
INC Ransomware Hits 830 Victims via Rust Rewrites and Veeam Credential Theft
INC scaled to 830 victims through affiliate migration and routine tooling rather than advanced techniques. Evidence from Acronis and ZeroFox shows Rust payloads, Veeam credential dumping, and specific CVEs enabling cross-sector impact. The group's operational continuity depends on unpatched edge devices and on industries where downtime is costly.
The group deploys Rust-based Windows and Linux encryptors, an updated Veeam credential dumper bypassing salted DPAPI, and BYOVD drivers including filwfp.sys. Initial access chains exploit Citrix NetScaler CVE-2023-3519 and CVE-2025-5777, Fortinet EMS CVE-2023-48788, and SimpleHelp CVE-2024-57727, followed by Cobalt Strike, Rclone exfiltration, and partial encryption with multithreading. ZeroFox data places INC fourth in Q1 2026 incidents after Qilin, Akira, and The Gentlemen.
Acronis reporting and underground sales records show INC variants sold in May 2024 directly seeded Lynx and Sinobi, which retain identical encryption routines and command-line flags such as --esxi for virtual machine shutdown. This pattern indicates low-barrier replication rather than novel tradecraft, allowing rapid scaling across legal, manufacturing, construction, and healthcare sectors where downtime pressure drives payments.
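The following Python example, added here and not taken from the cited reporting, triages host telemetry for three artifacts named above: a load of filwfp.sys, Rclone execution, and a process started with --esxi. The event schema, host names, paths and the 24-hour correlation window are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry; the schema (ts/host/type/image/cmd) is an assumption.
EVENTS = [
    {"ts": "2026-06-01T02:10:00", "host": "bkp01", "type": "driver_load",
     "image": r"C:\Temp\filwfp.sys", "cmd": ""},
    {"ts": "2026-06-01T03:00:00", "host": "bkp01", "type": "process",
     "image": r"C:\Temp\rclone.exe", "cmd": "rclone.exe copy"},
    {"ts": "2026-06-01T04:00:00", "host": "esx-mgmt", "type": "process",
     "image": "/tmp/enc", "cmd": "/tmp/enc --esxi"},
    {"ts": "2026-06-01T09:00:00", "host": "lab02", "type": "process",
     "image": r"C:\Tools\rclone.exe", "cmd": "rclone.exe sync"},
    {"ts": "2026-06-04T09:00:00", "host": "lab02", "type": "driver_load",
     "image": r"C:\Temp\filwfp.sys", "cmd": ""},
    {"ts": "2026-06-01T10:00:00", "host": "ws07", "type": "process",
     "image": r"C:\Windows\System32\notepad.exe", "cmd": "notepad.exe"},
]

def classify(event):
    """Map one event to an indicator named in the article, or None."""
    image = event["image"].replace("\\", "/").rsplit("/", 1)[-1].lower()
    if event["type"] == "driver_load" and image == "filwfp.sys":
        return "byovd_driver"
    if event["type"] == "process" and image in ("rclone", "rclone.exe"):
        return "rclone"
    if event["type"] == "process" and "--esxi" in event["cmd"].lower().split():
        return "esxi_flag"
    return None

def triage(events, window=timedelta(hours=24)):
    """Per host, report the largest set of distinct indicators inside one window."""
    hits = defaultdict(list)
    for event in events:
        name = classify(event)
        if name:
            hits[event["host"]].append((datetime.fromisoformat(event["ts"]), name))
    report = {}
    for host, found in hits.items():
        best = set()
        for start, _ in found:
            # Distinct indicators from this hit up to `window` later.
            seen = {n for t, n in found if timedelta(0) <= t - start <= window}
            if len(seen) > len(best):
                best = seen
        report[host] = {"indicators": sorted(best),
                        "level": "high" if len(best) >= 2 else "review"}
    return report

if __name__ == "__main__":
    for host, result in sorted(triage(EVENTS).items()):
        print(host, result)
```

Matching on file names misses renamed binaries and drivers, so treat a hit as a triage lead and an absence as inconclusive.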
Mainstream coverage understates how standard living-off-the-land binaries combined with targeted backup server attacks produce sustained output without state-level tooling. Procurement and victim lists reveal consistent focus on supply-chain-adjacent firms, amplifying downstream exposure beyond single-organization breaches.
Continued Rust refactoring and RMM tool mixing point to incremental hardening against analysis, with affiliate migration likely to accelerate if additional RaaS platforms face law-enforcement takedowns.
Virtusio: INC victim count exceeds 1100 by December 2026 if current affiliate inflow holds.
Sources (2)
- [1] Primary Source (https://thehackernews.com/2026/06/inc-ransomware-claims-830-victims-since.html)
- [2] Supporting Source (https://www.acronis.com/en-us/blog/posts/inc-ransomware-analysis-2026)