Summary
INC ransomware has grown into a major ransomware-as-a-service operation, claiming more than 800 victims since 2023. The group uses Rust-based encryptors for both Windows and Linux/ESXi systems, which increases the difficulty of malware analysis. Its operators rely on double-extortion tactics and focus on high-value sectors such as healthcare and legal services.
Investigation
The Acronis Threat Research Unit analyzed the INC intrusion chain and observed a shift toward exploiting unpatched edge devices and attacking Veeam backup servers. Technical analysis showed that the Windows payload is protected with VMProtect 3.X, while the Linux version targets VMware environments through commands such as vim-cmd. The investigation also found code similarities with related ransomware families, including Lynx and Sinobi.
Mitigation
Organizations should adopt the 3-2-1 backup strategy and ensure that backups include immutable or offline copies to support recovery. Deploying EDR or XDR with anti-tamper protections and enforcing multi-factor authentication are both essential. Prioritizing patching of internet-facing applications and segmenting critical networks can also reduce the impact of a compromise.
Response
If INC ransomware activity is detected, responders should isolate affected systems immediately to halt lateral movement and stop encryption. Backup integrity should be verified before restoration begins, and incident response procedures should focus on identifying the initial access vector. Teams should also monitor for data exfiltration attempts involving tools such as rclone.
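The following is an added example, not code from the Acronis report, showing a minimal detection pass over process-creation events for the two behaviours named above: rclone transfers to a cloud remote and destructive vim-cmd subcommands on ESXi hosts. The event tuples and command lines are constructed for illustration, and the set of flagged vim-cmd subcommands is an assumption chosen for the example rather than a list taken from the report.

```python
import re

# Constructed process-creation events: (host, user, command line). Not real telemetry.
SAMPLE_EVENTS = [
    ("fs01", "svc_backup", r"C:\Tools\rclone.exe copy D:\Shares\Legal mega:exfil --transfers 16"),
    ("esxi-02", "root", "vim-cmd vmsvc/power.off 12"),
    ("esxi-02", "root", "vim-cmd vmsvc/getallvms"),
    ("ws17", "jdoe", r"C:\Program Files\7-Zip\7z.exe a report.zip report.docx"),
    ("fs01", "admin", r"rclone.exe sync \\fs01\Finance s3:bucket-name"),
]

# rclone invoked (any path, optional .exe) with a transfer verb.
RCLONE_RE = re.compile(r"(?:^|[\\/\s])rclone(?:\.exe)?\s+(copy|sync|move|copyto)\b", re.I)
# An rclone remote looks like 'remote:path'. Windows drive letters (single char followed by
# a backslash) and URL schemes (colon followed by a slash) are excluded on purpose.
REMOTE_RE = re.compile(r"(?<!\w)([A-Za-z0-9_-]{2,}):(?![\\/])")
# Assumed list of vim-cmd subcommands that change VM state; read-only calls such as
# vmsvc/getallvms are intentionally not flagged to keep the noise down.
VIMCMD_RE = re.compile(r"\bvim-cmd\s+vmsvc/(power\.off|snapshot\.removeall|destroy)\b")


def classify(cmdline):
    """Return a short finding label for a command line, or None if nothing matched."""
    m = RCLONE_RE.search(cmdline)
    if m and REMOTE_RE.search(cmdline):
        return f"rclone {m.group(1).lower()} to remote"
    m = VIMCMD_RE.search(cmdline)
    if m:
        return f"vim-cmd {m.group(1)}"
    return None


def scan(events):
    """Run classify() over (host, user, cmdline) tuples and keep only the hits."""
    findings = []
    for host, user, cmd in events:
        label = classify(cmd)
        if label:
            findings.append((host, user, label))
    return findings


if __name__ == "__main__":
    for host, user, label in scan(SAMPLE_EVENTS):
        print(f"{host:8} {user:12} {label}")
```

In practice the same two patterns would be applied to Sysmon Event ID 1 or EDR process telemetry for Windows hosts and to shell history or auditd output on ESXi, with the rclone hit correlated against outbound volume to confirm exfiltration.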
