INC ransomware has become one of the most active ransomware-as-a-service operations in 2026, with researchers counting at least 830 victims since August 2023. The group has grown rapidly, filling the vacuum left by the disruptions of LockBit and BlackCat.
“The disruption of LockBit and the shutdown of BlackCat created opportunities for INC to expand as affiliates migrated to alternative ransomware operations,” said Acronis researcher Darrel Virtusio. US organizations account for more than 65% of listed victims, with legal services, manufacturing, construction, technology, and healthcare among the most targeted sectors.
INC’s technical capabilities have evolved. Its Windows and Linux/ESXi encryptors have been rewritten in Rust, making cross-platform development easier and reverse engineering harder. The group uses an updated credential dumper that targets newer Veeam backup deployments with salted DPAPI credential encryption.
The attack chain is methodical. Initial access comes through spear-phishing, purchased credentials, or exploitation of known vulnerabilities in Citrix NetScaler, Fortinet EMS, and SimpleHelp. From there, affiliates dump credentials, move laterally using RDP and PsExec, and deploy Cobalt Strike, AnyDesk, or ScreenConnect for command-and-control. Data gets exfiltrated with Rclone before the encryptor runs.
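The chain above leaves process-creation traces that can be correlated per host. The following is an added detection sketch, not code from Acronis or from the article: the event fields (`time`, `host`, `image`, `original_name`), the 24-hour window and all sample events are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Chain stage -> executable names (lower-case) for tools the article names.
# Cobalt Strike and RDP have no fixed process name and are out of scope here.
STAGES = {
    "lateral_movement": {"psexec.exe", "psexesvc.exe"},
    "remote_access": {"anydesk.exe", "screenconnect.clientservice.exe"},
    "exfiltration": {"rclone.exe"},
}
WINDOW = timedelta(hours=24)  # assumed correlation window

def ev(time, host, image, original_name):
    return {"time": time, "host": host, "image": image, "original_name": original_name}

# Constructed process-creation events, not real telemetry.
EVENTS = [
    ev("2026-03-02T09:10:00", "FS01", r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe", "AnyDesk.exe"),
    ev("2026-03-02T09:40:00", "FS01", r"C:\Windows\PSEXESVC.exe", "psexesvc.exe"),
    # Renamed binary: the path says svchost32.exe, the PE header still says rclone.
    ev("2026-03-02T11:05:00", "FS01", r"C:\ProgramData\svchost32.exe", "rclone.exe"),
    ev("2026-03-02T10:00:00", "WS07", r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe", "AnyDesk.exe"),
    ev("2026-03-01T08:00:00", "BK02", r"C:\Tools\rclone.exe", "rclone.exe"),
    ev("2026-03-05T08:00:00", "BK02", r"C:\Tools\PsExec.exe", "psexec.exe"),
]

def stage_of(event):
    """Map an event to a chain stage by file name or PE original name."""
    base = event["image"].replace("\\", "/").rsplit("/", 1)[-1].lower()
    names = {base, event["original_name"].lower()}
    for stage, exes in STAGES.items():
        if names & exes:
            return stage
    return None

def correlate(events, window=WINDOW, min_stages=2):
    """Return {host: stages} where >= min_stages distinct stages fall in one window."""
    hits = defaultdict(list)
    for event in events:
        stage = stage_of(event)
        if stage:
            hits[event["host"]].append((datetime.fromisoformat(event["time"]), stage))
    alerts = {}
    for host, seen in hits.items():
        seen.sort()
        for i, (start, _) in enumerate(seen):
            stages = {s for t, s in seen[i:] if t - start <= window}
            if len(stages) >= min_stages and len(stages) > len(alerts.get(host, ())):
                alerts[host] = sorted(stages)
    return alerts
```

On the constructed events only FS01 is flagged: WS07 shows a single remote-access tool, and BK02's two tools ran four days apart.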
INC’s success isn’t built on advanced tradecraft. It’s built on volume, known techniques, and targeting industries where downtime creates intense financial pressure to pay. The emergence of related families like Lynx and Sinobi — with significant code overlap — suggests the group’s tools have spread further through the cybercrime underground.
For Q1 2026, INC ranked as the fourth most prominent ransomware group behind Qilin, Akira, and The Gentlemen, with over 120 incidents in that period alone.
