Cybersecurity researchers have revealed how INC ransomware has rapidly evolved from a relatively unknown ransomware-as-a-service (RaaS) operation into one of the most prolific cybercriminal groups of 2026. Since its emergence in August 2023, the group has reportedly claimed more than 830 victims worldwide.
According to researchers at Acronis, INC significantly expanded its reach following the disruption of major ransomware groups such as LockBit and BlackCat. As affiliates sought alternative platforms, many migrated to INC, helping fuel its rapid growth.
United States Remains the Primary Target
More than 65% of INC’s known victims are based in the United States. The group’s most targeted industries include:
- Legal services
- Manufacturing
- Construction
- Technology
- Healthcare
Researchers note that these sectors are particularly vulnerable due to their reliance on uninterrupted operations and the high financial impact of downtime.
Rust-Based Ransomware Improves Cross-Platform Capabilities
INC has continued to enhance its malware toolkit by rewriting both its Windows and Linux/ESXi encryptors in Rust. The move offers several advantages, including:
- Easier cross-platform development
- Improved performance
- Greater resistance to reverse engineering
The group has also updated its credential-stealing tooling to handle newer Veeam Backup & Replication deployments, which protect stored credentials with salted DPAPI encryption. Backup servers are a priority target because the credentials they hold typically grant broad access to the rest of the environment, and because destroying or encrypting backups removes the victim's alternative to paying.
Expansion Through Source Code Sales
In May 2024, INC reportedly began selling its Windows and Linux ransomware variants on underground cybercrime forums. This development contributed to the emergence of related ransomware families such as:
- Lynx
- Sinobi
Security researchers have identified significant code overlap between these operations, suggesting they share a common codebase.
Despite these spin-off groups, the INC brand has continued to grow and refine its ransomware ecosystem.
How INC Ransomware Attacks Work
INC affiliates use a combination of proven attack techniques and commercially available tools to compromise organizations. Recent campaigns have focused heavily on unpatched internet-facing devices and backup infrastructure.
1. Initial Access
Attackers gain access through multiple methods, including:
- Spear-phishing campaigns
- Stolen credentials purchased from Initial Access Brokers (IABs)
- Exploitation of publicly exposed vulnerabilities
Frequently targeted vulnerabilities include:
- Citrix NetScaler ADC and Gateway (CVE-2023-3519, an unauthenticated remote code execution flaw, and CVE-2025-5777, an out-of-bounds memory read that leaks session tokens)
- Fortinet FortiClient EMS (CVE-2023-48788, an unauthenticated SQL injection)
- SimpleHelp remote support software (CVE-2024-57727, an unauthenticated path traversal)
2. Credential Theft
Once inside a network, attackers harvest sensitive credentials, often targeting backup servers and privileged accounts to maximize access.
3. Lateral Movement
INC operators move laterally with legitimate administrative tools and Living-off-the-Land techniques rather than custom implants, including:
- Remote Desktop Protocol (RDP)
- PsExec
These tools help attackers move across the network while blending in with normal administrative activity.
4. Defense Evasion
The group employs the Bring Your Own Vulnerable Driver (BYOVD) technique: it loads a legitimately signed but vulnerable kernel driver and abuses it to terminate or blind EDR and antivirus processes, since the valid signature lets the driver load where unsigned code cannot.
Commonly abused drivers include:
- filwfp.sys
- filnk.sys
- fildds.sys
5. Command-and-Control Deployment
Attackers frequently deploy remote management and post-exploitation tools such as:
- Cobalt Strike
- AnyDesk
- ScreenConnect
- TeamViewer
These tools provide persistent access and facilitate command-and-control operations.
6. Data Theft and Exfiltration
Before encrypting systems, attackers steal sensitive data and package it into password-protected archives. The files are then exfiltrated using Rclone, supporting the group’s double-extortion strategy.
7. Encryption and Impact
The final stage involves deploying the ransomware encryptor. INC uses several techniques to accelerate encryption, including:
- Multithreading
- Partial encryption
The malware also exposes a command-line interface that lets operators tailor each hands-on deployment. When executed with the --esxi parameter, the ransomware attempts to shut down running virtual machines before encryption begins, because a powered-on guest holds locks on its disk files and they cannot otherwise be encrypted cleanly.
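The seven stages above leave a trail that a defender can correlate. The following is an added example, not code from the article or from Acronis: a small rule-based pass over constructed telemetry that flags the artefacts the article names for each stage (a PsExec service install, a load of one of the listed BYOVD drivers, an unsanctioned RMM tool, an Rclone copy to a remote, and the --esxi encryptor flag), then correlates them per host. The key=value log format, hostnames, users, paths and the choice of ScreenConnect as the sanctioned RMM tool are assumptions made for the demo; only the driver and tool names come from the article.

```python
"""Rule-based pass over constructed log lines for the tradecraft the article
lists: PsExec service installs, BYOVD driver loads, unsanctioned RMM tools,
Rclone exfiltration and the --esxi encryptor flag. Added example, not code
from the article or Acronis: the key=value log format, hosts, users and
paths are constructed for the demo; only the driver and tool names come
from the article."""
import re
from dataclasses import dataclass

# Driver names the article lists as abused for BYOVD.
BYOVD_DRIVERS = {"filwfp.sys", "filnk.sys", "fildds.sys"}
# RMM tools the article names. Assumption: ScreenConnect is the sanctioned
# tool in this demo environment, so only the other two raise an alert.
RMM_BINARIES = {"anydesk.exe", "screenconnect.clientservice.exe", "teamviewer.exe"}
SANCTIONED_RMM = {"screenconnect.clientservice.exe"}
# rclone remote spec "name:path"; requiring 2+ name chars skips drive letters.
RCLONE_REMOTE = re.compile(r"(?<![\w:])[\w-]{2,}:(?![\\/])")
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

@dataclass
class Alert:
    rule: str
    host: str
    detail: str

def parse_line(line: str) -> dict:
    """Parse one constructed key=value line; quoted values may contain spaces."""
    return {k: (q or u) for k, q, u in FIELD.findall(line)}

def basename(path: str) -> str:
    return re.split(r"[\\/]", path)[-1].lower()

def rule_psexec(ev):
    # Windows System log 7045 (new service): PsExec installs PSEXESVC on the target.
    if ev.get("event") == "7045" and ev.get("service", "").upper() == "PSEXESVC":
        return Alert("psexec_lateral_movement", ev["host"], f"PSEXESVC installed by {ev.get('user')}")

def rule_byovd(ev):
    if ev.get("event") == "driver_load" and basename(ev.get("image", "")) in BYOVD_DRIVERS:
        return Alert("byovd_driver_load", ev["host"], ev["image"])

def rule_rmm(ev):
    image = basename(ev.get("image", ""))
    if ev.get("event") == "process_create" and image in RMM_BINARIES - SANCTIONED_RMM:
        return Alert("unsanctioned_rmm", ev["host"], image)

def rule_rclone(ev):
    # Caveat: affiliates rename the binary, so a production rule should also
    # key on the file hash or PE OriginalFileName, not the on-disk name alone.
    argv = ev.get("cmdline", "").split()
    if (ev.get("event") == "process_create" and argv and basename(argv[0]) == "rclone.exe"
            and {"copy", "sync", "move"} & set(argv[1:])
            and any(RCLONE_REMOTE.search(a) for a in argv[1:])):
        return Alert("rclone_exfil", ev["host"], ev["cmdline"])

def rule_esxi_flag(ev):
    if ev.get("event") == "process_create" and "--esxi" in ev.get("cmdline", "").split():
        return Alert("encryptor_esxi_mode", ev["host"], ev["cmdline"])

RULES = [rule_psexec, rule_byovd, rule_rmm, rule_rclone, rule_esxi_flag]

def detect(log_text: str) -> list:
    """Run every rule over every line; alerts come back in log order."""
    alerts = []
    for line in filter(str.strip, log_text.splitlines()):
        ev = parse_line(line)
        alerts.extend(a for a in (rule(ev) for rule in RULES) if a)
    return alerts

def hosts_with_chain(alerts, min_rules=3) -> set:
    """Hosts where several distinct stages fired: the correlation that turns
    individually noisy signals into a credible hands-on-keyboard intrusion."""
    seen = {}
    for a in alerts:
        seen.setdefault(a.host, set()).add(a.rule)
    return {h for h, rules in seen.items() if len(rules) >= min_rules}

# Constructed sample telemetry (not real logs). FS-01 is the backup/file server.
SAMPLE_LOGS = r"""
ts=2026-03-02T08:14:03Z host=WS-114 event=process_create user=j.doe image="C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE" cmdline="OUTLOOK.EXE"
ts=2026-03-02T09:02:51Z host=FS-01 event=7045 service=PSEXESVC user=CORP\svc-backup image="%SystemRoot%\PSEXESVC.exe"
ts=2026-03-02T09:05:17Z host=FS-01 event=driver_load user=SYSTEM image="C:\Windows\Temp\filwfp.sys"
ts=2026-03-02T09:06:40Z host=FS-01 event=process_create user=CORP\svc-backup image="C:\ProgramData\AnyDesk.exe" cmdline="AnyDesk.exe --install C:\ProgramData\AnyDesk --silent"
ts=2026-03-02T09:20:03Z host=WS-114 event=process_create user=helpdesk image="C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe" cmdline="ScreenConnect.ClientService.exe"
ts=2026-03-02T11:41:29Z host=FS-01 event=process_create user=CORP\svc-backup image="C:\Windows\Temp\rclone.exe" cmdline="rclone.exe copy D:\Shares\Legal mega:drop --transfers 16"
ts=2026-03-02T13:00:00Z host=ESX-03 event=process_create user=root image="/tmp/inc" cmdline="/tmp/inc --esxi --dir /vmfs/volumes"
"""

if __name__ == "__main__":
    found = detect(SAMPLE_LOGS)
    for a in found:
        print(f"{a.rule:24} {a.host:7} {a.detail}")
    print("hosts with chained activity:", hosts_with_chain(found))
```

Run against the sample, the rules fire once each on the four FS-01 lines and once on the ESXi host, and `hosts_with_chain` singles out FS-01 because four distinct stages touched it within the same morning. The individual signals are deliberately simple and each has benign look-alikes (administrators do use PsExec and rclone); the point is that the article's chain is visible as a sequence on one host, and that correlation, not any single rule, is what separates an intrusion from noise.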
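The partial-encryption technique in the final stage is worth seeing in numbers, because it also changes what a defender's entropy-based detection sees. The following is an added example, not the article's or the encryptor's own scheme: it builds a constructed low-entropy document, simulates encrypting one block in every eight with seeded random bytes (no cipher is involved), and shows that the whole-file Shannon entropy stays far below a typical "looks encrypted" threshold while a per-chunk check still catches it. The block size, stride and thresholds are assumptions chosen for the demo.

```python
"""Why partial (intermittent) encryption matters to defenders: if only every
Nth block of a file is encrypted, whole-file Shannon entropy stays low and a
single-threshold check misses it, while per-chunk entropy still catches it.
Added example, not the article's or the encryptor's own scheme: block size,
stride and thresholds are assumptions for the demo, and ciphertext is
simulated with seeded random bytes rather than produced by a cipher."""
import math
import random
from collections import Counter

BLOCK = 4096          # assumed encryption block / analysis chunk size
STRIDE = 8            # assumed: encrypt 1 block in every 8
THRESHOLD = 7.5       # bits per byte; random data sits near 8.0, text near 4-5

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def make_sample_document(size: int = 1_040_000) -> bytes:
    """Constructed low-entropy plaintext standing in for a document on a file share."""
    line = b"Client matter 2026-0412: retainer agreement, hourly billing, discovery schedule.\n"
    return (line * (size // len(line) + 1))[:size]

def simulate_partial_encryption(plaintext: bytes, block=BLOCK, stride=STRIDE, seed=1) -> bytes:
    """Overwrite one block in every `stride` with simulated ciphertext; the
    rest of the file is left as-is, which is what makes the encryption fast."""
    rng = random.Random(seed)
    out = bytearray(plaintext)
    for start in range(0, len(out), block * stride):
        end = min(start + block, len(out))
        out[start:end] = rng.randbytes(end - start)
    return bytes(out)

def simulate_full_encryption(plaintext: bytes, seed=1) -> bytes:
    return random.Random(seed).randbytes(len(plaintext))

def high_entropy_fraction(data: bytes, chunk=BLOCK, threshold=THRESHOLD) -> float:
    """Share of fixed-size chunks whose entropy is at or above `threshold`."""
    chunks = [data[i:i + chunk] for i in range(0, len(data), chunk)]
    return sum(shannon_entropy(c) >= threshold for c in chunks) / len(chunks)

def looks_encrypted_whole(data: bytes, threshold=THRESHOLD) -> bool:
    """Naive check: one entropy value for the entire file."""
    return shannon_entropy(data) >= threshold

def looks_encrypted_chunked(data: bytes, min_fraction=0.05) -> bool:
    """Chunked check: alert if at least `min_fraction` of chunks look random.
    Caveat: already-compressed or encrypted formats (zip, jpeg, pdf streams)
    also score high, so pair this with file-type and write-pattern context."""
    return high_entropy_fraction(data) >= min_fraction

def compare(plaintext: bytes) -> dict:
    """Both detectors' verdicts on the untouched, partially and fully encrypted file."""
    variants = {
        "plain": plaintext,
        "partial": simulate_partial_encryption(plaintext),
        "full": simulate_full_encryption(plaintext),
    }
    return {name: (looks_encrypted_whole(d), looks_encrypted_chunked(d)) for name, d in variants.items()}

if __name__ == "__main__":
    doc = make_sample_document()
    partial = simulate_partial_encryption(doc)
    print(f"whole-file entropy, partial: {shannon_entropy(partial):.2f} bits/byte")
    print(f"high-entropy chunks, partial: {high_entropy_fraction(partial):.1%}")
    print("(whole, chunked) verdicts:", compare(doc))
```

With one block in eight touched, roughly 12% of the chunks read as random and the whole-file entropy lands around 5 bits per byte, so only the chunked detector flags the partially encrypted file while both flag the fully encrypted one. The same arithmetic explains the attacker's gain: seven eighths of the I/O and cipher work is skipped, yet every block of a structured file format is still damaged enough to make it unusable.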
A Growing Threat Despite Conventional Techniques
One of the most notable aspects of INC’s success is that the group relies largely on established attack methods rather than highly sophisticated custom malware.
Researchers emphasize that ransomware operators can achieve significant scale by combining:
- Known vulnerabilities
- Credential theft
- Legitimate administrative tools
- Commercial remote management software
This approach enables attackers to continuously target organizations across multiple regions and industries.
INC Ranked Among Top Ransomware Groups in 2026
Data from ZeroFox indicates that INC ransomware ranked as the fourth most active ransomware group during the first quarter of 2026.
The top ransomware groups by reported incidents were:
- Qilin – 338 incidents
- Akira – 197 incidents
- The Gentlemen – 192 incidents
- INC – More than 120 incidents
These figures highlight INC’s growing influence within the ransomware landscape.
Final Thoughts
Acronis researchers warn that INC continues to strengthen its operations through ongoing malware development, Rust-based payload enhancements, and improvements to its attack toolkit.
The group’s focus on industries such as healthcare, legal services, manufacturing, construction, and professional services increases the likelihood of ransom payments due to the operational disruptions caused by attacks.
As these sectors often depend on complex supply chains and third-party vendors, a successful compromise can create widespread downstream impacts, exposing business partners and customers to additional risk.
