"The disruption of LockBit and the shutdown of BlackCat created opportunities for INC to expand as affiliates migrated to alternative ransomware operations," Acronis researcher Darrel Virtusio said.
INC's rapid growth and victim profile: 830 victims since August 2023
Cybersecurity researchers report that INC has grown from a nascent ransomware-as-a-service (RaaS) operation into one of the most prolific groups active in 2026, claiming at least 830 victims since August 2023. Data cited by the researchers shows that United States organizations account for more than 65% of listed victims. The sectors most often named among its targets are legal services, manufacturing, construction, technology and health care.
Technical evolution: Rust rewrites, cross-platform encryptors and Veeam targeting
INC's encryptors for Windows and Linux/ESXi have been rewritten in Rust, a change the researchers say was made to simplify cross-platform development and to make the binaries harder to reverse engineer. The operation has also deployed an updated credential dumper capable of recovering credentials from newer Veeam backup deployments, which protect stored credentials with salted DPAPI encryption rather than the older unsalted scheme.
Acronis researchers noted that the payload now features a command-line interface giving operators more hands-on control during deployments. When run with the "--esxi" argument, the encryptor attempts to shut down virtual machines; multithreading and partial-encryption techniques are used to accelerate the process.
Attack chain and tools: from public-facing vulnerabilities to BYOVD and Rclone exfiltration
Acronis outlined a consistent attack chain used by INC affiliates. Initial access comes from a range of methods: spear-phishing, credentials purchased from initial access brokers (IABs), and exploitation of vulnerabilities in public-facing applications. Specific CVEs named in incident descriptions include CVE-2023-3519 and CVE-2025-5777 in Citrix NetScaler, CVE-2023-48788 in Fortinet FortiClient EMS, and CVE-2024-57727 in SimpleHelp.
- After access, attackers extract sensitive credentials from the compromised environment.
- Lateral movement relies on living-off-the-land tooling already present or trusted in Windows environments, chiefly Remote Desktop Protocol (RDP) sessions and PsExec, rather than custom malware.
- INC affiliates use a bring-your-own-vulnerable-driver (BYOVD) technique, loading the drivers filwfp.sys, filnk.sys and fildds.sys to impair endpoint defenses.
- Tooling dropped into victim networks includes Cobalt Strike and the legitimate remote-access tools AnyDesk, ScreenConnect and TeamViewer, which serve as command-and-control channels.
- Stolen data is staged into password-protected archives and exfiltrated with Rclone; only then is the encryptor run, completing the double-extortion model.
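Three of the steps above leave distinctive host telemetry: a driver load for one of the named BYOVD drivers, an archiver invoked with an inline password, and an Rclone transfer to a cloud remote. The following detection logic is an added example written for this article, not code from Acronis or from INC's toolkit. It runs over a handful of constructed Sysmon-style events embedded inline (EventID 6 for driver loads, EventID 1 for process creation); the event values are made up for the demo, and the choice of 7-Zip and WinRAR as the archivers is an assumption, since the research only says "password-protected archives".

```python
"""Sample detections for the INC affiliate tradecraft described above.

Added example, not Acronis's or INC's code. Runs offline over a few
constructed Sysmon-style events (field names follow Sysmon's schema;
the values are invented for the demo).
"""
import re
from dataclasses import dataclass

# Driver file names the Acronis research attributes to INC's BYOVD step.
BYOVD_DRIVERS = {"filwfp.sys", "filnk.sys", "fildds.sys"}

# Archivers assumed for the "password-protected archives" step (assumption:
# the article does not name a tool). 7-Zip and WinRAR both take -pPASSWORD;
# WinRAR's -hpPASSWORD also encrypts the file listing.
ARCHIVE_TOOLS = {"7z.exe", "7za.exe", "rar.exe", "winrar.exe"}
ARCHIVE_PASSWORD = re.compile(r"(?:^|\s)-h?p\S+")
ARCHIVE_ACTION = re.compile(r"(?:^|\s)a(?:\s|$)")   # 'a' = add/create archive

# rclone command shape: "<verb> <source> <remote>:<path>". The remote name is
# chosen by the operator, so capture it rather than hard-coding providers.
RCLONE_VERBS = re.compile(r"\b(copy|sync|move|copyto|moveto)\b\s+\S+\s+(\S+?):", re.I)


@dataclass
class Event:
    event_id: int           # Sysmon EventID: 1 = process create, 6 = driver load
    image: str              # path of the process image or of the loaded driver
    command_line: str = ""  # EventID 1 only


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect(ev: Event):
    """Return a finding tag for one event, or None if it is benign."""
    name = basename(ev.image)
    if ev.event_id == 6 and name in BYOVD_DRIVERS:
        return f"byovd_driver_load:{name}"
    if ev.event_id != 1:
        return None
    cmd = ev.command_line
    # Exfil staging: archiver creating an archive with an inline password.
    if name in ARCHIVE_TOOLS and ARCHIVE_ACTION.search(cmd) and ARCHIVE_PASSWORD.search(cmd):
        return f"password_protected_archive:{name}"
    # Rclone exfil. Match on the command shape as well as the image name,
    # because affiliates routinely rename rclone.exe to something innocuous;
    # a renamed copy still needs "--config" to find its remotes.
    m = RCLONE_VERBS.search(cmd)
    if name == "rclone.exe" or (m and "--config" in cmd):
        remote = m.group(2) if m else "?"
        return f"rclone_exfil:{remote}"
    return None


def run(events):
    """Apply detect() to every event and return the non-empty findings in order."""
    return [f for f in (detect(e) for e in events) if f]


# Constructed sample telemetry: one BYOVD load, one archive staging step,
# one renamed rclone, one plain rclone, and two benign events.
SAMPLE_EVENTS = [
    Event(6, r"C:\Windows\Temp\filwfp.sys"),
    Event(1, r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),
    Event(1, r"C:\Tools\7z.exe",
          r'"C:\Tools\7z.exe" a -pX9$k2 -mhe=on C:\Temp\finance.7z D:\Finance'),
    Event(1, r"C:\Users\Public\svchost.exe",
          r"svchost.exe copy C:\Temp\finance.7z mega:finance --config C:\Users\Public\r.conf -q"),
    Event(1, r"C:\Program Files\rclone\rclone.exe",
          r"rclone.exe sync D:\Shares s3:backup-bucket/shares"),
    Event(6, r"C:\Windows\System32\drivers\tcpip.sys"),
]

if __name__ == "__main__":
    for finding in run(SAMPLE_EVENTS):
        print(finding)
```

The driver rule is a plain allow/deny match on file name, which is all the research gives; in production you would key on the driver's hash or signer as well, since the file name is trivially changed. The archive and Rclone rules are deliberately behavioural (command shape, inline password flag) so that renaming the binary does not evade them.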
Commercialization and spin-offs: sale in May 2024 and related families
INC's code and tooling have been commercialized on underground markets. The sale of INC's Windows and Linux variants in May 2024 coincided with the emergence of two related ransomware families, Lynx and Sinobi, which the research describes as having "significant code overlap" with INC. The spread of INC-derived variants shows how a tooling sale can seed new families even while the original brand continues to evolve.
What this means for technologists, policymakers, and affected enterprises
- Technologists and security teams: Expect continued pressure from cross-platform Rust-based payloads and from a credential dumper that specifically targets modern Veeam configurations using salted DPAPI. Patching the named public-facing CVEs should come first; beyond that, monitor for loads of the named BYOVD drivers and for Rclone transfers to cloud storage.
- Policymakers and regulators: The cited shift of affiliates following the disruption of other groups highlights how takedowns and shutdowns can reconfigure criminal markets; regulators tracking systemic risk in critical sectors such as health care and supply chains may see heightened exposure when ransomware groups pursue organizations where downtime creates payment pressure.
- Affected enterprises and procurement leaders: Organizations in professional services, legal, manufacturing and construction should assess downstream vendor exposure and the risk of collateral breach across supplier networks, given the operation’s targeting of sectors with high operational dependency on uninterrupted services.
Data compiled by ZeroFox placed INC as the fourth most prominent ransomware group in Q1 2026 — after Qilin (338 incidents), Akira (197) and The Gentlemen (192) — with INC accounting for over 120 incidents during that quarter. Acronis summed up the operation's trajectory: "INC continues to strengthen its ransomware operation through Rust-based payload rewrites and continuous toolkit enhancement, while carefully targeting industries such as health care, legal services, professional services, manufacturing, and construction where operational downtime creates strong financial pressure to pay."
INC’s rise illustrates a pragmatic lesson: prolific impact can come from iterative engineering and broad adoption of known techniques rather than exotic tradecraft. Whether its momentum continues will depend on how defenders respond to the specific vulnerabilities, tools and commercial dynamics named in these findings — and on how effectively patching, backup hardening and supply-chain scrutiny can cut off the avenues INC affiliates are exploiting.