INC ransomware is a financially motivated ransomware-as-a-service (RaaS) operation that has been active since mid-2023 and is assessed to be evolving into a successor strain known as Lynx. The operation poses a significant risk to medium-sized and large enterprises globally. INC operators conduct targeted, human-operated intrusions using phishing, stolen or brokered credentials, and exploitation of internet-facing vulnerabilities. Following initial access, attackers perform credential theft, lateral movement, and data exfiltration prior to deploying ransomware across Windows, Linux, and VMware ESXi environments. The group employs a double-extortion model, combining system encryption with the threat of data leakage to increase pressure on victims. Reducing operational and financial impact depends on early detection, strong identity and access controls, timely vulnerability remediation, resilient backup strategies, and well-practiced incident response capabilities.
INC ransomware is a human-operated ransomware-as-a-service threat that gains initial access through phishing campaigns, credential theft, and exploitation of exposed internet-facing services. Once access is established, operators conduct hands-on reconnaissance using legitimate administrative tools to enumerate users, systems, and critical infrastructure. Credential dumping, lateral movement, and privilege escalation are used to obtain elevated or domain-level access.
Attackers rely on tools such as Mimikatz, PsExec, WMI, and remote access utilities to propagate laterally across Windows, Linux, and VMware ESXi environments. Backup systems and security controls are deliberately targeted to weaken recovery capabilities before encryption. To support double extortion, sensitive data is staged, compressed, and exfiltrated to external or cloud-based storage services before ransomware deployment. Encryption is executed across local, network-attached, and virtualized storage using partial, multi-threaded encryption. File contents are encrypted using AES-128 in CTR mode, with Curve25519 elliptic-curve cryptography used for key protection. Ransom notes and data leak threats are delivered through Tor-based infrastructure.
INC ransomware operators obtain initial access through phishing campaigns, compromised credentials sourced from underground markets, or exploitation of exposed internet-facing vulnerabilities. Frequently exploited vulnerabilities include CVE-2023-3519 affecting Citrix NetScaler and CVE-2023-48788 impacting Fortinet FortiClient EMS. In some cases, access is acquired from initial access brokers, allowing operators to bypass early intrusion stages and immediately initiate internal activity. The infection chain is typically observed as follows:
The technical capabilities observed in INC ransomware operations are consistent with mature, human-operated ransomware campaigns. The malware supports encryption of Windows, Linux, and VMware ESXi systems, enabling impact across heterogeneous enterprise environments. Partial encryption is employed to increase operational disruption while reducing execution time by encrypting only critical portions of files. File contents are encrypted using AES-128 in CTR mode, while Curve25519 elliptic-curve cryptography is used to protect encryption keys.
The ransomware executes in a multi-threaded manner and dynamically adjusts execution based on available CPU resources to accelerate encryption. Encrypted files are appended with extensions associated with INC or Lynx variants, and ransom notes are distributed across impacted systems. To evade detection and maintain control, operators primarily rely on legitimate administrative tools and commonly available third-party utilities. Credential dumping is performed using tools such as Mimikatz, while PsExec, WMI, and remote access utilities are used for lateral movement and persistence. Security and recovery mechanisms are deliberately degraded through termination of endpoint protection, deletion of volume shadow copies, modification of boot configurations, and theft of backup credentials. Data is exfiltrated before encryption, frequently via cloud-based file transfer services, enabling sustained double-extortion pressure during ransom negotiations.
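As an added example (not code from the original report or from any INC/Lynx analysis tooling), the following Python script shows how the pre-encryption defense impairment described above can be surfaced from process-creation telemetry: it tags constructed Sysmon-style records for shadow copy deletion, boot configuration tampering and PsExec service execution, then raises confidence for hosts where several tags co-occur. The record field names and sample values are assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed process-creation records modelled on Sysmon Event ID 1 fields.
# Sample input for this example only; not telemetry from a real incident.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T02:14:05", "host": "FS01", "user": "CORP\\svc_backup",
     "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": "2024-05-01T02:14:07", "host": "FS01", "user": "CORP\\svc_backup",
     "cmd": "bcdedit.exe /set {default} recoveryenabled no"},
    {"ts": "2024-05-01T02:14:08", "host": "FS01", "user": "CORP\\svc_backup",
     "cmd": "bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"},
    {"ts": "2024-05-01T02:15:40", "host": "APP03", "user": "CORP\\svc_backup",
     "cmd": "C:\\Windows\\PSEXESVC.exe"},
    {"ts": "2024-05-01T09:00:00", "host": "WS22", "user": "CORP\\jdoe",
     "cmd": "vssadmin.exe list shadows"},  # benign enumeration, must not fire
]

# Each detection tag maps to a pattern over the process command line.
RULES = {
    "shadow_copy_deletion": re.compile(
        r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I),
    "boot_config_tamper": re.compile(
        r"bcdedit(\.exe)?.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I),
    "psexec_service": re.compile(r"\bpsexesvc\.exe\b", re.I),
}


def classify(event):
    """Return the set of detection tags whose pattern matches this event's command line."""
    return {tag for tag, pat in RULES.items() if pat.search(event["cmd"])}


def impairment_by_host(events):
    """Aggregate matched tags per host, dropping hosts with no detections."""
    seen = defaultdict(set)
    for ev in events:
        seen[ev["host"]] |= classify(ev)
    return {host: tags for host, tags in seen.items() if tags}


def high_confidence_hosts(events):
    """Hosts with two or more distinct impairment tags: the chained behaviour seen before encryption."""
    return sorted(h for h, tags in impairment_by_host(events).items() if len(tags) >= 2)


if __name__ == "__main__":
    for host, tags in impairment_by_host(SAMPLE_EVENTS).items():
        print(host, sorted(tags))
    print("high confidence:", high_confidence_hosts(SAMPLE_EVENTS))
```

In a real deployment the same aggregation would be keyed on a short time window as well as host, since the recovery-impairment commands land seconds apart, and a single tag on one host is usually worth triage rather than an automatic alert.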
INC is assessed as a financially motivated ransomware-as-a-service operation with no verified state sponsorship. Its tactics, techniques, and operational characteristics align with those commonly observed in established human-operated ransomware ecosystems. Reports of the INC source code being offered for sale in 2024 coincided with the emergence of the Lynx ransomware variant, which exhibits notable code and behavioral overlap. This activity suggests a direct evolutionary progression rather than the appearance of an unrelated threat actor.
INC ransomware continues to target medium-sized and large organizations across manufacturing, healthcare, information technology, and professional services sectors. The majority of publicly reported incidents have occurred in the United States, the United Kingdom, Canada, Australia, and Europe, with increasing activity observed in the Middle East. Campaigns demonstrate deliberate victim selection and reconnaissance, and no confirmed incidents have been publicly reported within Russia or CIS countries.
INC ransomware represents a persistent and evolving threat capable of causing significant operational and financial disruption. Its use of double extortion, deliberate targeting of domain infrastructure and backup systems, and continued evolution into the Lynx variant underscore the importance of treating these strains as a single threat family. Early detection, strong credential security, effective vulnerability management, resilient backup strategies, and rehearsed ransomware-specific incident response capabilities remain essential to minimizing impact and preventing full environment compromise.
Successful INC ransomware attacks result in widespread system encryption, extended operational disruption, and the potential exposure of sensitive or regulated data. Double extortion significantly increases financial, legal, and reputational risk, particularly for organizations handling customer, patient, or critical infrastructure data. Targeting domain controllers and backup systems complicates recovery efforts and prolongs business interruption.