- As of June 2026, INC ransomware has claimed over 800 victims globally since July 2023, ranking fifth among active ransomware operations and holding 6.2% market share in January 2026 alone.
- Both Windows and Linux/ESXi encryptors have been fully rewritten in Rust — creating a 2+ week detection gap on major threat intelligence platforms where new samples evade signature-based antivirus.
- INC exploits four known, patchable vulnerabilities (CVE-2023-3519, CVE-2023-4966, CVE-2023-35082, CVE-2024-4885) for initial access — every one has a vendor-issued patch available.
- INC's May 2024 source code sale for $300,000 to three buyers spawned derivative families Lynx and Sinobi, expanding the threat surface well beyond the original group.
The Threat: A Rust-Powered Payload and a 22-Second Window
22 seconds. According to Mandiant's M-Trends 2026 report, that is the average elapsed time between an initial access broker's network entry and the moment a ransomware affiliate begins deploying encryption. For INC ransomware — a group that Google News and Cryptika Cybersecurity both reported on June 20, 2026 as having completely rebuilt its encryptors in the Rust programming language — that number frames exactly how little defender reaction time remains once a foothold is established.
INC emerged in July 2023 and has since claimed over 800 victims worldwide, making it one of the most active Ransomware-as-a-Service (RaaS — a criminal model where a core developer team leases attack tools to affiliates who execute attacks and split ransom payments) operations globally. As of January 2026, Breachsense's monthly ransomware reporting placed INC fifth among all active operations, with 42 claimed victims that month representing a 6.2% market share. The United States absorbs 65.3% of all INC victims, with targeting concentrated in legal services, manufacturing, technology, healthcare, and construction — sectors selected with deliberate precision, not opportunism.
The technical evolution documented by Acronis Threat Research Unit is substantial. The Windows encryptor now contains 4,248 distinct functions, and both Windows and Linux/ESXi variants use Curve25519 elliptic curve cryptography for key exchange — a modern standard that makes decryption without the threat actor's private key computationally infeasible. Enhanced credential-dumping modules now specifically target newer Veeam backup deployments, exploiting salted DPAPI (Windows Data Protection API — the mechanism Windows uses to encrypt stored passwords and service credentials) to extract backup credentials and neutralize recovery options before encryption begins.
For initial access, INC's operators exploit four documented, patchable vulnerabilities: CVE-2023-3519 and CVE-2023-4966 in Citrix NetScaler (known collectively as the Citrix Bleed flaw), CVE-2023-35082 in SimpleHelp RMM (remote monitoring software widely deployed by managed service providers), and CVE-2024-4885 in WhatsUp Gold network monitoring software. Every single one has a vendor-issued patch.
Blast Radius: The Sectors Carrying Real Exposure
INC does not spray and pray. Acronis Threat Research Unit's documentation of the group's targeting evolution shows a calculated pivot from education in early 2023 toward legal services and regulated industries — specifically because those organizations, as Acronis characterized it, operate in "regulated, privacy-sensitive industries that often carry insurance" and are statistically more willing to pay ransoms rather than absorb the reputational cost of disclosed encryption events. The numbers reflect the strategy: in one 48-hour window in early 2026, INC claimed 10 law firms simultaneously on their dark web leak site — coordinated staging, not coincidence.
Healthcare carries disproportionate systemic exposure. Health-ISAC reported a 55% surge in healthcare cyber incidents in 2025, with ransomware ranked as the top threat vector. As of June 2026, healthcare accounts for 17% of all ransomware attacks across industries. INC's cross-platform Rust encryptors — capable of hitting ESXi hypervisors that underpin hospital virtualization infrastructure alongside Windows endpoints — make simultaneous infrastructure shutdown feasible with a single coordinated deployment. The blast radius on an unpatched hospital environment running ESXi and Citrix is significant.
There is also a proliferation problem extending beyond INC itself. In May 2024, INC sold its source code for $300,000 to three separate buyers. Two derivative ransomware families — Lynx and Sinobi — subsequently emerged with substantial code overlap. Security teams tracking INC as a discrete threat actor are now effectively managing an ecosystem of operationally similar tools in different criminal hands. Mandiant's broader framing: ransomware-related intrusions accounted for 13% of all its investigations in 2025, a figure that reflects how thoroughly RaaS has industrialized the threat landscape following Operation Cronos's takedown of LockBit and BlackCat's shutdown — disruptions that INC actively capitalized on by absorbing migrating affiliates.
Chart: Key ransomware exposure metrics as of June 2026. Sources: Breachsense, Health-ISAC, Mandiant M-Trends 2026.
Why Rust Breaks Signature-Based Detection
Rust's rise across ransomware groups is not a coincidence — it is a coordinated evasion strategy. BlackCat adopted it in 2021. Hive transitioned from Golang. Agenda has now struck over 1,400 victims as of January 2026. A new family called 01flip surfaced in June 2025 using the same approach. INC's complete rewrite of both encryptors follows this trajectory, and the practical consequence for defenders is a structural detection gap: new Rust-compiled samples routinely evade detection on platforms like VirusTotal for two or more weeks, because antivirus vendors' signature databases have not accumulated sufficient Rust malware samples to build reliable pattern recognition at scale. As Cryptika's analysis stated, the language "complicates the reverse engineering processes implemented by cybersecurity companies, making malware analysis more time-consuming and complex."
There is an AI dimension that cuts both ways. CrowdStrike's 2026 Global Threat Report documented adversaries exploiting legitimate GenAI tools at over 90 organizations — injecting malicious prompts to automate the generation of credential-stealing commands and, in some cases, exploiting AI development platforms to establish persistence and deploy ransomware payloads. Defenders are using the same AI tooling that attackers are probing for weaponization. As AI Shield Daily's coverage of the $60M AI agent authorization gap laid out, the question of what AI systems are permitted to execute autonomously is no longer an abstract governance problem — it is an active attack vector feeding ransomware deployment chains.
The Defense Stack: Three Layers That Actually Close This
Layer 1 — Patch the Documented Entry Points Now. CVE-2023-3519 and CVE-2023-4966 in Citrix NetScaler, CVE-2023-35082 in SimpleHelp RMM, and CVE-2024-4885 in WhatsUp Gold are INC's four documented initial access vectors. All carry available vendor patches. If any of these products are present and unpatched in your environment, you have a known-exploited vulnerability open to a top-five ransomware operation. Run an authenticated vulnerability scan this week and treat any positive result as emergency change control — not a routine sprint addition. These are not theoretical: Breachsense data shows INC claimed 42 victims in a single month using exactly these entry points.
Layer 2 — Shift Detection to Behavior, Not File Signatures. Given the 2+ week VirusTotal detection lag for fresh Rust-compiled samples, signature-based antivirus will not catch a new INC encryptor on day one. Endpoint detection tools configured to flag bulk file encryption activity, LSASS (the Windows Local Security Authority Subsystem Service — the process that stores credential hashes) access attempts, and mass Volume Shadow Copy deletion are behavioral indicators independent of file hash or signature that will catch INC's activity regardless of how the payload is compiled. Verify these behavioral detection rules are actively enabled and tested, not merely licensed. This is the compensating control that closes the Rust detection window.
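A minimal version of the three behavioral indicators named in Layer 2, written as an added example for this article rather than taken from it or from any EDR product. It assumes endpoint telemetry already normalized into a Sysmon-like event shape (the sample events are constructed), an allow list of your own EDR binaries for LSASS access, and tuned thresholds for write velocity:

```python
"""Behavior-based ransomware indicators over endpoint telemetry.

Added example for this article; it is not code from the article, from INC
analysis reports, or from any EDR vendor. The event records are a constructed,
Sysmon-like shape (event_id 1 = process create, 10 = process access,
11 = file create); mapping real telemetry into this shape is assumed.
"""
import re
from collections import defaultdict, deque

# Rule 1: shadow-copy deletion (ATT&CK T1490, Inhibit System Recovery).
SHADOW_DELETE_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
]

# Rule 2: LSASS handle opened by a process outside the allow list.
# The allow list is an assumption: fill it with your own EDR/AV binaries.
LSASS_ACCESS_ALLOW_LIST = {r"c:\program files\exampleedr\sensor.exe"}

# Rule 3: bulk file-write velocity from a single process.
# Thresholds are tuning assumptions; baseline them against backup and sync agents.
BULK_WRITE_THRESHOLD = 50
BULK_WRITE_WINDOW_S = 10.0


def detect(events):
    """Run the three behavioral rules over a list of event dicts.

    Returns alerts in timestamp order. None of the rules looks at a file hash or
    binary signature, so a freshly compiled payload is scored on what it does.
    """
    alerts = []
    recent_writes = defaultdict(deque)   # (host, pid) -> timestamps inside the window
    bulk_alerted = set()                 # alert once per (host, pid)
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["host"], ev["pid"])
        if ev["event_id"] == 1:
            cmd = ev.get("command_line", "")
            if any(p.search(cmd) for p in SHADOW_DELETE_PATTERNS):
                alerts.append({"rule": "shadow_copy_deletion", "host": ev["host"],
                               "pid": ev["pid"], "detail": cmd})
        elif ev["event_id"] == 10:
            target = ev.get("target_image", "").lower()
            source = ev.get("source_image", "").lower()
            if target.endswith("\\lsass.exe") and source not in LSASS_ACCESS_ALLOW_LIST:
                alerts.append({"rule": "lsass_access", "host": ev["host"],
                               "pid": ev["pid"], "detail": ev["source_image"]})
        elif ev["event_id"] == 11:
            window = recent_writes[key]
            window.append(ev["ts"])
            while window and ev["ts"] - window[0] > BULK_WRITE_WINDOW_S:
                window.popleft()
            if len(window) >= BULK_WRITE_THRESHOLD and key not in bulk_alerted:
                bulk_alerted.add(key)
                alerts.append({"rule": "bulk_file_write", "host": ev["host"],
                               "pid": ev["pid"],
                               "detail": f"{len(window)} files in {BULK_WRITE_WINDOW_S:.0f}s"})
    return alerts


def build_sample_events():
    """Constructed telemetry (not a real capture): a benign stream and a hostile one."""
    events = []
    # Benign: allow-listed EDR sensor opens LSASS; backup agent writes 20 files in 60 s.
    events.append({"ts": 0.0, "host": "ws-07", "pid": 900, "event_id": 10,
                   "source_image": r"C:\Program Files\ExampleEDR\sensor.exe",
                   "target_image": r"C:\Windows\System32\lsass.exe"})
    for i in range(20):
        events.append({"ts": 1.0 + 3.0 * i, "host": "ws-07", "pid": 1200, "event_id": 11,
                       "target_filename": rf"D:\backup\chunk{i:03d}.bak"})
    # Hostile: unknown binary opens LSASS, shadow copies are deleted, then one
    # process writes 60 files in 6 s.
    events.append({"ts": 100.0, "host": "ws-07", "pid": 4242, "event_id": 10,
                   "source_image": r"C:\Users\Public\update.exe",
                   "target_image": r"C:\Windows\System32\lsass.exe"})
    events.append({"ts": 101.0, "host": "ws-07", "pid": 4300, "event_id": 1,
                   "command_line": "vssadmin.exe delete shadows /all /quiet"})
    for i in range(60):
        events.append({"ts": 102.0 + 0.1 * i, "host": "ws-07", "pid": 4242, "event_id": 11,
                       "target_filename": rf"C:\Users\alice\Documents\report{i:03d}.docx.locked"})
    return events


if __name__ == "__main__":
    for alert in detect(build_sample_events()):
        print(alert)
```

Nothing in these rules references a hash or signature: the hostile stream is caught on what the process does, while the backup agent writing at a slower pace and the allow-listed sensor touching LSASS stay quiet. The thresholds and the allow list are where false positives get tuned out, which is why "enabled and tested" matters more than "licensed".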
Layer 3 — Harden Backup Infrastructure Against Targeted Attacks. INC's updated credential-dumping tooling specifically targets Veeam backup deployments via salted DPAPI extraction. "We have backups" is only a genuine compensating control if backup credentials cannot be reached from a compromised endpoint. Immutable backup copies stored outside the production network perimeter — with separate credential management isolated from the Windows domain — are the actual control here. Review whether Veeam or equivalent backup service credentials are derivable from a compromised Windows endpoint in your environment, and remediate any such exposure before an incident reveals it.
Ship This Control Today
Run an authenticated vulnerability scan targeting Citrix NetScaler, SimpleHelp RMM, and WhatsUp Gold instances in your environment. Cross-reference the output against CVE-2023-3519, CVE-2023-4966, CVE-2023-35082, and CVE-2024-4885. Any positive result goes to emergency change control immediately — not this Friday, not the next patch window. These are the documented, in-use initial access vectors for a group that claimed 42 victims in January 2026 alone and hit 10 law firms in a 48-hour window.
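The cross-reference step above as a script, added here as an example and not part of the article. It assumes a constructed JSON scan export (host, product, cves, authenticated); adapt load_findings() to your scanner's schema. Beyond matching the four CVEs, it also flags in-scope appliances that only returned a clean result from an unauthenticated scan, since that result does not establish that they are patched:

```python
"""Cross-reference vulnerability scan output against INC's four documented
initial access CVEs and route hits to emergency change control.

Added example for this article; it is not the article's own tooling. The
scanner export below is a constructed JSON shape (host, product, cves,
authenticated). Real scanners export their own schema, so load_findings() is
the function to adapt.
"""
import json

# The four CVEs the article names as INC's initial access vectors.
INC_INITIAL_ACCESS_CVES = {
    "CVE-2023-3519": "Citrix NetScaler",
    "CVE-2023-4966": "Citrix NetScaler",
    "CVE-2023-35082": "SimpleHelp RMM",
    "CVE-2024-4885": "WhatsUp Gold",
}

# Products whose lack of findings only counts if the scan was authenticated.
IN_SCOPE_PRODUCT_KEYWORDS = ("netscaler", "simplehelp", "whatsup")

# Constructed sample export: hostnames and results are invented for the example.
SAMPLE_SCAN_JSON = json.dumps([
    {"host": "ns-edge-01.example.internal", "product": "Citrix NetScaler ADC",
     "cves": ["CVE-2023-4966", "CVE-2023-3519"], "authenticated": True},
    {"host": "ns-edge-02.example.internal", "product": "Citrix NetScaler ADC",
     "cves": [], "authenticated": False},
    {"host": "rmm-01.example.internal", "product": "SimpleHelp",
     "cves": ["CVE-2023-35082"], "authenticated": False},
    # "CVE-0000-0001" is a placeholder id standing in for an unrelated finding.
    {"host": "mon-01.example.internal", "product": "WhatsUp Gold",
     "cves": ["CVE-2024-4885", "CVE-0000-0001"], "authenticated": True},
    {"host": "fs-01.example.internal", "product": "Windows Server 2022",
     "cves": [], "authenticated": True},
])


def load_findings(raw_json):
    """Parse the scanner export into a list of per-host dicts. Adapt per scanner."""
    return json.loads(raw_json)


def triage(findings):
    """Split scanned hosts into two work queues.

    emergency: at least one of the four CVEs confirmed; goes to emergency change
               control, sorted so the hosts with the most confirmed CVEs lead.
    rescan:    an in-scope product that returned no hit from an unauthenticated
               scan; an unauthenticated null result cannot be treated as clean.
    """
    emergency, rescan = [], []
    for f in findings:
        hits = sorted(set(f.get("cves", [])) & INC_INITIAL_ACCESS_CVES.keys())
        product = f.get("product", "").lower()
        in_scope = any(k in product for k in IN_SCOPE_PRODUCT_KEYWORDS)
        if hits:
            emergency.append({"host": f["host"], "cves": hits,
                              "products": sorted({INC_INITIAL_ACCESS_CVES[c] for c in hits})})
        elif in_scope and not f.get("authenticated", False):
            rescan.append(f["host"])
    emergency.sort(key=lambda e: (-len(e["cves"]), e["host"]))
    return {"emergency": emergency, "rescan": rescan}


def render(result):
    """Plain-text ticket summary, one line per host."""
    lines = [f"EMERGENCY {e['host']}: {', '.join(e['cves'])} ({', '.join(e['products'])})"
             for e in result["emergency"]]
    lines += [f"RESCAN-AUTHENTICATED {h}" for h in result["rescan"]]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(triage(load_findings(SAMPLE_SCAN_JSON))))
```

In the constructed sample, rmm-01 still lands in the emergency queue even though it was scanned without credentials: a positive finding is a positive finding. Only a clean unauthenticated result on an in-scope appliance (ns-edge-02) is downgraded to "rescan with credentials" instead of being accepted as patched.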
In my analysis, INC's Rust rewrite is the clearest signal that this group is making a long-term infrastructure investment, not running a short operational scheme before exit. The cross-platform ESXi targeting, the Veeam-specific credential harvesting, and the ecosystem expansion through source code sales to three buyers all point to a threat actor planning for scale and durability. Security awareness training that helps employees recognize credential-phishing lures — INC's lateral movement relies heavily on harvested credentials after initial access — remains the human-layer control no patch cycle replaces, and it costs far less than any ransom negotiation.
Frequently Asked Questions
What is INC ransomware and how does it gain initial access to corporate networks?
INC is a Ransomware-as-a-Service (RaaS) operation that emerged in July 2023 and has claimed over 800 victims globally as of June 2026. The group's affiliates gain initial access primarily by exploiting known vulnerabilities: CVE-2023-3519 and CVE-2023-4966 in Citrix NetScaler (the Citrix Bleed family of flaws), CVE-2023-35082 in SimpleHelp RMM (remote monitoring software widely deployed by IT service providers), and CVE-2024-4885 in WhatsUp Gold network monitoring software. Initial access brokers — criminal intermediaries who sell pre-compromised network credentials — also supply the group with footholds. All four CVEs carry available vendor patches, making unpatched environments the primary exposure point.
Why are ransomware groups rewriting their tools in Rust and how long does it take for antivirus to catch new samples?
Rust offers ransomware developers three structural advantages: it compiles cross-platform from a single codebase (enabling simultaneous Windows and Linux/ESXi targeting), it produces memory-safe code that reduces self-inflicted bugs in attack tooling, and antivirus signature databases have limited coverage of Rust-compiled malware because the language is relatively new in malicious contexts. New Rust-compiled samples from groups like INC can remain undetected on platforms like VirusTotal for two or more weeks. The practical implication for defenders: signature-based antivirus is insufficient as a primary ransomware control against these tools. Behavioral detection rules that flag bulk encryption activity, mass shadow copy deletion, and LSASS access are the compensating controls that catch INC's activity regardless of compilation language.
Should a business pay the ransom if hit by INC ransomware or a derivative like Lynx or Sinobi?
Law enforcement agencies including the FBI and CISA consistently advise against ransom payment. Payment does not guarantee full data recovery, does not prevent re-entry through the same unpatched vulnerabilities, and may carry legal risk if the ransomware operator or affiliated entity is under government sanctions. In INC's specific case, the May 2024 sale of the group's source code to three separate buyers means derivative operations Lynx and Sinobi now operate similar tooling independently — paying INC does nothing to address those affiliated threat actors or remove their access if they are the ones who encrypted your environment. The more durable investment is pre-incident: tested backup recovery procedures, pre-negotiated incident response retainers, and cyber insurance coverage reviewed specifically for ransomware payment and business interruption terms before an attack occurs.
How can IT teams protect VMware ESXi hypervisor environments from Rust-based ransomware like INC?
ESXi environments face concentrated risk because INC's Linux/ESXi encryptor can simultaneously encrypt virtual machines across an entire hypervisor host, making a single compromised management interface a high-impact target. Key controls include: network segmentation that prevents direct ESXi management interface (typically TCP 443 and 902) access from general user networks; two-factor authentication on vCenter and ESXi management consoles; immutable or offline VM snapshot storage in a network segment isolated from the production vSphere environment; and monitoring of ESXi logs for unusual virtual machine power-off events followed by bulk datastore file modifications — a behavioral signature of hypervisor-targeted encryption. Ensure ESXi hosts are running current VMware security patches on their own patching cadence, independent of the Windows endpoint patch cycle.
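The log-correlation signature in the last answer, as an added example that is not from the article or from VMware. It works on already-normalized events (timestamp, host, kind, VM name or datastore path); turning vCenter events or ESXi host logs into that shape is assumed, as are the thresholds:

```python
"""Correlate hypervisor events into the sequence the FAQ describes: a burst of
VM power-offs followed by bulk datastore file modification on the same host.

Added example for this article; it is not code from the article or from VMware.
Events are already-normalized dicts (ts in seconds, host, kind, vm or path);
normalizing them from vCenter events or ESXi hostd/vobd logs is assumed and not
shown. Thresholds are tuning assumptions.
"""
from collections import defaultdict


def correlate(events, poweroff_min=3, poweroff_window_s=60.0,
              write_min=20, write_window_s=120.0):
    """Return one alert per host where >= poweroff_min VMs are powered off within
    poweroff_window_s and >= write_min datastore writes follow within
    write_window_s of the first power-off in that burst.

    A planned patch cycle that powers off many VMs without a write storm does not
    match; neither does a backup job that writes heavily without power-offs.
    """
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_host[ev["host"]].append(ev)

    alerts = []
    for host, evs in by_host.items():
        poweroffs = [e for e in evs if e["kind"] == "vm_poweroff"]
        write_times = [e["ts"] for e in evs if e["kind"] == "datastore_write"]
        for i, first in enumerate(poweroffs):
            burst = [p for p in poweroffs[i:] if p["ts"] - first["ts"] <= poweroff_window_s]
            if len(burst) < poweroff_min:
                continue
            writes = [t for t in write_times
                      if first["ts"] <= t <= first["ts"] + write_window_s]
            if len(writes) >= write_min:
                alerts.append({"host": host, "start_ts": first["ts"],
                               "vms": sorted({p["vm"] for p in burst}),
                               "poweroffs": len(burst), "writes": len(writes)})
                break   # one alert per host is enough to page on
    return alerts


def build_sample_events():
    """Constructed event stream (not a real capture) for three hosts."""
    events = []
    # esx-01: two VMs shut down for maintenance, a handful of datastore writes.
    for n, ts in enumerate((0.0, 30.0)):
        events.append({"ts": ts, "host": "esx-01", "kind": "vm_poweroff", "vm": f"app-{n:02d}"})
    for i in range(5):
        events.append({"ts": 40.0 + i, "host": "esx-01", "kind": "datastore_write",
                       "path": f"/vmfs/volumes/ds1/app-00/app-00-{i}.vmdk"})
    # esx-02: six VMs powered off in 20 s, then 40 datastore writes inside a minute.
    for n in range(6):
        events.append({"ts": 1000.0 + 4.0 * n, "host": "esx-02", "kind": "vm_poweroff",
                       "vm": f"db-{n:02d}"})
    for i in range(40):
        events.append({"ts": 1025.0 + 1.5 * i, "host": "esx-02", "kind": "datastore_write",
                       "path": f"/vmfs/volumes/ds2/db-{i % 6:02d}/disk-{i}.vmdk"})
    # esx-03: four VMs powered off for a host reboot, almost no datastore writes.
    for n in range(4):
        events.append({"ts": 2000.0 + 2.0 * n, "host": "esx-03", "kind": "vm_poweroff",
                       "vm": f"web-{n:02d}"})
    for i in range(3):
        events.append({"ts": 2010.0 + i, "host": "esx-03", "kind": "datastore_write",
                       "path": f"/vmfs/volumes/ds3/web-00/web-00-{i}.vmdk"})
    return events


if __name__ == "__main__":
    for alert in correlate(build_sample_events()):
        print(alert)
```

Requiring the two-step sequence rather than either event class alone is what keeps this usable: in the constructed sample only esx-02 fires, while the maintenance shutdown on esx-01 and the host reboot on esx-03 stay quiet. Window sizes and counts should be baselined against your own patch and backup schedules before the rule pages anyone.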
Disclaimer: This article is editorial commentary based on publicly reported threat intelligence and is intended for informational purposes only. It does not constitute professional security consulting or legal advice. Specific remediation decisions should be made in consultation with qualified cybersecurity professionals familiar with your organization's environment. Research based on publicly available sources current as of June 20, 2026.