INC Ransomware: Tactics, Evolution, and Incident Response Guide

INC ransomware is a ransomware-as-a-service (RaaS) operation that emerged in mid-2023 and rapidly established itself as a significant threat to organizations worldwide. The group employs double extortion tactics (stealing sensitive data before encrypting systems) to maximize pressure on victims. This article provides an overview of INC ransomware’s operational characteristics, attack lifecycle, and practical guidance for response, recovery, and prevention.

INC ransomware operates as a RaaS platform, meaning the core developers provide the malware and infrastructure while different actors conduct intrusions in exchange for a share of ransom proceeds. The operation involves multiple actors rather than a small fixed team, with revenue shared between operators and other participants.

The group is financially motivated with no confirmed ties to state sponsorship. Communications and tactics are consistent with Eastern European ransomware operations, though definitive attribution remains uncertain. INC maintains leak sites on the Tor network where victim data is published if ransom payments are not made.

A distinguishing characteristic is INC’s cross-platform capability. The ransomware targets Windows systems, Linux servers, and VMware ESXi virtualization environments, enabling broad impact across enterprise infrastructure. The Linux variant, first observed in December 2023, includes ESXi-specific functionality.

In mid-2024, a ransomware variant called Lynx emerged with significant code overlap – approximately 48% overall similarity and up to 70% similarity in shared functions. Lynx appears to be a successor to INC, with strong code and behavioral overlap. This transition coincided with the sale of INC’s source code on underground forums between March and May 2024.

Organizations should treat INC and Lynx as part of the same threat lineage. Detection rules and indicators developed for INC remain relevant to Lynx activity.

INC ransomware incidents follow a structured, multi-stage pattern consistent with human-operated ransomware campaigns. Understanding this lifecycle helps organizations identify intrusions before encryption occurs.

Threat actors gain entry through several vectors. Phishing attacks targeting employees remain a common method, often delivering malicious attachments or credential-harvesting links. Stolen credentials purchased from underground markets or harvested by information-stealing malware provide another entry point.

Exploitation of vulnerabilities in internet-facing systems represents a significant access method. INC-related intrusions have leveraged CVE-2023-3519, a critical remote code execution vulnerability in Citrix NetScaler gateways. Some intrusions attributed to INC have involved exploitation of CVE-2023-48788, a SQL injection vulnerability in Fortinet FortiClient EMS.

Initial access brokers also play a role, selling pre-existing network access to ransomware operators. This allows attackers to bypass the intrusion phase entirely and proceed directly to internal operations.

After gaining access, attackers establish persistence and map the target environment. They employ living-off-the-land techniques, using built-in administrative tools to avoid detection. Commands such as net user /domain and net group /domain enumerate Active Directory accounts and groups.

Network scanning tools like Advanced IP Scanner identify additional systems. Attackers also query LDAP to inventory domain computers and locate critical assets, including domain controllers, file servers, and backup infrastructure.

Credential harvesting is central to this phase. Tools like Mimikatz extract credentials from memory, while custom scripts such as  VeeamCreds.ps1 target credentials used by backup software. Obtaining backup system access serves dual purposes: enabling privilege escalation and preparing to neutralize recovery options.

Armed with harvested credentials, attackers propagate across the network. PsExec and Windows Management Instrumentation (WMI) enable remote command execution on additional systems. Remote desktop tools, including AnyDesk and TightVNC, provide persistent access to compromised hosts.

The objective is domain administrator access, which provides full control over the environment. Attackers may create new administrative accounts or add compromised accounts to privileged groups. Security tools are disabled where possible – Process Hacker and a custom tool called ProcTerminator have been observed terminating security processes.

Before encryption, attackers exfiltrate sensitive data to use as leverage. Target data includes customer records, financial information, intellectual property, and executive communications. Files are typically compressed using 7-Zip before transfer.

Exfiltration often occurs via cloud storage services. MegaSync, which uploads data to Mega.nz, is used for data exfiltration in multiple incidents. Large transfers may occur overnight to complete before encryption is triggered.

With data stolen and access secured, attackers deploy the ransomware payload across the environment. The malware encrypts files on local drives, network shares, and virtual machine storage. To maximize speed, INC employs partial encryption – encrypting only portions of each file sufficient to render it unusable.

The ransomware uses AES-128 in CTR mode for file contents and Curve25519 elliptic-curve cryptography for key protection. Multi-threading accelerates the process, with the malware spawning threads proportional to the number of available CPU cores.

Ransom notes are delivered aggressively. Text and HTML files named “INC-README” appear in affected directories. The malware also attempts to print ransom messages to network printers and change desktop wallpapers. Encrypted files receive the .inc extension (or .LYNX in successor variants).

Victims are directed to Tor-based negotiation portals. The group maintains both a private communication site and a public leak blog where data is published if payment is not received.

INC ransomware has affected organizations across multiple sectors and geographies. Manufacturing and industrial companies are frequently targeted, likely due to their low tolerance for operational downtime. Professional services, technology firms, and healthcare organizations have also been affected.

Geographically, the United States accounts for a large share of disclosed victims, followed by the United Kingdom, Canada, Australia, and Germany. Incidents have been documented across Europe, Asia-Pacific, Latin America, and the Middle East. Notably, no publicly reported incidents have affected organizations in Russia or Commonwealth of Independent States countries, a pattern consistent with many Russian-speaking ransomware operations.

