SecPod
From Emergence to Dominance: INC Ransomware Surpasses 830 Victims and Strengthens Its RaaS Operations

Jun 19, 2026

INC Ransomware has rapidly evolved into one of the most active ransomware-as-a-service (RaaS) operations in 2026, claiming responsibility for more than 830 victims worldwide since its emergence in August 2023. Security researchers attribute its growth to a combination of aggressive affiliate recruitment, opportunistic targeting, and the disruption of major ransomware groups such as ALPHV/BlackCat and LockBit, which created opportunities for newer actors to expand their influence within the cybercrime ecosystem.

INC Ransomware Threat Intelligence Report

Unlike many short-lived ransomware operations, INC has demonstrated sustained operational maturity through double-extortion tactics, cross-platform tooling, and a scalable affiliate-driven business model. The group has consistently targeted organizations across healthcare, manufacturing, education, government, and professional services sectors, making it one of the fastest-growing ransomware threats observed in recent years.

Background

INC Ransomware emerged in August 2023 as a financially motivated cybercriminal operation offering ransomware-as-a-service capabilities to affiliates. Initially operating with relatively low visibility, the group quickly gained momentum following law enforcement actions against several dominant ransomware syndicates.

Researchers assess that INC capitalized on the fragmentation of the ransomware landscape by attracting experienced affiliates displaced from dismantled operations. The group's ability to maintain a consistent attack tempo while expanding its victim portfolio has enabled it to become a significant player within the global ransomware ecosystem.

Vulnerability Details

The internet-facing flaws associated with INC intrusions are listed below. CVSS scores are the vendor-assigned base scores.

CVE ID          | Vulnerability Type                                                              | Affected Product                         | CVSS Score
CVE-2023-3519   | Unauthenticated remote code execution                                           | Citrix NetScaler ADC and Citrix Gateway  | 9.8 (Critical)
CVE-2025-5777   | Out-of-bounds memory read leaking session tokens (session hijacking, "CitrixBleed 2") | Citrix NetScaler ADC and Citrix Gateway  | 9.3 (Critical)
CVE-2023-48788  | SQL injection leading to remote code execution                                  | Fortinet FortiClient EMS                 | 9.3 (Critical)
CVE-2024-57727  | Unauthenticated path traversal (arbitrary file read)                            | SimpleHelp remote support software       | 7.5 (High)

Attack Methodology

Phase 1: Initial Access

Attackers obtain access through compromised credentials, exposed remote services, phishing campaigns, or exploitation of vulnerable internet-facing systems such as the Citrix NetScaler, Fortinet FortiClient EMS, and SimpleHelp appliances listed above.

Phase 2: Reconnaissance

Once inside the environment, operators perform network discovery to identify domain controllers, backup infrastructure, virtualization platforms, file servers, and sensitive business data repositories.

Phase 3: Credential Harvesting

INC actors deploy credential dumping and privilege escalation techniques to gain administrative access and expand their control across the network.

Phase 4: Lateral Movement

The attackers move laterally using legitimate administrative tools and compromised accounts, gaining access to critical systems and high-value assets. Commonly abused technologies include Remote Desktop Protocol (RDP), PowerShell, PsExec, Windows Management Instrumentation (WMI), and remote administration utilities.

Phase 5: Data Exfiltration

Prior to encryption, sensitive data is exfiltrated to attacker-controlled infrastructure. Targeted information typically includes financial records, intellectual property, customer databases, employee information, and legal and operational documents.

Phase 6: Ransomware Deployment

The ransomware payload is deployed across compromised systems, encrypting files and disrupting business operations. Victims receive ransom notes directing them to negotiation portals where operators threaten public disclosure of stolen data if payment demands are not met.

Phase 7: Extortion

Stolen information is published on dedicated leak sites to increase pressure on organizations unwilling to negotiate. This double-extortion strategy has become a core component of INC's operational model and significantly increases victim impact.

MITRE ATT&CK: Tactics and Techniques

Tactic               | ATT&CK ID | Technique
Initial Access       | T1078     | Valid Accounts
Execution            | T1059     | Command and Scripting Interpreter
Persistence          | T1098     | Account Manipulation
Privilege Escalation | T1068     | Exploitation for Privilege Escalation
Credential Access    | T1003     | OS Credential Dumping
Discovery            | T1018     | Remote System Discovery
Lateral Movement     | T1021     | Remote Services
Collection           | T1005     | Data from Local System
Exfiltration         | T1041     | Exfiltration Over C2 Channel

Visual Attack Flow

Initial Access via Stolen Credentials or Vulnerability Exploitation → Internal Network Discovery → Credential Harvesting and Privilege Escalation → Lateral Movement Across Critical Systems → Sensitive Data Collection → Data Exfiltration to External Infrastructure → Enterprise-Wide Ransomware Deployment → File Encryption and Operational Disruption → Ransom Note Delivery → Data Leak Threats and Negotiation Process → Public Leak Site Publication if Payment Is Refused

Mitigation

  1. Enforce Multi-Factor Authentication (MFA): Protect all remote access services, VPNs, privileged accounts, and administrative interfaces.
  2. Eliminate Exposed Services: Restrict public exposure of RDP, VPN gateways, and remote management platforms.
  3. Patch Internet-Facing Systems: Prioritize remediation of critical vulnerabilities in externally accessible applications and appliances.
  4. Implement Network Segmentation: Limit lateral movement opportunities by separating critical infrastructure from user networks.
  5. Monitor for Credential Abuse: Detect unusual authentication activity, privilege escalation attempts, and account misuse.
  6. Secure and Test Backups: Maintain offline and immutable backups and regularly validate recovery procedures.
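The reconnaissance (Phase 2), lateral movement (Phase 4) and credential-abuse monitoring (mitigation 5) points above translate into a small set of log-driven detections. The following Python script is an added example written for this article; it is not SecPod's code and not anything recovered from INC tooling. It runs three rules over constructed Windows Security/System event records (process creation 4688, successful logon 4624, service installation 7045): a burst of distinct Active Directory discovery commands from one user on one host, a single account fanning out to many hosts over network or RDP logons from one source address, and a PsExec-style service installation. The field names, time windows, thresholds and sample events are all assumptions chosen for the example; map them to your own SIEM schema before use.

```python
"""Toy detector for the INC-style intrusion patterns described in the attack
methodology above, run over constructed Windows event records.

Rules (thresholds and windows are assumptions for this example):
  discovery_burst        - several distinct AD/network discovery commands from one
                           user on one host inside 10 minutes (T1018)
  logon_fanout           - one account reaching >= 3 hosts via network/RDP logons
                           from one source IP inside 15 minutes (T1021)
  remote_service_install - PsExec-style service creation on a target host
                           (T1021.002 / T1569.002)
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

DISCOVERY_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"\bnltest\b.*/dclist",                               # enumerate domain controllers
    r"\bnet\s+(view|group|user)\b",                       # net view / net group "Domain Admins"
    r"Get-AD(Computer|DomainController|User|Group)\b",    # RSAT PowerShell cmdlets
    r"\badfind\b",
)]
REMOTE_SERVICE_NAMES = {"PSEXESVC", "WINEXESVC", "REMCOMSVC"}  # PsExec-style service names
REMOTE_LOGON_TYPES = {3, 10}  # 3 = network (SMB/WMI/PsExec), 10 = RemoteInteractive (RDP)

# Constructed sample events (not real telemetry), normalised the way a SIEM would:
# 4688 = process creation, 4624 = successful logon, 7045 = service installed.
SAMPLE_EVENTS = [
    {"ts": "2026-06-01T02:10:01", "host": "WS-042", "event_id": 4688, "user": "jdoe",
     "cmd": "nltest /dclist:corp.local"},
    {"ts": "2026-06-01T02:10:05", "host": "WS-042", "event_id": 4688, "user": "jdoe",
     "cmd": 'net group "Domain Admins" /domain'},
    {"ts": "2026-06-01T02:10:09", "host": "WS-042", "event_id": 4688, "user": "jdoe",
     "cmd": "net view /domain"},
    {"ts": "2026-06-01T02:10:15", "host": "WS-042", "event_id": 4688, "user": "jdoe",
     "cmd": "powershell -ep bypass -c Get-ADComputer -Filter *"},
    {"ts": "2026-06-01T02:31:00", "host": "FS-01", "event_id": 4624, "user": "svc_backup",
     "logon_type": 10, "src_ip": "10.0.5.42"},
    {"ts": "2026-06-01T02:33:00", "host": "DC-01", "event_id": 4624, "user": "svc_backup",
     "logon_type": 3, "src_ip": "10.0.5.42"},
    {"ts": "2026-06-01T02:34:00", "host": "HV-02", "event_id": 4624, "user": "svc_backup",
     "logon_type": 3, "src_ip": "10.0.5.42"},
    {"ts": "2026-06-01T02:35:00", "host": "BK-01", "event_id": 4624, "user": "svc_backup",
     "logon_type": 10, "src_ip": "10.0.5.42"},
    {"ts": "2026-06-01T02:36:10", "host": "DC-01", "event_id": 7045, "user": "svc_backup",
     "service_name": "PSEXESVC", "image": "%SystemRoot%\\PSEXESVC.exe"},
    {"ts": "2026-06-01T09:00:00", "host": "WS-007", "event_id": 4624, "user": "asmith",
     "logon_type": 2, "src_ip": "-"},  # benign local console logon, must not fire
]


def window_hits(points, window, threshold):
    """points: iterable of (datetime, value). Return (start_time, values) for the
    first window of length `window` holding >= threshold distinct values, else None."""
    points = sorted(points)
    for i, (start, _) in enumerate(points):
        seen = {value for t, value in points[i:] if t - start <= window}
        if len(seen) >= threshold:
            return start, seen
    return None


def detect(events, discovery_threshold=3, fanout_threshold=3):
    """Run the three rules over normalised event dicts and return a list of alerts."""
    alerts = []
    discovery = defaultdict(list)  # (host, user) -> [(ts, command)]
    logons = defaultdict(list)     # (user, src_ip) -> [(ts, target host)]
    for e in events:
        ts = datetime.fromisoformat(e["ts"])
        eid = e["event_id"]
        if eid == 4688 and any(p.search(e.get("cmd", "")) for p in DISCOVERY_PATTERNS):
            discovery[(e["host"], e["user"])].append((ts, e["cmd"]))
        elif eid == 4624 and e.get("logon_type") in REMOTE_LOGON_TYPES:
            logons[(e["user"], e["src_ip"])].append((ts, e["host"]))
        elif eid == 7045 and e.get("service_name", "").upper() in REMOTE_SERVICE_NAMES:
            alerts.append({"rule": "remote_service_install", "technique": "T1021.002",
                           "entity": e["host"],
                           "detail": f"{e['user']} installed service {e['service_name']}"})
    for (host, user), pts in discovery.items():
        hit = window_hits(pts, timedelta(minutes=10), discovery_threshold)
        if hit:
            alerts.append({"rule": "discovery_burst", "technique": "T1018",
                           "entity": f"{user}@{host}", "detail": "; ".join(sorted(hit[1]))})
    for (user, src), pts in logons.items():
        hit = window_hits(pts, timedelta(minutes=15), fanout_threshold)
        if hit:
            alerts.append({"rule": "logon_fanout", "technique": "T1021",
                           "entity": f"{user} from {src}", "detail": ",".join(sorted(hit[1]))})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"[{alert['rule']}] {alert['technique']} {alert['entity']}: {alert['detail']}")
```

On the sample data the script raises three alerts: the discovery burst on WS-042, the service account reaching four servers (including the domain controller and backup host) from one workstation address within five minutes, and the PSEXESVC installation on DC-01. The benign console logon is ignored. Tune the thresholds to your environment: backup and monitoring accounts legitimately touch many hosts, so the fan-out rule is best paired with an allow-list of expected source addresses per service account.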

Instantly Fix Risks with Saner Patch Management

Saner Patch Management is continuous, automated, and integrated patching software that fixes vulnerabilities being exploited in the wild. It supports major operating systems, including Windows, Linux, and macOS, as well as 550+ third-party applications.

It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. Saner patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.

Experience the fastest and most accurate patching software here.