New Delhi, Acronis Threat Research Unit (TRU) has released new research examining the evolution of INC ransomware globally, highlighting its rapid evolution from an emerging threat in 2023 to one of the most active ransomware groups in 2026. The latest research reveals that INC ransomware has claimed more than 800 victims worldwide since its emergence, leveraging advanced tooling, affiliate expansion and increasingly sophisticated attack techniques to target organisations across critical sectors. This further examines INC’s evolution, attack chain, tooling, victimology and the latest tactics, techniques and procedures (TTPs) observed in recent intrusions.
Based on the report, the disruption of major ransomware groups such as LockBit and the shutdown of BlackCat have accelerated INC’s growth, with affiliates migrating to alternative ransomware operations and strengthening its ecosystem. Researchers observed that both the Windows and Linux/ESXi variants of INC ransomware have been rewritten in Rust, enabling cross platform development while increasing the complexity of detection and analysis. The group’s influence has further expanded following the sale of its source code in 2024, which contributed to the emergence of related ransomware families including Lynx and Sinobi.
TRU researchers also uncovered significant advancements in INC’s attack toolkit. New incidents revealed the deployment of a modified credential dumping tool capable of extracting credentials from newer Veeam backup environments through support for Veeam’s updated salted DPAPI encryption method. The ransomware operators continue to rely on a combination of stolen credentials, phishing campaigns, exploitation of unpatched vulnerabilities, remote management tools and living-off-the-land techniques to gain access, move laterally across networks, disable security controls, and exfiltrate sensitive data before encryption.
It moreover highlights that the United States accounts for more than 65% of all recorded victims, with legal services, manufacturing, technology, healthcare and construction emerging as the most targeted sectors in 2026. By focusing on industries where operational disruption can have severe financial and reputational consequences, INC ransomware maximises pressure on victims through double extortion tactics, combining data encryption with threats of public data exposure.
To reduce the risk posed by evolving ransomware operations such as INC, Acronis recommends that organisations adopt a layered cybersecurity strategy that includes maintaining secure and immutable backups, implementing endpoint detection and response solutions, enforcing multi-factor authentication, strengthening identity and access controls, segmenting networks, promptly addressing vulnerabilities, and regularly educating employees about phishing and social engineering threats. As ransomware operators continue to refine their tools and tactics, proactive security measures remain critical to improving cyber resilience and minimising business disruption.
For more information and additional insights, visit:
Disclaimer: The above press release has been provided by Consocia Advisory. CXO Digital Pulse holds no responsibility for its content in any manner. Reproduction or Copying in part or whole is not permitted unless approved by author.
 has released new research examining the evolution of INC ransomware globally, highlighting its rapid evolution from an emerging threat in 2023 to one of the most active ransomware groups in 2026){kind=link}