How INC Ransomware Quietly Built an Empire of 830 Victims

INC ransomware has claimed over 830 victims since 2023, rising to become the fourth most active group in Q1 2026. The RaaS operation exploits common vulnerabilities, targets high-pressure sectors, and uses Rust-based encryptors without relying on zero-days. Its success stems from affiliate migration and consistent execution of known techniques.
How INC Ransomware Quietly Built an Empire of 830 Victims
Written by Juan Vasquez

INC ransomware has surged from obscurity to one of the most active extortion operations in the ransomware underworld. Since August 2023 the group has listed more than 830 victims on its leak site. The pace shows no sign of slowing.

Researchers first noticed the outfit in mid-2023. By the first quarter of 2026 it ranked fourth among ransomware actors according to data from ZeroFox. Qilin led with 338 incidents followed by Akira at 197 and The Gentlemen with 192. INC accounted for more than 120 attacks in those three months alone. ZeroFox Q1 2026 Ransomware Wrap-Up.

The numbers come as no surprise to those watching affiliate migration patterns. The disruption of LockBit and the shutdown of BlackCat left operators seeking new platforms. INC welcomed them. “The disruption of LockBit and the shutdown of BlackCat created opportunities for INC to expand as affiliates migrated to alternative ransomware operations” said Darrel Virtusio an Acronis researcher. Acronis report on INC ransomware evolution.

More than 65 percent of the victims sit inside the United States. Legal services manufacturing construction technology and health care dominate the target list. These sectors share one trait. Downtime hurts. Executives face immediate pressure to restore systems and protect client data. That pressure often translates into payment.

INC does not rely on novel zero-days or exotic code. It succeeds by executing known techniques at scale. Affiliates buy credentials from initial access brokers. They exploit vulnerabilities in public-facing applications. Citrix NetScaler flaws CVE-2023-3519 and CVE-2025-5777 appear frequently. So do issues in Fortinet EMS tracked as CVE-2023-48788 and SimpleHelp CVE-2024-57727.

Once inside the network the attackers move with purpose. They dump credentials especially from Veeam backup servers using an updated tool that handles salted DPAPI encryption. Lateral movement follows through living-off-the-land binaries such as RDP and PsExec. Commercial remote monitoring tools supplement the toolkit. AnyDesk ScreenConnect and TeamViewer provide command and control alongside Cobalt Strike beacons.

Defense evasion receives attention too. The group deploys bring-your-own-vulnerable-driver attacks. Drivers named filwfp.sys filnk.sys and fildds.sys disable security products. Data exfiltration relies on Rclone after files are compressed into password-protected archives. Encryption comes last. The payload written in Rust supports both Windows and Linux or ESXi environments. Multithreading and partial encryption accelerate the process. A command-line interface gives operators fine control. The –esxi flag even attempts to shut down virtual machines before encryption.

Rust brings advantages. Cross-platform development becomes simpler. Reverse engineering grows harder. The same codebase spawned related families. When INC variants appeared for sale on underground forums in May 2024 researchers soon spotted Lynx and Sinobi. Code overlap stood out. Picus Security analysis of Lynx ransomware.

Recent tracking confirms the momentum. Dragos recorded 52 INC incidents in the first quarter of 2026 focused on manufacturing industrial control systems engineering and government targets. Dragos Industrial Ransomware Analysis Q1 2026. Halcyon noted a burst of activity against law firms with ten claims appearing in a 48-hour window earlier this year. The firm counted 20 legal sector victims claimed by INC in 2026. Halcyon ransomware alert on INC law firm campaign.

Activity trackers paint a similar picture. Ransomware.live shows 811 posts on the INC leak site with 28 added in the past 30 days and seven in the last week. Uptime averages 29 percent over 30 days yet the volume remains steady. The group posts new victims as recently as mid-June 2026.

But success does not come from sophistication alone. Acronis analysts highlight the strategic focus. “INC continues to strengthen its ransomware operation through Rust-based payload rewrites and continuous toolkit enhancement while carefully targeting industries such as health care legal services professional services manufacturing and construction where operational downtime creates strong financial pressure to pay.” The threat grows because these sectors rely on uninterrupted operations and supply chains. A breach at one vendor can ripple downstream.

Dark Reading reached a similar conclusion one day after the Acronis report. The group masters the basics. It combines double extortion with reliable tooling and chooses victims whose pain threshold sits low. No need for bespoke malware when commodity methods deliver consistent results. Dark Reading on INC mastering the basics.

Defenders face a familiar challenge. Patch edge devices. Harden backup infrastructure. Monitor for unusual remote desktop activity. Segment networks to slow lateral movement. Yet many organizations still leave Citrix Fortinet or RDP services exposed. Credentials harvested from prior breaches continue to circulate on forums.

Coalition’s 2026 Cyber Claims Report offers a wider view. Average initial ransom demands jumped 47 percent to more than one million dollars. Eighty-six percent of victim organizations refused to pay. Seventy percent of incidents involved both encryption and data theft which often doubled recovery costs. Coalition 2026 Cyber Claims Report.

INC fits neatly into this pattern. Its affiliates operate with autonomy under the RaaS model. Some specialize in initial access. Others handle deployment and negotiation. The core team maintains the leak site updates the encryptor and collects its cut. This division of labor scales fast.

Recent incidents underscore the reach. A medical group in the Horizon Family Medical network appeared on the leak site this month according to BitSight tracking. Healthcare remains a priority. So does manufacturing where equipment downtime can halt production lines for days.

The group’s adaptability shows in its code. Rewriting in Rust was not flashy. It solved practical problems. Easier maintenance across operating systems. Greater resistance to analysis. Affiliates appreciate tools that just work.

Yet the operation carries risks for victims beyond immediate extortion. Stolen data can fuel identity theft insurance fraud or competitor intelligence. Supply chain partners may face regulatory questions if client records leak. Insurance carriers already push for stricter controls before issuing new policies.

INC shows what happens when timing meets competence. Two larger operations stumbled. Affiliates needed homes. A competent RaaS platform stood ready. The result? Hundreds of breaches. Billions in potential losses. And a model that other groups may copy.

Security teams cannot dismiss the threat as yesterday’s news. The numbers keep climbing. The tactics stay effective. And the pressure on targeted sectors only intensifies. Organizations in legal manufacturing and healthcare would do well to review their exposure today. Tomorrow may bring an unexpected visitor bearing an INC ransom note.

Subscribe for Updates

CybersecurityUpdate Newsletter

The CybersecurityUpdate Email Newsletter is your essential source for the latest in cybersecurity news, threat intelligence, and risk management strategies. Perfect for IT security professionals and business leaders focused on protecting their organizations.

By signing up for our newsletter you agree to receive content related to ientry.com / webpronews.com and our affiliate partners. For additional information refer to our terms of service.

Notice an error?

Help us improve our content by reporting any issues you find.

Get the WebProNews newsletter delivered to your inbox

Get the free daily newsletter read by decision makers

Subscribe
Advertise with Us

Ready to get started?

Get our media kit

Advertise with Us