Overview
INC ransomware emerged as a distinct ransomware-as-a-service brand in 2023, built on a familiar RaaS shape: a core group develops and maintains the encryptor, the leak site, and the negotiation infrastructure, and a network of affiliates performs the initial access, lateral movement, and exfiltration that precede the encryption event. Per public industry reporting and victim-disclosure trackers, INC has grown into one of the more prolific RaaS operations through 2024 and 2025, with a victim count commonly cited in the high hundreds to low thousands since the group's emergence. The exact victim counts are difficult to pin down because affiliates vary in their leak-site discipline and because victim self-reporting is uneven, but the trajectory in public reporting is consistent: INC is one of the operations that defenders in 2026 are watching closely.
INC's operational profile tracks the broader 2024-2026 RaaS pattern: a heavy reliance on initial-access brokers and on access obtained through edge appliances and remote-access tools, double-extortion as the default monetization model (encrypt the victim's files and threaten to leak the stolen data), and a willingness to target organizations across sectors when the access is available. The group does not appear to have a strong sector specialization in the way that some RaaS operations do, which makes the threat model broad: any organization with internet-reachable remote access, unpatched edge appliances, or credentialed exposure is a potential target.
The interesting part of INC's operation, from a defender perspective, is not the encryptor or the leak site. The interesting part is the affiliate behavior that precedes the encryption event. INC affiliates use the same toolkit family that other RaaS affiliates use: Cobalt Strike or similar loaders for command and control, Mimikatz and similar tools for credential extraction, living-off-the-land binaries for lateral movement, and any of the well-known credential-dumping and persistence techniques. The defender response that holds up is the defender response that holds up against any RaaS operation that uses this toolkit family, not a response specifically tailored to INC's encryptor.
TTPs
Initial access for INC affiliates tracks the same channels that other RaaS operations rely on: exposed remote-access services (RDP, VPN, Citrix, Fortinet SSL-VPN, Pulse Secure, and similar), exploited edge appliances (the FortiSandbox, Ivanti Sentry, FortiOS, and Palo Alto Networks incidents in 2024-2026 have all produced affiliate access at various points), stolen credentials purchased from initial-access brokers, and phishing-driven credential capture. The access is opportunistic: affiliates buy and use whatever access is available, and the affiliate's role is to convert that access into a position where the encryptor can be deployed at scale.
Once inside, INC affiliates use standard post-exploitation tradecraft. Discovery is via built-in Windows utilities (net, nltest, dsquery), Sysinternals ADExplorer, and the occasional commercial or open-source tool (BloodHound, fed by its SharpHound collector, for Active Directory mapping). Credential dumping is via Mimikatz, Rubeus, or similar tools, with the dumped credentials stored for lateral movement and for the eventual encryption event. Lateral movement is via SMB, WinRM, RDP, and the abuse of any service account credentials that the operator can capture. Persistence is via scheduled tasks, services, registry run keys, and the abuse of legitimate remote-management tools that the victim already has deployed.
Exfiltration is the part that has become the operational centerpiece of modern RaaS, including INC. The affiliate's goal before encryption is to copy as much of the victim's data as possible to attacker-controlled infrastructure, because the double-extortion model depends on the threat to leak the data, not just to encrypt it. Exfiltration typically runs over the same channels the victim's network traffic uses (HTTPS to cloud storage, Mega, Dropbox, or similar), often staged to avoid the volume thresholds that would trigger an alert on a normal user account. The time between initial access and encryption is now commonly measured in weeks, which is the window in which the affiliate is mapping the environment, identifying the high-value data, and staging the exfiltration before the encryption event makes the victim aware that something is wrong.
Encryption itself is the part that gets the headlines, but by the time it runs, the affiliate has already won the operationally decisive part of the engagement. INC's encryptor, like other modern RaaS encryptors, is built for speed and scale: it enumerates reachable file shares and endpoints, encrypts in parallel, deletes shadow copies and backups where it can reach them, and leaves a ransom note with the contact and payment instructions. The encryption event is the affiliate's announcement that the operation has reached the monetization phase, not the start of the operation.
Known incidents
Public victim-disclosure trackers and industry reporting attribute several hundred incidents to INC since 2023, with the counts varying by tracker and by whether the tracker counts only leak-site postings or includes self-disclosed incidents. Sectors that appear prominently in INC reporting include healthcare, manufacturing, professional services, education, and local government, which is consistent with the broader RaaS pattern of targeting organizations with operational pressure to pay (healthcare, manufacturing downtime, public-sector disruption) and with weaker patch and backup postures than the financial sector.
The most useful public incidents for understanding INC's operational profile are not the largest; they are the ones where the affiliate's behavior before encryption was observed in enough detail to reconstruct the kill chain. The pattern that recurs across these incidents: initial access via an exposed or unpatched remote-access service, several weeks of quiet reconnaissance and credential harvesting, exfiltration of business-sensitive data (financial, customer, employee, operational), and then the encryption event. The detection opportunities are concentrated in the pre-encryption phase: the unusual authentication patterns, the credential dumping, the lateral movement, and the large outbound data transfers. The encryption event itself is the part that is hardest to stop once the affiliate is in position to run it.
Detection
Detection opportunities against INC and against RaaS operations of similar shape concentrate on the pre-encryption activity. The high-signal detection categories: unusual authentication patterns (logons at unusual times, from unusual geographies, with unusual user agents; impossible-travel; service accounts authenticating interactively); credential-dumping activity (LSASS access by non-antivirus processes, suspicious use of Mimikatz or Rubeus, suspicious access to the SAM and SECURITY registry hives); lateral movement (SMB and WinRM sessions between hosts that do not normally communicate, the use of administrative shares for file access, pass-the-hash and pass-the-ticket patterns); and exfiltration (large outbound data transfers, especially to cloud-storage destinations, especially by user accounts that do not normally transfer large volumes).
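An added example, not part of the original page, for the exfiltration category above, written with the staging behaviour from the TTPs section in mind: it totals cloud-storage uploads per account across the whole batch rather than per session, so daily chunks that each stay under a per-day threshold still surface against the account's weekly baseline. The proxy-log line format, the destination list, the thresholds and the baseline figures are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Assumed destination list; a real deployment would use the proxy's URL category.
CLOUD_STORAGE = ("mega.nz", "dropbox.com", "drive.google.com")
FLOOR_BYTES = 500 * 2**20   # below this weekly total we do not alert at all
RATIO = 10.0                # alert when the weekly total exceeds RATIO x baseline

def is_cloud_storage(host):
    return any(host == d or host.endswith("." + d) for d in CLOUD_STORAGE)

def staged_exfil(proxy_lines, baseline_weekly):
    """proxy_lines: 'ts user host bytes_out' records (constructed format).
    baseline_weekly: account -> typical bytes per week sent to cloud storage.
    Sums uploads per account over the batch so a transfer split into small
    daily chunks still shows up; returns account -> (total, largest_single_day)."""
    daily = defaultdict(lambda: defaultdict(int))
    for line in proxy_lines:
        ts, user, host, out = line.split()
        if is_cloud_storage(host):
            daily[user][datetime.fromisoformat(ts).date()] += int(out)
    flagged = {}
    for user, days in daily.items():
        total = sum(days.values())
        # Accounts with no baseline are treated as having none, so any total
        # above the floor is flagged.
        if total >= FLOOR_BYTES and total > RATIO * baseline_weekly.get(user, 0):
            flagged[user] = (total, max(days.values()))
    return flagged

# Constructed sample: rlee pushes 120 MiB/day for five days (each day quiet on its
# own), design1 does a normal large upload, jsmith talks to an internal host.
MiB = 2**20
SAMPLE_LINES = [
    f"2026-01-{12 + d:02d}T18:0{d}:00 rlee mega.nz {120 * MiB}" for d in range(5)
] + [
    f"2026-01-13T10:00:00 design1 www.dropbox.com {2048 * MiB}",
    f"2026-01-13T10:05:00 jsmith intranet.example {900 * MiB}",
]
SAMPLE_BASELINE = {"rlee": 10 * MiB, "design1": 3072 * MiB}

if __name__ == "__main__":
    for user, (total, peak_day) in staged_exfil(SAMPLE_LINES, SAMPLE_BASELINE).items():
        print(f"ALERT {user}: {total // MiB} MiB over the batch, peak day {peak_day // MiB} MiB")
```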
For organizations that operate honeypots or deception technology, INC's reconnaissance activity is a useful detection signal: any interaction with a deliberately-planted decoy file share, decoy credential, or decoy host is high-fidelity because the affiliate's normal activity does not include the decoy. The cost of deception technology is real but the signal-to-noise ratio is excellent for catching RaaS affiliates who are doing the kind of broad environment mapping that INC's playbook requires.
For organizations with less mature detection, the lowest-effort high-signal detection is on the authentication layer: alert on impossible-travel, on service-account interactive use, on bulk authentication failures from a single source, and on the use of any account that has not authenticated in a long time and suddenly starts authenticating heavily. These detections are cheap to implement, fire on most RaaS operations, and do not require deep endpoint visibility.
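As an added example (not code from the original page), a small Python batch detector over constructed Windows-style logon events that implements three of the authentication-layer rules above: interactive use of a service account, bulk failures from a single source, and a dormant account that suddenly authenticates heavily; impossible-travel is left out because it needs a geolocation source. The event fields, thresholds, account names and the last-seen baseline are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

INTERACTIVE_TYPES = {2, 10, 11}  # console, RDP and cached-interactive logons
FAIL_THRESHOLD = 5               # 4625 events from one source before alerting
DORMANT_DAYS = 90                # no successful logon for this long = dormant
BURST_LOGONS = 3                 # successes in one batch that count as heavy use

def detect(events, service_accounts, last_seen):
    """Return sorted (rule, subject) alerts for one batch of logon events.
    Events mirror Windows Security log fields (4624 success, 4625 failure,
    LogonType). last_seen maps account -> datetime of its last successful
    logon before this batch (a baseline the SIEM or AD would normally hold)."""
    alerts, failures, successes = set(), Counter(), defaultdict(list)
    for e in events:
        ts = datetime.fromisoformat(e["ts"])
        if e["id"] == 4625:
            failures[e["src"]] += 1
        elif e["id"] == 4624:
            successes[e["user"]].append(ts)
            if e["user"] in service_accounts and e["type"] in INTERACTIVE_TYPES:
                alerts.add(("service_account_interactive", e["user"]))
    for src, n in failures.items():
        if n >= FAIL_THRESHOLD:
            alerts.add(("bulk_auth_failures", src))
    for user, times in successes.items():
        if user in last_seen and len(times) >= BURST_LOGONS \
                and min(times) - last_seen[user] > timedelta(days=DORMANT_DAYS):
            alerts.add(("dormant_account_burst", user))
    return sorted(alerts)

# Constructed sample batch (not real telemetry): a service account used over RDP,
# six failures from one source, an account idle since June logging on three
# times, and one ordinary user logon that should stay quiet.
SAMPLE_EVENTS = [
    {"ts": "2026-01-10T02:14:00", "id": 4624, "user": "svc_backup", "src": "10.0.5.9", "type": 10},
    {"ts": "2026-01-10T09:01:00", "id": 4624, "user": "jsmith", "src": "10.0.7.21", "type": 2},
] + [
    {"ts": f"2026-01-10T02:{20 + i:02d}:00", "id": 4625, "user": f"user{i}", "src": "203.0.113.7", "type": 3}
    for i in range(6)
] + [
    {"ts": f"2026-01-10T03:{i:02d}:00", "id": 4624, "user": "old_contractor", "src": "10.0.9.3", "type": 3}
    for i in range(3)
]
SAMPLE_SERVICE_ACCOUNTS = {"svc_backup", "svc_sql"}
SAMPLE_LAST_SEEN = {"svc_backup": datetime(2026, 1, 9, 23, 0), "jsmith": datetime(2026, 1, 9, 17, 30),
                    "old_contractor": datetime(2025, 6, 1, 8, 0)}

if __name__ == "__main__":
    for rule, subject in detect(SAMPLE_EVENTS, SAMPLE_SERVICE_ACCOUNTS, SAMPLE_LAST_SEEN):
        print(f"ALERT {rule}: {subject}")
```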
Recommendations
Practical recommendations for defenders against INC and against RaaS operations of similar shape cluster into three layers. At the identity layer: enforce phishing-resistant multi-factor authentication (FIDO2 or hardware tokens, not push or SMS) on every remote-access service, every VPN, every administrator account, and every account with privileged reach. Disable accounts that are no longer in use. Rotate service-account credentials on a schedule, and treat any interactive use of a service account as a high-priority alert. The identity layer is the most cost-effective place to reduce RaaS affiliate success.
At the application and network layer: patch edge appliances and remote-access services on a short cycle, treat any externally-reachable appliance as compromised until you can demonstrate otherwise, and restrict the network reachability of management interfaces to a tightly-controlled management subnet. Disable internet-exposed RDP, SMB, WinRM, and similar services wherever they are not operationally required. Monitor for outbound connections to cloud-storage and file-sharing destinations from hosts that do not normally have a business reason to make those connections, and treat large outbound data transfers as high-priority alerts.
At the operations layer: verify backups against ransomware-relevant failure modes (the backup must be offline or immutable, the restore must be tested, the backup must not be reachable from the same authentication path as the production environment), rehearse the response to a ransomware event in tabletop form, and have a communications plan in place before the encryption event makes communications urgent. The organizations that recover from a RaaS incident without paying are the ones that have tested the restore path and have the communications plan ready, not the ones that have the best encryptor-blocking detection.
For policymakers and law-enforcement-adjacent defenders, the leverage points are the affiliate network and the monetization infrastructure. Disrupting the affiliate recruiting pipeline, identifying and seizing the cryptocurrency wallets that the group uses for payment, and taking down the leak-site infrastructure are all parts of the same picture: a financial and operational pressure campaign that complements the technical defender work. INC's affiliate network, like that of other RaaS operations, is a soft target because affiliates are motivated by payment and will rotate to other operations if the monetization path is degraded.