ProBackend

The INC Ransomware Playbook: Why Operational Discipline Beats Flashy Exploits

How INC ransomware has become one of 2026's most financially successful operations by mastering the fundamentals — reliable encryption, clean lateral movement, and relentless psychological pressure — rather than chasing novel exploits.

Marcus Wright

Here's something that keeps me up at night, and I've been on the defender side of this fight long enough to know most of the tricks: INC ransomware isn't winning because they're clever. They're winning because they're boring. And in cybersecurity, boring is the most dangerous word in the vocabulary.

While the rest of us chase zero-days, AI-powered phishing, and supply-chain compromises that make for great conference keynotes, INC has been doing the unglamorous work of getting the fundamentals right. Their encryption tools aren't novel. Their initial access vectors aren't cutting-edge. But they deploy them with a level of operational discipline that most threat actor groups — and honestly, too many of our own security teams — simply don't match.

According to Acronis Threat Intelligence, INC has emerged as one of the most financially successful ransomware operations in 2026. Not because they're innovating. Because they execute.

That distinction matters more than most practitioners want to admit.

Ransomware-as-a-Service: The Business Model Behind the Encryption

To understand INC, you have to understand the ecosystem they operate in. Ransomware-as-a-Service — or RaaS — has fundamentally restructured the threat landscape. You no longer need a team of elite reverse engineers or a multi-million dollar infrastructure budget to run a ransomware operation. You need access, motivation, and the willingness to follow a playbook.

INC sits at the high end of that model. They're not your typical affiliate scraping leaked credentials off a forum. They've built something closer to a private equity firm than a criminal gang — structured, patient, and ruthlessly focused on return on investment.

The RaaS model works like this: the parent group develops or licenses the encryption malware, maintains the command-and-control infrastructure, and provides affiliates with access to targeting tools. The affiliates do the actual intrusion work (phishing, vulnerability exploitation, lateral movement) and split the ransom with the parent group. It's efficient. It scales. And it's made ransomware attacks more frequent, more targeted, and significantly harder to defend against with traditional perimeter-based strategies. Many affiliates gain their initial footholds by getting around MFA rather than through malware at all, for instance with device code phishing, where the victim is talked into completing an OAuth device-authorization flow on the attacker's behalf and the attacker walks away with valid tokens without ever capturing a password.

INC's twist on this model is operational quality control. They vet their targets carefully, focusing on organizations with deep pockets and high regulatory exposure — healthcare providers, legal firms, municipal governments. They avoid low-value victims. They don't spray and pray. And that selectivity, combined with their infrastructure resilience, is what separates them from the noise.

The Three Pillars: Precision, Resilience, Pressure

INC's operational model rests on three pillars, and each one deserves its own examination because they reinforce each other in ways that make the overall system far more effective than any single component.

Precision targeting. INC doesn't waste time on organizations that can absorb a ransomware attack without breaking. They look for institutions where downtime equals existential risk — hospitals running on legacy systems, law firms holding privileged client data, cities whose public services depend on digital infrastructure that hasn't been patched since 2019. These organizations can't afford a week-long blackout, and INC knows it. They're not just selling encryption; they're selling panic.

Infrastructure resilience. Their command-and-control architecture is decentralized and frequently rotated. Takedown attempts? Ineffective. Law enforcement pressure? Managed through jurisdictional complexity and operational security that would make a corporate CISO blush. They update their infrastructure consistently, which means even when researchers publish indicators of compromise, INC is already three steps ahead with new domains, new certificates, and new routing. The practical consequence for defenders is that a blocklist of last month's domains and hashes buys very little on its own; detections keyed to behavior, the lateral movement and staged exfiltration this post describes, age far better than any IOC feed.

Psychological pressure. This is where INC really distinguishes themselves. They don't just encrypt your data and wait for you to pay. They leak it in stages. They publish sensitive documents publicly. They name victims on their sites. They amplify reputational damage alongside technical disruption. The goal isn't just to make you want to pay — it's to make you need to pay, quickly, before the next leak drops and your board starts asking questions you can't answer.

The combination is devastating. By the time an organization's incident response team has completed their initial triage, INC has already moved from technical disruption to reputational crisis. Legal counsel gets bypassed. Insurance protocols get ignored. Panic drives decisions that wouldn't happen under normal circumstances.

Why the Basics Beat the Buzzwords

There's a persistent narrative in our industry that the most dangerous threats are the ones we haven't seen before. Novel exploits. Unknown malware families. Attack techniques that bypass every detection rule in the playbook.

INC disproves that narrative with consistent, boring execution.

Their encryption tools are thoroughly tested. They don't deploy unproven code in production environments because they understand that a failed encryption run destroys their credibility and wastes resources. Their lateral movement techniques are clean — they minimize noise, avoid triggering EDR alerts where possible, and move through networks the way a skilled operator would: deliberately, patiently, without rushing.

Compare that to groups that chase the latest exploit kit or build custom malware with flashy capabilities. Those groups often fail at deployment because their tools aren't reliable enough, or they attract attention through aggressive behavior that gives defenders time to respond. INC doesn't have that problem. They're not trying to be the most sophisticated group in the room. They're trying to be the most effective.

This is a lesson that applies beyond threat hunting. Most security programs fail not because they lack advanced tools, but because they neglect the fundamentals: patch management, access control, backup integrity, incident response drills. INC exploits the same gaps we all know about — they just do it better than most of us defend against them.

The Law Firm Problem: Why Privilege Becomes a Liability

Law firms remain one of INC's favorite targets, and for good reason. Attorney-client privilege isn't just a legal concept — it's an operational vulnerability that ransomware groups understand intuitively.

When a law firm gets hit, the pressure to restore operations isn't measured in dollars per minute of downtime. It's measured in ethical obligations, regulatory deadlines, and the potential loss of privileged communications that could expose clients to legal liability. A week-long blackout isn't an inconvenience; it's a malpractice risk.

INC leverages this reality with surgical precision. They know that law firms will pay quickly — not because they're irrational, but because the cost of not paying can be catastrophic. The triage mentality that emerges in these situations leads to suboptimal decisions: paying ransoms without engaging proper legal counsel, bypassing insurance protocols under time pressure, and making recovery choices that leave the organization more vulnerable to follow-on attacks.

This isn't theoretical. The Acronis Threat Intelligence reporting on INC's operations consistently highlights legal services as a high-yield target category. And as long as privileged data remains concentrated in institutions that can't afford disruption, law firms will keep appearing on INC's hit list.

The uncomfortable reality is that many legal organizations haven't updated their security postures to match the threat landscape. They're protecting sensitive data with infrastructure designed for a different era, and INC knows it. The same pattern of institutional targeting that made ShinyHunters' PeopleSoft campaign devastating for universities — exploiting underfunded defenses at organizations holding valuable data — applies directly to how INC selects and pressures its victims.

What Defenders Can Actually Do

I've spent enough time in incident response to know that most security teams are overwhelmed. They're managing alert fatigue, dealing with tool sprawl, and trying to keep up with a threat landscape that evolves faster than their budgets allow. So when I talk about defending against groups like INC, I'm not going to suggest something impractical.

Here's what actually works:

Backup integrity. This sounds almost too simple, but it's the single most effective defense against the encryption half of a ransomware attack. If your backups are offline, immutable, and tested regularly, you remove the primary leverage that ransomware groups have: the threat of weeks of downtime. INC's psychological pressure tactics lose much of their power when you can demonstrate to your board and your customers that restoration is a matter of hours, not weeks. One caveat a practitioner has to keep in front of the board: backups do nothing about the data that has already left. The staged leaks described above are the second lever, and the only answers to that one are limiting what an intruder can reach in the first place and catching the exfiltration before it finishes. And "tested" means a full restore from the immutable copy on a schedule, with file hashes checked against a record the backup system itself cannot rewrite; a backup job that reports success every night is not evidence that the data is intact.
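As an added example (not the post's or Acronis's code), the check below verifies a backup snapshot against a manifest of SHA-256 hashes whose HMAC key lives outside the backup system, so an intruder who can rewrite the backup cannot also hand you a clean manifest. The snapshot layout, file names, the key, and the simulated tampering are all constructed for the demonstration.

```python
# Added example: verify a backup snapshot against an HMAC-protected manifest.
# Not code from the original post. The snapshot layout, file names, key and
# the simulated tampering are constructed for this demonstration.
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path

MANIFEST_NAME = "manifest.json"


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backup archives do not sit in RAM."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot_files(snapshot: Path) -> dict:
    """Map each file's snapshot-relative POSIX path to its SHA-256 (manifest excluded)."""
    return {
        p.relative_to(snapshot).as_posix(): sha256_file(p)
        for p in snapshot.rglob("*")
        if p.is_file() and p.name != MANIFEST_NAME
    }


def write_manifest(snapshot: Path, key: bytes) -> None:
    """Record file hashes and seal them with an HMAC under a key the backup host never holds."""
    files = snapshot_files(snapshot)
    body = json.dumps(files, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    (snapshot / MANIFEST_NAME).write_text(json.dumps({"files": files, "hmac": tag}))


def verify_snapshot(snapshot: Path, key: bytes) -> dict:
    """Check the manifest seal first, then every file against it.

    Returns a report with 'ok', 'tampered_manifest', and the lists of
    missing, modified and extra files relative to the sealed manifest.
    """
    report = {"ok": False, "tampered_manifest": False,
              "missing": [], "modified": [], "extra": []}
    doc = json.loads((snapshot / MANIFEST_NAME).read_text())
    body = json.dumps(doc["files"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, doc["hmac"]):
        # Someone rewrote the manifest without the key: trust nothing in it.
        report["tampered_manifest"] = True
        return report
    actual = snapshot_files(snapshot)
    for rel, digest in doc["files"].items():
        if rel not in actual:
            report["missing"].append(rel)
        elif actual[rel] != digest:
            report["modified"].append(rel)
    report["extra"] = sorted(set(actual) - set(doc["files"]))
    report["ok"] = not (report["missing"] or report["modified"] or report["extra"])
    return report


def demo() -> dict:
    """Build a constructed snapshot, seal it, then simulate tampering and a forged manifest."""
    key = b"manifest-key-held-outside-the-backup-system"  # assumption: fetched from a vault in practice
    with tempfile.TemporaryDirectory() as tmp:
        snap = Path(tmp) / "snapshot-2026-03-14"
        (snap / "db").mkdir(parents=True)
        (snap / "db" / "clients.sql").write_bytes(b"CREATE TABLE clients (id INT);\n")
        (snap / "matters.tar").write_bytes(b"\x00" * 4096)
        write_manifest(snap, key)
        before = verify_snapshot(snap, key)
        # Simulate an encryptor rewriting one file in place and dropping a note.
        (snap / "db" / "clients.sql").write_bytes(os.urandom(64))
        (snap / "README.txt").write_bytes(b"constructed ransom note")
        after = verify_snapshot(snap, key)
        # An intruder who regenerates the manifest without the real key is caught by the HMAC.
        write_manifest(snap, b"wrong-key")
        forged = verify_snapshot(snap, key)
    return {"before": before, "after": after, "forged": forged}


if __name__ == "__main__":
    for stage, result in demo().items():
        print(stage, result)
```

Run it as a scheduled job against the restored copy rather than the live backup target, and keep the key where the backup service account cannot read it. Immutability itself (object lock, WORM storage, offline media) is a property of the storage layer that no script can supply; this check only tells you whether what you restored is what you wrote.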

Access control. Limiting lateral movement isn't just a best practice; it's a survival mechanism. If an attacker can move freely through your network, they can encrypt everything and exfiltrate data before you even know they're there. Segment your networks. Enforce least-privilege access, and treat service accounts as the crown jewels they are: a backup or monitoring account with local admin everywhere is exactly the account an affiliate wants. Monitor for anomalous credential use, in particular one account authenticating over the network to many hosts in a short window, which is what both discovery and an encryption rollout look like in the Windows Security log.
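The following detection, added here as an example and not part of the original post, runs over a handful of constructed Windows Security log lines (event 4624 successful logon and 4625 failed logon, with the logon type) and flags an account that completes network or RDP logons to five or more distinct hosts within ten minutes. The field layout, thresholds, and account and host names are assumptions for the demonstration; tune the window and threshold to your own baseline.

```python
# Added example: flag lateral movement in Windows Security log events.
# Not code from the original post; the log format, account names, hosts and
# thresholds are constructed assumptions for this demonstration.
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample (not real telemetry). One event per line:
# timestamp  event_id  account  source_ip  target_host  logon_type
SAMPLE_LOG = """\
2026-03-14T02:11:05 4624 CORP\\svc_backup 10.0.5.12 FS01 3
2026-03-14T02:11:40 4624 CORP\\svc_backup 10.0.5.12 FS02 3
2026-03-14T02:12:02 4624 CORP\\jsmith 10.0.7.30 HR-WS-04 2
2026-03-14T02:12:55 4624 CORP\\svc_backup 10.0.5.12 DC01 3
2026-03-14T02:13:10 4625 CORP\\svc_backup 10.0.5.12 SQL01 3
2026-03-14T02:13:48 4624 CORP\\svc_backup 10.0.5.12 HR-WS-04 10
2026-03-14T02:14:30 4624 CORP\\svc_backup 10.0.5.12 FIN-WS-11 3
2026-03-14T02:15:12 4624 CORP\\svc_backup 10.0.5.12 SQL01 3
2026-03-14T09:30:00 4624 CORP\\jsmith 10.0.7.30 FS01 3
2026-03-14T14:05:00 4624 CORP\\jsmith 10.0.7.30 FS02 3
"""

SUCCESS_LOGON = "4624"             # failed logons (4625) are a separate signal; not counted here
NETWORK_LOGON_TYPES = {"3", "10"}  # 3 = network (SMB, RPC, WinRM), 10 = RemoteInteractive (RDP)


def parse_event(line: str) -> dict:
    """Split one whitespace-delimited sample line into a typed event."""
    ts, event_id, account, src_ip, host, logon_type = line.split()
    return {"time": datetime.fromisoformat(ts), "event_id": event_id,
            "account": account, "src_ip": src_ip, "host": host, "logon_type": logon_type}


def detect_lateral_movement(lines, window_minutes: int = 10, host_threshold: int = 5) -> dict:
    """Return {account: [hosts]} for accounts with successful network/RDP logons
    to at least host_threshold distinct hosts inside any window_minutes span."""
    events = sorted((parse_event(l) for l in lines if l.strip()), key=lambda e: e["time"])
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)  # account -> sliding window of (time, host)
    flagged = {}
    for ev in events:
        # Interactive console logons (type 2) and failures never count toward the spread.
        if ev["event_id"] != SUCCESS_LOGON or ev["logon_type"] not in NETWORK_LOGON_TYPES:
            continue
        q = recent[ev["account"]]
        q.append((ev["time"], ev["host"]))
        while q and ev["time"] - q[0][0] > window:
            q.popleft()  # drop logons older than the window
        hosts = {host for _, host in q}
        if len(hosts) >= host_threshold:
            flagged.setdefault(ev["account"], set()).update(hosts)
    return {acct: sorted(hosts) for acct, hosts in flagged.items()}


if __name__ == "__main__":
    for account, hosts in detect_lateral_movement(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT {account}: {len(hosts)} hosts in window -> {', '.join(hosts)}")
```

In the sample, the backup service account reaches six hosts in four minutes and is flagged, while the user who logs on to two file servers hours apart is not. In production the same logic belongs in the SIEM, keyed on the domain controller's 4624 stream, with a per-account baseline replacing the fixed threshold so that management hosts and backup servers that legitimately touch everything do not drown the alert.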

Incident response readiness. Most organizations treat their IR plan like a document that sits on a shelf. INC exploits the gap between having a plan and being ready to execute it. Run drills. Test communication channels. Make sure your team knows who makes the call when things go wrong — because in the panic of an active ransomware event, decision-making degrades rapidly without clear protocols. For a deeper look at how modern incident response is evolving beyond manual triage, see our analysis on why cybersecurity IR is pivoting to behavioral AI protections.

Threat intelligence that matters. You don't need every indicator of compromise in the world. You need to know which groups are targeting your industry, what techniques they're using, and how to detect them. INC's operational patterns are well-documented by researchers at Acronis and others — use that information to harden your defenses against the threats you're actually likely to face.

The bottom line: INC thrives because most organizations are still defending against yesterday's threats with yesterday's tools. They don't need to be clever. They just need you to be complacent.

The Benchmark Effect: When Criminal Success Becomes a Template

There's a darker implication to INC's success that doesn't get enough attention. When a ransomware group achieves the kind of financial and operational success that INC has demonstrated, it creates a benchmark for other threat actors. You see it in the cybersecurity industry all the time — what works becomes a template, and the barrier to entry drops even further.

INC's consistent execution has earned them a reputation among other threat actors as a model for success. Not because they use the latest AI tools or the most sophisticated exploits, but because they do the fundamentals better than anyone else. That reputation attracts talent, encourages investment in infrastructure, and creates a feedback loop where their operational discipline becomes even more refined over time.

For defenders, this means the threat landscape isn't static. Groups that were once niche operators can become dominant players simply by getting better at the basics. The ransomware ecosystem is a marketplace, and INC has figured out how to win in it — not through innovation, but through execution excellence.

This is why the conversation about ransomware can't be limited to individual incidents. It's a systemic problem that requires systemic solutions: better backup practices, stronger access controls, more realistic incident response planning, and a willingness to admit that our defenses haven't kept pace with the professionalization of cybercrime.

INC's rise underscores a sobering truth: in cybersecurity, sometimes doing the basics better than anyone else is the most dangerous innovation of all.
