{
  "name": "From emerging threat to top-tier ransomware-as-a-service: The evolution of INC ransomware",
  "slug": "from-emerging-threat-to-top-tier-ransomware-as-a-service-the-evolution-of-inc-ransomware",
  "description": "INC has evolved from an emerging ransomware-as-a-service operation into one of the most active groups in 2026, claiming over 800 victims since 2023. The disruption of LockBit and the shutdown of BlackCat created opportunities for INC to expand as affiliates migrated. Both the Windows and Linux/ESXi encryptors have been rewritten in Rust, enabling cross-platform development and increasing analysis complexity. Recent incidents reveal updated tooling, including a modified credential dumper targeting newer Veeam backup deployments with support for salted DPAPI encryption. INC's influence extends beyond its own operations; following the 2024 source code sale for $300,000, related families like Lynx and Sinobi emerged. United States organizations account for over 65% of victims, with legal services, manufacturing, construction, technology, and healthcare among the most targeted sectors.",
  "published": "2026-06-17T13:38:13.113000+00:00",
  "created_at": "2026-06-17T20:24:24.827000+00:00",
  "modified_at": "2026-06-17T18:24:24+00:00",
  "created_at_opencti": "2026-06-17T20:24:24.827000+00:00",
  "author": "AlienVault",
  "confidence": 100,
  "report_types": [
    "threat-report"
  ],
  "labels": [
    "cobalt strike",
    "cve-2023-3519",
    "cve-2023-48788",
    "cve-2024-57727",
    "cve-2025-5777",
    "data-leak-site",
    "double-extortion",
    "encryption",
    "inc",
    "lynx",
    "raas",
    "ransomware-as-a-service",
    "rust-based",
    "sinobi",
    "veeam-credential-dumping",
    "vmware-esxi"
  ],
  "tags": [
    "2026-06-17",
    "CVE-2023-3519",
    "CVE-2023-48788",
    "CVE-2024-57727",
    "CVE-2025-5777",
    "cobalt strike",
    "data leak site",
    "double-extortion",
    "encryption",
    "inc",
    "lynx",
    "raas",
    "ransomware-as-a-service",
    "rust-based",
    "sinobi",
    "veeam-credential-dumping",
    "vmware esxi"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "1d10d8f5a420d0e4683b4cb40bcf0c984d1e7ea1f3b4442a00a525584632ac11"
      },
      {
        "id": "",
        "name": "dc9938f51150d13a69fc25f3f19052eacb1bf0a086fd5cf39762501fb3ddd7da"
      },
      {
        "id": "",
        "name": "1898d056463284d849801cbdea6a3dec6c9f568f01569912c3868a5eea9a5449"
      },
      {
        "id": "",
        "name": "bf8c45e5aa9551a17eefbd1d179422c32b4309c47ee9a3f315bb80ed6d4f7efc"
      },
      {
        "id": "",
        "name": "31800380c359143ae82c4f9011eee653dd22443d03d6a499148203bbfc275502"
      },
      {
        "id": "",
        "name": "765508aa2ec6a1b73a76a23f4fa559d32355622748c91a46ed7b315eae2ee60a"
      },
      {
        "id": "",
        "name": "d65120291dee76c694f8bea54841f7f68329b499b28f4aee5ea5c9369a7432cb"
      },
      {
        "id": "",
        "name": "24f6c0ca39b2a5593086ff56d818ddfbde121f8e44d54faa762e510397dc9db7"
      },
      {
        "id": "",
        "name": "6cd349eda0fa6c8b274a0920852c68f8b727afea1fdbc69ad183cef05d9cf141"
      },
      {
        "id": "",
        "name": "60aeb9f7bccf377ff02ed64783e66a62c0f976878d9729b067bc7e5b0b9da9d6"
      },
      {
        "id": "",
        "name": "ff5da8f0330a4c581c37284c74aae2683c007dc6e406e1e2e6803e7bb398b77b"
      },
      {
        "id": "",
        "name": "5cc212f84d2bf3fbab165aaf09b16e00fcf2f1ccd880d24b14404c53dcdbf241"
      },
      {
        "id": "",
        "name": "8d1a22c430252f29611766b8e4a82af0fba60d609246463466b384d6d4793df4"
      },
      {
        "id": "",
        "name": "7f37351979c249417cb180b4ede0ed17e5fe2a1f08add4d72606b589f8fdb245"
      },
      {
        "id": "",
        "name": "97aebda5482899fef84a24e456bff055acaa47e5ab4029f768d9e0c62a660ce2"
