-double-extortion/

Xerox cybersecurity rating report: https://www.rankiteo.com/company/xerox

Texas A&M University cybersecurity rating report: https://www.rankiteo.com/company/texas-a&m-university

"id": "XERTEX1781864792",
"linkid": "xerox, texas-a&m-university",
"type": "Ransomware",
"date": "1/2024",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'industry': 'Healthcare',
                        'location': 'Scotland, UK',
                        'name': 'NHS Scotland',
                        'type': 'Healthcare'},
                       {'industry': 'Technology',
                        'location': 'U.S.',
                        'name': 'Xerox',
                        'type': 'Corporation'},
                       {'industry': 'Legal services',
                        'location': 'U.S.',
                        'name': 'Texas State Bar',
                        'type': 'Legal'},
                       {'customers_affected': '800+ organizations',
                        'industry': ['Legal services',
                                     'Manufacturing',
                                     'Technology',
                                     'Healthcare',
                                     'Construction'],
                        'location': 'U.S. (65%+ of victims)',
                        'type': 'Organization'}],
 'attack_vector': ['Spear-phishing',
                   'Purchased credentials',
                   'Exploitation of public-facing vulnerabilities (e.g., '
                   'Citrix, Fortinet CVEs, SimpleHelp RMM flaws)'],
 'data_breach': {'data_encryption': 'Yes (AES/Salsa20 with Curve25519-derived '
                                    'keys)',
                 'data_exfiltration': 'Yes (via 7-Zip and rclone)',
                 'personally_identifiable_information': 'Yes',
                 'sensitivity_of_data': 'High (PII, credentials, corporate '
                                        'data)',
                 'type_of_data_compromised': ['Personally identifiable '
                                              'information',
                                              'Credentials',
                                              'Corporate data']},
 'description': 'INC ransomware has rapidly evolved into one of the most '
                'active ransomware families of 2026, compromising over 800 '
                'organizations since 2023. The group has capitalized on '
                'disruptions among competitors, expanding its affiliate '
                'network while refining its tactics, techniques, and '
                'procedures (TTPs). The group employs hybrid cryptography, '
                'operator-driven execution, and double extortion tactics, '
                'targeting primarily U.S.-based organizations across legal '
                'services, manufacturing, technology, healthcare, and '
                'construction sectors.',
 'impact': {'brand_reputation_impact': 'Yes',
            'data_compromised': 'Yes',
            'identity_theft_risk': 'Yes (due to credential dumping and PII '
                                   'exposure)',
            'operational_impact': 'Shutdown of VMs via vim-cmd in virtualized '
                                  'environments',
            'systems_affected': ['Windows', 'Linux/ESXi']},
 'initial_access_broker': {'entry_point': ['Spear-phishing',
                                           'Purchased credentials',
                                           'Public-facing vulnerabilities']},
 'lessons_learned': 'The evolution of INC ransomware underscores the '
                    'adaptability of threat actors, combining technical '
                    'refinement with aggressive extortion tactics to maximize '
                    'impact. Organizations must prioritize patch management, '
                    'credential security, and monitoring of RMM tools to '
                    'mitigate such threats.',
 'motivation': ['Financial gain', 'Data extortion'],
 'post_incident_analysis': {'corrective_actions': ['Patch management for '
                                                   'critical vulnerabilities.',
                                                   'Restrict RDP and PsExec '
                                                   'usage.',
                                                   'Monitor and segment '
                                                   'virtualized environments.',
                                                   'Deploy behavioral WAF and '
                                                   'adaptive monitoring.',
                                                   'Secure backup systems '
                                                   '(e.g., Veeam) to prevent '
                                                   'credential dumping.'],
                            'root_causes': ['Exploitation of unpatched '
                                            'vulnerabilities (Citrix, '
                                            'Fortinet, SimpleHelp RMM).',
                                            'Use of purchased credentials for '
                                            'initial access.',
                                            'Lateral movement via native tools '
                                            '(RDP, PsExec) and RMM solutions.',
                                            'Lack of monitoring for '
                                            'ransomware-specific TTPs (e.g., '
                                            'hybrid encryption, VM '
                                            'shutdowns).']},
 'ransomware': {'data_encryption': 'Yes (hybrid cryptography)',
                'data_exfiltration': 'Yes (double extortion)',
                'ransomware_strain': 'INC Ransomware'},
 'recommendations': ['Implement patch management for public-facing '
                     'vulnerabilities (e.g., Citrix, Fortinet, SimpleHelp '
                     'RMM).',
                     'Enhance monitoring and segmentation of virtualized '
                     'environments (ESXi/Linux).',
                     'Restrict use of native tools like RDP and PsExec for '
                     'lateral movement.',
                     'Deploy behavioral WAF and adaptive monitoring to detect '
                     'ransomware activity.',
                     'Secure Veeam backups and DPAPI-encrypted credentials to '
                     'prevent credential dumping.',
                     'Educate employees on spear-phishing and credential '
                     'security.'],
 'references': [{'source': 'Acronis Threat Research Unit (TRU)'}],
 'threat_actor': 'INC Ransomware Group',
 'title': 'INC Ransomware Emerges as a Dominant Threat, Targeting 800+ Victims '
          'Since 2023',
 'type': 'Ransomware',
 'vulnerability_exploited': ['Citrix vulnerabilities',
                             'Fortinet CVEs',
                             'SimpleHelp RMM flaws']}
Great! Next, complete checkout for full access to Rankiteo Blog.
Welcome back! You've successfully signed in.
You've successfully subscribed to Rankiteo Blog.
Success! Your account is fully activated, you now have access to all content.
Success! Your billing info has been updated.
Your billing was not updated.