INC ransomware has rapidly evolved from an emerging threat in mid-2023 to one of the most formidable ransomware operations globally. With over 800 victims worldwide, it now ranks among the top ransomware groups this year. Operating under a Ransomware-as-a-Service (RaaS) model, INC recruits affiliates and provides them with ready-made tools to execute attacks on a large scale.
The group’s continuous technical enhancements have made its operations more elusive and capable of targeting a broader spectrum of industries. Initially focusing on healthcare and education sectors, INC has expanded its reach to legal services, manufacturing, construction, and technology. This strategic shift targets industries under regulatory scrutiny, increasing the likelihood of swift ransom payments.
Security analysts have observed significant developments in INC’s arsenal. Both its Windows and Linux/ESXi encryptors have been completely rewritten in Rust, indicating a commitment to cross-platform attack capabilities. Additionally, the group has upgraded its credential theft tools and streamlined its affiliate program to attract new operators.
INC employs a double extortion strategy, combining file encryption with the threat of publicly releasing stolen data. Victims who refuse to pay face not only operational disruptions but also potential exposure of sensitive information on INC’s data leak site, amplifying legal and reputational risks.
Following the disruption of its source code seller in 2024, related ransomware families like Lynx and Knoba have emerged, sharing significant code similarities with INC. This suggests that the original codebase continues to proliferate across various ransomware operations, even as INC advances its campaigns.
INC Ransomware’s Rust-Based Encryptors
A notable advancement in INC’s toolkit is the complete rewrite of its Windows and Linux/ESXi payloads in Rust. This programming language facilitates native cross-platform development, enabling the group to maintain a single codebase while targeting diverse system environments. Rust’s compilation patterns also complicate analysis, as many traditional security tools struggle to quickly identify its binaries.
The updated Windows encryptor now automatically retrieves database connection settings from the registry and utilizes a zero SQL server to target Veeam backup deployments. It includes a fallback encryption routine for newer Veeam versions and formats output for automated parsing, enhancing operational reliability. The Linux/ESXi variant focuses on VMware infrastructure by identifying active volumes and distinguishing between local fixed disks and removable mapped network shares to optimize encryption speed. Both encryptors employ a partial encryption routine based on file size to expedite the process.
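Added example (not from the original article and not derived from any INC sample): because both encryptors encrypt only part of each file, a whole-file entropy check can miss affected files, so this sketch scores fixed-size windows instead. The 4096-byte window, the 7.5 bits/byte threshold, the labels and the sample data are assumptions; the article does not describe INC's actual chunk pattern.

```python
import hashlib
import math
from collections import Counter

WINDOW = 4096      # assumed window size, not taken from any INC sample
THRESHOLD = 7.5    # assumed bits/byte cut-off for "looks encrypted"

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in Counter(data).values())

def high_entropy_windows(data: bytes, window: int = WINDOW) -> list[bool]:
    """Flag each full window whose entropy exceeds THRESHOLD."""
    return [shannon_entropy(data[i:i + window]) > THRESHOLD
            for i in range(0, len(data) - window + 1, window)]

def classify(data: bytes) -> str:
    """Triage label: 'plain', 'mixed' (partial-encryption pattern) or 'uniform-high'."""
    flags = high_entropy_windows(data)
    if not flags or not any(flags):
        return "plain"
    ratio = sum(flags) / len(flags)
    return "uniform-high" if ratio >= 0.9 else "mixed"

def _pseudo_ciphertext(n: int, seed: bytes) -> bytes:
    """Constructed stand-in for encrypted bytes: a SHA-256 counter stream."""
    out = b"".join(hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
                   for i in range(n // 32 + 1))
    return out[:n]

def build_sample(encrypted_every: int) -> bytes:
    """Constructed 16-window file; every Nth window is replaced (0 = none)."""
    text = (b"invoice,2024-01-01,ACME,100.00\n" * 200)[:WINDOW]
    return b"".join(
        _pseudo_ciphertext(WINDOW, bytes([i]))
        if encrypted_every and i % encrypted_every == 0 else text
        for i in range(16))

if __name__ == "__main__":
    for name, every in (("untouched", 0), ("partial", 4), ("full", 1)):
        sample = build_sample(every)
        print(f"{name:10} whole-file={shannon_entropy(sample):.2f} "
              f"windows={classify(sample)}")
```

Legitimate files with embedded compressed content (for example PDFs with images) also score as "mixed", so treat the label as a triage signal to combine with other telemetry rather than a verdict.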
INC’s adoption of Rust for its encryptors reflects a broader trend among ransomware groups seeking to enhance their cross-platform capabilities and evade detection. This development underscores the need for organizations to implement robust, multi-layered security measures and stay vigilant against evolving cyber threats.