Healthcare and Services Sectors Under Threat as INC Ransom Campaign Spreads in Australia and New Zealand

Cybersecurity agencies across the Pacific region have raised concerns about the growing activity of the INC Ransom group, a ransomware operation increasingly targeting organizations in Australia, New Zealand, and nearby Pacific Island nations. A joint advisory issued by the Australian Cyber Security Centre (ACSC), New Zealand’s National Cyber Security Centre (NCSC), and Tonga’s National Computer Emergency Response Team (CERT Tonga) highlights how the group’s affiliate-driven ecosystem is expanding and posing a serious threat to regional networks.

The advisory aims to help both technical professionals and general IT defenders understand how the ransomware group operates, the methods its affiliates use to compromise networks, and the defensive measures organizations should adopt to protect themselves. Authorities are encouraging both government agencies and private organizations to review and implement the recommended security practices to reduce exposure to these attacks.


Understanding the INC Ransom Affiliate Model

A key aspect of the INC Ransom operation is its Ransomware-as-a-Service (RaaS) model. This structure allows independent cybercriminal affiliates to deploy the ransomware against victims while the core operators handle negotiations and ransom collection.

The group first emerged around mid-2023 and is believed to be financially motivated. Since then, it has built a network of affiliates who use the ransomware toolkit to attack organizations worldwide. Within this structure:

  • Affiliates perform the initial intrusion and deploy the ransomware.
  • Core operators manage communications with victims and collect ransom payments.

Threat intelligence sources also refer to the group by other names, including Tarnished Scorpion and GOLD IONIC.

Ransomware operations like INC Ransom have become increasingly attractive to cybercriminals because the affiliate model lowers the barrier to entry. Attackers no longer need to build ransomware themselves—they can simply use the tools provided by the service.


Why Healthcare Organizations Are Being Targeted

The advisory notes that the group often targets organizations that store sensitive or high-value data, particularly those operating in the healthcare sector. Healthcare providers are attractive targets because disruptions to their systems can severely impact patient care, which increases the pressure to resolve incidents quickly.

Although INC Ransom previously focused on victims in the United States and the United Kingdom, threat intelligence indicates that since early 2025 the group has increasingly shifted its attention toward Australia, New Zealand, and the Pacific region.


Incidents Linked to INC Ransom in Australia

Cybersecurity authorities in Australia have already documented several incidents associated with the group.

Between July 1, 2024, and December 31, 2025, the ACSC responded to 11 ransomware incidents linked to INC Ransom. These attacks mainly affected organizations in the professional services and healthcare sectors.

Since early 2025, analysts have observed affiliates targeting healthcare entities using compromised user accounts as an entry point. Once inside a network, attackers often:

  1. Escalate privileges by creating administrator-level accounts.
  2. Move laterally through the organization’s systems.
  3. Deploy malicious payloads to expand their control.

In some cases, the ransomware payload was delivered using a file named “win.exe.” Investigators also found evidence that attackers stole sensitive data, including personal and medical records, before initiating the encryption phase of the attack.

Victims typically encounter ransom notes directing them to the group’s Tor-based data leak site, where negotiations and payment instructions are provided.


The Tonga Ministry of Health Incident

One of the most notable incidents attributed to INC Ransom occurred on June 15, 2025, when the ICT environment of Tonga’s Ministry of Health was hit by a ransomware attack. The attack disrupted the country’s healthcare network and made several critical services inaccessible.

During the investigation, CERT Tonga discovered a ransom note linked to INC Ransom embedded within the ministry’s systems. The group later publicly claimed responsibility for the attack on June 26, 2025, through its dark-web data leak site.

When the victim organization refused to pay the ransom, the attackers released the stolen data online. The incident highlighted how ransomware attacks can directly impact essential public services and reinforced concerns about the group’s growing presence in the Pacific region.


How INC Ransom Affiliates Gain Access

Technical analysis by cybersecurity agencies has identified several common techniques used by INC Ransom affiliates to infiltrate networks.

The most frequently observed entry points include:

  • Spear-phishing campaigns targeting employees
  • Exploitation of unpatched internet-facing systems
  • Compromised credentials purchased from access brokers

Once inside the network, attackers often rely on legitimate software tools to blend their activity with normal administrative operations. For example:

  • 7-Zip and WinRAR are used to compress data before exfiltration.
  • The file synchronization tool rclone is frequently used to transfer stolen data outside the victim network.

After data theft is completed, the ransomware is deployed to encrypt systems, and a ransom note is left instructing victims on how to proceed.
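The intrusion chain the advisory describes (a compromised account creating a new administrator, archiving with 7-Zip/WinRAR followed by rclone, then execution of “win.exe”) can be correlated from Windows event logs. The following is an added defender-side example, not code from the advisory or the agencies; the event schema, host names and timestamps are constructed for illustration and assume a JSON-lines export of Security events (4720, 4732) and process-creation events (event ID 1, as Sysmon emits them).

```python
"""Correlate Windows events for the INC Ransom affiliate pattern described in
the advisory: a freshly created account added to Administrators, an archiver
followed by rclone on the same host, and execution of win.exe.
The SAMPLE events below are constructed for illustration (assumed schema)."""
import json
from datetime import datetime, timedelta

ARCHIVERS = {"7z.exe", "7zg.exe", "winrar.exe", "rar.exe"}
WINDOW = timedelta(hours=6)  # how far apart related events may be


def parse(lines):
    """Parse JSON-lines events and return them sorted by timestamp."""
    events = [json.loads(line) for line in lines if line.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"])
    return sorted(events, key=lambda e: e["ts"])


def detect(events):
    """Return (rule, host, detail) findings for the correlated patterns."""
    findings = []
    created = {}   # (host, user) -> time of account creation (4720)
    archived = {}  # host -> time an archiver last started
    for e in events:
        host, eid = e["host"], e["event_id"]
        if eid == 4720:
            created[(host, e["target_user"])] = e["ts"]
        elif eid == 4732 and "administrators" in e["group"].lower():
            t0 = created.get((host, e["member"]))
            if t0 and e["ts"] - t0 <= WINDOW:
                findings.append(("new_account_made_admin", host, e["member"]))
        elif eid == 1:  # process creation; match on the image file name only
            image = e["image"].rsplit("\\", 1)[-1].lower()
            if image in ARCHIVERS:
                archived[host] = e["ts"]
            elif image == "rclone.exe":
                t0 = archived.get(host)
                if t0 and e["ts"] - t0 <= WINDOW:
                    findings.append(("archive_then_rclone", host, e["image"]))
            elif image == "win.exe":
                findings.append(("win_exe_execution", host, e["image"]))
    return findings


SAMPLE = r"""
{"ts":"2025-06-14T22:05:00","host":"FS01","event_id":4720,"target_user":"svc_backup2"}
{"ts":"2025-06-14T22:06:10","host":"FS01","event_id":4732,"group":"Administrators","member":"svc_backup2"}
{"ts":"2025-06-15T00:40:00","host":"FS01","event_id":1,"image":"C:\\Program Files\\7-Zip\\7z.exe"}
{"ts":"2025-06-15T01:10:00","host":"FS01","event_id":1,"image":"C:\\Users\\Public\\rclone.exe"}
{"ts":"2025-06-15T02:00:00","host":"FS01","event_id":1,"image":"C:\\Windows\\Temp\\win.exe"}
{"ts":"2025-06-15T09:00:00","host":"WS07","event_id":1,"image":"C:\\Program Files\\7-Zip\\7z.exe"}
"""

if __name__ == "__main__":
    for rule, host, detail in detect(parse(SAMPLE.splitlines())):
        print(f"{rule:24} {host:6} {detail}")
```

The lone 7-Zip run on WS07 produces no finding, which is the point: each tool is legitimate on its own, so the signal is the sequence on one host within the window.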


Recommended Defensive Measures

To help organizations defend against these attacks, the joint advisory outlines several key security practices.

1. Maintain reliable backups
Organizations should regularly back up critical systems and ensure those backups are stored securely and tested frequently.

2. Implement multi-factor authentication (MFA)
Using phishing-resistant MFA for internet-facing services and privileged accounts can significantly reduce the risk of unauthorized access.

3. Control privileged access
Administrative privileges should be strictly managed. Using unique accounts for administrators helps limit the damage if credentials are compromised.


Regional Collaboration Against Ransomware

The advisory represents an important example of cross-border cybersecurity collaboration among Australia, New Zealand, and Pacific nations. By sharing intelligence and coordinating responses, these agencies aim to better defend against ransomware groups that operate across multiple jurisdictions.

Affiliate-driven ransomware campaigns have dramatically lowered the barrier for cybercriminal activity, enabling attackers to rapidly shift their focus to new geographic regions. INC Ransom’s expansion into the Pacific demonstrates how distributed cybercrime networks can quickly adapt and target new victims.

For organizations in the region, strengthening access controls, monitoring network activity, and maintaining tested incident-response plans are essential steps in minimizing the impact of ransomware attacks.