Cybersecurity researchers have charted the evolution of INC from an nascent ransomware-as-a-service (RaaS) operation to one of the most prolific cybercrime groups in 2026, claiming no less than 830 victims since August 2023.
“The disruption of LockBit and the shutdown of BlackCat created opportunities for INC to expand as affiliates migrated to alternative ransomware operations,” Acronis researcher Darrel Virtusio said. “United States organizations account for more than 65% of listed victims, with legal services, manufacturing, construction, technology and health care among the most targeted sectors.”
INC’s Windows and Linux/ESXi encryptors have also been rewritten in Rust to facilitate easier cross-platform development and better resist reverse engineering efforts. Attacks deploying the ransomware are characterized by the use of an updated credential dumper capable of targeting newer Veeam backup deployments that use the salted DPAPI credential encryption.
What’s more, the sale of INC’s Windows and Linux variants on the cybercrime underground in May 2024 has led to the emergence of related ransomware families such as Lynx and Sinobi with “significant code overlap,” even as the brand has continued to evolve.
“INC ransomware affiliates utilize a diverse range of tools and techniques in targeting victims,” Acronis said. “In their latest campaigns, they continue to target unpatched edge devices for initial access, dump credentials from Veeam backup servers, and use a mix of LOLBins and commercial RMM tools to move through victim networks.”
The overall attack chain adopted by the double extortion crew is as follows –
- Obtain initial access via a wide range of methods, including spear-phishing, account credentials purchased from IABs, and the exploitation of vulnerabilities in public-facing applications such as Citrix Netscaler (CVE-2023-3519 and CVE-2025-5777), Fortinet EMS (CVE-2023-48788), and SimpleHelp (CVE-2024-57727).
- Extract sensitive credentials from the compromised environment.
- Use living-off-the-land binaries (LOLBins), such as remote desktop protocol (RDP) and PsExec, for lateral movement.
- Employ the bring your own vulnerable drive (BYOVD) technique using filwfp.sys, filnk.sys, fildds.sys to impair system defenses.
- Drop Cobalt Strike, AnyDesk, ScreenConnect, and TeamViewer for command-and-control.
- Exfiltrate data of interest using Rclone after staging them as password-protected archives.
- Run the encryptor and speed up the process using techniques like multithreading and partial encryption. The payload features a command-line interface that gives the operator more control during hands-on deployments. When it’s executed with the “–esxi” argument, it attempts to shut down virtual machines.
The findings show that ransomware groups can find success and scale up by following widely known techniques without having to lean on advanced tradecraft or bespoke tooling, effectively producing a steady stream of victims spanning various geographies and sectors. Data compiled by ZeroFox shows that INC ransomware emerged as the fourth most prominent ransomware group in Q1 2026 after Qilin (338), Akira (197), and The Gentlemen (192), accounting for over 120 incidents during the time period.
“INC continues to strengthen its ransomware operation through Rust-based payload rewrites and continuous toolkit enhancement, while carefully targeting industries such as health care, legal services, professional services, manufacturing, and construction where operational downtime creates strong financial pressure to pay,” Acronis said.
“This threat is further amplified because these sectors depend heavily on uninterrupted operations and supply chains, increasing the risk of collateral exposure across vendor networks and downstream partners when breaches occur.”
