INSPECTING ARCHIVED INTELLIGENCE (OUTDATED VERSION).
Inc Ransomware Emerges as Major Threat in 2026
2026-06-18 14:12 | CRITICAL HIGH
Executive Summary AI-generated
The threat landscape is shifting rapidly, with ransomware-as-a-service (RaaS) groups like INC continuing to evolve and expand their operations. INC's ability to target various sectors, including healthcare, legal services, technology, and construction, has made it a major concern for organizations worldwide. Its diversification of tools and techniques, such as the use of living-off-the-land binaries and credential dumpers, has enabled it to adapt quickly to changing security landscapes. As researchers like Darrel Virtusio at Acronis have noted, INC's success lies in its ability to leverage widely known techniques without requiring advanced tradecraft or bespoke tooling, making it a formidable force in the cybercrime world.
Technical Mitigations AI-generated
* Implement regular security updates and patches for Windows and Linux systems to prevent exploitation of known vulnerabilities.
* Use reputable antivirus software and keep it up to date to detect and block ransomware attacks.
* Conduct thorough vulnerability scanning on networks and devices before allowing remote access or use of sensitive data.
* Educate users about phishing scams, spear-phishing, and other social engineering tactics used by ransomware attackers.
* Implement multi-factor authentication (MFA) whenever possible to prevent unauthorized access to systems and data.
Technical Observables
Intelligence Metadata
Actors / Malware / CVEs / Campaigns
RansomHub, Qilin, INC Ransomware, BlackCat, ALPHV, Cobalt Strike
CVE-2025-5777, CVE-2023-48788, CVE-2024-57727, CVE-2023-3519
Target & Sectors
NORTH_AMERICA
manufacturing, health, legal, technology, healthcare, media
Incident Timeline
August 2023
INC's ransomware-as-a-service operation has evolved into a major threat with 830+ victims since August 2023.
Ravie Lakshmanan
Jun 18, 2026
Vulnerability / Enterprise Security
Cybersecurity researchers have charted the evolution of INC from a nascent ransomware-as-a-service (RaaS) operation to one of the most prolific cybercrime groups in 2026, claiming no less than 830 victims since August 2023.
"The disruption of LockBit and the shutdown of BlackCat created opportunities for INC to expand as affiliates migrated to alternative ransomware operations," Acronis researcher Darrel Virtusio said.
Attacks deploying the ransomware are characterized by the use of an updated credential dumper capable of targeting newer Veeam backup deployments that use the salted DPAPI credential encryption.
INC's Windows and Linux/ESXi encryptors have also been rewritten in Rust to facilitate easier cross-platform development and better resist reverse engineering efforts.
May 2024
Ransomware groups, including those affiliated with INC ransomware, utilize a diverse range of tools and techniques to target victims.
What's more, the sale of INC's Windows and Linux variants on the cybercrime underground in May 2024 has led to the emergence of related ransomware families such as Lynx and Sinobi with "significant code overlap," even as the brand has continued to evolve.
The overall attack chain adopted by the double extortion crew is as follows -
Obtain initial access via a wide range of methods, including spear-phishing, account credentials purchased from IABs, and the exploitation of vulnerabilities in public-facing applications such as Citrix Netscaler (CVE-2023-3519 and CVE-2025-5777), Fortinet EMS (CVE-2023-48788), and SimpleHelp (CVE-2024-57727).
Use living-off-the-land binaries (LOLBins), such as remote desktop protocol (RDP) and PsExec, for lateral movement.
Drop Cobalt Strike, AnyDesk, ScreenConnect, and TeamViewer for command-and-control.
"In their latest campaigns, they continue to target unpatched edge devices for initial access, dump credentials from Veeam backup servers, and use a mix of LOLBins and commercial RMM tools to move through victim networks.
Exfiltrate data of interest using Rclone after staging them as password-protected archives.
late 2025
Incident Topic: Ransomware threat emerges as major ransomware-as-a-service (RaaS) attack in late 2025.
Q1 2026
Threat actors used INC ransomware to target 338+ victims since Q1 2023.
Data compiled by ZeroFox shows that INC ransomware emerged as the fourth most prominent ransomware group in Q1 2026 after Qilin (338), Akira (197), and The Gentlemen (192), accounting for over 120 incidents during the time period.
