INC Ransomware Group Holds Healthcare Hostage in Oceania - Dark Reading

TechTarget and Informa Tech’s Digital Business Combine. Dark Reading Resource Library Black Hat News Omdia Cybersecurity Advertise NEWSLETTER SIGN-UP Cybersecurity Topics World The Edge DR Technology Events Resources THREAT INTELLIGENCE CYBER RISK CYBERATTACKS & DATA BREACHES ICS/OT SECURITY NEWS Breaking cybersecurity news, news analysis, commentary, and other content from around the world, with an initial focus on the Middle East & Africa and the Asia Pacific INC Ransomware Group Holds Healthcare Hostage in Oceania Government agencies, emergency clinics, and others in Australia, New Zealand, and Tonga have had serious run-ins with the prolific ransomware outfit. Nate Nelson,Contributing Writer March 11, 2026 4 Min Read SOURCE: JJ GOUIN VIA ALAMY STOCK PHOTO Cybersecurity authorities in Oceania are warning that the INC ransomware operation has been ripping through healthcare organizations in the region. Healthcare — particularly 24/7 patient care facilities — has always been foremost among targets for ransomware actors, ever since they collectively decided that morality wasn't really their forte. INC embodies this trend, targeting the industry at a higher clip than almost any other ransomware group. In the last couple of years, it has spread those operations globally. On March 6, the Australian Cyber Security Centre (ACSC), the Kingdom of Tonga's National Computer Emergency Response Team (CERT Tonga), and New Zealand's National Cyber Security Centre (NCSC) released a joint advisory about it. It ostensibly covered INC's "targeting of critical networks" in the region, but in practice focused almost entirely on its threat to this one sector. INC Incorporates Oceania Into its Targeting Related:Russia's Forest Blizzard Nabs Rafts of Logins via SOHO Routers Sometimes, organized cybercrime outfits execute full frontal offensives in specific industry verticals or geographic regions, indicating forethought and a clear plan of attack. Last week's advisory paints a picture of a cybercrime outfit that initially had other plans, but gradually realized the opportunity in Oceania's healthcare sector over time. INC's initial focus was in the US and the UK, the authorities noted. Only a year or so into its run, in the summer of 2024, it began targeting Australian companies in the professional services and healthcare industries. That activity seems to have picked up steam in 2025, and expanded into neighboring New Zealand and Tonga. Tonga, in particular, suffered a significant attack at INC's hands, which caused disruptions to national health services. INC Incidents in Australia, New Zealand, and Tonga The ACSC responded to 11 INC ransomware attacks in Australia between July 2024 and December 2025, predominantly affecting either healthcare or professional services companies. Typically in these cases, the attackers got access to victims by purchasing compromised accounts from initial access brokers (IABs). With that said, INC has also been known to spear-phish some of its victims, and exploit known vulnerabilities in Internet-facing devices deployed by others. And because INC uses a ransomware-as-a-service (RaaS) business model, its tactics, techniques, and procedures (TTPs) can vary depending on which affiliate is carrying out any given attack. With an initial foothold, the attackers have moved laterally within Aussie networks, escalating their privileges to the administrator level before deploying their locker and a ransom note. In some cases, they've also exfiltrated personally identifying information (PII) and protected health information (PHI). INC uses legitimate software programs to both compress data and help exfiltrate data from compromised networks. Related:Iran Hacktivists Make Noise but Have Little Impact on War Compared to Australia, the advisory references more diffuse threats to New Zealand, with a variety of opportunistic actors impacting a variety of industries. INC joined the fray in May 2025, when it stole a large amount of data and encrypted a number of servers and endpoint devices at a healthcare organization, and later published the stolen data on its Dark Web leak site. In Tonga, INC skipped over individual facilities and went right for the nation's Ministry of Health (MoH). On June 15, 2025, it disrupted MoH information and communications networks, effectively shutting down core national services. "Attackers don’t scale by local size but by opportunity," Keeper Security CISO Shane Barney points out. "Smaller nations often rely on centralized, resource-constrained infrastructure, which can make them proportionally more vulnerable. They may not see the volume of attacks larger economies face, but even a single successful intrusion can have outsized impact, and incident response capacity may be more limited." Related:EU Sanctions Companies in China, Iran for Cyberattacks Authorities have now identified a specific, named hacker behind the Tonga attack — Roman Khubov, known online as "blackod" — and published a picture of his face. Little is publicly known about Khubov beyond what's briefly stated in the advisory. Standard Mitigations Can Defeat Old TTPs Oceania cyber