INC Ransomware Thrives by Mastering the Basics

Dark Reading · Archived Jun 18, 2026

And one of those basics is focusing on sectors where a ransomware disruption creates immediate pressure to pay up, like with healthcare.

Alexander Culafi, Senior News Writer, Dark Reading
June 17, 2026

INC is a ransomware group that has excelled in the ransomware-as-a-service (RaaS) space by doing the basics effectively — alongside a bit of good timing.

Researchers with security vendor Acronis today published a blog post covering RaaS gang INC, a group that emerged in 2023 and has claimed more than 800 victims to date. INC is a ransomware actor that greatly benefited from the shutdown of ALPHV/BlackCat and the disruption of LockBit; this is an attribute shared with other ascendant gangs like The Gentlemen.

And according to the Acronis Threat Research Unit (TRU), the group is one of the most active of its kind right now.

On the surface, INC doesn't stand out much. It's a double extortion ransomware actor (meaning it uses encryption and data leaking to get victims to pay up), drawing victims from manufacturing, legal services, healthcare, technology, construction, and educational sectors, among others. The group appears to have a certain preference for organizations with especially sensitive data to add extra extortion pressure.

Santiago Pontiroli, threat intelligence research lead at Acronis, tells Dark Reading that INC's growth can be chalked up to three factors: unusually aggressive victim selection, rapid affiliate scaling, and "a focus on proven intrusion methods that maximize volume rather than technical innovation."

"What makes INC particularly effective is its focus on sectors where disruption creates immediate pressure to restore operations," he says, adding that the group has repeatedly targeted high-profile victims such as Scottish healthcare organization NHS Dumfries & Galloway and Alder Hey Children's Hospital in Liverpool, England. "These types of organizations often hold sensitive data and face significant operational consequences when systems are disrupted, creating strong leverage for extortion."

INC Masters the Basics

INC's intrusion methods include spear-phishing, getting in with valid account credentials through initial access brokers, and exploiting tried-and-tested vulnerabilities such as Citrix Bleed 2 flaw CVE-2025-5777, SimpleHelp RMM bug CVE-2024-57727, Citrix NetScaler vulnerability CVE-2023-3519, and Fortinet EMS bug CVE-2023-48788.

Once they're in, INC uses a fairly vanilla playbook. Discovery is conducted through pings, cmd.exe commands, and established tools such as Advanced IP Scanner and netscan. INC steals credentials through a Base64-encoded script and uses living-off-the-land binaries for lateral movement. It uses EDR killers for evasion, as well as red team and commercial remote access tools for command and control (C2). And INC exfiltrates stolen data by packaging it into archives and uploading them to attacker-controlled cloud storage.

INC's malware has two versions, Windows and Linux/ESXi, which have more recently been rewritten in Rust. Rust is harder to reverse-engineer, and it has historically made it easier for developers to maintain cross-platform code than other programming languages an attacker might use. None of its capabilities — process killing, encryption, credential theft — are particularly novel, but they're functional.

Evidence for the malware's quality lies in its use by other threat actors, as INC source code was sold in 2024 to at least three parties; ransomware actors Lynx and Sinobi are thought to use strains of INC's malware.

Because INC has found success without relying on proprietary tools or novel techniques, Pontiroli says this flexibility lowers the barrier to entry for affiliates and makes the operation easy to scale. The group further benefited from emerging as many other ransomware groups shuttered, and from focusing on sectors and (primarily US-based) organizations where there is far more pressure to pay up.

"If there's one factor that best explains the group's success, it's scalability," Pontiroli says. "INC has shown that a ransomware operation doesn't need novel malware to be effective. Consistently turning common intrusion techniques into a steady stream of victims across high-pressure sectors can be just as powerful."

INC's Place in the Threat Landscape, and What You Can Do

Acronis's blog includes YARA rules and indicators of compromise. Acronis recommends defenders use a 3-2-1 backup rule (keep three copies of data on two different media types and one copy stored offsite); ensure backups are offline or immutable and regularly tested; use endpoint and ransomware protection tools; implement identity and access controls; stay patched; and segment networks.

"Because these affiliates continue to rely on opportunistic tactics such as stolen credentials, phishing, credential reuse and exploitation of unpatched remote services, organizations should prioritize reducing external exposure and securing perimeter access points to limit the risk of intrusion," the blog post read.

Adam Darrah, VP of intelligence at ZeroFox, tells Dark Reading that INC operates alongside other groups that dominate the current threat landscape, such as Akira, Qilin, RansomHub, Play, and Cl0p.

In the first quarter of this year, INC broke into ZeroFox's global top five for the first time, with 124 incidents, behind Qilin (338), Akira (197), and The Gentlemen (192), but ahead of Cl0p.

"INC's trajectory, however, has been uneven — the contraction in late 2025 followed by a Q1 2026 surge probably reflects affiliate churn and re-consolidation rather than sustained organic growth," he says. "And although INC doesn't have that same technical profile on paper as let's say Qilin, its Q1 2026 numbers suggest it's attracting affiliate volume at a competitive rate regardless."
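
The backup recommendations quoted above (3-2-1, offline or immutable, regularly tested) can be checked mechanically against a backup inventory. The following is an added example, not code from Acronis or Dark Reading; the `Copy` fields, the sample inventory and the 90-day restore-test window are assumptions, since the article gives no interval for "regularly tested".

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

MAX_TEST_AGE_DAYS = 90  # assumption: the article says "regularly tested", no interval given

@dataclass
class Copy:
    label: str                         # hypothetical name for this copy
    media: str                         # e.g. "disk", "tape", "object-storage"
    offsite: bool
    protected: bool                    # offline (air-gapped) or immutable (write-once)
    last_restore_test: Optional[date]  # None means never restore-tested

def audit_321(copies, today, max_age=MAX_TEST_AGE_DAYS):
    """Return the list of recommendation clauses this dataset fails."""
    findings = []
    if len(copies) < 3:
        findings.append("fewer than three copies")
    if len({c.media for c in copies}) < 2:
        findings.append("fewer than two media types")
    if not any(c.offsite for c in copies):
        findings.append("no offsite copy")
    protected = [c for c in copies if c.protected]
    if not protected:
        findings.append("no offline or immutable copy")
    # Only a restore test of a protected copy counts: it is the copy meant to survive.
    elif not any(c.last_restore_test and (today - c.last_restore_test).days <= max_age
                 for c in protected):
        findings.append("no recent restore test of a protected copy")
    return findings

# Constructed sample inventory (not from the article); production data counts as copy one.
TODAY = date(2026, 6, 18)
INVENTORY = {
    "ehr-db": [
        Copy("primary-san", "disk", False, False, None),
        Copy("nas-snapshot", "disk", False, False, None),
        Copy("cloud-object-lock", "object-storage", True, True, date(2026, 5, 20)),
    ],
    "pacs-images": [
        Copy("primary-san", "disk", False, False, None),
        Copy("nas-replica", "disk", False, False, date(2026, 6, 1)),
        Copy("vault-tape", "tape", True, True, date(2025, 1, 10)),
    ],
}

def audit_inventory(inventory=INVENTORY, today=TODAY):
    return {name: audit_321(copies, today) for name, copies in inventory.items()}
```

In the sample, `pacs-images` meets the copy, media and offsite counts but still fails, because the only recent restore test was run against an online replica rather than the offline tape.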