CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership Jun 18, 2026

INC Ransomware Emerges as Major RaaS Threat in 2026 with 830+ Victims Since 2023

The Hacker News Archived Jun 18, 2026 ✓ Full text saved

Cybersecurity researchers have charted the evolution of INC from an nascent ransomware-as-a-service (RaaS) operation to one of the most prolific cybercrime groups in 2026, claiming no less than 830 victims since August 2023. "The disruption of LockBit and the shutdown of BlackCat created opportunities for INC to expand as affiliates migrated to alternative ransomware operations," Acronis

Full text archived locally
✦ AI Summary · Claude Sonnet


    INC Ransomware Emerges as Major RaaS Threat in 2026 with 830+ Victims Since 2023 Ravie LakshmananJun 18, 2026Vulnerability / Enterprise Security Cybersecurity researchers have charted the evolution of INC from an nascent ransomware-as-a-service (RaaS) operation to one of the most prolific cybercrime groups in 2026, claiming no less than 830 victims since August 2023. "The disruption of LockBit and the shutdown of BlackCat created opportunities for INC to expand as affiliates migrated to alternative ransomware operations," Acronis researcher Darrel Virtusio said. "United States organizations account for more than 65% of listed victims, with legal services, manufacturing, construction, technology and health care among the most targeted sectors." INC's Windows and Linux/ESXi encryptors have also been rewritten in Rust to facilitate easier cross-platform development and better resist reverse engineering efforts. Attacks deploying the ransomware are characterized by the use of an updated credential dumper capable of targeting newer Veeam backup deployments that use the salted DPAPI credential encryption. What's more, the sale of INC's Windows and Linux variants on the cybercrime underground in May 2024 has led to the emergence of related ransomware families such as Lynx and Sinobi with "significant code overlap," even as the brand has continued to evolve. "INC ransomware affiliates utilize a diverse range of tools and techniques in targeting victims," Acronis said. "In their latest campaigns, they continue to target unpatched edge devices for initial access, dump credentials from Veeam backup servers, and use a mix of LOLBins and commercial RMM tools to move through victim networks." The overall attack chain adopted by the double extortion crew is as follows - Obtain initial access via a wide range of methods, including spear-phishing, account credentials purchased from IABs, and the exploitation of vulnerabilities in public-facing applications such as Citrix Netscaler (CVE-2023-3519 and CVE-2025-5777), Fortinet EMS (CVE-2023-48788), and SimpleHelp (CVE-2024-57727). Extract sensitive credentials from the compromised environment. Use living-off-the-land binaries (LOLBins), such as remote desktop protocol (RDP) and PsExec, for lateral movement. Employ the bring your own vulnerable drive (BYOVD) technique using filwfp.sys, filnk.sys, fildds.sys to impair system defenses. Drop Cobalt Strike, AnyDesk, ScreenConnect, and TeamViewer for command-and-control. Exfiltrate data of interest using Rclone after staging them as password-protected archives. Run the encryptor and speed up the process using techniques like multithreading and partial encryption. The payload features a command-line interface that gives the operator more control during hands-on deployments. When it's executed with the "--esxi" argument, it attempts to shut down virtual machines. The findings show that ransomware groups can find success and scale up by following widely known techniques without having to lean on advanced tradecraft or bespoke tooling, effectively producing a steady stream of victims spanning various geographies and sectors. Data compiled by ZeroFox shows that INC ransomware emerged as the fourth most prominent ransomware group in Q1 2026 after Qilin (338), Akira (197), and The Gentlemen (192), accounting for over 120 incidents during the time period.  "INC continues to strengthen its ransomware operation through Rust-based payload rewrites and continuous toolkit enhancement, while carefully targeting industries such as health care, legal services, professional services, manufacturing, and construction where operational downtime creates strong financial pressure to pay," Acronis said. "This threat is further amplified because these sectors depend heavily on uninterrupted operations and supply chains, increasing the risk of collateral exposure across vendor networks and downstream partners when breaches occur." Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share SHARE  Credential Theft, Cybercrime, enterprise security, programming, ransomware, ransomware-as-a-service, Rust, Virtualization Security, Vulnerability ⚡ Top Stories This Week Anthropic Releases Claude Fable 5, Its Most Powerful AI Yet, With Cyber Safeguards New GreatXML Exploit Bypasses Windows BitLocker via Recovery Partition XML Files Agentjacking Attack Tricks AI Coding Agents Into Running Malicious Code Critical Splunk Enterprise Flaw Lets Attackers Run Code Without Authentication Microsoft Patches Record 206 Flaws, Including Three Zero-Days and Critical RCE Bugs Researchers Build Self-Replicating AI Worm That Operates Entirely on Local, Open-Weight Models Chrome V8 Zero-Day CVE-2026-11645 Exploited in the Wild - Patch Now China-Linked Hackers Backdoored Linux Login Software to Hide for Nearly a Decade U.S. Orders Anthropic to Suspend Fable 5 and Mythos 5 Access for Foreign Nationals ThreatsDay Bulletin: Worm Code Leaked, AI Agent Phished, Claude Code Patch + 28 New Stories Microsoft Defender RoguePlanet Zero-Day Grants SYSTEM Access on Updated Windows Palo Alto Warns of Active Exploitation of PAN-OS GlobalProtect VPN Flaw Over 400 Arch Linux AUR Packages Hijacked to Deploy Infostealer and eBPF Rootkit Ivanti, Fortinet, and SAP Release Patches for Multiple Critical Vulnerabilities ⚡ Weekly Recap: Chrome 0-Day, UniFi Exploits, macOS Stealers, VPN Flaw and More Cybersecurity Stars Awards 2026: Winners Announced Across 95 Categories Load More ▼ ⭐ Featured Resources AI Can’t Stop Every Attack. Learn How Zero Trust Can Block What’s Unknown [Watch Demo] See Which Security Gaps Attackers Could Exploit First Get the 2026 Guide to Govern and Secure Enterprise AI Agents at Scale Have You Outgrown Your MDR? 7 Warning Signs Every CISO Should Check
    💬 Team Notes
    Article Info
    Source
    The Hacker News
    Category
    ◇ Industry News & Leadership
    Published
    Jun 18, 2026
    Archived
    Jun 18, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