In a threat landscape increasingly defined by AI-assisted exploits and sophisticated supply chain attacks, the INC ransomware group has carved out a formidable position by doing the opposite of innovating: it masters the basics and targets sectors where the basics are catastrophically effective.
Active since at least mid-2023, INC has accumulated a growing victim roster that skews heavily toward healthcare, education, and government: organisations that share one decisive weakness, in that they cannot afford to be offline. That operational pressure, not technical sophistication, is INC's primary weapon.
How INC Operates
INC's initial access playbook largely mirrors that of the broader ransomware-as-a-service (RaaS) ecosystem. Observed intrusion vectors include:
- Phishing campaigns targeting employees with credential-harvesting lures
- Exploitation of public-facing vulnerabilities in VPN appliances and remote desktop services
- Purchased credentials sourced from infostealer marketplaces such as Russian Market and 2easy
Once inside, INC operators move laterally with discipline, relying on living-off-the-land binaries (LOLBins) and standard administration tools such as WMI, PowerShell, and PsExec rather than custom malware, so that their activity blends in with routine administrative work and is less likely to trip endpoint detection. The group is notably patient: it spends time enumerating the network and locating backup infrastructure before detonating the ransomware, so that recovery options are already gone when encryption starts.
The encryption payload targets a broad range of file types and deliberately terminates processes and services associated with backup software, antivirus engines, and databases. Each serves the same goal: stopping a database releases the file locks that would otherwise keep its data files out of the encryptor's reach, stopping backup agents prevents a restore or snapshot job from running alongside the attack, and stopping security tools removes the last chance of an automated interruption.
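The tradecraft above is low-tech, which is exactly why it is detectable in ordinary Windows telemetry. As an added example (not from the original article, and not INC's own tooling or any vendor's rule set), the following Python runs four heuristic detections over a handful of constructed, simplified Windows/Sysmon-style events: a PsExec service install (PSEXESVC), a shell spawned by the WMI provider host, an encoded PowerShell command (decoded so the real intent is visible), and mass termination of backup, antivirus and database services aggregated per host. The event field names, the service-name hint list and the sample events are all assumptions made for illustration.

```python
"""Heuristic detections for the lateral-movement and pre-encryption
behaviour described above. Events are constructed, simplified
Windows/Sysmon-style records (assumed field names), not real logs."""
import base64
import re
from collections import defaultdict

# Fragments of service/process names an encryptor typically stops first.
# Assumption: an illustrative list, not any specific family's kill list.
PROTECTED_SERVICE_HINTS = (
    "veeam", "vss", "sql", "oracle", "exchange", "sophos",
    "defend", "sense", "crowdstrike", "csagent",
)
KILL_CMD = re.compile(r"\b(net\s+stop|sc\s+stop|taskkill)\b", re.I)
# -e, -ec, -enc and -EncodedCommand are all accepted by powershell.exe.
ENC_FLAG = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)
MASS_KILL_THRESHOLD = 3  # distinct protected services hit on one host


def decode_encoded_powershell(cmdline):
    """Return the decoded script behind -EncodedCommand, or None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:  # PowerShell encodes the script as base64 over UTF-16LE
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def detect(events):
    """Return (rule, host, detail) findings over a list of event dicts.

    Assumed keys: event_id, host, image, parent_image, cmdline,
    service_name. Missing keys are treated as empty strings."""
    findings = []
    kills = defaultdict(set)  # host -> protected services targeted
    for e in events:
        host = e.get("host", "")
        image = e.get("image", "").lower()
        parent = e.get("parent_image", "").lower()
        cmd = e.get("cmdline", "")
        svc = e.get("service_name", "").lower()

        # 1. PsExec pushes a service named PSEXESVC onto the target host
        #    (System event 7045, service installed).
        if e.get("event_id") == 7045 and ("psexesvc" in svc or "psexesvc" in image):
            findings.append(("psexec_service_install", host, svc or image))

        # 2. Remote WMI execution: the WMI provider host spawns a shell.
        if parent.endswith("wmiprvse.exe") and image.endswith(("cmd.exe", "powershell.exe")):
            findings.append(("wmi_spawned_shell", host, cmd))

        # 3. Encoded PowerShell: decode and record what actually ran.
        decoded = None
        if image.endswith(("powershell.exe", "pwsh.exe")):
            decoded = decode_encoded_powershell(cmd)
        if decoded is not None:
            findings.append(("encoded_powershell", host, decoded.strip()))
            cmd = cmd + " " + decoded  # let rule 4 inspect the decoded body

        # 4. Backup/AV/DB service termination, aggregated per host so that
        #    a single "net stop" is noise but a sweep is an alert.
        if KILL_CMD.search(cmd):
            low = cmd.lower()
            for hint in PROTECTED_SERVICE_HINTS:
                if hint in low:
                    kills[host].add(hint)

    for host, targets in kills.items():
        if len(targets) >= MASS_KILL_THRESHOLD:
            findings.append(("mass_service_kill", host, ",".join(sorted(targets))))
    return findings


# Constructed sample events: one benign workstation event, then a PsExec
# push, a WMI-spawned shell and an encoded PowerShell sweep on a backup
# server. The encoded payload is built here so the sample is self-contained.
_ENCODED = base64.b64encode(
    "net stop MSSQLSERVER; net stop Sophos".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"event_id": 1, "host": "WS-042", "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "cmd.exe /c whoami"},
    {"event_id": 7045, "host": "SRV-BACKUP01", "service_name": "PSEXESVC",
     "image": r"%SystemRoot%\PSEXESVC.exe"},
    {"event_id": 1, "host": "SRV-BACKUP01", "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "cmdline": 'cmd.exe /c "net stop VeeamBackupSvc"'},
    {"event_id": 1, "host": "SRV-BACKUP01",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\PSEXESVC.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc " + _ENCODED},
    {"event_id": 1, "host": "SRV-BACKUP01", "image": r"C:\Windows\System32\taskkill.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "taskkill /F /IM sqlservr.exe"},
]

if __name__ == "__main__":
    for rule, host, detail in detect(SAMPLE_EVENTS):
        print(f"{host:14} {rule:24} {detail}")
```

The per-host aggregation in rule 4 is the part worth copying: a lone `net stop` from an administrator is routine, but three distinct backup, antivirus or database services stopped on one host in a short window is the pre-encryption signature the paragraph describes, and it is visible before any file is touched.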
The Healthcare Focus
Healthcare is not incidentally represented in INC's victim list — it is strategically targeted. The reasoning is straightforward and well-documented by threat analysts: healthcare organisations face an asymmetric cost calculus when hit by ransomware.
Patient care systems going offline can mean delayed surgeries, diverted emergency patients, and an inability to access medication records. For hospital administrators, the choice between paying a ransom and watching patient outcomes deteriorate is not purely financial — it carries potential liability and, more viscerally, immediate human cost.
This coercive dynamic means healthcare targets are more likely to pay quickly and at higher amounts than equivalent organisations in other sectors. INC has allegedly collected ransoms in the millions from hospital systems and specialty care providers.
Beyond encryption, INC operates a data leak site and routinely exfiltrates sensitive patient information before deploying ransomware, a double-extortion approach in which the threat to publish that data adds regulatory pressure (HIPAA violations, mandatory breach notifications) on top of the operational disruption.
Recent Victims
INC has claimed attacks against healthcare providers in North America and Europe throughout 2025 and into 2026. Among the confirmed or claimed victims are hospital systems, specialty care networks, and clinical services providers. Exact attribution can be difficult to confirm given the group's operational security practices, but incident response firms including CrowdStrike, Mandiant, and Sophos have all documented INC intrusions.
The group does not appear to be a single tightly knit team — its affiliate model allows INC to scale through third-party operators who license the ransomware in exchange for a revenue cut, following the established RaaS pattern.
Why "Mastering the Basics" Is the Story
The INC case illustrates a pattern that the security community has struggled to effectively communicate to leadership teams: most ransomware incidents succeed not because of zero-day exploits or nation-state-grade tradecraft, but because of preventable failures in security fundamentals.
The attack chain — phishing succeeds, credentials are weak, MFA is absent, backups are reachable from the production network, lateral movement goes undetected — is not novel. It is repeated endlessly across organisations that have not addressed these exposures.
Key defensive measures that would disrupt INC's typical kill chain:
- Phishing-resistant MFA — hardware security keys or passkeys rather than SMS or TOTP codes, which a credential-harvesting page can relay to the real login in real time
- Privileged access workstations — isolate administrative credentials from the general user environment
- Immutable, offline or air-gapped backups — stored separately from the production network, not reachable with the same domain credentials an intruder will already hold, and with restores (not just backup jobs) tested regularly; INC scouts for backup infrastructure before encrypting, so any backup it can reach is a backup it will destroy
- Network segmentation — limit lateral movement by restricting traffic between clinical systems, administrative networks, and backup infrastructure
- Endpoint detection and response (EDR) — deployed on servers as well as workstations, with an alert triage process behind it, not just deployment; PsExec service installs, WMI-spawned shells and mass service stops are visible in telemetry, but only if someone is looking
- Vulnerability management — patch VPN appliances and remote access services promptly; these are primary INC entry points
The group's success is a market signal: it is profitable to operate against organisations that have not implemented security fundamentals. Until that changes, groups like INC will continue to thrive by doing exactly what they are already doing.