Researchers Publish Findings on INC Ransomware-as-a-Service Activity: 830+ Victims

Another RaaS profile lands on defenders' desks — detection-engineering review for the week.

Share
Flat white line-art of a large magnifier over a document beside a simple lock and a tally counter card, on a Charcoal background — INC ransomware-as-a-service research disclosure.

Key Takeaways

  • Researchers at the Acronis Threat Research Unit (TRU) published a profile of INC, a ransomware-as-a-service (RaaS) operation, documenting more than 830 victims listed on its data-leak site since the group emerged in 2023.
  • The research places INC among the most active ransomware operations of 2026 and reports that United States organizations account for roughly 65 percent of listed victims, with legal services, manufacturing, technology, health care, and construction the most-targeted sectors.
  • For defenders the disclosure is a detection-engineering and sector-advisory item, not a fresh breach: it consolidates published indicators and tactics into a profile that security teams in the affected sectors can map against their own monitoring coverage.

Another RaaS profile lands on defenders' desks — detection-engineering review for the week.

SCHAFFHAUSEN, SWITZERLAND — Researchers at the Acronis Threat Research Unit (TRU) on June 17, 2026 published a detailed profile of INC, a ransomware-as-a-service (RaaS) operation that has grown from an emerging strain in 2023 into one of the most active ransomware brands of 2026. The report documents more than 830 victims listed on the group's data-leak site since it first appeared, and frames INC as a case study in how a RaaS operation can scale through familiar techniques rather than novel malware. For security teams, the publication arrives as a research-disclosure and detection-engineering item: a consolidated picture of an established threat, accompanied by published indicators that defenders can review against their own coverage.

The findings, which were also reported by The Hacker News and Dark Reading, position INC alongside the other high-volume ransomware operations defenders have tracked this year. It is the latest in a run of RaaS profiles to reach analysts' desks, following coverage of The Gentlemen and the broader churn of affiliate-based extortion crews. The practical question for most organizations is not whether INC is new — it is not — but whether the controls and detections already in place would catch the behaviors the research describes.

At a Glance
FieldDetails
OperationINC ransomware
ModelRansomware-as-a-service (RaaS), double extortion
Victims since 2023More than 830 listed on the data-leak site
Disclosed byAcronis Threat Research Unit (TRU)
Key sectorsLegal services, manufacturing, technology, health care, construction
StatusActive; among the most prolific RaaS operations of 2026

What the Research Published

The Acronis Threat Research Unit's report traces INC from its emergence in 2023 to its current standing as one of the most active ransomware-as-a-service (RaaS) operations of 2026. Discovered in mid-2023, INC operates a semi-private, affiliate-based model built around double extortion — the now-standard pairing of file encryption with the theft and threatened publication of victim data. According to the research, the operation has listed more than 830 victims on its data-leak site since it first appeared — a count of public listings on the group's own leak site rather than a verified total of compromised organizations — a tally that nonetheless places it firmly inside the top tier of ransomware brands tracked this year.

The researchers frame INC's rise less as a story of technical innovation than as one of scale through familiar methods. The report notes that the disruption of LockBit and the shutdown of BlackCat created openings in the ransomware ecosystem, and that affiliates and tooling migrated toward operations like INC in the aftermath. The disclosure also documents INC's wider influence on the landscape: following a reported 2024 sale of its source code, the research — as reported by The Hacker News — describes related strains, among them Lynx and Sinobi, emerging with significant code overlap, a lineage that has been documented by multiple research teams.

On the technical side, the report records that INC's Windows and Linux/ESXi encryptors have been rewritten in Rust, a change the researchers say eases cross-platform development and complicates analysis. The substance for defenders, though, sits in the report's victimology and indicators rather than in any single capability. The publication consolidates years of activity into one profile, and it is that consolidation — a named operation, a documented sector footprint, and a set of published indicators — that gives security teams something concrete to work from.

Sector-Advisory Posture for Organizations in the Affected Sectors

The research is most actionable for organizations in the sectors INC targets most heavily. The report identifies legal services, manufacturing, technology, health care, and construction as the leading sectors for 2026, a shift from the group's earlier concentration on education and health care. United States organizations account for roughly 65 percent of listed victims, with a long tail that the researchers describe as spanning Australia, Canada, Germany, and Taiwan among others.

