thehackernews.com web signal

INC Ransomware Reaches 830 Victims, Rewrites Encryptors in Rust

TL;DR

  • INC ransomware has claimed at least 830 victims since August 2023 and ranked fourth globally in Q1 2026 with over 120 incidents.
  • U.S. organizations make up more than 65% of victims, concentrated in legal services, manufacturing, healthcare, construction, and technology sectors.
  • INC's encryptors were rewritten in Rust for cross-platform deployment and now target Veeam backup credentials to eliminate the main recovery path.

When LockBit was disrupted and BlackCat shut down, the ransomware ecosystem didn't shrink; it shuffled. The Hacker News reports that INC ransomware-as-a-service has claimed at least 830 victims since August 2023, and according to Acronis researcher Darrel Virtusio, affiliate migration from those collapsed operations drove much of INC's expansion. Data compiled by ZeroFox places INC as the fourth most prolific ransomware group in Q1 2026 with over 120 incidents in a single quarter, behind Qilin, Akira, and a group called The Gentlemen.

The technical evolution is the more worrying thread. INC's Windows and Linux/ESXi encryptors have been rewritten in Rust, which facilitates cross-platform targeting and makes reverse engineering harder, a deliberate move to stay ahead of detection tooling. Alongside that, the group deploys an updated credential dumper specifically engineered to target newer Veeam backup deployments that use salted DPAPI credential encryption. Veeam is a common enterprise backup platform; targeting its credentials before encryption runs is a way of foreclosing the most obvious recovery path before victims even know they are under attack.

U.S. organizations account for more than 65% of listed victims, with legal services, manufacturing, construction, technology, and healthcare bearing the heaviest load. Those sectors share a common pressure point INC explicitly exploits: operational downtime creates a strong financial incentive to pay. Initial access arrives through spear-phishing, credentials purchased from initial access brokers, and exploitation of known vulnerabilities in Citrix NetScaler, Fortinet EMS, and SimpleHelp.

The honest caveat is that the 830-victim figure comes from INC's own data leak site, not an independent census, and the reporting provides no ransom demand figures or revenue estimates to gauge the financial scale of the operation. There is also no mention of law enforcement action targeting INC operators, so whether any disruption effort is underway remains unknown.

For defenders, the Veeam angle deserves immediate attention: backup access controls warrant the same scrutiny as domain administrator accounts. The specific CVEs named in the reporting, covering Citrix NetScaler, Fortinet EMS, and SimpleHelp, form a concrete patch priority checklist that costs nothing to act on today. Security vendors offering backup-specific monitoring or privileged access controls for Veeam have a clear product story to tell right now.