INC Ransomware Emerges as a Dominant Threat, Targeting 800+ Victims Since 2023
INC ransomware has rapidly evolved into one of the most active ransomware families of 2026, compromising over 800 organizations since 2023. The group has capitalized on disruptions among competitors, expanding its affiliate network while refining its tactics, techniques, and procedures (TTPs).
Technical Sophistication & Attack Methods
INC’s toolset has undergone significant modernization, with both Windows and Linux/ESXi encryptors rewritten in Rust for cross-platform efficiency and obfuscation. Key features include:
- Hybrid cryptography using Curve25519-derived keys and AES/Salsa20 for file encryption, appending a .INC extension and a distinct footer signature.
- Operator-driven execution, with command-line arguments for granular control, threadpool scaling (CPU cores × 4), and adjustable encryption speeds (fast, medium, slow).
- Linux/ESXi-specific routines that enumerate and shut down VMs via
vim-cmd, maximizing disruption in virtualized environments.
Initial access vectors include spear-phishing, purchased credentials, and exploitation of public-facing vulnerabilities (e.g., Citrix, Fortinet CVEs, SimpleHelp RMM flaws). Lateral movement relies on native tools (RDP, PsExec), Angry IP Scanner, and commercial RMM solutions.
Double Extortion & Psychological Pressure
INC employs double extortion, exfiltrating data via 7-Zip and rclone before encryption. The group’s pressure tactics include:
- Automated network printing of ransom notes, ensuring physical visibility of demands.
- Dual-site infrastructure: a private negotiation portal and a public leak site for publishing stolen data.
- Credential dumping from Veeam backups using a modified
Veeam-Get-Creds.ps1script, targeting salted DPAPI encryption to disable recovery options.
Victimology & Sector Targeting
INC primarily targets U.S.-based organizations (65%+ of victims), with notable breaches including NHS Scotland, Xerox, and the Texas State Bar. Preferred sectors include:
- Legal services
- Manufacturing
- Technology
- Healthcare
- Construction
Ecosystem Proliferation
Following a 2024 source-code leak, INC’s techniques have spread to related ransomware families like Lynx and Sinobi, amplifying its impact across the threat landscape.
Indicators of Compromise (IOCs)
Acronis Threat Research Unit (TRU) has identified multiple Windows (PE64) and Linux (ELF64) samples, including:
- Windows hashes:
31800380c359143ae82c4f9011eee653dd22443d... - Linux hashes:
589d9480fbfec2d8e61638eb0b537183d0f99774...
The group’s evolution underscores its adaptability, combining technical refinement with aggressive extortion tactics to maximize impact.
Source: https://gbhackers.com/inc-ransomware-uses-double-extortion/
Xerox cybersecurity rating report: https://www.rankiteo.com/company/xerox
Texas A&M University cybersecurity rating report: https://www.rankiteo.com/company/texas-a&m-university
"id": "XERTEX1781864792",
"linkid": "xerox, texas-a&m-university",
"type": "Ransomware",
"date": "1/2024",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'industry': 'Healthcare',
'location': 'Scotland, UK',
'name': 'NHS Scotland',
'type': 'Healthcare'},
{'industry': 'Technology',
'location': 'U.S.',
'name': 'Xerox',
'type': 'Corporation'},
{'industry': 'Legal services',
'location': 'U.S.',
'name': 'Texas State Bar',
'type': 'Legal'},
{'customers_affected': '800+ organizations',
'industry': ['Legal services',
'Manufacturing',
'Technology',
'Healthcare',
'Construction'],
'location': 'U.S. (65%+ of victims)',
'type': 'Organization'}],
'attack_vector': ['Spear-phishing',
'Purchased credentials',
'Exploitation of public-facing vulnerabilities (e.g., '
'Citrix, Fortinet CVEs, SimpleHelp RMM flaws)'],
'data_breach': {'data_encryption': 'Yes (AES/Salsa20 with Curve25519-derived '
'keys)',
'data_exfiltration': 'Yes (via 7-Zip and rclone)',
'personally_identifiable_information': 'Yes',
'sensitivity_of_data': 'High (PII, credentials, corporate '
'data)',
'type_of_data_compromised': ['Personally identifiable '
'information',
'Credentials',
'Corporate data']},
'description': 'INC ransomware has rapidly evolved into one of the most '
'active ransomware families of 2026, compromising over 800 '
'organizations since 2023. The group has capitalized on '
'disruptions among competitors, expanding its affiliate '
'network while refining its tactics, techniques, and '
'procedures (TTPs). The group employs hybrid cryptography, '
'operator-driven execution, and double extortion tactics, '
'targeting primarily U.S.-based organizations across legal '
'services, manufacturing, technology, healthcare, and '
'construction sectors.',
'impact': {'brand_reputation_impact': 'Yes',
'data_compromised': 'Yes',
'identity_theft_risk': 'Yes (due to credential dumping and PII '
'exposure)',
'operational_impact': 'Shutdown of VMs via vim-cmd in virtualized '
'environments',
'systems_affected': ['Windows', 'Linux/ESXi']},
'initial_access_broker': {'entry_point': ['Spear-phishing',
'Purchased credentials',
'Public-facing vulnerabilities']},
'lessons_learned': 'The evolution of INC ransomware underscores the '
'adaptability of threat actors, combining technical '
'refinement with aggressive extortion tactics to maximize '
'impact. Organizations must prioritize patch management, '
'credential security, and monitoring of RMM tools to '
'mitigate such threats.',
'motivation': ['Financial gain', 'Data extortion'],
'post_incident_analysis': {'corrective_actions': ['Patch management for '
'critical vulnerabilities.',
'Restrict RDP and PsExec '
'usage.',
'Monitor and segment '
'virtualized environments.',
'Deploy behavioral WAF and '
'adaptive monitoring.',
'Secure backup systems '
'(e.g., Veeam) to prevent '
'credential dumping.'],
'root_causes': ['Exploitation of unpatched '
'vulnerabilities (Citrix, '
'Fortinet, SimpleHelp RMM).',
'Use of purchased credentials for '
'initial access.',
'Lateral movement via native tools '
'(RDP, PsExec) and RMM solutions.',
'Lack of monitoring for '
'ransomware-specific TTPs (e.g., '
'hybrid encryption, VM '
'shutdowns).']},
'ransomware': {'data_encryption': 'Yes (hybrid cryptography)',
'data_exfiltration': 'Yes (double extortion)',
'ransomware_strain': 'INC Ransomware'},
'recommendations': ['Implement patch management for public-facing '
'vulnerabilities (e.g., Citrix, Fortinet, SimpleHelp '
'RMM).',
'Enhance monitoring and segmentation of virtualized '
'environments (ESXi/Linux).',
'Restrict use of native tools like RDP and PsExec for '
'lateral movement.',
'Deploy behavioral WAF and adaptive monitoring to detect '
'ransomware activity.',
'Secure Veeam backups and DPAPI-encrypted credentials to '
'prevent credential dumping.',
'Educate employees on spear-phishing and credential '
'security.'],
'references': [{'source': 'Acronis Threat Research Unit (TRU)'}],
'threat_actor': 'INC Ransomware Group',
'title': 'INC Ransomware Emerges as a Dominant Threat, Targeting 800+ Victims '
'Since 2023',
'type': 'Ransomware',
'vulnerability_exploited': ['Citrix vulnerabilities',
'Fortinet CVEs',
'SimpleHelp RMM flaws']}