For a law firm, manufacturer, or health system, the appropriate reading of a disclosure like this is sector-advisory: treat it as a prompt to confirm that baseline controls are in place, not as a signal of an imminent, targeted campaign. The research itself emphasizes that INC's intrusions rely on opportunistic methods — stolen or purchased credentials, phishing, and the exploitation of unpatched internet-facing services — rather than bespoke access. That profile is consistent with the broader pattern in which vulnerability exploitation and credential abuse dominate the initial-access stage across the ransomware ecosystem.

The practical implication is that the controls that blunt INC are the same controls that blunt most affiliate-driven extortion: multifactor authentication on remote access, prompt patching of edge devices and public-facing applications, and tested, offline or immutable backups. Acronis's own recommendations in the report center on these fundamentals — the 3-2-1 backup rule, endpoint detection and response, identity controls, network segmentation, and a disciplined patch program. None of that is specific to INC, which is precisely why a sector-advisory posture treats the disclosure as confirmation to verify existing hygiene rather than as a call for a one-off response to a single brand.

Detection-Engineering Review per the Published Indicators

Where a research disclosure becomes operational is in the detection-engineering review it enables. The Acronis report — characterized by Dark Reading as an operation that thrives by mastering the basics — publishes a set of indicators of compromise: file hashes for the Windows and Linux/ESXi payloads, network indicators for the group's leak-site and negotiation infrastructure, and YARA rules authored to match the Rust-compiled samples. For a detection engineer, the first pass is mechanical: ingest the published hashes and network indicators, confirm they are represented in current detection content, and check that any matching telemetry would surface for review rather than scroll past unexamined.

The more durable value lies a level above the indicators. Atomic indicators like hashes age quickly as operators recompile, so the stronger engineering exercise is to map the behaviors the research describes onto existing detections and ask where coverage is thin. The report documents an attack chain built largely from legitimate and dual-use tooling — discovery with built-in commands and common scanners, credential access against backup servers, lateral movement over standard remote-administration channels, and data staging before encryption. Each stage corresponds to detection opportunities that do not depend on recognizing INC specifically.

That behavior-first framing is the point of reviewing a profile like this. The published YARA rules and hashes give teams a quick way to confirm coverage of the known samples, but the lasting work is verifying that the tactics generalize: would unusual credential access against backup infrastructure generate a signal, are common scanning and remote-access tools monitored where they should not normally run, and would large-scale data staging or sudden encryption activity be caught early. A disclosure that prompts those questions has done its job regardless of how long any individual indicator stays current.

Coordination With Sector ISACs

Because INC's footprint clusters in identifiable sectors, the disclosure is also a natural input for the Information Sharing and Analysis Centers (ISACs) that serve those industries. ISACs exist to move exactly this kind of consolidated threat profile to the organizations most likely to need it, translating a vendor report into sector-specific advisories and shared detection content. Legal, health care, and manufacturing communities each maintain channels through which a profile like this can be circulated, contextualized, and matched against members' own observations.

For an individual organization, the coordination angle is twofold. The first is consumption: confirming that the security team receives and reviews relevant ISAC advisories, so a profile published by one research vendor reaches the people who tune detections and prioritize patching. The second is contribution: an organization that observes activity consistent with the published indicators can report it back through its ISAC, helping to validate or extend the picture the research describes. That two-way flow is what turns a single vendor disclosure into shared situational awareness across a sector.

None of this requires treating INC as exceptional. The value of routing the disclosure through sector channels is that it reaches defenders in a form they can act on — advisories framed for their industry, detection content vetted by peers, and a feedback loop that improves the collective picture over time. That is the ordinary, healthy lifecycle of a research disclosure, and it is how a profile of an established operation earns its place on the week's review list.

