In 2026, the INC ransomware group has become a formidable threat in the cybercrime landscape, with a staggering 830 confirmed victims since it emerged in August 2023. This rapid rise is attributed to the void left by the disruption of other major ransomware operations, which led affiliates to shift their alliances.
INC’s Expansion in the Cybercrime World
According to research from Acronis, the dismantling of LockBit and BlackCat provided INC with a strategic opportunity to expand its reach. Consequently, the group has targeted a diverse range of sectors, including legal services, technology, healthcare, and manufacturing, with a significant focus on organizations in the United States, which account for over 65% of its targets.
Acronis researcher Darrel Virtusio highlights that INC has enhanced its technical capabilities by rewriting its encryption tools in Rust. This programming language offers cross-platform functionality and strengthens resistance against reverse engineering, making it more challenging for defenders to counter the group's attacks.
Technical Evolution and New Ransomware Families
INC’s Windows and Linux ransomware variants were sold on the cybercrime underground in May 2024, leading to the creation of related ransomware families like Lynx and Sinobi. These families share significant code similarities with INC, indicating a branching out of the original group while maintaining its core characteristics.
INC’s affiliates employ a variety of sophisticated methods to infiltrate networks. Their techniques include exploiting unpatched edge devices, extracting credentials from Veeam backup servers, and using a combination of living-off-the-land binaries (LOLBins) and commercial remote monitoring and management (RMM) tools for lateral movement within victim networks.
Comprehensive Attack Strategies
INC’s attack strategy involves several stages, starting with gaining initial access through spear-phishing, purchasing credentials, or exploiting vulnerabilities in public-facing applications. High-profile vulnerabilities targeted include those found in Citrix NetScaler and Fortinet EMS.
Once inside, attackers extract sensitive data, employ bring-your-own-vulnerable-driver (BYOVD) techniques to bypass system defenses, and utilize tools like Cobalt Strike for command-and-control operations. The final step usually involves encrypting data using multithreading and partial encryption techniques, which are controlled through a command-line interface for precise execution.
INC’s effectiveness demonstrates how ransomware groups can leverage common tactics without relying on advanced techniques to maintain a steady stream of victims. According to ZeroFox, INC was the fourth most prominent ransomware group in early 2026, following Qilin, Akira, and The Gentlemen.
Future Implications and Sector Vulnerabilities
The relentless targeting of sectors like healthcare and manufacturing underscores the financial pressure these industries face due to operational downtime. Acronis warns that the ongoing evolution of INC’s toolkit, alongside its Rust-based payload rewrites, poses an increasing threat to industries heavily reliant on seamless operations.
The interconnected nature of these sectors means that breaches can have widespread consequences, affecting vendor networks and downstream partners. As INC continues to refine its approach, the risk of collateral damage across the supply chain becomes a critical concern for cybersecurity professionals.
