INC ransomware has rapidly evolved from a relatively new ransomware-as-a-service (RaaS) operation into one of the most active cybercrime groups in 2026, with cybersecurity researchers estimating that it has claimed more than 830 victims worldwide since August 2023. According to findings from Acronis, the group has significantly expanded its reach following the disruption of LockBit and the shutdown of BlackCat, which created opportunities to attract affiliates seeking alternative ransomware platforms. Organizations in the United States account for more than 65 percent of the victims listed by the group, with legal services, manufacturing, construction, technology, and healthcare emerging as the most frequently targeted sectors.
Researchers noted that INC has continued to refine its malware capabilities, including rewriting both its Windows and Linux/ESXi ransomware encryptors in Rust. The transition is believed to support easier cross-platform development while making the malware more resistant to reverse engineering efforts. Acronis researcher Darrel Virtusio stated that the group has also enhanced its credential theft capabilities through an updated credential dumper designed to target newer Veeam backup deployments that use salted DPAPI credential encryption. In addition, the sale of INC’s Windows and Linux ransomware variants on underground cybercrime forums in May 2024 contributed to the emergence of related ransomware families, including Lynx and Sinobi, which researchers say share significant portions of the original code base. Despite the appearance of these offshoots, INC has continued to strengthen and expand its own operations.
The group’s attacks are characterized by a combination of widely used cybercriminal tactics and a growing toolkit that enables affiliates to compromise enterprise environments. According to Acronis, recent campaigns have focused heavily on exploiting unpatched edge devices to gain initial access. Victims have been targeted through spear phishing campaigns, credentials purchased from Initial Access Brokers, and the exploitation of vulnerabilities affecting public-facing applications such as Citrix NetScaler, Fortinet EMS, and SimpleHelp. After gaining access, attackers extract sensitive credentials and move laterally across networks using living-off-the-land tooling such as Remote Desktop Protocol and PsExec. Researchers also observed the use of the bring-your-own-vulnerable-driver (BYOVD) technique, leveraging drivers including filwfp.sys, filnk.sys, and fildds.sys to weaken or disable security defenses. To maintain command-and-control access, affiliates deploy tools such as Cobalt Strike, AnyDesk, ScreenConnect, and TeamViewer before collecting and staging sensitive information for exfiltration through Rclone using password-protected archives.
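For defenders, the chain described above can be turned into a simple correlation rule. The following is an added example, not code from Acronis or from the article: it flags hosts where two or more of the reported stages occur within 24 hours. The Sysmon-style field names, the executable names, the 24-hour window and the sample events are assumptions constructed for illustration.

```python
import ntpath
from collections import defaultdict
from datetime import datetime, timedelta

# Driver file names reported in the article (names only; the article gives no hashes).
BYOVD_DRIVERS = {"filwfp.sys", "filnk.sys", "fildds.sys"}
# Assumption: default executable names of the tools the article lists.
STAGE_BY_IMAGE = {
    "psexesvc.exe": "lateral_movement",
    "anydesk.exe": "remote_access",
    "teamviewer.exe": "remote_access",
    "screenconnect.clientservice.exe": "remote_access",
    "rclone.exe": "exfiltration",
}
# Constructed sample events with Sysmon field names (ID 1 = process creation, ID 6 = driver load).
SAMPLE_EVENTS = [
    {"EventID": 6, "Computer": "WS01", "UtcTime": "2026-01-10 02:00:00", "ImageLoaded": r"C:\Users\Public\filwfp.sys"},
    {"EventID": 1, "Computer": "WS01", "UtcTime": "2026-01-10 02:40:00", "Image": r"C:\ProgramData\rclone.exe"},
    {"EventID": 1, "Computer": "WS02", "UtcTime": "2026-01-10 09:00:00", "Image": r"C:\Program Files\TeamViewer\TeamViewer.exe"},
    {"EventID": 1, "Computer": "SRV03", "UtcTime": "2026-01-10 03:00:00", "Image": r"C:\Windows\PSEXESVC.exe"},
    {"EventID": 1, "Computer": "SRV03", "UtcTime": "2026-01-14 03:00:00", "Image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe"},
]

def classify(event):
    """Map one event to a stage name, or None if it matches nothing in the lists above."""
    if event["EventID"] == 6:
        name = ntpath.basename(event["ImageLoaded"]).lower()
        return "byovd_driver" if name in BYOVD_DRIVERS else None
    if event["EventID"] == 1:
        return STAGE_BY_IMAGE.get(ntpath.basename(event["Image"]).lower())
    return None

def correlate(events, window=timedelta(hours=24), min_stages=2):
    """Return {host: sorted stages} for hosts with >= min_stages distinct stages inside one window."""
    hits = defaultdict(list)
    for ev in events:
        stage = classify(ev)
        if stage:
            hits[ev["Computer"]].append((datetime.fromisoformat(ev["UtcTime"]), stage))
    alerts = {}
    for host, seen in hits.items():
        seen.sort()
        # Slide a window from each hit and keep the one covering the most distinct stages.
        best = max(({s for t, s in seen[i:] if t - seen[i][0] <= window}
                    for i in range(len(seen))), key=len)
        if len(best) >= min_stages:
            alerts[host] = sorted(best)
    return alerts

if __name__ == "__main__":
    print(correlate(SAMPLE_EVENTS))
```

File-name matches are leads for triage rather than verdicts, since binaries can be renamed and the remote-access tools also have legitimate uses; requiring several stages on one host is what keeps a lone TeamViewer session from alerting.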
Once valuable data has been extracted, the attackers deploy the ransomware payload, which incorporates features such as multithreading and partial encryption to accelerate the encryption process. The malware includes a command-line interface that provides operators with greater control during hands-on attacks. When executed with the “--esxi” argument, the ransomware attempts to shut down virtual machines to maximize operational disruption. Researchers said the continued growth of INC highlights how ransomware groups can scale their activities by relying on established attack methods rather than highly sophisticated or custom-built tools. Data from ZeroFox identified INC as the fourth most active ransomware group during the first quarter of 2026, recording more than 120 incidents and trailing only Qilin, Akira, and The Gentlemen. Acronis warned that the threat remains particularly significant for sectors such as healthcare, legal services, professional services, manufacturing, and construction, where operational downtime can create strong financial incentives to meet ransom demands. The researchers also cautioned that attacks against these industries can have broader consequences, increasing the likelihood of exposure across supply chains, vendor ecosystems, and downstream business partners.