Open Questions

Several points are worth keeping in view without overstating them. The 830-plus figure reflects victims listed on INC's own data-leak site, a number the research presents as a count of public listings rather than a verified total of compromised or paying organizations; leak-site tallies are a useful proxy for activity but are not a precise measure of impact. The lineage between INC and related strains such as Lynx and Sinobi is described as code overlap following a reported source-code sale, and while that overlap has been documented by multiple teams, the exact relationships among the operators remain a matter of ongoing threat-intelligence analysis rather than settled fact.

What the disclosure does not assert is as important as what it does. The research does not name specific recent victims, claim figures for proceeds collected, or report indictments or arrests tied to the operation — and defenders should not infer any of those from the profile. The durable takeaway is narrower and more useful: an active RaaS operation with a documented sector footprint and a published set of indicators now sits in front of security teams, and the right response is the unglamorous one — verify backups and identity controls, review detection coverage against the published behaviors, and route the profile through the relevant sector channels. That is consistent with how defenders have handled prior enforcement and disclosure milestones, including the sentencing of a Karakurt negotiator earlier this year, where the practical work for organizations was confirming fundamentals rather than reacting to a single name.


The CyberSignal Analysis

The reported facts above are Acronis TRU's; what follows is The CyberSignal's editorial reading of what defenders should take from them. None of the judgments below are new reported facts.

Signal 01 — INC Thrives by Mastering the Basics, Not Inventing Them

The most useful frame for this profile is the one the research itself keeps circling: INC scaled not by inventing novel malware but by executing familiar tradecraft at volume. Stolen credentials, phishing, and unpatched internet-facing services carry the intrusions; a Rust rewrite of the encryptor is a maintenance choice, not a breakthrough. Our reading is that treating INC as a distinct threat to be countered brand-by-brand misreads the operation. It is better understood as a competent assembler of commodity techniques, which means the defenses that blunt it are the ones that blunt the entire affiliate-driven extortion field.

That reframing has a budgeting consequence. If the operation's edge is disciplined use of fundamentals, the defender's edge has to come from the same place — identity controls, patch cadence on edge devices, and tested backups — rather than from chasing a signature unique to one RaaS brand. A profile of an operation that masters the basics is, in effect, an argument for spending on the basics.

Signal 02 — Leak-Site Counts Measure Noise, Not Verified Compromise

The headline figure of more than 830 victims is a count of listings on INC's own data-leak site, and that distinction is worth holding onto. Leak-site tallies are a serviceable proxy for how active an operation is, but they are published by the extortionists themselves and are not a verified accounting of compromised, encrypted, or paying organizations. Our assessment is that defenders should read the 830-plus number as a signal of throughput and reach, not as a precise measure of impact — a duplicate, a stale entry, or an unpaid-ransom pressure tactic all inflate the same tally.

The practical caution is against letting a large round number drive triage. The right response to a high leak-site count is not alarm proportional to the figure but confirmation that the behaviors behind it — the credential abuse and edge exploitation the research describes — are covered. The count tells you an operation is busy; it does not tell you your own exposure, and the two should not be conflated.

Signal 03 — Detect the Fundamentals, Because the Indicators Age Faster Than the Behaviors

The published hashes and YARA rules are the perishable part of this disclosure. Operators recompile, and a Rust-built payload can be reissued faster than a detection keyed to its hash stays valid — which is precisely why the durable engineering work sits a level above the atomic indicators. Our view is that the lasting value of a profile like this is the behavior chain it documents: discovery with built-in tooling, credential access against backup servers, lateral movement over standard remote-administration channels, and bulk data staging before encryption.

For a detection engineer, the actionable interpretation is to test coverage against those stages rather than to bank on the indicator list. Would anomalous credential access to backup infrastructure raise a signal; are common scanners and remote-access tools monitored where they should not run; would large-scale staging or sudden encryption surface early. Detections built to those questions keep working after INC's next recompile, and they generalize to whatever brand fills the space when this one fades.


Sources

TypeSource
PrimaryAcronis Threat Research Unit — The evolution of INC ransomware
ReportingThe Hacker News
ReportingDark Reading
RelatedThe CyberSignal — The Gentlemen Ransomware: 478 Victims, Worm-Like Spread
RelatedThe CyberSignal — Karakurt Negotiator Sentenced to 102 Months