From emerging threat to top-tier ransomware-as-a-service: The evolution of INC ransomware
Essential information
- Published: 17/06/2026 15:38
- Modified: 17/06/2026 20:24
- Source / Author: AlienVault
- Confidence: 100/100
- Report type(s): threat-report
- Labels / Tags: cobalt strike cve-2023-3519 cve-2023-48788 cve-2024-57727 cve-2025-5777 data-leak-site double-extortion encryption inc lynx raas ransomware-as-a-service rust-based sinobi veeam-credential-dumping vmware-esxi
- Tags: 2026-06-17 CVE-2023-3519 CVE-2023-48788 CVE-2024-57727 CVE-2025-5777 cobalt strike data leak site double-extortion encryption inc lynx raas ransomware-as-a-service rust-based sinobi veeam-credential-dumping vmware esxi
- Related entities: 4 vulnerabilities (cve), 25 indicators, 25 observables, 1 intrusion sets (apt), 19 techniques (mitre), 4 malware, 9 others
Description
INC has evolved from an emerging ransomware-as-a-service operation into one of the most active groups in 2026, claiming over 800 victims since 2023. The disruption of LockBit and the shutdown of BlackCat created opportunities for INC to expand as affiliates migrated. Both the Windows and Linux/ESXi encryptors have been rewritten in Rust, enabling cross-platform development and increasing analysis complexity. Recent incidents reveal updated tooling, including a modified credential dumper targeting newer Veeam backup deployments with support for salted DPAPI encryption. INC's influence extends beyond its own operations: following the 2024 source code sale for $300,000, related families like Lynx and Sinobi emerged. United States organizations account for over 65% of victims, with legal services, manufacturing, construction, technology, and healthcare among the most targeted sectors.