ProBackend
cloud security incidents
1 hour ago5 min read

INC Ransomware: How Operational Discipline Beat Flashy Exploits

INC ransomware emerges as a top-tier RaaS operation by mastering fundamentals—targeting pressured sectors, leveraging timing from competitor shutdowns, and rewriting its malware in Rust—claiming 800+ victims since 2023.

INC doesn’t break new ground—it just does the boring stuff consistently, better than most. That’s the thread connecting an NHS hospital in Scotland, a children’s hospital in Liverpool, and over 800 other victims across six continents. The ransomware-as-a-service group didn’t need zero-day exploits or AI-driven evasion; it needed timing, discipline, and an eye for pressure points where downtime equals desperation. The result? One of the most active RaaS gangs in 2026, ranking in the global top five during Q1 after years of flying under the radar.

In a world obsessed with flash—novel malware, custom tooling, overnight virality—INC proved that a tight playbook executed across dozens of sectors can outlast even the most hyped campaigns. Its rise wasn’t dramatic; it was operational. Here’s what that actually looks like on the ground, and why defenders who treat RaaS as a “commodity” threat do so at their own peril.

The Timing Wasn’t Luck—It Was Strategy

INC emerged in 2023, right as the ransomware ecosystem was rattling under its own weight. LockBit was crumbling, ALPHV/BlackCat was offline, and many smaller crews were scrambling to pivot. The vacuum wasn’t accidental—it was a gap waiting for whoever could show up, act fast, and scale without overpromising.

INC’s playbook didn’t need reinvention. It borrowed from the best, reused what worked, and made sure its infrastructure stayed online long enough for affiliates to strike. According to Acronis Threat Research Unit, this timing gave INC an immediate foothold in markets where competitors had already proven the ROI of attacking hospitals, legal firms, and manufacturers—sectors where operational disruption creates immediate payment pressure.

That’s not to say they were the first. It’s that they were among the few who stayed alive long enough for those early movers to fade out.

Targeting Pressure, Not Just Profit

INC doesn’t chase headlines. It chases constraints.

Think about the NHS Dumfries & Galloway incident in Scotland or Alder Hey Children’s Hospital in Liverpool. Both chose sectors where downtime isn’t just inconvenient—it’s life-or-death. Healthcare, legal services, manufacturing, education: all places where business continuity is measured in hours that could trigger regulatory fines or reputational collapse.

This strategy has payoffs beyond the ransom itself. A stressed IT team is more likely to skip background scanning or delay patching, giving INC more runway during post-entry movement. By targeting organizations with sensitive data and tight recovery windows, the group increases its leverage without needing novel encryption tricks.

That’s a critical nuance for defenders. INC isn’t outsmarting you; it’s just counting on your backups being offline or your segmentation being leaky—which is often true, even in 2026.

The Vanilla Playbook That Works

INC’s intrusion technique is what you’d expect from a mature RaaS: proven, repeatable, and fast.

Its starter pack includes:

  • Spear-phishing lures tailored to specific industries or roles
  • Initial access brokers supplying valid credentials—no brute force needed
  • Known vulnerabilities with public exploits still unpatched:
    • Citrix Bleed (CVE-2025-5777)
    • SimpleHelp RMM (CVE-2024-57727)
    • Citrix Netscaler (CVE-2023-3519)
    • Fortinet EMS (CVE-2023-48788)

Once inside, INC follows a vanilla but effective sequence:

  • Discovery using pings, cmd.exe, and tools like Advanced IP Scanner
  • Credential theft via base64-encoded scripts that avoid detection
  • Living-off-the-land binaries for lateral movement (no custom tools required)
  • EDR killers deployed before encryption begins
  • Red team or commercial RATs for command and control
  • Data exfiltration: archives uploaded to attacker-controlled cloud storage before encryption rolls out

It’s not elegant. It’s not flashy. But it works because many networks already have the holes waiting.

Malware That Scales—No Novelty Required

INC’s ransomware features both Windows and Linux/ESXi payloads, but the real shift came in 2024: a full rewrite in Rust.

Rust isn’t flashy per se, but it solves real operational problems. Cross-platform maintenance becomes simpler—no more maintaining two codebases in different languages. Reverse engineering is harder, slowing down incident responders and security researchers trying to build signatures.

Source code sales weren’t just a profit center—they were strategic. By 2024, INC’s malware had been licensed to at least three parties. Actors like Lynx and Sinobi are believed to operate variants of INC’s tooling, meaning the same initial access vector you see in one incident could reappear weeks later in another campaign.

That’s why treating INC as an isolated threat is dangerous. Its framework has become a rental platform for threat actors who don’t need to build their own infrastructure, only their own branding.

Numbers That Matter: Q1 2026’s Surprise Top-Five Entry

ZeroFox placed INC in its global top five for the first time in Q1 2026, with 124 incidents tracked. Not bad for a group that didn’t make the leaderboard in prior years.

The rankings tell a nuanced story, though:

  • Qilin led with 338 incidents
  • Akira ranked second with 197
  • The Gentlemen came third at 192
  • INC landed fourth at 124
  • Cl0p trailed behind at lower volume

INC’s trajectory isn’t linear. It contracted in late 2025 before surging in Q1 2026. That pattern points to affiliate churn and re-consolidation—not sustained organic growth, but rather a rapid ramp-up once the infrastructure was stable.

Importantly, INC doesn’t need the technical sophistication of Qilin to attract affiliates. It competes on service: rapid payout negotiation, consistent availability, and a distribution channel that works across sectors and geographies.

Defenders Have The Levers—Why They’re Not Always Used

There’s no mystery in defending against INC. The recommendations from Acronis and others are consistent, boring, and repeatable:

  • 3–2–1 backup rule: Three copies, two media types, one offsite (preferably immutable or offline)
  • Regular backup testing, not just restores—simulate ransomware recovery regularly
  • Endpoint and ransomware protection tools tuned for behavior, not just signatures
  • Identity and access controls: principle of least privilege, MFA everywhere
  • Patching discipline, especially for the known CVEs mentioned above
  • Network segmentation to limit lateral movement
  • Perimeter hardening: reduce external exposure, secure remote access points

The gap between knowing and doing is where INC thrives. It’s not that defenders lack playbooks—it’s that they often lack the runway to implement them consistently across 800+ victims’ worth of activity.

If you’re reading this and thinking, our backups aren’t immutable or we haven’t patched that CVE in three years, you’re already in INC’s sweet spot. The group won’t change its tactics to outfox you—it’ll keep doing the boring stuff until your defenses catch up.

More blogs