{"id":1367,"date":"2026-06-18T17:33:04","date_gmt":"2026-06-18T17:33:04","guid":{"rendered":"https:\/\/thedigitalfortress.us\/?p=1367"},"modified":"2026-06-18T17:33:04","modified_gmt":"2026-06-18T17:33:04","slug":"inc-ransomware-emerges-as-major-raas-threat-in-2026-with-830-victims-since-2023","status":"publish","type":"post","link":"https:\/\/thedigitalfortress.us\/?p=1367","title":{"rendered":"INC Ransomware Emerges as Major RaaS Threat in 2026 with 830+ Victims Since 2023"},"content":{"rendered":"<div>\n<p><span class=\"p-author\"><i class=\"icon-font icon-user\">\ue804<\/i><span class=\"author\">Ravie Lakshmanan<\/span><i class=\"icon-font icon-calendar\">\ue802<\/i><span class=\"author\">Jun 18, 2026<\/span><\/span><span class=\"p-tags\">Vulnerability \/ Enterprise Security<\/span><\/p>\n<\/div>\n<div id=\"articlebody\">\n<p>Cybersecurity researchers have charted the evolution of INC from a nascent ransomware-as-a-service (RaaS) operation to one of the most prolific cybercrime groups in 2026, claiming no fewer than <a href=\"https:\/\/www.ransomware.live\/group\/incransom\">830 victims<\/a> since August 2023.<\/p>\n<p>\u00abThe disruption of LockBit and the shutdown of BlackCat created opportunities for INC to expand as affiliates migrated to alternative ransomware operations,\u00bb Acronis researcher Darrel Virtusio <a href=\"https:\/\/www.acronis.com\/en\/tru\/posts\/from-emerging-threat-to-top-tier-ransomware-as-a-service-the-evolution-of-inc-ransomware\/\">said<\/a>. 
\u00abUnited States organizations account for more than 65% of listed victims, with legal services, manufacturing, construction, technology and health care among the most targeted sectors.\u00bb<\/p>\n<p>INC&#8217;s Windows and Linux\/ESXi encryptors have also been rewritten in Rust to facilitate easier cross-platform development and better resist reverse engineering efforts. Attacks deploying the ransomware are characterized by the use of an updated credential dumper capable of targeting newer Veeam backup deployments that use the salted DPAPI credential encryption.<\/p>\n<p>What&#8217;s more, the sale of INC&#8217;s Windows and Linux variants on the cybercrime underground in May 2024 has led to the emergence of related ransomware families such as Lynx and Sinobi with \u00absignificant code overlap,\u00bb even as the brand has continued to evolve.<\/p>\n<p>\u00abINC ransomware affiliates utilize a diverse range of tools and techniques in targeting victims,\u00bb Acronis said. 
\u00abIn their latest campaigns, they continue to target unpatched edge devices for initial access, dump credentials from Veeam backup servers, and use a mix of LOLBins and commercial RMM tools to move through victim networks.\u00bb<\/p>\n<div class=\"separator\" style=\"clear: both;\"><a href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiqPTGxSXZTN0e0k8D6ScI-T8E25uYwpEY2rAB_YZ4KlV9OrIXParlR-OO6Uk3oagHfyTp4QxuFbbBFAPGljdGrkyAGQNxVDqjisMSA2CoslMIAF3O4cSuX-IMgM7BuuT32JRhoF3kQHEuOBchfnvpjvihPuIdsJEk4esOT3dFQIilekt3LNWAS5VksFF0Y\/s1700-e365\/inc.jpg\" style=\"display: block;  text-align: center; clear: left; float: left;\"><img decoding=\"async\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiqPTGxSXZTN0e0k8D6ScI-T8E25uYwpEY2rAB_YZ4KlV9OrIXParlR-OO6Uk3oagHfyTp4QxuFbbBFAPGljdGrkyAGQNxVDqjisMSA2CoslMIAF3O4cSuX-IMgM7BuuT32JRhoF3kQHEuOBchfnvpjvihPuIdsJEk4esOT3dFQIilekt3LNWAS5VksFF0Y\/s1700-e365\/inc.jpg\" alt=\"\" border=\"0\" data-original-height=\"386\" data-original-width=\"1000\"\/><\/a><\/div>\n<p>The overall attack chain adopted by the double extortion crew is as follows &#8211;<\/p>\n<ul>\n<li>Obtain initial access via a wide range of methods, including spear-phishing, account credentials purchased from IABs, and the exploitation of vulnerabilities in public-facing applications such as Citrix Netscaler (<a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/cve-2023-3519\">CVE-2023-3519<\/a> and <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/cve-2025-5777\">CVE-2025-5777<\/a>), Fortinet EMS (<a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/cve-2023-48788\">CVE-2023-48788<\/a>), and SimpleHelp (<a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/cve-2024-57727\">CVE-2024-57727<\/a>).<\/li>\n<li>Extract sensitive credentials from the compromised environment.<\/li>\n<li>Use living-off-the-land binaries (LOLBins), such as remote desktop protocol (RDP) and PsExec, for lateral movement.<\/li>\n<li>Employ the bring your own vulnerable 
driver (BYOVD) technique using filwfp.sys, filnk.sys, and fildds.sys to impair system defenses.<\/li>\n<li>Drop Cobalt Strike, AnyDesk, ScreenConnect, and TeamViewer for command-and-control.<\/li>\n<li>Exfiltrate data of interest using Rclone after staging them as password-protected archives.<\/li>\n<li>Run the encryptor and speed up the process using techniques like multithreading and partial encryption. The payload features a command-line interface that gives the operator more control during hands-on deployments. When it&#8217;s executed with the \u00ab--esxi\u00bb argument, it attempts to shut down virtual machines.<\/li>\n<\/ul>\n<p>The findings show that ransomware groups can find success and scale up by following widely known techniques without having to lean on advanced tradecraft or bespoke tooling, effectively producing a steady stream of victims spanning various geographies and sectors. 
Data compiled by ZeroFox <a href=\"https:\/\/www.zerofox.com\/intelligence\/q1-2026-ransomware-wrap-up\/\">shows<\/a> that INC ransomware emerged as the fourth most prominent ransomware group in Q1 2026 after Qilin (338), Akira (197), and The Gentlemen (192), accounting for over 120 incidents during the time period.<\/p>\n<p>\u00abINC continues to strengthen its ransomware operation through Rust-based payload rewrites and continuous toolkit enhancement, while carefully targeting industries such as health care, legal services, professional services, manufacturing, and construction where operational downtime creates strong financial pressure to pay,\u00bb Acronis said.<\/p>\n<p>\u00abThis threat is further amplified because these sectors depend heavily on uninterrupted operations and supply chains, increasing the risk of collateral exposure across vendor networks and downstream partners when breaches occur.\u00bb<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Ravie Lakshmanan, Jun 18, 2026. Vulnerability \/ Enterprise Security. Cybersecurity researchers have charted the evolution of INC from a nascent ransomware-as-a-service (RaaS) operation to one of the most prolific cybercrime groups 
in&hellip;<\/p>\n","protected":false},"author":1,"featured_media":1368,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[1126,1117,763,93,171,1340],"class_list":["post-1367","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-emerges","tag-major","tag-raas","tag-ransomware","tag-threat","tag-victims"],"_links":{"self":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/1367","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1367"}],"version-history":[{"count":0,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/1367\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/media\/1368"}],"wp:attachment":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1367"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1367"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1367"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}