Full Report
Cybersecurity researchers have charted the evolution of INC from a nascent ransomware-as-a-service (RaaS) operation to one of the most prolific cybercrime groups in 2026, claiming no fewer than 830 victims since August 2023. "The disruption of LockBit and the shutdown of BlackCat created opportunities for INC to expand as affiliates migrated to alternative ransomware operations," Acronis
Analysis Summary
# Threat Actor: INC Ransomware (INC Ransom)
## Attribution & Identity
- **Name:** INC Ransomware (INC)
- **Aliases:** INC Ransom
- **Actor Type:** Ransomware-as-a-Service (RaaS) operation.
- **Associations:** Associated with former affiliates of major disrupted groups such as **LockBit** and **BlackCat (ALPHV)**. The group serves as a primary alternative for cybercriminals displaced by law enforcement actions against larger syndicates.
## Activity Summary
- **Operational Timeline:** Active since at least August 2023.
- **Expansion:** Transitioned from a nascent operation to a top-tier prolific threat by 2026.
- **Growth Driver:** Exploited a power vacuum in the RaaS market following the disruption of the "Big Two" (LockBit and BlackCat), leading to a rapid influx of experienced affiliates.
- **Total Impact:** Claimed at least 830 victims since its inception.
## Tactics, Techniques & Procedures
- **Ransomware-as-a-Service (RaaS):** Utilizes an affiliate model where the core developers provide the malware and negotiation infrastructure in exchange for a percentage of the ransom.
- **Double Extortion:** (Inferred) As a prolific RaaS group, INC exfiltrates sensitive data before encryption and uses it as leverage against victims who refuse to pay for decryption.
- **Affiliate Migration Patterns:** Incorporates diverse TTPs brought in by displaced affiliates from other major ransomware brands.
## Targeting
- **Sectors:** Cross-sector targeting; significant focus on industries previously targeted by LockBit and BlackCat affiliates.
- **Geography:** Global operations with a high volume of victims reported in Western economies.
- **Victims:** At least 830 claimed victims; specific organization names were not disclosed in the provided text.
## Tools & Infrastructure
- **Malware:** INC Ransomware variants (evolved from August 2023 codebase).
- **Communication:** Tor-based leak sites and negotiation portals.
- **Infrastructure:** Decentralized affiliate-run infrastructure for initial access and lateral movement.
## Implications
- **Market Consolidation:** INC's rise demonstrates the "hydra effect" in the cybercrime ecosystem; law enforcement pressure on primary groups can inadvertently fuel the growth of mid-tier groups.
- **Increased Professionalism:** The migration of veteran affiliates means INC likely possesses high-level capabilities in network penetration and negotiation.
- **Threat Escalation:** Its status as a "prolific" group in 2026 suggests a high operational tempo that poses a continuous threat to enterprise organizations.
## Mitigations
- **Phishing Defense:** Strengthen credential security through FIDO2-based Multi-Factor Authentication (MFA) to prevent initial affiliate access.
- **Vulnerability Management:** Prioritize patching of edge-facing equipment (VPNs, firewalls) that RaaS affiliates frequently exploit.
- **Data Resiliency:** Maintain offline, immutable backups to counter encryption, and develop a robust Data Loss Prevention (DLP) strategy to mitigate extortion risks.
- **Monitor for Lateral Movement:** Implement EDR/XDR solutions to detect common post-exploitation tools used by migrating affiliates (e.g., Cobalt Strike, Rclone, PowerShell scripts).