INC ransomware has grown into one of the most active cybercrime groups in 2026, with a technical analysis saying it has claimed at least 830 victims since August 2023 and that U.S. organizations make up more than 65% of listed cases.
KEY FACTS
- Scale The group has been linked to 830 victims since August 2023.
- Targets Legal services, manufacturing, construction, technology and health care are among the most affected sectors.
- Methods Campaigns have used spear phishing, stolen credentials and exploits against public-facing applications.
- Tools The group has used Rust-based encryptors, LOLBins, Rclone and commercial remote management software.
The analysis says the ransomware operation expanded after disruption to LockBit and the shutdown of BlackCat, which pushed some affiliates toward other groups. INC’s Windows and Linux or ESXi encryptors have been rewritten in Rust, a change that can make cross-platform development easier and reverse engineering harder.
Attacks have also used an updated credential dumper aimed at newer Veeam backup deployments that use salted DPAPI credential encryption. The report says the group has continued to target unpatched edge devices, dump credentials from backup servers and move inside networks with tools such as RDP and PsExec.
Researchers said the group’s latest campaigns have also relied on bring your own vulnerable driver techniques, including filwfp.sys, filnk.sys and fildds.sys, to weaken defenses. Data theft has typically involved staging files as password-protected archives before exfiltration with Rclone, and the encryptor can shut down virtual machines when run with the –esxi argument.
ZeroFox data placed INC as the fourth most prominent ransomware group in the first quarter of 2026, behind Qilin, Akira and The Gentlemen, with more than 120 incidents during that period.
WHY IT MATTERS
The findings show that ransomware groups can scale quickly by using common attack methods against organizations that cannot afford long outages. That raises the risk of business disruption and supply chain exposure for victims and their partners.