On June 17, 2026, the Acronis Threat Research Unit published an unusual snapshot of the global ransomware landscape: INC, a group active since 2023, broke into ZeroFox's global top 5 with 124 incidents in Q1 2026. The surprise isn't the ranking — it's the method. No zero-day exploits, no proprietary vulnerabilities, just an operational machine that turns established intrusion techniques into hundreds of victims.
- INC has claimed over 800 victims since 2023, including 124 in Q1 2026 alone, entering ZeroFox's global top 5 for the first time.
- Intrusion vectors are well-known techniques: spearphishing, valid credentials sourced from initial access brokers, and exploitation of already-cataloged vulnerabilities — CVE-2025-5777, CVE-2024-57727, CVE-2023-3519, and CVE-2023-48788.
- The malware, rewritten in Rust to resist reverse engineering, is distributed via a RaaS model with low barriers to entry for affiliates.
- Source code was sold in 2024 to at least three buyers; Lynx and Sinobi are assessed as operators of derived variants.
How It Infiltrates: A Playbook That Discards Nothing
INC's intrusion chain presents no technical anomalies. According to the cited report, the group gains entry through targeted spearphishing, valid credentials obtained from initial access brokers, and exploitation of known, unpatched vulnerabilities in target environments. The four CVEs documented in the analysis span different products: Citrix Bleed 2 (CVE-2025-5777), SimpleHelp RMM (CVE-2024-57727), Citrix NetScaler (CVE-2023-3519), and Fortinet EMS (CVE-2023-48788).
Post-exploitation, the discovery phase relies on common tools: ping, cmd.exe, Advanced IP Scanner, netscan. Credential theft occurs via base64-encoded scripts. Lateral movement leverages binaries already present on the system — living-off-the-land — while defense evasion uses EDR killers. Command-and-control communication employs red team tools and commercial remote access solutions.
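As an added defender-side example (not code from the Acronis or ZeroFox reports), the following Python triages process-creation events for two of the behaviours described above: execution of the discovery tools the report names, and base64-encoded PowerShell, which it decodes so an analyst can see what the script actually does. The event format, the sample events and the keyword lists are assumptions made for the example.

```python
import base64
import re
from typing import Dict, List, Optional

# PowerShell's -EncodedCommand and the abbreviations it accepts (-e, -ec, -enc ...).
ENCODED_FLAG = re.compile(r"-e(?:c|n\w*)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
# Discovery tooling named in the report, matched against the image basename only.
DISCOVERY_TOOLS = ("advanced_ip_scanner", "netscan")
# Assumed indicators: strings a routine admin script should not reference.
CREDENTIAL_HINTS = ("lsass", "ntds.dit")

def encode_ps(script: str) -> str:
    """Produce what powershell.exe -EncodedCommand expects: base64 of UTF-16LE."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")

def decode_ps(blob: str) -> Optional[str]:
    """Decode an -EncodedCommand payload; None if it is not valid base64/UTF-16LE."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def parse_event(line: str) -> Dict[str, str]:
    """Split 'key=value ... cmdline=...'; cmdline keeps the rest of the line."""
    head, _, cmd = line.partition(" cmdline=")
    fields = dict(tok.partition("=")[::2] for tok in head.split())
    fields["cmdline"] = cmd
    return fields

def triage(line: str) -> List[str]:
    """Return the reasons an event deserves analyst attention (empty if none)."""
    ev = parse_event(line)
    reasons: List[str] = []
    image = ev.get("image", "").rsplit("\\", 1)[-1].lower()
    if any(tool in image for tool in DISCOVERY_TOOLS):
        reasons.append(f"discovery tool executed: {image}")
    m = ENCODED_FLAG.search(ev["cmdline"])
    if m:
        decoded = decode_ps(m.group(1))
        if decoded is None:
            reasons.append("encoded PowerShell that fails to decode")
        else:
            reasons.append("encoded PowerShell: " + decoded[:60])
            if any(h in decoded.lower() for h in CREDENTIAL_HINTS):
                reasons.append("decoded script references credential material")
    return reasons

# Constructed sample events (not from the report); the script body is a harmless placeholder.
SAMPLE_EVENTS = [
    "host=WS01 user=jdoe image=C:\\Windows\\System32\\cmd.exe cmdline=cmd.exe /c ping -n 1 10.0.0.5",
    "host=WS01 user=jdoe image=C:\\Users\\jdoe\\Downloads\\netscan.exe cmdline=netscan.exe /range:10.0.0.0/24",
    "host=WS02 user=svc image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "cmdline=powershell.exe -nop -w hidden -enc " + encode_ps("Get-Process lsass | Out-File C:\\temp\\out.txt"),
]

if __name__ == "__main__":
    for line in SAMPLE_EVENTS:
        print(triage(line) or ["no finding"], "<-", line[:70])
```

The first event is plain living-off-the-land noise (cmd.exe and ping) and is deliberately not flagged; it shows why the encoded-command and tooling checks, not the binary names alone, carry the signal.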
Data exfiltration culminates in compressed archives uploaded to attacker-controlled cloud storage. INC practices double extortion: system encryption coupled with threats to publish stolen data.
Why High-Pressure Sectors Are the Perfect Target
"What makes INC particularly effective is its focus on sectors where disruption creates immediate pressure to restore operations"
— Santiago Pontiroli, threat intelligence research lead, Acronis
INC's declared targets — manufacturing, legal services, healthcare, technology, construction, education — share a common trait: operational disruption carries immediate, visible costs. In healthcare, an hour of downtime can halt operating rooms. In just-in-time manufacturing, stopping one line freezes the supply chain. Pontiroli explicitly notes that sector selection isn't random; the pressure mechanism itself makes the extortion effective.
The preference for organizations holding sensitive data further amplifies negotiating leverage. The operators don't need to encrypt everything; exfiltrating something sufficiently sensitive is enough to apply pressure.
Scalability as a Weapon: The Researchers' Thesis
If one element distinguishes INC from competitors, it isn't technical sophistication but the ability to replicate attacks at scale. Pontiroli states the thesis bluntly: "If there's one factor that best explains the group's success, it's scalability." The RaaS model with low entry barriers allows many affiliates to join, each bringing their own initial access and targets.
The malware's transition to Rust confirms the operational orientation. The language provides reverse-engineering resistance and cross-platform compatibility — versions exist for Windows and Linux/ESXi — without requiring esoteric development skills. It's an investment in code longevity, not showmanship.
The other scalability driver is code commercialization. In 2024, the source code was sold to at least three parties. Lynx and Sinobi are identified as operators of derived variants. This horizontal diffusion amplifies INC's footprint without the original group directly expanding its own infrastructure.
Top List Volatility: Growth, Contraction, Reconsolidation
Adam Darrah, ZeroFox's vice president of intelligence, adds a cautionary note on reading INC's success linearly. The Q1 2026 leaderboard — Qilin (338 incidents), Akira (197), The Gentlemen (192), INC (124) ahead of Cl0p — masks an uneven dynamic. "INC's trajectory, however, has been uneven — the contraction in late 2025 followed by a Q1 2026 surge probably reflects affiliate churn and re-consolidation rather than sustained organic growth."
This pattern differentiates INC from Qilin, which maintains a more pronounced technical profile. Darrah observes that "although INC doesn't have that same technical profile on paper as let's say Qilin, its Q1 2026 numbers suggest it's attracting affiliate volume at a competitive rate regardless." The ability to attract affiliates becomes the competitive metric, not payload elegance.
Why It Matters
The dossier does not specify remediation measures or dedicated countermeasures for INC's operational model. No data emerges on actual ransom volumes paid, nor on average dwell time before encryption. The exact extent of affiliate churn remains unknown, as does the precise number of active operators in the network.
The report documents no geopolitical connections or state sponsorship. It also does not clarify whether victims are distributed globally or concentrated geographically, beyond the indication of "primarily US-based organizations."
Regarding technical comparison, the report explicitly states that INC presents a lower technical profile than groups like Qilin. Its rise does not invalidate that assessment; it simply shows that technical profile alone is an insufficient predictor of impact.
For organizations, the message is structural. The techniques INC exploits — compromised credentials, unpatched systems, spearphishing — are the ones standard defenses should catch. The fact that a top-tier group emerges without zero-days doesn't diminish the threat; it concentrates it where defensive maturity traditionally lags.
Frequently Asked Questions
Does INC use obsolete techniques?
No. It uses established techniques — spearphishing, stolen credentials, exploitation of known vulnerabilities — that remain effective because corresponding defenses are not ubiquitous. The Acronis report explicitly emphasizes that effectiveness stems from systematic application, not novelty.
What is the difference between INC, Lynx, and Sinobi?
INC is the originating group. Lynx and Sinobi operate variants of the same source code, purchased in 2024. The dossier does not detail how these operators coordinate or compete for targets.
Why is Rust relevant for ransomware?
According to the cited report, the shift to Rust makes reverse engineering more difficult and enables compilation for multiple platforms from a single codebase. It's a maintainability and obfuscation choice, not an innovative offensive capability.
Information is based on the cited advisory and current as of publication.
Sources
- https://www.darkreading.com/cyberattacks-data-breaches/inc-ransomware-thrives-by-mastering-the-basics
- https://nvd.nist.gov/vuln/detail/CVE-2026-41940
- https://www.fortinet.com/resources/cyberglossary/national-vulnerability-database-nvd
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- https://nvd.nist.gov/vuln/detail/CVE-2026-20182
- https://nvd.nist.gov/vuln
- https://nvd.nist.gov/vuln/search
- https://nvd.nist.gov/vuln/categories
- https://nvd.nist.gov/vuln/data-feeds
- https://nvd.nist.gov/vuln/vendor-comments