Since its initial detection in August 2023, the INC Ransomware-as-a-Service (RaaS) operation has transformed from an obscure threat variant into one of the most destructive and scalable cybercrime enterprises in the modern digital threat landscape. By mid-2026, threat telemetry compiled by security researchers confirms that INC has claimed more than 830 unique victims globally. Rather than relying on highly exotic, unprecedented exploits, the group has systematically scaled its operations by mastering foundational tactical execution and exploiting macroeconomic shifts in the cybercrime underground. This operational maturity represents a highly calculated evolution, illustrating how a threat group can achieve multi-million-dollar monetization through operational discipline, refined developer support, and aggressive affiliate acquisition pipelines.

Underground Economics: Affiliate Migration and Industry Targeting Strategy
The meteoric rise of INC Ransomware is fundamentally intertwined with structural disruptions in the broader RaaS ecosystem. The law enforcement takedowns and operational disruptions targeting monolithic operations like LockBit, alongside the sudden cessation of ALPHV/BlackCat, generated a vast market vacuum. Stranded cybercrime affiliates sought out alternative, highly functional infrastructure to sustain their monetization pipelines, heavily fueling the growth of INC Ransomware. Telemetry reveals that by the first quarter of 2026, INC successfully broke into the global top five ransomware groups, ranking fourth with 124 recorded incidents, tracking closely behind Qilin (338), Akira (197), and The Gentlemen (192). Geographically, the threat is heavily concentrated within the United States, which accounts for over 65% of the total listed victims. INC strategically maps its targets to sectors where operational downtime correlates directly to immediate, intolerable financial and legal friction, such as manufacturing, construction, legal services, technology, and healthcare. High-profile incidents involving critical entities—such as the Scottish healthcare organization NHS Dumfries & Galloway and the Alder Hey Children’s Hospital in Liverpool—underscore a deliberate strategy to choose targets where public safety and operational continuity depend on rapid system restoration, heavily driving the urge to pay.
Weaponizing Edge Infrastructure: Initial Access and Vulnerability Exploitation
To establish a foothold within target perimeters, INC Ransomware affiliates combine several initial access vectors rather than relying on a single technical pipeline. The group makes heavy use of Initial Access Brokers (IABs) to purchase pre-compromised corporate credentials, alongside targeted spear-phishing campaigns that harvest administrative credentials. Their primary vector, however, remains the exploitation of unpatched, public-facing edge devices and applications. Affiliates systematically scan for known and emerging vulnerabilities, frequently weaponizing Citrix NetScaler via CVE-2023-3519 and CVE-2025-5777, Fortinet EMS through CVE-2023-48788, and SimpleHelp remote access software using CVE-2024-57727. By capitalizing on these specific software flaws, attackers bypass perimeter defenses to achieve remote code execution (RCE) or arbitrary file upload. This approach minimizes the need for advanced or custom zero-day exploits and instead capitalizes on structural patching delays within mid-to-enterprise-level target infrastructure.
Internal Reconnaissance, Defense Evasion, and Lateral Movement
Once inside the corporate perimeter, INC affiliates follow a pragmatic, highly effective discovery and evasion playbook. Initial asset discovery relies on ordinary diagnostic commands executed through cmd.exe, standard network pings, and widely available tools like Advanced IP Scanner and netscan. To dump credentials without triggering Endpoint Detection and Response (EDR) platforms, the group uses an updated credential dumper specifically optimized to harvest data from modern Veeam backup deployments, bypassing salted Data Protection API (DPAPI) credential encryption. Base64-encoded scripts are also routinely used to extract local authentication secrets. To neutralize host-based security controls, INC relies on the Bring Your Own Vulnerable Driver (BYOVD) technique: by loading legitimate but flawed kernel-mode drivers—specifically filwfp.sys, filnk.sys, and fildds.sys—the operators use their administrative permissions to terminate EDR processes directly from kernel space. Lateral movement across the internal network is then accomplished via Living-off-the-Land Binaries (LOLBins) and administrative utilities, relying on legitimate features like Remote Desktop Protocol (RDP) and PsExec to minimize the risk of behavioral detection. Command and Control (C2) persistence is maintained through a combination of red-team utilities and commercial Remote Monitoring and Management (RMM) software, including Cobalt Strike, AnyDesk, ScreenConnect, and TeamViewer.
Double Extortion and the Rust-Based Payload Architecture
INC Ransomware enforces a strict double-extortion framework, ensuring monetary leverage even if the target possesses functional data backups. Prior to executing the cryptographic payload, target files are identified, consolidated, packaged into password-protected archives, and systematically exfiltrated via Rclone to attacker-controlled cloud storage repositories. The underlying encryption malware has undergone an extensive engineering evolution, transitioning from legacy languages to a unified Rust-based codebase for both its Windows and Linux/ESXi variants. Rust offers a distinct dual advantage: it drastically accelerates multiplatform cross-compilation while generating highly optimized compiled binaries that complicate automated reverse engineering and signature-based detection. The payload is heavily multi-threaded and uses partial encryption to maximize the speed of data destruction, rendering systems unusable before defenders can intervene. The executable also features a robust command-line interface that gives hands-on operators fine-grained control; notably, passing the --esxi argument explicitly triggers commands to identify, unmount, and terminate guest virtual machines running on VMware ESXi hypervisors, extending the blast radius to the virtualization layer on which much of the enterprise depends. The quality and marketability of this architecture were demonstrated when INC’s core source code was sold to at least three independent threat actors on the underground market, giving rise to spin-off ransomware strains like Lynx and Sinobi, which retain significant code overlap.
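As an added illustration of the discovery, BYOVD, exfiltration and RMM tradecraft described in the preceding two sections, the following detection logic (written for this page, not INC's code or any vendor's rule set) scans constructed process and driver-load telemetry for the driver names and tool binaries the text lists and decodes base64-encoded PowerShell command lines. The key=value event format, host names, paths and timestamps are assumptions made for the example.

```python
import base64
import re

# Constructed telemetry in a simplified key=value event format (an assumption, not any vendor's schema).
SAMPLE_EVENTS = [
    r'ts=2026-03-02T10:14:05Z type=process host=WS01 image=C:\Windows\System32\cmd.exe cmdline="cmd.exe /c ipconfig /all"',
    r'ts=2026-03-02T10:15:11Z type=process host=WS01 image=C:\Tools\Advanced_IP_Scanner.exe cmdline="Advanced_IP_Scanner.exe"',
    r'ts=2026-03-02T10:16:40Z type=process host=WS01 image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline="powershell.exe -enc dwBoAG8AYQBtAGkA"',
    r'ts=2026-03-02T11:02:03Z type=driver host=SRV02 image=C:\Windows\Temp\filwfp.sys',
    r'ts=2026-03-02T11:05:27Z type=process host=SRV02 image=C:\ProgramData\rclone.exe cmdline="rclone.exe copy D:\Shares remote:bucket"',
    r'ts=2026-03-02T11:09:55Z type=process host=SRV02 image=C:\Users\Public\AnyDesk.exe cmdline="AnyDesk.exe --silent"',
]
BYOVD_DRIVERS = {"filwfp.sys", "filnk.sys", "fildds.sys"}  # kernel drivers the article names as INC's BYOVD payloads
WATCHED_TOOLS = {"advanced_ip_scanner.exe": "discovery", "netscan.exe": "discovery",  # tooling the article lists
                 "psexec.exe": "lateral-movement", "rclone.exe": "exfiltration",
                 "anydesk.exe": "rmm", "screenconnect.exe": "rmm", "teamviewer.exe": "rmm"}
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
ENC_PS_RE = re.compile(r'-e(?:ncodedcommand|nc|c)?\s+([A-Za-z0-9+/=]{16,})', re.I)

def parse_event(line: str) -> dict:
    """Turn one 'key=value key="quoted value"' line into a dict."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def decode_encoded_powershell(blob: str) -> str:
    """-EncodedCommand is base64 over UTF-16LE; return '' when the blob does not decode."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""

def detect(lines: list) -> list:
    """Return (host, rule, detail) tuples for the tradecraft described in the text."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        host, image, cmd = ev.get("host", "?"), ev.get("image", ""), ev.get("cmdline", "")
        name = image.replace("\\", "/").rsplit("/", 1)[-1].lower()  # basename of the loaded image
        if ev.get("type") == "driver" and name in BYOVD_DRIVERS:
            findings.append((host, "byovd-driver-load", image))
        if name in WATCHED_TOOLS:
            findings.append((host, WATCHED_TOOLS[name], image))
        m = ENC_PS_RE.search(cmd)
        if name == "powershell.exe" and m:  # surface the decoded command so an analyst can triage it
            findings.append((host, "encoded-powershell", decode_encoded_powershell(m.group(1)) or m.group(1)))
    return findings
```

Running detect(SAMPLE_EVENTS) flags five of the six constructed events; the plain cmd.exe ipconfig call is the kind of "vanilla" discovery the text notes is hard to distinguish from administration and is deliberately not matched.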
Mitigating the Threat: Comprehensive Cyber Resilience Frameworks
Defending against a threat as operationally disciplined as INC Ransomware requires abandoning reactive security postures in favor of strict cyber hygiene and architecture hardening. Enterprise defenses must include the rigorous implementation of the 3-2-1 backup strategy, which demands maintaining three total copies of organizational data across two distinct media types, with at least one copy stored strictly offsite. Crucially, backup repositories must be structurally isolated—either completely offline or configured as immutable data storage—to prevent ransomware operators from deleting historical data streams. Furthermore, backups must be subjected to ongoing automated restoration drills to validate recovery times. Organizations must enforce strict network segmentation to limit lateral movement, combine endpoint protection tools with continuous identity and access management controls (such as phishing-resistant multi-factor authentication), and establish rigorous patch management pipelines to close public-facing edge exposures before IABs can exploit them.
Our Opinion on the INC Ransomware Case
The evolution of INC Ransomware offers a profound lesson for modern enterprise cybersecurity: novelty is no longer a prerequisite for devastating cybercriminal success. INC’s trajectory demonstrates that mastering operational scaling and exploiting structural vacuums can create an existential threat just as effectively as a sophisticated zero-day exploit. By transitioning to a Rust-based, multi-threaded codebase and engineering explicit commands like --esxi, the group has optimized its destructive throughput across diverse computing environments. This structural adaptation represents a major paradigm shift for enterprise defense teams globally.
Furthermore, their pragmatic initial access strategy—focusing on well-known edge vulnerabilities like CVE-2023-3519 and CVE-2025-5777—exposes a persistent industry weakness: the failure of organizations to rapidly patch public-facing architecture. What makes INC particularly alarming is its business-centric approach to target selection. By focusing aggressively on high-pressure domains like healthcare, manufacturing, and legal services, INC weaponizes operational downtime as financial leverage. The group’s resilience against law enforcement disruptions targeting competitors highlights an adaptive, corporate-style agility. This operational shift fundamentally redefines the modern corporate threat matrix. Ultimately, INC proves that contemporary ransomware has matured into a highly industrialized software-as-a-service market. Organizations can no longer defend against this threat by looking exclusively for sophisticated technical anomalies; instead, they must harden foundational architecture through strict immutability, zero-trust configurations, and immediate patching protocols.
