Acronis has identified INC as one of the world’s most active ransomware groups, with Australia among the countries most frequently named in its victim disclosures.
The findings suggest a shift in the ransomware market following disruption to major operations such as LockBit and the closure of BlackCat. Researchers said affiliates have moved to other platforms, helping newer groups expand quickly.
INC emerged as a ransomware-as-a-service operation in 2023 and has since claimed more than 800 victims globally. It has moved from relative obscurity to a prominent position in the cybercrime ecosystem, according to Acronis.
While the United States accounts for most disclosed victims, Australia remains among the countries most affected by the group. That leaves Australian organisations exposed to a ransomware operator that has expanded its reach as other gangs have come under pressure.
Technical shift
Researchers said INC has also changed its malware development approach. The Windows and Linux/ESXi versions of the ransomware have both been rewritten in Rust, a language that supports cross-platform development and can make analysis harder.
The group has also updated the tools used in attacks. In incidents examined by Acronis, researchers found a credential-dumping utility capable of extracting credentials from newer Veeam backup environments.
That focus on backup systems reflects a familiar ransomware tactic. By targeting recovery infrastructure, attackers can make it harder for victims to restore data without paying a ransom.
According to the research, INC uses a mix of opportunistic and targeted methods to gain entry. Initial access often comes through compromised credentials, phishing campaigns, or the exploitation of internet-facing vulnerabilities.
Once inside a network, attackers typically move through several stages, including reconnaissance, lateral movement, data exfiltration, and the deployment of encryption on selected environments.
Sector exposure
The sectors most often targeted by INC include legal services, manufacturing, technology, healthcare, and construction. These industries often face high costs from service disruption, which can increase pressure during an attack.
For Australian businesses, the country’s continued appearance in victim disclosures underlines the persistence of ransomware risk rather than a temporary spike. The broader pattern suggests that action against one major criminal group does not reduce the threat for long, as other operators absorb personnel, tactics, and know-how.
Darrel Virtusio, Threat Research Evangelist at Acronis, said Australia remains consistently exposed. “While the United States remains the primary target, Australia continues to appear among the most affected countries in INC ransomware victim disclosures,” he said.
He said the group’s growth showed how quickly the market can reorganise after disruption to dominant players. “The evolution of INC demonstrates how quickly ransomware operators can adapt following disruptions to major cybercriminal groups. We are seeing threat actors invest in more advanced tooling, expand affiliate networks and increasingly target technologies that organisations rely on for business continuity and recovery,” Virtusio said.
Acronis urged organisations to pay close attention to identity controls and remote access points. Its research highlighted backup security, multi-factor authentication, patching, and monitoring for credential theft as key defensive measures.
Virtusio also pointed to common weaknesses that still give attackers an opening. “Many ransomware attacks still begin with compromised credentials or unpatched internet-facing systems. Strengthening these areas remains one of the most effective ways to reduce overall ransomware risk,” he said.
Click Here For The Original Source.
