Cybersecurity researchers have released a detailed analysis of the INC ransomware group's rise from an obscure ransomware-as-a-service (RaaS) operation to one of the most active extortion gangs of 2026, with over 830 confirmed victims since its debut in August 2023. The group's growth has been accelerated by the operational vacuum left by the disruption of LockBit and the voluntary shutdown of BlackCat (ALPHV).
INC Ransomware: Background
INC Ransom first emerged in August 2023 with a data-leak site and a focus on targeted, big-game hunting attacks against mid-market and enterprise organizations. Unlike many RaaS groups, INC initially maintained relatively tight affiliate controls while still operating the standard double-extortion model — encrypting files and threatening to publish stolen data if ransoms aren't paid.
Key characteristics of INC operations:
- Initial access via exploitation of public-facing vulnerabilities, VPN credential abuse, and phishing
- Dwell time of days to weeks before encryption to maximize data exfiltration
- Selective targeting of healthcare, education, manufacturing, and critical infrastructure
- Data leak site used to apply pressure against non-paying victims
Explosive Growth in 2026
The research documents a significant acceleration in INC activity coinciding with the collapse of competing RaaS programs:
- LockBit's disruption by Operation Cronos in February 2024 left hundreds of affiliates without a platform
- BlackCat's exit scam in March 2024 after the Change Healthcare attack scattered experienced affiliates
- INC's recruitment of battle-hardened operators from these defunct groups drove a surge in attack volume through 2025-2026
The group now claims more than 830 victims across its leak site, with healthcare and education sectors disproportionately represented — consistent with INC affiliates inherited from LockBit operations that favored those verticals.
Technical Profile
INC ransomware targets both Windows and Linux/ESXi environments. The encryptor supports several operational modes:
| Mode | Description |
|---|---|
| Full encryption | Complete file encryption for maximum impact |
| Fast mode | Partial encryption for speed in time-pressured operations |
| Network shares | Explicit targeting of mapped drives and UNC paths |
The group has been observed using legitimate remote access tools such as AnyDesk, along with legitimate system administration utilities, for lateral movement, which makes its activity harder to distinguish from normal IT activity.
Notable Victims
Among INC's claimed victims in the past year are healthcare systems, school districts, and manufacturing firms across North America and Europe. The group notably attacked:
- Multiple US healthcare networks, causing operational disruptions to patient care
- Educational institutions during exam periods to maximize pressure
- Professional services firms holding sensitive client data
Defensive Recommendations
With INC emerging as a primary ransomware threat for 2026, organizations should prioritize:
- Patch externally exposed services — especially VPN concentrators, RDP, and web applications
- Enforce MFA on all remote access points without exception
- Segment networks to prevent lateral movement from initial access to domain controller compromise
- Monitor for INC TTPs: PowerShell-based reconnaissance, use of `wmic`, and Cobalt Strike or Brute Ratel C4 for post-exploitation
- Immutable backups that cannot be reached or encrypted by domain-level access
- Incident response retainer — INC moves fast once inside a network
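Because AnyDesk, `wmic` and PowerShell also appear in normal IT activity, monitoring for them works better as correlation than as single-event alerts. The following is an added example, not code from the research or from The Hacker News: it flags a host only when two or more of these behaviours occur within a short window from an account outside an approved list. The regex patterns, the 30-minute window, the account names and the sample events are all assumptions constructed for illustration, not INC indicators.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed patterns for the behaviours the article names; not INC-specific indicators.
RULES = {
    "wmic": re.compile(r"\bwmic(\.exe)?\b", re.I),
    "ps_recon": re.compile(r"powershell.*\bGet-(AD(Computer|User|Group)|SmbShare)\b", re.I),
    "remote_tool": re.compile(r"\banydesk(\.exe)?\b", re.I),
}
WINDOW = timedelta(minutes=30)  # assumed correlation window
APPROVED_ADMINS = {"CORP\\it-helpdesk"}  # hypothetical allowlist of expected tool users


def classify(cmdline):
    """Return the names of every rule whose pattern matches the command line."""
    return {name for name, rx in RULES.items() if rx.search(cmdline)}


def correlate(events):
    """Alert when a host shows two or more distinct behaviours inside WINDOW."""
    recent = defaultdict(list)  # host -> [(timestamp, behaviour)]
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        found = classify(ev["cmdline"])
        if not found or ev["user"] in APPROVED_ADMINS:
            continue  # tool use by an approved admin account is treated as normal IT activity
        hits = [h for h in recent[ev["host"]] if ev["ts"] - h[0] <= WINDOW]
        hits += [(ev["ts"], name) for name in found]
        seen = sorted({name for _, name in hits})
        if len(seen) >= 2:
            alerts.append({"host": ev["host"], "at": ev["ts"], "behaviours": seen})
            hits = []  # reset so one burst yields one alert
        recent[ev["host"]] = hits
    return alerts


ts = datetime.fromisoformat

SAMPLE_EVENTS = [  # constructed process-creation records, not real telemetry
    {"ts": ts("2026-01-10T09:00:00"), "host": "WS-014", "user": "CORP\\it-helpdesk", "cmdline": "C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe"},
    {"ts": ts("2026-01-10T02:11:00"), "host": "FS-02", "user": "CORP\\svc-backup", "cmdline": "powershell.exe -nop -c Get-ADComputer -Filter *"},
    {"ts": ts("2026-01-10T02:19:00"), "host": "FS-02", "user": "CORP\\svc-backup", "cmdline": "wmic computersystem get domain"},
    {"ts": ts("2026-01-10T01:00:00"), "host": "DB-01", "user": "CORP\\jdoe", "cmdline": "wmic os get caption"},
    {"ts": ts("2026-01-10T03:00:00"), "host": "DB-01", "user": "CORP\\jdoe", "cmdline": "C:\\ProgramData\\AnyDesk.exe"},
]

if __name__ == "__main__":
    print(correlate(SAMPLE_EVENTS))
```

On the sample data only FS-02 alerts: the helpdesk AnyDesk launch is allowlisted, and the two DB-01 events fall two hours apart, outside the window.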
The RaaS Vacuum Effect
INC's growth illustrates a persistent pattern in the ransomware ecosystem: dismantling a major group doesn't eliminate the threat actors — it disperses experienced operators who reorganize under new brands or join growing operations. Law enforcement disruptions of LockBit and BlackCat effectively served as a recruiting pipeline for INC and similar groups like Medusa, Qilin, and RansomHub.
Addressing ransomware at the ecosystem level remains an unsolved problem for law enforcement and policy makers.
Source: The Hacker News