Since August 2023, the INC ransomware-as-a-service (RaaS) operation has rapidly ascended to prominence, amassing over 830 victims. This surge is largely attributed to the dismantling of major ransomware groups like LockBit and BlackCat, which prompted affiliates to seek alternative platforms, with many gravitating towards INC.
INC’s operations have predominantly targeted organizations in the United States, accounting for more than 65% of their listed victims. The sectors most affected include legal services, manufacturing, construction, technology, and healthcare. To enhance its capabilities, INC has transitioned its Windows and Linux/ESXi encryptors to the Rust programming language. This shift not only facilitates cross-platform development but also bolsters resistance against reverse engineering efforts.
In May 2024, INC’s Windows and Linux variants were made available for purchase on cybercrime forums. This commercialization has led to the emergence of related ransomware families, such as Lynx and Sinobi, which share significant code similarities with INC. The group’s affiliates employ a diverse array of tools and techniques to compromise their targets. Recent campaigns have focused on exploiting unpatched edge devices for initial access, extracting credentials from Veeam backup servers, and utilizing a combination of living-off-the-land binaries (LOLBins) and commercial remote monitoring and management (RMM) tools for lateral movement within networks.
The typical attack sequence employed by INC affiliates includes:
- Gaining initial access through methods like spear-phishing, purchasing credentials from initial access brokers (IABs), or exploiting vulnerabilities in public-facing applications such as Citrix NetScaler (CVE-2023-3519 and CVE-2025-5777), Fortinet EMS (CVE-2023-48788), and SimpleHelp (CVE-2024-57727).
- Extracting sensitive credentials from the compromised environment.
- Utilizing LOLBins, such as Remote Desktop Protocol (RDP) and PsExec, for lateral movement.
- Employing the ‘bring your own vulnerable driver’ (BYOVD) technique using drivers like filwfp.sys, filnk.sys, and fildds.sys to disable system defenses.
- Deploying tools like Cobalt Strike, AnyDesk, ScreenConnect, and TeamViewer for command-and-control operations.
- Exfiltrating data using Rclone after staging it as password-protected archives.
- Executing the encryptor, which supports multithreading and partial encryption to expedite the process. When run with the ‘--esxi’ argument, it attempts to shut down virtual machines.
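As an added illustration (not code from the original report), the following Python sketch turns the observable steps of that sequence into simple detection logic run over constructed sample telemetry: it flags loads of the named BYOVD drivers, PsExec use, Rclone execution, and an encryptor launched with the ‘--esxi’ argument. The event layout, host names and file paths are assumptions for the example.

```python
import re

# Constructed sample telemetry (not from the article): one dict per event,
# loosely modelled on Sysmon process-create (id 1) and driver-load (id 6) records.
SAMPLE_EVENTS = [
    {"id": 1, "host": "fs01", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'cmd.exe /c "dir"'},
    {"id": 6, "host": "fs01", "image": r"C:\Users\Public\filwfp.sys",
     "cmdline": ""},
    {"id": 1, "host": "fs01", "image": r"C:\Temp\psexec.exe",
     "cmdline": r"psexec.exe \\srv02 -s cmd.exe"},
    {"id": 1, "host": "fs01", "image": r"C:\Temp\rclone.exe",
     "cmdline": r"rclone.exe copy C:\staging\data.7z remote:bucket"},
    {"id": 1, "host": "esx-mgmt", "image": "/tmp/enc",
     "cmdline": "/tmp/enc --esxi /vmfs/volumes"},
]

# Indicators taken from the TTPs listed above, each mapped to a short label.
BYOVD_DRIVERS = {"filwfp.sys", "filnk.sys", "fildds.sys"}
RULES = [
    ("lateral-movement/psexec", re.compile(r"(^|[\\/])psexec(64)?\.exe", re.I)),
    ("exfiltration/rclone", re.compile(r"(^|[\\/])rclone(\.exe)?\b", re.I)),
    ("impact/encryptor-esxi", re.compile(r"(^|\s)--esxi(\s|$)")),
]

def find_inc_indicators(events):
    """Return (host, label, evidence) tuples for events matching the listed INC TTPs."""
    hits = []
    for ev in events:
        # Basename of the image, normalised so Windows and Linux paths compare alike.
        name = ev["image"].replace("\\", "/").rsplit("/", 1)[-1].lower()
        if ev["id"] == 6 and name in BYOVD_DRIVERS:
            hits.append((ev["host"], "defense-evasion/byovd", ev["image"]))
            continue
        for label, pat in RULES:
            if pat.search(ev["image"]) or pat.search(ev["cmdline"]):
                hits.append((ev["host"], label, ev["cmdline"] or ev["image"]))
                break
    return hits

if __name__ == "__main__":
    for host, label, evidence in find_inc_indicators(SAMPLE_EVENTS):
        print(f"{host}: {label}: {evidence}")
```

A single hit is only a lead; the value comes from correlating several of these stages on one host within a short window, which is what distinguishes the sequence above from routine administrative use of PsExec or Rclone.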
These findings underscore that ransomware groups can achieve significant success by leveraging well-known techniques without relying on advanced tradecraft or custom tools. This approach has enabled them to consistently victimize organizations across various geographies and sectors. Data from ZeroFox indicates that in the first quarter of 2026, INC ransomware was the fourth most active group, following Qilin (338 incidents), Akira (197), and The Gentlemen (192), with over 120 incidents attributed to INC during this period.
INC’s rapid rise highlights the adaptability and resilience of ransomware operations. As law enforcement agencies dismantle existing groups, new ones quickly emerge to fill the void, often utilizing similar tactics and tools. This cycle underscores the importance of robust cybersecurity measures, regular system updates, and comprehensive employee training to mitigate the risk of ransomware attacks.