"And although INC doesn't have that same technical profile on paper as let's say Qilin, its Q1 2026 numbers suggest it's attracting affiliate volume at a competitive rate regardless."
2026/06/17
Researchers with security vendor Acronis published a blog post covering RaaS gang INC, a group that emerged in 2023 and has claimed more than 800 victims to date.
Researchers with security vendor Acronis today published a blog post covering RaaS gang INC, a group that emerged in 2023 and has claimed more than 800 victims to date.
Jun 18, 2026
Threat actors used a ransomware attack tool to target organizations in the Middle East and North Africa region.
2026/06/18
INC Ransomware Emerges as Major RaaS Threat in 2026 with 830+ Victims Since 2023.
Acronis recommends defenders use a 3-2-1 backup rule (keep three copies of data on two different media types and one copy stored offsite); ensure backups are offline or immutable and regularly tested; use endpoint and ransomware protection tools; implement identity and access controls; stay patched; and segment networks.
INC Ransomware Thrives by Mastering the Basics.
INC is a ransomware actor that greatly benefited from the shutdown of ALPHV/BlackCat and the disruption of LockBit; this is an attribute shared with other ascendant gangs like The Gentlemen.
Evidence for the malware's quality lies in its use by other threat actors, as INC source code was sold in 2024 to at least three parties; ransomware actors Lynx and Sinobi are thought to use strains of INC's malware.
INC's malware has two versions, Windows and Linux/ESXi, which have more recently been rewritten in Rust.
INC Masters the Basics
Their intrusion methods include spear-phishing, getting in with valid account credentials through initial access brokers, and exploiting tried-and-tested vulnerabilities such as Citrix Bleed 2 flaw CVE-2025-5777, SimpleHelp RMM bug CVE-2024-57727, Citrix Netscaler vulnerability CVE-2023-3519, and Fortinet EMS bug CVE-2023-48788.
In the first quarter of this year, INC broke into ZeroFox's global top five for the first time, with 124 incidents behind Qilin (338), Akira (197), and The Gentlemen (192), but ahead of Cl0p.
"What makes INC particularly effective is its focus on sectors where disruption creates immediate pressure to restore operations," he says, adding that the group has repeatedly targeted high-profile victims such as Scottish healthcare organization NHS Dumfries & Galloway and Alder Hey Children's Hospital in Liverpool, England.
Discovery is conducted through pings, cmd.exe commands, and established tools such as Advanced IP scanner and netscan.
And according to the Acronis Threat Research Unit (TRU), the group is one of the most active of its kind right now.
It uses EDR killers for evasion, as well as red team and commercial remote access tools for command and control (C2).
Because INC has found success without relying on proprietary tools or novel techniques, Pontiroli says this flexibility lowers the barrier to entry for affiliates and makes the operation easy to scale.
INC's Place in the Threat Landscape, and What You Can Do
Acronis's blog includes YARA rules and indicators of compromise.
Intelligence Sources
Dark Reading, 2026-06-17: INC Ransomware Thrives by Mastering the Basics
The Hacker News, 2026-06-18
Incident Version History
CURRENT VERSION
Last Updated: 2026-06-29T06:11
Comprehensive Tactical Telemetry
Highly Correlated Entities
Count | Category | Label | Value | Type
29x | organisation | Identified Entity | Vulnerability / Enterprise Security | entity
9x | timeline | Temporal Reference | 2026 | date
6x | industry | Targeted Sector | Legal | sector
5x | malware | Malware Payload | INC Ransomware | tool
4x | tactic | Cyber Operation Type | Ransomware | tactic
4x | vulnerability | Exploited CVE | CVE-2023-3519 | cve
2x | target region | Target Country | United States | country
2x | victims | Victims | 830 | victims
2x | general metric | Jun | 18 | jun
2x | infrastructure | Affected Product | Windows | software
2x | general metric | Incidents | 120 | incidents
2x | tactic | MITRE ATT&CK Technique | T1589.001 - Credentials | technique
2x | attribution | Attributing Entity | Acronis | authority
Contextual Telemetry
Context Block
7 METRICS
Category | Label | Value | Type
general metric | % | 65 | %
general metric | Qilin | 338 | qilin
general metric | Akira | 197 | akira
general metric | Gentlemen | 192 | gentlemen
malware | Offensive Tool | Cobalt Strike | tool
financial | Backup Rule | 3 | backup rule
general metric | Backup Rule | 2 | backup rule