Target selection suggests deliberate reconnaissance. Victims tend to be medium to large enterprises with significant data assets, and the involvement of initial access brokers points to pre-selected, high-value targets.

The following indicators are associated with INC ransomware activity:

• File Extensions: .inc, .INC, .LYNX
  
• Ransom Note Filenames: INC-README.txt, INC-README.html
  
• Exploited Vulnerabilities: CVE-2023-3519, CVE-2023-48788
  
• Associated Tools: Mimikatz, Process Hacker, PsExec, AnyDesk, 7-Zip, MegaSync, Advanced IP Scanner
  
• Behavioral Indicators: Volume Shadow Copy deletion, Safe mode boot manipulation, Mass termination of SQL, backup, and security processes, Unusual administrative account creation or group membership changes, Large outbound data transfers to cloud storage services.

Organizations experiencing an INC ransomware incident should engage incident response resources immediately. The following framework provides guidance for containment through recovery.

Isolate affected systems from the network by disconnecting cables or disabling switch ports. If encryption is actively spreading, network isolation may limit the scope of damage. Avoid powering off systems immediately if forensic evidence collection is possible; memory contains data critical to the investigation.

Disable or reset any accounts suspected of compromise, particularly those with administrative privileges. If domain administrator credentials were obtained, assume broad compromise and plan for a comprehensive credential reset.

Determine which systems were accessed and what data may have been stolen. Digital forensics analysis of compromised systems helps reconstruct the attack timeline and identify all affected assets. Review authentication logs, EDR telemetry, and network traffic records.

Assess data exposure by identifying which file shares and databases were accessible to compromised accounts. Network logs showing large outbound transfers indicate likely exfiltration.

Rebuilding compromised systems from clean images is safer than attempting to clean infected machines, particularly for domain controllers and critical servers. All domain credentials should be reset, including the KRBTGT account (twice, per standard Active Directory breach procedures).

Remove any persistence mechanisms installed by the attackers, including unauthorized user accounts, scheduled tasks, services, and remote access tools.

Restore data from backups after validating backup integrity. Test restorations in an isolated environment before reconnecting to production networks. Return systems to production in stages, monitoring closely for signs of re-compromise.

Ransomware payment does not guarantee data safety. Attackers may retain copies of stolen data despite promises of deletion. The provided decryption tools may be incomplete or unreliable. Some jurisdictions restrict payments to sanctioned entities.

Organizations should evaluate payment decisions based on backup availability, operational impact, legal counsel, and law enforcement guidance. Engaging cyber insurance carriers early in the process is a critical part of how a company should handle a ransomware attack.

Defensive measures should address the specific techniques observed in INC ransomware operations.

Enforce multi-factor authentication on all remote access points, including VPNs, RDP gateways, and cloud services. Review privileged accounts regularly and remove unnecessary access. Service accounts should use strong, unique passwords and operate with the minimum necessary privileges.

Monitor for unusual authentication patterns: logins from unexpected locations, off-hours access, or a single account authenticating across many systems in a short period.

Prioritize patching for internet-facing systems. CVE-2023-3519 and CVE-2023-48788 should be addressed immediately where applicable. Reduce external attack surface by disabling unnecessary services and restricting RDP/SSH access from the internet.

Deploy web application firewalls and intrusion prevention systems to detect exploitation attempts against perimeter infrastructure.

Segment networks to contain lateral movement. Domain controllers, backup servers, and sensitive file shares should reside on isolated VLANs with restricted access. Workstations should not have direct access to server subnets unless explicitly required.

Maintain offline or immutable backups that ransomware cannot reach during an attack. Backup systems should use credentials separate from the primary domain. Test restoration procedures regularly to verify data integrity and measure recovery time.

The following actions address the INC ransomware attack patterns directly:

• Enforce MFA on all remote access (VPN, RDP, Citrix, cloud portals)
• Patch CVE-2023-3519 (Citrix NetScaler) and CVE-2023-48788 (Fortinet FortiClient EMS) if these products are deployed
• Restrict RDP and SSH exposure from the internet
• Segment domain controllers and backup servers on isolated VLANs
• Maintain offline or immutable backups with separate credentials
• Deploy EDR with detection for Mimikatz, PsExec, and VSS deletion
• Monitor for unusual admin account activity and off-hours authentication
• Block or monitor access to file-sharing services (Mega.nz) at the network perimeter
• Test backup restoration procedures quarterly
• Develop and rehearse a ransomware-specific incident response plan
• Have a reputable company on an incident response retainer

INC ransomware represents a capable and active threat that continues to evolve through its successor operation, Lynx. Organizations should monitor for tactical changes while maintaining defenses against the established attack patterns described above. Early detection during the reconnaissance and lateral movement phases offers the best opportunity to contain incidents before encryption occurs.

If you suspect data loss or network breach, or are looking for ways to compile digital evidence through forensics and eDiscovery services – our team can help.

Our expert advisor will contact you to schedule your free consultation.

You’ll receive a customized proposal or quote for approval.

Our specialized team immediately jumps into action, as time is critical.