Experts in cybersecurity have traced the growth of INC from a fledgling ransomware-as-a-service (RaaS) group to one of the most active cybercriminal organizations in 2026, with a staggering 830 victims since August 2023.
“The fall of LockBit and the closure of BlackCat provided opportunities for INC to expand as members of other ransomware groups shifted to alternative operations,” noted Acronis researcher Darrel Virtusio. “Over 65% of the victims listed are based in the United States, with industries like legal services, manufacturing, construction, technology, and healthcare being prime targets.”
INC’s encryptors for Windows and Linux/ESXi have been revamped in Rust to streamline cross-platform development and enhance resistance to reverse engineering. Attacks involving the ransomware also feature an updated credential dumper designed to target newer Veeam backup setups that use salted DPAPI credential encryption.
Furthermore, the release of INC’s Windows and Linux versions on the dark web in May 2024 has spawned similar ransomware variants like Lynx and Sinobi, sharing “significant code similarities,” while the INC brand continues to evolve.

The typical attack chain employed by the double extortion group is outlined below:
- Gain initial access through various methods such as spear-phishing, purchasing account credentials from illegal online marketplaces, and exploiting vulnerabilities in public-facing applications like Citrix Netscaler, Fortinet EMS, and SimpleHelp.
- Extract sensitive credentials from the compromised systems.
- Utilize living-off-the-land binaries (LOLBins) like RDP and PsExec for lateral movement.
- Utilize the bring your own vulnerable driver (BYOVD) technique to bypass system defenses.
- Deploy tools like Cobalt Strike, AnyDesk, ScreenConnect, and TeamViewer for command-and-control purposes.
- Exfiltrate valuable data using Rclone after encrypting it and staging it as password-protected archives.
- Execute the encryptor and expedite the process through techniques like multithreading and partial encryption, with a command-line interface providing operators more control. The encryptor also attempts to shut down virtual machines when run with the “--esxi” argument.

The research indicates that ransomware groups can thrive and expand by employing well-known tactics without the need for advanced methodologies or custom tools, resulting in a steady influx of victims across different industries and regions. Data compiled by ZeroFox reveals that INC ransomware ranked fourth among prominent ransomware groups in Q1 2026, behind Qilin, Akira, and The Gentlemen, with over 120 incidents during that period.
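
Because the chain above leans on well-known tools rather than custom ones, a defender can correlate their appearance per host instead of alerting on each one alone. The following is an added example, not code from Acronis or the original article: it flags hosts where tools from two or more of the listed stages start within one window. The log format, hosts, paths, window and threshold are all assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Stage -> lowercase substrings looked for in a process command line.
# Tool names are the ones the article lists; substring matching is an assumption.
STAGES = {
    "lateral_movement": ("psexec",),
    "command_and_control": ("anydesk", "screenconnect", "teamviewer"),
    "exfiltration": ("rclone",),
}
WINDOW = timedelta(hours=24)  # assumed correlation window
MIN_STAGES = 2                # assumed threshold: distinct stages per window

# Constructed process-creation events; hosts, paths and times are made up.
SAMPLE_LOG = r"""
{"ts": "2026-03-02T09:14:00", "host": "fs01", "cmd": "C:\\Temp\\PsExec64.exe"}
{"ts": "2026-03-02T09:40:00", "host": "fs01", "cmd": "C:\\ProgramData\\AnyDesk.exe"}
{"ts": "2026-03-02T22:05:00", "host": "fs01", "cmd": "C:\\ProgramData\\rclone.exe"}
{"ts": "2026-03-02T10:00:00", "host": "hd02", "cmd": "C:\\Program Files\\TeamViewer\\TeamViewer.exe"}
{"ts": "2026-03-01T10:00:00", "host": "ws07", "cmd": "C:\\Tools\\PsExec.exe"}
{"ts": "2026-03-05T10:00:00", "host": "ws07", "cmd": "C:\\Program Files\\TeamViewer\\TeamViewer.exe"}
{"ts": "2026-03-09T10:00:00", "host": "ws07", "cmd": "C:\\Tools\\rclone.exe"}
"""

def classify(cmd):
    """Return the chain stages whose tool names appear in the command line."""
    low = cmd.lower()
    return [s for s, needles in STAGES.items() if any(n in low for n in needles)]

def correlate(lines):
    """Map host -> sorted stages for hosts reaching MIN_STAGES within WINDOW."""
    hits = defaultdict(list)  # host -> [(timestamp, stage)]
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        for stage in classify(ev["cmd"]):
            hits[ev["host"]].append((datetime.fromisoformat(ev["ts"]), stage))
    alerts = {}
    for host, evs in hits.items():
        evs.sort()
        for start, _ in evs:  # try a window opening at each event
            seen = {s for t, s in evs if start <= t <= start + WINDOW}
            if len(seen) >= MIN_STAGES:
                alerts[host] = sorted(seen)
                break
    return alerts

if __name__ == "__main__":
    print(correlate(SAMPLE_LOG.splitlines()))
```

In the constructed data only `fs01` is flagged: `hd02` shows a single remote-access tool, and the events on `ws07` are spread too far apart to share a window.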
“INC continues to enhance its ransomware operations through Rust-based payload revisions and ongoing toolkit improvements, strategically targeting sectors like healthcare, legal services, professional services, manufacturing, and construction where operational disruptions create financial pressure to meet ransom demands,” highlighted Acronis.
“The threat is compounded as these industries heavily rely on uninterrupted operations and supply chains, elevating the risk of collateral damage across vendor networks and downstream partners in the event of a breach.”