authorities recommended that organizations interested in defending against the INC ransomware group take appropriately basic cybersecurity precautions, like monitoring and restricting network traffic and remote access, implementing multifactor authentication (MFA) where applicable, and diligently managing software vulnerabilities. "INC is not employing new or cutting-edge tactics to compromise this industry, instead they are using what I refer to as legacy tactics to compromise organizations," says Christopher Hills, chief security strategist at BeyondTrust. "These threat actors are walking right into the environments with valid credentials. This just reinforces several points we have been talking about for years: verify everything, to every resource, control your threat landscape, patch vulnerable systems, stop exposing vulnerable system on the public Web." He thinks that "Groups like INC are exposing that fact that organizations, such as healthcare still haven't plugged common security gaps that most aren't thinking about because they are too hung up on the shiny new object known as artificial intelligence (AI)." Read more about: DR Global Asia Pacific About the Author Nate Nelson Contributing Writer Nate Nelson is a journalist and scriptwriter. He writes for "Darknet Diaries" — the most popular podcast in cybersecurity — and co-created the former Top 20 tech podcast "Malicious Life." Before joining Dark Reading, he was a reporter at Threatpost. Want more Dark Reading stories in your Google search results? ADD US NOW More Insights Industry Reports CISO Survey 2026 The State of Incident Response Readiness AI SOC for MDR: The Structural Evolution of Managed Detection and Response How Enterprises Are Developing Secure Applications KuppingerCole Business Application Risk Management Leadership Compass 2026 CISO AI Risk Report Access More Research Webinars Defending Against AI-Powered Attacks: The Evolution of Adversarial Machine Learning Tips for Managing Cloud Security in a Hybrid Environment? Zero Trust Architecture for Cloud environments: Implementation Roadmap Security in the AI Age Identity Maturity Under Pressure: 2026 Findings and How to Catch Up More Webinars Editor's Choice CYBERSECURITY OPERATIONS RSAC 2026: AI Dominates, But Community Remains Key to Security byKristina Beek,Rob Wright APR 2, 2026 THREAT INTELLIGENCE Axios Attack Shows How Complex Social Engineering Is Industrialized byAlexander Culafi APR 6, 2026 5 MIN READ ICS/OT SECURITY Iranian Threat Actors Disrupt US Critical Infrastructure via Exposed PLCs byElizabeth Montalbano APR 8, 2026 4 MIN READ Want more Dark Reading stories in your Google search results? 2026 Security Trends & Outlooks THREAT INTELLIGENCE Cybersecurity Predictions for 2026: Navigating the Future of Digital Threats JAN 2, 2026 CYBER RISK Navigating Privacy and Cybersecurity Laws in 2026 Will Prove Difficult JAN 12, 2026 ENDPOINT SECURITY CISOs Face a Tighter Insurance Market in 2026 JAN 5, 2026 THREAT INTELLIGENCE 2026: The Year Agentic AI Becomes the Attack-Surface Poster Child JAN 30, 2026 Download the Collection Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox. SUBSCRIBE Webinars Defending Against AI-Powered Attacks: The Evolution of Adversarial Machine Learning MON, MAY 11, 2026 AT 1:00PM ET Tips for Managing Cloud Security in a Hybrid Environment? THURS, MAY 7, 2026 AT 1PM EST Zero Trust Architecture for Cloud environments: Implementation Roadmap TUES, MAY 12, 2026 AT 1PM EST Security in the AI Age TUES, APRIL 28, 2026 AT 1PM EST Identity Maturity Under Pressure: 2026 Findings and How to Catch Up WED, MAY 6,2026 AT 1PM EST More Webinars White Papers How Sunrun Transformed Security Operations with AiStrike Autonomous Pentesting at Machine Speed, Without False Positives Best practices for incident response planning Industry Report: AI, SOC, and Modernizing Cybersecurity The Threat Prevention Buyer's Guide: Find the best AI-driven threat protection solution to stop file-based attacks. Explore More White Papers BLACK HAT ASIA | MARINA BAY SANDS, SINGAPORE Experience cutting-edge cybersecurity insights in this four-day event featuring expert Briefings on the latest research, Arsenal tool demos, a vibrant Business Hall, networking opportunities, and more. Use code DARKREADING for a Free Business Pass or $200 off a Briefings Pass. GET YOUR PASS GISEC GLOBAL 2026 GISEC GLOBAL is the most influential and the largest cybersecurity gathering in the Middle East & Africa, uniting global CISOs, government leaders, technology buyers, and ethical hackers for three power-packed days of innovation, strategy, and live cyber drills. 📌 BOOK YOUR SPACE Discover More Black Hat Omdia Working With Us About Us Advertise Reprints Join Us NEWSLETTER SIGN-UP Follow Us Copyright © 2026 TechTarget, Inc. d/b/a Informa TechTarget. This website is owned and operated by Informa TechTarget, part of a global network that informs, influences and connects the world’s technology buyers and sellers. All copyright resides with them. Informa PLC’s registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. TechTarget, Inc.’s registered office is 275 Grove St. Newton, MA 02466. Home| Cookie Policy| Privacy| Terms of Use Your Privacy Choices