The INC ransomware group (also referred to as INC Ransom) emerged in mid-2023 and has established itself as a financially motivated ransomware operation targeting mid- to large-sized organizations. The group has been observed attacking sectors such as healthcare, manufacturing, technology, and government-related entities, often focusing on victims with complex enterprise environments.
INC uses a double extortion strategy, exfiltrating sensitive data prior to encrypting systems and threatening to publish stolen information on its leak site if ransom demands are not met. Initial access is commonly achieved through phishing, compromised credentials, and exploitation of exposed or unpatched services, followed by lateral movement using legitimate administrative tools to evade detection.
Technically, INC ransomware employs strong encryption and actively attempts to disable backups and security solutions, and its intrusions show signs of hands-on-keyboard activity, indicating a targeted and deliberate attack style. The group’s rapid rise and consistent activity highlight the continued effectiveness of enterprise-focused ransomware campaigns against organizations with insufficient credential protection, monitoring, or network segmentation.
