INC Ransomware Emerges as a Major RaaS Threat in 2026

Alanna River

Jun 25, 2026

4 min read

The "What Happened"

  • The Hacker News reported that INC ransomware has evolved into one of the most prolific ransomware-as-a-service operations in 2026.
  • Researchers said INC has claimed at least 830 victims since August 2023.
  • Acronis said United States organizations account for more than 65% of listed victims.
  • Targeted sectors include legal services, manufacturing, construction, technology, and healthcare.
  • INC’s Windows and Linux/ESXi encryptors have been rewritten in Rust, both to simplify cross-platform development and to make reverse engineering harder.
  • Recent attacks involve credential dumping from newer Veeam backup deployments that use salted DPAPI credential encryption.
  • The group uses spear-phishing, credentials bought from initial access brokers, and exploitation of public-facing applications for initial access.
  • INC affiliates use living-off-the-land binaries, RDP, PsExec, BYOVD drivers, Cobalt Strike, AnyDesk, ScreenConnect, TeamViewer, Rclone exfiltration, and ESXi-focused encryption options.

INC ransomware has rapidly emerged as one of the most active ransomware-as-a-service (RaaS) operations, demonstrating how modern threat groups continue to scale attacks through proven enterprise weaknesses rather than novel exploits alone. Its affiliates combine exposed edge infrastructure, stolen credentials, legitimate remote administration tools, and Rust-based ransomware encryptors to compromise Windows, Linux, and virtualized environments with increasing efficiency.

For enterprise security teams, INC’s growing activity reinforces a familiar reality: ransomware operators are succeeding by chaining together common security gaps across identity, endpoint, backup, and remote access infrastructure. As the group’s tactics continue to evolve, organizations need to strengthen detection, reduce attack surface exposure, and improve resilience against increasingly coordinated ransomware campaigns.

How INC Ransomware Executes Enterprise Attacks

Rather than relying on a single intrusion technique, INC affiliates combine multiple access vectors to maximize their chances of compromising enterprise environments. Initial access commonly begins through spear-phishing campaigns, credentials purchased from initial access brokers (IABs), or the exploitation of internet-facing applications, including vulnerabilities affecting platforms such as Citrix, Fortinet, and SimpleHelp.

Once inside the network, the attackers establish persistence and expand their foothold using a combination of credential theft and legitimate administrative tools. Observed activity includes:

  • Credential dumping to obtain privileged accounts.
  • Lateral movement using RDP and PsExec.
  • Deployment of Cobalt Strike and legitimate remote management tools to maintain access and execute commands.
  • Bring Your Own Vulnerable Driver (BYOVD) techniques to disable or bypass endpoint security controls.
  • Staging sensitive data into password-protected archives before exfiltrating it with Rclone.
  • Encrypting Windows systems as well as Linux and VMware ESXi environments to maximize operational disruption.

Researchers also report that INC has rewritten its Windows and Linux/ESXi encryptors in Rust. Beyond enabling a more maintainable cross-platform codebase, Rust-compiled binaries can increase the complexity of static analysis and reverse engineering, making malware analysis and detection more challenging for defenders.

Reducing INC Ransomware Risk with Hexnode

The tactics employed by INC ransomware span the endpoint, identity, and infrastructure layers, making continuous visibility and centralized endpoint management essential for early detection and containment.

Hexnode XDR can help security teams identify malicious activity associated with the INC attack chain, including:

  • Credential dumping and attempts to harvest privileged credentials.
  • Abuse of remote administration tools and suspicious remote access activity.
  • Suspicious driver loading, including indicators associated with BYOVD techniques.
  • Lateral movement using administrative utilities such as RDP and PsExec.
  • Behavioral indicators consistent with ransomware encryption.
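The attack chain described in the "How INC Ransomware Executes Enterprise Attacks" section and the detection categories listed above map onto a handful of well-known Windows and Sysmon events. The following script is an example added to this article, not Hexnode's or any other vendor's detection logic: it runs a few simple rules over a constructed set of event records (System 7045 service installs for PsExec, Security 4624 type-10 RDP logons, Sysmon 1 process creation, Sysmon 6 driver loads, Sysmon 10 LSASS handle access) and counts how many distinct stages of the chain have appeared. The allowlists, hostnames, IPs and file paths are hypothetical, and the vulnerable-driver hash set is an empty placeholder to be filled from a vendor blocklist.

```python
"""Toy detection rules for an INC-style attack chain, run over constructed
Windows/Sysmon-like event records. Example added to the article; not a
vendor's detection logic. Event IDs are real (System 7045, Security 4624,
Sysmon 1/6/10); every record and allowlist value below is constructed."""
from collections import Counter

# Hypothetical environment-specific allowlists; tune before use.
ADMIN_JUMP_HOSTS = {"10.0.5.10"}            # only expected RDP source for servers
LSASS_READERS = {r"c:\windows\system32\csrss.exe", r"c:\program files\edr\agent.exe"}
APPROVED_REMOTE_TOOLS = set()               # e.g. {"teamviewer"} if it is sanctioned
REMOTE_TOOL_MARKERS = ("anydesk", "screenconnect", "teamviewer")
USER_WRITABLE = ("\\temp\\", "\\programdata\\", "\\users\\", "\\downloads\\")
KNOWN_VULNERABLE_DRIVER_HASHES = set()      # placeholder: load a vulnerable-driver blocklist


def basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def detect(ev):
    """Return (tactic, description) if the event matches a rule, else None."""
    src, eid = ev["source"], ev["event_id"]
    if src == "System" and eid == 7045:
        blob = (ev.get("service_name", "") + " " + ev.get("image", "")).lower()
        if "psexesvc" in blob:
            return ("lateral_movement", f"PsExec service installed on {ev['host']}")
    if src == "Security" and eid == 4624 and ev.get("logon_type") == 10:
        if ev.get("src_ip") not in ADMIN_JUMP_HOSTS:
            return ("lateral_movement", f"RDP logon to {ev['host']} from {ev['src_ip']}")
    if src == "Sysmon" and eid == 10 and basename(ev.get("target_image", "")) == "lsass.exe":
        if ev.get("source_image", "").lower() not in LSASS_READERS:
            return ("credential_access", f"{basename(ev['source_image'])} opened LSASS")
    if src == "Sysmon" and eid == 1:
        name = basename(ev.get("image", ""))
        original = ev.get("original_file_name", "").lower()  # survives renaming the binary
        tokens = ev.get("command_line", "").lower().split()
        if "rclone.exe" in (name, original) and any(v in tokens for v in ("copy", "sync", "move")):
            return ("exfiltration", f"rclone transfer launched as {name}")
        for marker in REMOTE_TOOL_MARKERS:
            if marker in name + " " + original and marker not in APPROVED_REMOTE_TOOLS:
                return ("remote_access_tool", f"unsanctioned {marker} started on {ev['host']}")
    if src == "Sysmon" and eid == 6:
        path = ev.get("image_loaded", "").lower()
        if ev.get("sha256", "").lower() in KNOWN_VULNERABLE_DRIVER_HASHES:
            return ("defense_evasion", f"known vulnerable driver loaded: {path}")
        if any(part in path for part in USER_WRITABLE):
            # A valid signature proves little here: BYOVD drivers are signed by design.
            return ("defense_evasion", f"driver loaded from user-writable path: {path}")
    return None


def triage(events):
    """Run every event through the rules; return (ts, host, tactic, description) tuples."""
    findings = []
    for ev in events:
        hit = detect(ev)
        if hit:
            findings.append((ev["ts"], ev["host"]) + hit)
    return findings


def chain_stages(findings):
    """Count distinct tactics seen; several stages in a short window is the strong signal."""
    return Counter(tactic for _, _, tactic, _ in findings)


ENC = r"C:\Users\Public\t.exe"
SAMPLE_EVENTS = [  # constructed records, not from a real incident
    {"ts": "09:01", "host": "fs01", "source": "Security", "event_id": 4624, "logon_type": 10, "src_ip": "10.0.5.10"},
    {"ts": "09:14", "host": "fs01", "source": "Security", "event_id": 4624, "logon_type": 10, "src_ip": "10.0.8.77"},
    {"ts": "09:16", "host": "fs01", "source": "Sysmon", "event_id": 10, "source_image": ENC, "target_image": r"C:\Windows\System32\lsass.exe"},
    {"ts": "09:20", "host": "app02", "source": "System", "event_id": 7045, "service_name": "PSEXESVC", "image": r"%SystemRoot%\PSEXESVC.exe"},
    {"ts": "09:25", "host": "app02", "source": "Sysmon", "event_id": 1, "image": r"C:\ProgramData\ad.exe", "original_file_name": "AnyDesk.exe", "command_line": "ad.exe --service"},
    {"ts": "09:31", "host": "app02", "source": "Sysmon", "event_id": 6, "image_loaded": r"C:\Users\Public\drv.sys", "signed": "true", "sha256": "PLACEHOLDER_HASH"},
    {"ts": "09:40", "host": "fs01", "source": "Sysmon", "event_id": 1, "image": r"C:\ProgramData\svchost.exe", "original_file_name": "rclone.exe", "command_line": r"svchost.exe copy D:\staging\archive.7z remote:bkp"},
    {"ts": "09:41", "host": "fs01", "source": "Sysmon", "event_id": 1, "image": r"C:\Program Files\Notepad++\notepad++.exe", "original_file_name": "Notepad++.exe", "command_line": "notepad++.exe notes.txt"},
]

if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for f in found:
        print(*f)
    print("chain stages seen:", dict(chain_stages(found)))
```

Two details carry most of the value: matching on Sysmon's OriginalFileName catches renamed copies of rclone and AnyDesk, and the driver rule deliberately does not trust the signature flag, because the drivers abused in BYOVD attacks are legitimately signed. The jump-host RDP logon in the sample is expected and produces no finding; the other six records each light up a different stage.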

Complementing threat detection, Hexnode UEM can help strengthen an organization’s security posture by enabling administrators to:

  • Enforce patch compliance to reduce exposure to known vulnerabilities.
  • Apply endpoint hardening policies across managed devices.
  • Restrict unauthorized software through application control.
  • Support remote remediation and policy enforcement across Windows, Linux, macOS, and mobile devices from a centralized management console.

Key Takeaways for Enterprise Security Teams

INC’s rapid growth demonstrates that successful ransomware campaigns continue to capitalize on exposed internet-facing systems, compromised credentials, accessible backup infrastructure, and techniques designed to evade endpoint defenses. Rather than relying solely on zero-day exploits, many affiliates chain together well-known weaknesses to achieve enterprise-wide impact.

To reduce risk, security teams should prioritize:

  • Minimizing the external attack surface by patching and securing internet-facing applications.
  • Enforcing strong identity controls, including phishing-resistant MFA and least-privilege access.
  • Continuously monitoring and protecting backup infrastructure, ensuring backup credentials and repositories are isolated from production environments.
  • Detecting lateral movement, credential theft, and suspicious remote administration activity as early as possible.
  • Establishing rapid containment procedures that can isolate compromised systems before attackers progress from initial access to data exfiltration and ransomware deployment.
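The "behavioral indicators consistent with ransomware encryption" mentioned in the detection section, and the rapid-containment step in the list above, can be tied together in one small pipeline. The script below is an example added to this article, not Hexnode's or any vendor's detector: it scores a constructed stream of file-system events per process, combining the Shannon entropy of newly written content with renames that change a file's extension inside a sliding window, and turns a positive verdict into the containment actions a responder would trigger. The hostnames, process paths, the `.locked` extension and the 60-second window are all constructed assumptions; the backup-agent case is included because high-entropy writes alone would otherwise produce a false positive.

```python
"""Behavioural ransomware-encryption indicator over a constructed stream of
file-system events, with a containment decision. Example added to the
article; not a vendor's detector. All hosts, paths and thresholds are
constructed assumptions."""
import math
import random
from collections import Counter, defaultdict

WINDOW_SECONDS = 60
ENTROPY_THRESHOLD = 7.0       # bits/byte; plaintext documents sit well below this
MIN_ENCRYPTED_WRITES = 10
MIN_EXTENSION_RENAMES = 10


def shannon_entropy(data):
    """Bits per byte of the sample; ciphertext approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def extension(path):
    base = path.rsplit("\\", 1)[-1]
    return base.rsplit(".", 1)[-1].lower() if "." in base else ""


def assess(events):
    """Group events by (host, process) and score the busiest window per process.

    Each event: ts (seconds), host, process, op ('write' or 'rename'), path;
    writes carry 'sample' (first bytes of new content), renames 'new_path'."""
    per_proc = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        per_proc[(ev["host"], ev["process"])].append(ev)
    verdicts = {}
    for key, evs in per_proc.items():
        best = {"encrypted_writes": 0, "extension_renames": 0, "dirs": 0}
        for i, start in enumerate(evs):  # sliding window anchored on each event
            window = [e for e in evs[i:] if e["ts"] - start["ts"] <= WINDOW_SECONDS]
            enc = sum(1 for e in window if e["op"] == "write"
                      and shannon_entropy(e["sample"]) >= ENTROPY_THRESHOLD)
            ren = sum(1 for e in window if e["op"] == "rename"
                      and extension(e["path"]) != extension(e["new_path"]))
            dirs = len({e["path"].rsplit("\\", 1)[0].lower() for e in window})
            if enc + ren > best["encrypted_writes"] + best["extension_renames"]:
                best = {"encrypted_writes": enc, "extension_renames": ren, "dirs": dirs}
        # Both signals are required: archivers and backup agents write high-entropy
        # data too, but they do not mass-rename existing documents to a new extension.
        hit = (best["encrypted_writes"] >= MIN_ENCRYPTED_WRITES
               and best["extension_renames"] >= MIN_EXTENSION_RENAMES)
        best["verdict"] = "ransomware_encryption" if hit else "benign"
        verdicts[key] = best
    return verdicts


def containment_actions(verdicts):
    """Translate positive verdicts into the steps a responder would trigger."""
    actions = []
    for (host, process), v in verdicts.items():
        if v["verdict"] == "ransomware_encryption":
            actions.append(("isolate_host", host))
            actions.append(("kill_process", host, process))
    return actions


def _constructed_events():
    rng = random.Random(7)
    ciphertext_like = bytes(rng.getrandbits(8) for _ in range(4096))  # stands in for encrypted output
    plaintext = b"Quarterly figures attached; see sheet 2 for the revised totals. " * 64
    enc_proc = r"C:\Users\Public\enc.exe"
    evs = []
    for i in range(12):  # encryptor-like process rewrites and renames 12 documents in ~25 s
        p = f"\\\\fs01\\shares\\{'finance' if i % 2 else 'legal'}\\doc{i}.docx"
        evs.append({"ts": 100 + 2 * i, "host": "fs01", "process": enc_proc, "op": "write", "path": p, "sample": ciphertext_like})
        evs.append({"ts": 101 + 2 * i, "host": "fs01", "process": enc_proc, "op": "rename", "path": p, "new_path": p + ".locked"})
    for i in range(15):  # backup agent: many high-entropy writes, no renames
        evs.append({"ts": 200 + i, "host": "bk01", "process": r"C:\Program Files\Backup\agent.exe", "op": "write", "path": f"D:\\repo\\job{i}.bak", "sample": ciphertext_like})
    evs.append({"ts": 300, "host": "ws07", "process": r"C:\Program Files\Editor\editor.exe", "op": "write", "path": r"C:\Users\a\memo.txt", "sample": plaintext})
    return evs


SAMPLE_EVENTS = _constructed_events()

if __name__ == "__main__":
    verdicts = assess(SAMPLE_EVENTS)
    for key, v in verdicts.items():
        print(key, v)
    print(containment_actions(verdicts))
```

Requiring both signals is the design point: the backup agent in the sample writes fifteen high-entropy files and is still rated benign, while the encryptor-like process trips the rule through its paired write-and-rename pattern across two share directories. In practice the entropy sample comes from a file-system minifilter or EDR telemetry rather than an event list, and the containment actions would be calls into the endpoint management API rather than tuples.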

For defenders, the lesson is clear: reducing attack paths and accelerating detection and containment remain the most effective ways to disrupt modern ransomware operations before encryption begins.


Alanna River

I’m a technical content writer at Hexnode who loves simplifying tech. I break down complex ideas, remove the fluff, and help readers clearly understand our product for what it actually is: simple, reliable, and built to solve real problems.