INC Ransomware Thrives by Mastering the Basics
And one of those basics is focusing on sectors where a ransomware disruption creates immediate pressure to pay up, like with healthcare.
Alexander Culafi, Senior News Writer, Dark Reading
June 17, 2026
4 Min Read
INC is a ransomware group that has excelled in the ransomware-as-a-service (RaaS) space through doing the basics effectively — alongside a bit of good timing.
Researchers with security vendor Acronis today published a blog post covering RaaS gang INC, a group that emerged in 2023 and has claimed more than 800 victims to date. INC is a ransomware actor that greatly benefited from the shutdown of ALPHV/BlackCat and the disruption of LockBit; this is an attribute shared with other ascendant gangs like The Gentlemen.
And according to the Acronis Threat Research Unit (TRU), the group is one of the most active of its kind right now. On the surface, INC doesn't stand out so much. It's a double extortion ransomware actor (meaning it uses encryption and data leaking to get victims to pay up), drawing victims from manufacturing, legal services, healthcare, technology, construction, and educational sectors, among others. The group appears to have a certain preference for organizations with especially sensitive data to add extra extortion pressure.
Santiago Pontiroli, threat intelligence research lead at Acronis, tells Dark Reading that INC's growth can be chalked up to three factors: unusually aggressive victim selection, rapid affiliate scaling, and "a focus on proven intrusion methods that maximize volume rather than technical innovation."
"What makes INC particularly effective is its focus on sectors where disruption creates immediate pressure to restore operations," he says, adding that the group has repeatedly targeted high-profile victims such as Scottish healthcare organization NHS Dumfries & Galloway and Alder Hey Children's Hospital in Liverpool, England. "These types of organizations often hold sensitive data and face significant operational consequences when systems are disrupted, creating strong leverage for extortion."
INC Masters the Basics
Their intrusion methods include spear-phishing, getting in with valid account credentials through initial access brokers, and exploiting tried-and-tested vulnerabilities such as Citrix Bleed 2 flaw CVE-2025-5777, SimpleHelp RMM bug CVE-2024-57727, Citrix NetScaler vulnerability CVE-2023-3519, and Fortinet EMS bug CVE-2023-48788.
Once they're in, INC uses a fairly vanilla playbook. Discovery is conducted through pings, cmd.exe commands, and established tools such as Advanced IP Scanner and netscan. INC steals credentials through a Base64-encoded script and uses living-off-the-land binaries for lateral movement. It uses EDR killers for evasion, as well as red team and commercial remote access tools for command and control (C2). And INC exfiltrates stolen data by packaging it into archives and uploading them to attacker-controlled cloud storage.
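As an added detection sketch for the playbook above (not code from Acronis or Dark Reading), the following scores process-creation events per host and flags a host where discovery tooling, a Base64-encoded script and archive staging all occur within one hour. The binary names, the PowerShell `-enc` pattern, the archiver list and the sample events are assumptions constructed for illustration.

```python
import base64
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed binary names and command-line patterns; the article names only the tools.
DISCOVERY = {"ping.exe", "advanced_ip_scanner.exe", "netscan.exe"}
ARCHIVERS = {"7z.exe", "rar.exe"}
ENC_ARG = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)

def decode_encoded_command(cmdline):
    """Decode a PowerShell -EncodedCommand payload (Base64 of UTF-16LE), else None."""
    m = ENC_ARG.search(cmdline)
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le") if m else None
    except ValueError:  # malformed Base64 or not valid UTF-16LE
        return None

def classify(image, cmdline):
    name = image.lower().rsplit("\\", 1)[-1]
    if name in DISCOVERY:
        return "discovery"
    if name in {"powershell.exe", "pwsh.exe"} and decode_encoded_command(cmdline):
        return "encoded_script"
    return "archive_staging" if name in ARCHIVERS and " a " in cmdline else None

def correlate(events, window=timedelta(hours=1), min_stages=3):
    """Map host -> stages when >= min_stages distinct stages fall inside one window."""
    by_host = defaultdict(list)
    for ts, host, image, cmdline in events:
        stage = classify(image, cmdline)
        if stage:
            by_host[host].append((datetime.fromisoformat(ts), stage))
    alerts = {}
    for host, hits in by_host.items():
        hits.sort()
        for start, _ in hits:
            stages = {s for t, s in hits if timedelta(0) <= t - start <= window}
            if len(stages) >= min_stages:
                alerts[host] = sorted(stages)
                break
    return alerts

SAMPLE_B64 = base64.b64encode("Write-Output constructed-sample".encode("utf-16-le")).decode()
EVENTS = [  # constructed sample process-creation records, not real telemetry
    ("2026-06-01T09:10:00", "ws-17", r"C:\Users\Public\netscan.exe", "netscan.exe"),
    ("2026-06-01T09:20:00", "ws-17", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", f"powershell.exe -nop -enc {SAMPLE_B64}"),
    ("2026-06-01T09:40:00", "ws-17", r"C:\Program Files\7-Zip\7z.exe", r"7z.exe a C:\Temp\out.7z D:\Shares"),
    ("2026-06-01T09:05:00", "ws-22", r"C:\Windows\System32\ping.exe", "ping 10.0.0.1"),
]
```

Each stage on its own is ordinary administrative activity; the signal is the combination on one host in a short window, so the lists and the window need tuning against a local baseline.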
INC's malware has two versions, Windows and Linux/ESXi, which have more recently been rewritten in Rust. Rust binaries are harder to reverse-engineer, and it has historically been easier for developers to maintain cross-platform code in Rust than in other programming languages an attacker might use. None of its capabilities — process killing, encryption, credential theft — are particularly novel, but they're functional. Evidence for the malware's quality lies in its use by other threat actors, as INC source code was sold in 2024 to at least three parties; ransomware actors Lynx and Sinobi are thought to use strains of INC's malware.
Because INC has found success without relying on proprietary tools or novel techniques, Pontiroli says this flexibility lowers the barrier to entry for affiliates and makes the operation easy to scale. The group further benefited from emerging as many other ransomware groups shuttered and from focusing on sectors and (primarily US-based) organizations where there is far more pressure to pay up.
"If there's one factor that best explains the group's success, it's scalability," Pontiroli says. "INC has shown that a ransomware operation doesn't need novel malware to be effective. Consistently turning common intrusion techniques into a steady stream of victims across high-pressure sectors can be just as powerful."
INC's Place in the Threat Landscape, and What You Can Do
Acronis's blog includes YARA rules and indicators of compromise. Acronis recommends defenders use a 3-2-1 backup rule (keep three copies of data on two different media types and one copy stored offsite); ensure backups are offline or immutable and regularly tested; use endpoint and ransomware protection tools; implement identity and access controls; stay patched; and segment networks.
"Because these affiliates continue to rely on opportunistic tactics such as stolen credentials, phishing, credential reuse and exploitation of unpatched remote services, organizations should prioritize reducing external exposure and securing perimeter access points to limit the risk of intrusion," the blog post read.
Adam Darrah, VP of intelligence at ZeroFox, tells Dark Reading that INC operates alongside other groups that dominate the current threat landscape, such as Akira, Qilin, RansomHub, Play, and Cl0p. In the first quarter of this year, INC broke into ZeroFox's global top five for the first time with 124 incidents, behind Qilin (338), Akira (197), and The Gentlemen (192), but ahead of Cl0p.
"INC's trajectory, however, has been uneven — the contraction in late 2025 followed by a Q1 2026 surge probably reflects affiliate churn and re-consolidation rather than sustained organic growth," he says. "And although INC doesn't have that same technical profile on paper as let's say Qilin, its Q1 2026 numbers suggest it's attracting affiliate volume at a competitive rate regardless."
About the Author
Alexander Culafi
Senior News Writer, Dark Reading
Alex is an award-winning writer, journalist, and podcast host based in Boston. After cutting his teeth writing for independent gaming publications as a teenager, he graduated from Emerson College in 2016 with a Bachelor of Science in journalism. He has previously been published on VentureFizz, Search Security, Nintendo World Report, and elsewhere.
At Dark Reading, he covers a variety of cybersecurity topics, including the cybercrime ecosystem, open source security, and the intersection between AI and threat actors. In his spare time, Alex hosts the weekly Nintendo podcast, "Talk Nintendo Podcast," and works on personal writing projects, including two previously self-published science fiction novels.
He has received numerous awards, including TechTarget's Writer of the Year in 2022 as well as more than 10 Azbee awards for his reporting between 2022 and today.