EXECUTIVE SUMMARY
INC ransomware operates as a ransomware‑as‑a‑service platform run by an affiliate network that originated in Eastern Europe. The group delivers pure ransomware attacks, employing double extortion: it encrypts data and threatens public leakage of stolen files to force payment. Since 2023 it has focused on the United States, where legal services, manufacturing, technology, health‑care and construction firms represent the bulk of victims, while smaller numbers of incidents appear in Australia, Canada, Germany and Taiwan. The attackers’ primary objective is to encrypt critical data, steal confidential files, and pressure organizations into paying the ransom.
Initial access is typically achieved through phishing emails, compromised credentials sold on the dark web, or exploitation of unpatched edge devices and remote‑management services. Once a foothold is gained, the operators deploy a credential‑dumping script that extracts Veeam backup passwords, then move laterally using legitimate admin tools to locate high‑value servers. The ransomware payload, written in Rust, encrypts files on Windows workstations and Linux/ESXi hosts, deletes shadow copies, and simultaneously exfiltrates selected data to a remote server. Persistence is maintained via scheduled tasks and encrypted command‑and‑control channels that blend with normal network traffic.
The threat is significant because the group targets high‑profile enterprises, couples encryption with data theft, and uses a Rust‑based binary that evades many static detection methods. Victims often discover the breach only after critical systems are locked, leaving little time for recovery and increasing the likelihood of paying. Organizations should adopt a layered defence: enforce timely patching of all internet‑facing assets, segment networks to isolate backup infrastructure, require multi‑factor authentication for privileged accounts, and maintain immutable, offline backups that are regularly tested. Continuous monitoring for unusual credential‑dumping activity and restricting remote‑admin tools further reduce exposure.
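The monitoring the summary recommends can be made concrete as a small set of detection rules over process-creation logs covering three behaviours described above: shadow-copy deletion, scheduled-task persistence, and credential dumping aimed at Veeam backup credentials. The following is an added example, not code from the report or from any vendor; the log lines are constructed for the demo in a simplified key=value layout, the rule patterns are well-known defensive indicators rather than complete coverage, and the ATT&CK IDs T1490 and T1053.005 are standard identifiers added here (T1003 comes from the threat profile below). A host that trips two different rules within the same window is surfaced separately, since that combination is far more telling than any single hit.

```python
import re

# Detection rules: (name, ATT&CK technique, pattern applied to the command line).
# T1490 and T1053.005 are standard ATT&CK IDs added in this example; T1003 is
# taken from the report's threat profile. Patterns are illustrative indicators.
RULES = [
    ("shadow_copy_deletion", "T1490",
     re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete", re.I)),
    # Only tasks whose action lives in a user-writable path are flagged, to keep
    # routine administrative task creation out of the alert stream.
    ("scheduled_task_from_user_path", "T1053.005",
     re.compile(r"schtasks(?:\.exe)?\s+/create\b.*?/tr\s+\S*(?:\\Users\\Public\\|\\Temp\\|\\AppData\\)", re.I)),
    ("veeam_credential_access", "T1003",
     re.compile(r"veeam.*?(?:credential|password)", re.I)),
]

# key=value pairs; a quoted value may contain spaces (used for the command line).
FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')

# Constructed sample log lines (hypothetical hosts, users and paths).
SAMPLE_LOGS = [
    r'ts=2024-05-01T10:02:11Z host=WS01 user=jdoe image=C:\Windows\System32\cmd.exe cmdline="cmd.exe /c dir C:\Projects"',
    r'ts=2024-05-01T10:05:40Z host=FS01 user=SYSTEM image=C:\Windows\System32\vssadmin.exe cmdline="vssadmin.exe delete shadows /all /quiet"',
    r'ts=2024-05-01T10:06:02Z host=FS01 user=SYSTEM image=C:\Windows\System32\schtasks.exe cmdline="schtasks.exe /create /tn Updater /tr C:\Users\Public\svc.exe /sc minute /mo 5"',
    r'ts=2024-05-01T10:07:15Z host=BK01 user=backupadm image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline="powershell.exe -ExecutionPolicy Bypass -File C:\Temp\dump.ps1 -Product Veeam -Export Credentials"',
    r'ts=2024-05-01T10:09:00Z host=WS02 user=SYSTEM image=C:\Windows\System32\schtasks.exe cmdline="schtasks.exe /create /tn Backup /tr C:\Windows\System32\backup.exe /sc daily"',
]


def parse_line(line):
    """Turn one key=value log line into a dict, unquoting quoted values."""
    fields = {}
    for m in FIELD.finditer(line):
        key, raw, quoted = m.group(1), m.group(2), m.group(3)
        fields[key] = quoted if quoted is not None else raw
    return fields


def detect(lines):
    """Return one alert dict per (log line, rule) match, in log order."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        cmd = ev.get("cmdline", "")
        for name, technique, pattern in RULES:
            if pattern.search(cmd):
                alerts.append({
                    "rule": name,
                    "technique": technique,
                    "ts": ev.get("ts"),
                    "host": ev.get("host"),
                    "user": ev.get("user"),
                    "cmdline": cmd,
                })
    return alerts


def hosts_with_multiple_rules(alerts, min_rules=2):
    """Hosts that matched at least `min_rules` distinct rules: worth immediate triage."""
    seen = {}
    for a in alerts:
        seen.setdefault(a["host"], set()).add(a["rule"])
    return sorted(h for h, rules in seen.items() if len(rules) >= min_rules)


if __name__ == "__main__":
    hits = detect(SAMPLE_LOGS)
    for a in hits:
        print(f'{a["ts"]} {a["host"]} {a["rule"]} ({a["technique"]}): {a["cmdline"]}')
    print("hosts with multiple rule hits:", hosts_with_multiple_rules(hits))
```

In a real deployment the key=value parser would be replaced by the SIEM's own event schema and the rules would be tuned against a baseline of legitimate backup and administration activity; the structure (per-rule matching, then per-host correlation) carries over unchanged.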
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
|---|---|---|---|
| Initial Access | T1566 | Phishing | — |
| Initial Access | T1078 | Valid Accounts | — |
| Initial Access | T1190 | Exploit Public-Facing Application | — |
| Execution | T1059.001 | Command and Scripting Interpreter | PowerShell |
| Execution | T1059.003 | Command and Scripting Interpreter | Windows Command Shell |
| Defense Evasion | T1027 | Obfuscated Files or Information | — |
| Credential Access | T1003 | OS Credential Dumping | — |
| Discovery | T1018 | Remote System Discovery | — |
| Discovery | T1046 | Network Service Discovery | — |
| Lateral Movement | T1210 | Exploitation of Remote Services | — |
| Exfiltration | T1020 | Automated Exfiltration | — |
| Impact | T1486 | Data Encrypted for Impact | — |
REFERENCES:
The following reports contain further technical details:
https://cybersecuritynews.com/inc-ransomware-uses-rust-based-windows/
https://www.acronis.com/en/tru/posts/from-emerging-threat-to-top-tier-ransomware-as-a-service-the-evolution-of-inc-ransomware/