INC Ransomware: From Emerging Threat to Top-Tier Cybercrime Operation
Cybersecurity researchers are tracking the rapid evolution of **INC**, a ransomware-as-a-service (RaaS) operation that has ascended to become one of the most active cybercrime groups. Since August 2023, **INC** has claimed over 830 victims, leveraging disruptions in other major ransomware groups like **LockBit** and **BlackCat** to expand its reach and affiliate network. The group's toolkit continues to evolve, featuring Rust-rewritten encryptors and targeted exploitation techniques.

Cybersecurity firm **Acronis** has detailed the significant growth of **INC** ransomware, highlighting its transformation from a nascent operation into a dominant force in the cybercrime landscape. **Darrel Virtusio**, an **Acronis** researcher, noted that the void left by the takedowns of **LockBit** and **BlackCat** provided **INC** with a fertile ground for expansion, attracting new affiliates.
### Targeted Sectors and Geographic Reach
The United States has been disproportionately affected, accounting for over 65% of **INC**'s listed victims. Key sectors under attack include legal services, manufacturing, construction, technology, and healthcare, industries where operational downtime quickly translates into severe financial pressure to pay.
### Evolving Toolset and Tactics
**INC**'s **Windows** and **Linux/ESXi** encryptors have been redeveloped in **Rust**, a move designed to facilitate cross-platform compatibility and enhance resistance against reverse engineering. The group's attacks are also characterized by an updated credential dumper capable of targeting newer **Veeam** backup deployments that utilize salted **DPAPI** credential encryption.
Furthermore, the sale of **INC**'s **Windows** and **Linux** variants on the cybercrime underground in May 2024 has led to the emergence of related ransomware families, such as **Lynx** and **Sinobi**, which exhibit significant code overlap.
**Acronis** observes that **INC** affiliates employ a diverse array of tools and techniques. Recent campaigns continue to exploit unpatched edge devices for initial access, exfiltrate credentials from **Veeam** backup servers, and lean on a combination of Living-Off-the-Land Binaries (**LOLBins**) and commercial Remote Monitoring and Management (**RMM**) tools for lateral movement, so that much of the intrusion blends in with routine administration.

### Common Attack Chain
The typical attack chain employed by the **INC** double extortion group involves several phases:
* **Initial Access**: Achieved through methods such as spear-phishing, purchasing account credentials from Initial Access Brokers (**IABs**), and exploiting vulnerabilities in public-facing applications. Notable vulnerabilities include **Citrix NetScaler** (**CVE-2023-3519** and **CVE-2025-5777**), **Fortinet EMS** (**CVE-2023-48788**), and **SimpleHelp** (**CVE-2024-57727**).
* **Credential Extraction**: Harvesting sensitive credentials from the compromised environment.
* **Lateral Movement**: Moving between hosts with native and administrative tooling (**LOLBins**) such as **RDP** and **PsExec**, which is hard to distinguish from legitimate admin activity.
* **Defense Evasion**: Employing the Bring Your Own Vulnerable Driver (**BYOVD**) technique with drivers such as `filwfp.sys`, `filnk.sys`, and `fildds.sys` to disable system defenses.
* **Command and Control (C2)**: Deploying tools like **Cobalt Strike**, **AnyDesk**, **ScreenConnect**, and **TeamViewer**.
* **Data Exfiltration**: Using **Rclone** to exfiltrate staged, password-protected archives of sensitive data.
* **Encryption**: Executing the encryptor, which exposes a command-line interface for greater operator control. Multithreading and partial (intermittent) encryption, which encrypts only part of each file, are used to speed up the process. When executed with the `--esxi` argument, it attempts to shut down virtual machines.
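The chain above can be turned into hunting logic. The following is an added example, not code from Acronis or from the INC toolkit: a small set of rules run over constructed Sysmon-style events. The event field layout, the host names, the encryptor file name `win.exe` and all paths are assumptions; the driver names, the use of **PsExec**, **Rclone** and password-protected archives, and the `--esxi` argument are the indicators the article reports.

```python
import json
import re
from pathlib import PureWindowsPath

# Constructed sample telemetry (not real logs). One JSON event per line, with field names
# modelled on Sysmon (EventID 1 = process creation, 6 = driver loaded) and on the Windows
# Security log (4697 = service installed). The layout is an assumption of this example.
SAMPLE_LOG = r'''
{"EventID": 6, "Host": "WS01", "ImageLoaded": "C:\\Windows\\Temp\\filwfp.sys"}
{"EventID": 1, "Host": "WS01", "Image": "C:\\Users\\Public\\rclone.exe", "CommandLine": "rclone.exe copy C:\\staging\\data.7z remote:bkp --config C:\\Users\\Public\\rc.conf"}
{"EventID": 1, "Host": "WS01", "Image": "C:\\Tools\\PsExec.exe", "CommandLine": "PsExec.exe \\\\FS01 -s -d cmd.exe /c C:\\Windows\\Temp\\win.exe"}
{"EventID": 4697, "Host": "FS01", "ServiceName": "PSEXESVC", "ServiceFileName": "%SystemRoot%\\PSEXESVC.exe"}
{"EventID": 1, "Host": "ESX-JUMP", "Image": "C:\\Windows\\Temp\\win.exe", "CommandLine": "win.exe --esxi"}
{"EventID": 1, "Host": "WS02", "Image": "C:\\Program Files\\7-Zip\\7z.exe", "CommandLine": "7z.exe a -pS3cret! C:\\staging\\data.7z D:\\Finance"}
{"EventID": 1, "Host": "WS03", "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe report.txt"}
'''

# Vulnerable driver names reported in the article (BYOVD stage).
BYOVD_DRIVERS = {"filwfp.sys", "filnk.sys", "fildds.sys"}


def parse_events(raw):
    """Parse one JSON event per non-empty line."""
    return [json.loads(line) for line in raw.splitlines() if line.strip()]


def _basename(path):
    # Windows paths regardless of the platform the hunt runs on.
    return PureWindowsPath(path).name.lower()


def rule_byovd(ev):
    if ev.get("EventID") == 6 and _basename(ev.get("ImageLoaded", "")) in BYOVD_DRIVERS:
        return "defense_evasion/byovd"


def rule_rclone(ev):
    if ev.get("EventID") == 1 and _basename(ev.get("Image", "")) == "rclone.exe":
        return "exfiltration/rclone"


def rule_psexec(ev):
    # Both the operator side (PsExec.exe launched) and the target side (PSEXESVC installed).
    if ev.get("EventID") == 1 and _basename(ev.get("Image", "")) in {"psexec.exe", "psexec64.exe"}:
        return "lateral_movement/psexec"
    if ev.get("EventID") == 4697 and ev.get("ServiceName", "").upper() == "PSEXESVC":
        return "lateral_movement/psexec_service"


def rule_esxi_flag(ev):
    # The encryptor's --esxi switch, regardless of the binary's (assumed) file name.
    if ev.get("EventID") == 1 and re.search(r"(^|\s)--esxi(\s|$)", ev.get("CommandLine", "")):
        return "impact/encryptor_esxi_flag"


def rule_staging_archive(ev):
    # Password-protected archive creation (7z/rar "-p<password>") ahead of Rclone exfiltration.
    if ev.get("EventID") == 1 and _basename(ev.get("Image", "")) in {"7z.exe", "rar.exe", "winrar.exe"}:
        if re.search(r"\s-p\S+", ev.get("CommandLine", "")):
            return "collection/password_protected_archive"


RULES = [rule_byovd, rule_rclone, rule_psexec, rule_esxi_flag, rule_staging_archive]


def hunt(events):
    """Return (host, tactic/technique tag, event) for every rule that fires."""
    hits = []
    for ev in events:
        for rule in RULES:
            tag = rule(ev)
            if tag:
                hits.append((ev.get("Host"), tag, ev))
    return hits


def chain_coverage(hits):
    """Group matched tags per host so an analyst sees how far along the chain each host is."""
    by_host = {}
    for host, tag, _ in hits:
        by_host.setdefault(host, set()).add(tag)
    return by_host


if __name__ == "__main__":
    for host, tag, ev in hunt(parse_events(SAMPLE_LOG)):
        detail = ev.get("CommandLine") or ev.get("ImageLoaded") or ev.get("ServiceName")
        print(f"{host:9} {tag:40} {detail}")
```

Each rule keys on a different phase, so a single host that trips the BYOVD, PsExec and Rclone rules in sequence is a far stronger signal than any one match; in a real deployment the driver-load rule should also check the driver's signer and load path, since the same file names can legitimately appear on hosts running the vendor's software.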
### Continued Growth and Impact
The findings underscore that ransomware groups can achieve significant scale by adhering to well-established techniques, often without relying on highly advanced tradecraft. Data from **ZeroFox** indicates that **INC** ransomware was the fourth most prominent ransomware group in Q1 2026, responsible for over 120 incidents, trailing only **Qilin**, **Akira**, and **The Gentlemen**.
**Acronis** emphasizes that **INC**'s continuous enhancement of its toolkit and strategic targeting of critical sectors like healthcare, legal services, and manufacturing create substantial pressure for victims to pay ransoms. This threat is further amplified by these sectors' reliance on uninterrupted operations and complex supply chains, increasing the risk of collateral damage across vendor and partner networks.