Acronis Research Highlights Rapid Rise of INC Ransomware as One of the World's Most Active Cyber Threats
The latest Acronis Threat Research Unit (TRU) report reveals the rapid rise of INC ransomware into one of the world's most active cyber threats, with over 800 victims globally. The research highlights its evolving attack techniques, expanding affiliate network, and offers key recommendations to help organisations strengthen cyber resilience against increasingly sophisticated ransomware attacks.
The Acronis Threat Research Unit (TRU) has released new research detailing the rapid rise of INC ransomware from an emerging threat in 2023 to one of the world's most active ransomware groups in 2026. Since its emergence, INC ransomware has claimed more than 800 victims globally by leveraging advanced tooling, an expanding affiliate network, and increasingly sophisticated attack techniques targeting organisations across critical sectors.
The research provides an in-depth analysis of INC's evolution, attack chain, tooling, victim profile, and the latest tactics, techniques and procedures (TTPs) observed in recent campaigns.
According to the report, the disruption of major ransomware groups such as LockBit and the shutdown of BlackCat accelerated INC's growth, with affiliates shifting to alternative ransomware operations and strengthening its ecosystem. Researchers also found that both the Windows and Linux/ESXi variants of INC ransomware have been rewritten in Rust, enabling cross-platform development while making detection and analysis more challenging. The group's reach expanded further following the sale of its source code in 2024, contributing to the emergence of related ransomware families such as Lynx and Sinobi.
The report also highlights significant advancements in INC's attack toolkit. Recent incidents revealed the deployment of a modified credential-dumping tool capable of extracting credentials from newer Veeam backup environments by supporting Veeam's updated salted DPAPI encryption method. Attackers continue to rely on stolen credentials, phishing campaigns, exploitation of unpatched vulnerabilities, remote management tools, and living-off-the-land techniques to gain initial access, move laterally across networks, disable security controls, exfiltrate sensitive data, and ultimately deploy ransomware.
The United States accounts for more than 65% of all recorded victims, with legal services, manufacturing, technology, healthcare, and construction emerging as the most targeted sectors in 2026. By targeting industries where operational disruption carries severe financial and reputational consequences, INC ransomware maximises pressure on victims through double extortion tactics, combining data encryption with threats of public data exposure.
To mitigate the growing ransomware threat, Acronis recommends that organisations adopt a layered cybersecurity strategy, including secure and immutable backups, endpoint detection and response (EDR), multi-factor authentication (MFA), stronger identity and access controls, network segmentation, timely vulnerability management, and regular employee awareness training on phishing and social engineering. As ransomware operators continue to evolve their tactics, proactive cybersecurity measures remain essential to strengthening cyber resilience and minimising business disruption.