A new cyber threat is rising fast: INC ransomware has already claimed 800 victims


A ransomware group that was relatively unknown just a few years ago has rapidly emerged as one of the world’s most active cybercrime operations, according to new research from Acronis’ Threat Research Unit (TRU).

The report traces the rise of INC ransomware from its appearance in 2023 to its current position as a major global threat actor, with more than 800 victims reported worldwide. Researchers say the group’s growth has been fuelled by expanding affiliate networks, increasingly sophisticated attack methods and the disruption of rival ransomware operations.

According to the findings, law enforcement action against major ransomware groups such as LockBit, along with the collapse of BlackCat, created an opportunity for INC to attract experienced affiliates and expand its reach. This shift helped strengthen the group’s operations and accelerate its growth over the past three years.

One of the most notable developments highlighted in the report is INC’s migration to the Rust programming language for both its Windows and Linux/ESXi ransomware variants. Researchers say the change enables more efficient cross-platform development while making the malware harder to analyse and detect.

The group’s influence has also extended beyond its own attacks. Following the reported sale of INC’s source code in 2024, researchers observed the emergence of related ransomware strains, including Lynx and Sinobi, indicating a broader impact on the cybercriminal ecosystem.

Acronis researchers also identified significant upgrades to INC’s attack toolkit. Recent campaigns have included a modified credential-dumping tool capable of extracting login information from newer Veeam backup environments by exploiting support for updated encryption methods.

The report found that INC operators continue to rely on a mix of attack techniques, including stolen credentials, phishing emails, exploitation of unpatched vulnerabilities and remote administration tools. Once inside a network, attackers move laterally, disable security controls and steal sensitive data before encrypting systems.

The United States remains the group’s primary target, accounting for more than 65% of recorded victims. Legal services, manufacturing, technology, healthcare and construction have emerged as the most frequently targeted sectors in 2026.

Researchers noted that these industries are particularly attractive because service disruptions can lead to severe operational, financial and reputational damage. This increases pressure on organisations to comply with ransom demands, especially when attackers use double-extortion tactics that combine data encryption with threats to publicly release stolen information.

To reduce exposure to ransomware threats, Acronis recommends a layered security approach that includes secure backups, endpoint detection and response tools, multi-factor authentication, stronger identity controls and regular employee awareness training. The company also stressed the importance of patching vulnerabilities quickly and segmenting networks to limit the spread of attacks.

First Published on June 18, 2026, 15:21:27 IST