      },
      {
        "id": "",
        "name": "90e46e89fec2108a1cb4850bb33e3563e92a14d04e1e613ac8c9311f152d294c"
      },
      {
        "id": "",
        "name": "ea721240c14e3d14f8d88e0020880448c6c602f1180a1e5dbe40871cfeedcc22"
      },
      {
        "id": "",
        "name": "d26bfb0147f60dc6500a9298d521ee67b49daaf4b8f8be54e7cc8fd86a597570"
      },
      {
        "id": "",
        "name": "6bf155b269d452f3c3b62832b27bbebe4da436e228dbf521155b1d5989e3743f"
      },
      {
        "id": "",
        "name": "589d9480fbfec2d8e61638eb0b537183d0f9977411fd1d2c0f8eb611feebe880"
      },
      {
        "id": "",
        "name": "acce811c4fc2a6e3fddd4231e386f1648ca44f039d2d275316bc0a0fc96e0af4"
      },
      {
        "id": "",
        "name": "f6a01d0246ce31faf6938ea488086d4358505405a4ef5c5faa482e79e92cb347"
      },
      {
        "id": "62e80ad0-72b1-4b73-8e6d-78b4eca35a91",
        "name": "incblog.su"
      },
      {
        "id": "6e6a837b-aa14-415b-aac2-bb106618ac83",
        "name": "incpaykabjqc2mtdxq6c23nqh4x6m5dkps5fr6vgdkgzp5njssx6qkid.onion"
      },
      {
        "id": "a451405a-194b-4207-8ffc-2ab4341f0f2b",
        "name": "incblog6qu4y4mm4zvw5nrmue6qbwtgjsxpw6b7ixzssu36tsajldoad.onion"
      }
    ],
    "malware": [
      {
        "id": "e5f01230-4eca-4233-ad8d-8cb847db86ec",
        "name": "Brave Prince - S0252",
        "slug": "brave-prince-s0252"
      },
      {
        "id": "ab138766-9b64-4880-87fb-1942a709d778",
        "name": "Cobalt Strike - S0154",
        "slug": "cobalt-strike-s0154"
      },
      {
        "id": "c458b903-cef1-459f-928a-ac161da71f5a",
        "name": "Sinobi",
        "slug": "sinobi"
      },
      {
        "id": "9c0db20b-665e-4e91-a72f-b9a8d5343e58",
        "name": "Lynx",
        "slug": "lynx"
      }
    ],
    "intrusion_sets": [
      {
        "id": "7970cb90-ab3b-4a33-972a-2f886837ad6c",
        "name": "INC",
        "slug": "inc"
      }
    ],
    "attack_patterns": [
      {
        "id": "00430919-9257-403b-8a1b-958d4c3613aa",
        "name": "T1557"
      },
      {
        "id": "74d6e294-54d1-4a21-9dfc-df5870f8ec8e",
        "name": "T1003"
      },
      {
        "id": "5d2af906-6187-4702-ab9f-590fbe5b1ca3",
        "name": "T1021.002"
      },
      {
        "id": "9f11a241-9abc-4c57-95dd-33955ab08826",
        "name": "T1078"
      },
      {
        "id": "d9f271ed-7685-4362-b90d-f16a14102f39",
        "name": "T1489"
      },
      {
        "id": "d9b45b3b-d093-4016-89e9-48f31ff4d05d",
        "name": "T1566"
      },
      {
        "id": "ecaaa4cc-d487-4002-bcb2-f769acfcc38f",
        "name": "T1490"
      },
      {
        "id": "09124a92-c11f-4571-b35b-ab0bce6dd081",
        "name": "T1112"
      },
      {
        "id": "f1bb7823-4f4b-4565-b472-bf0cfca467b1",
        "name": "T1486"
      },
      {
        "id": "f6ceeba2-b50c-47dc-8642-ab9842ca76d7",
        "name": "T1018"
      },
      {
        "id": "6c8f8a40-2746-4a37-86bd-81e82afa6e62",
        "name": "T1190"
      },
      {
        "id": "c12e0e03-aab0-4646-a929-e921a3d27f02",
        "name": "T1219"
      },
      {
        "id": "7364ca96-72bf-4b7f-afef-ce2583b1ed58",
        "name": "T1562.001"
      },
      {
        "id": "dc342445-1b78-48b4-aa06-89ed2ad7c28e",
        "name": "T1071"
      },
      {
        "id": "e1b18ecf-d74e-4fe6-9bd4-ca6a62e7d818",
        "name": "T1027.002"
      },
      {
        "id": "195d9773-4de3-4f61-b94d-a2b53cb65608",
        "name": "T1021.001"
      },
      {
        "id": "1eef7f88-3992-4add-899e-a7cc9fcdd5b3",
        "name": "T1569.002"
      },
      {
        "id": "45082a8e-9c79-470e-ad1b-decac7188e8f",
        "name": "T1083"
      },
      {
        "id": "232fbdfa-94c6-443d-b575-373e75b4f4c2",
        "name": "T1567"
      }
    ],
    "vulnerabilities": [
      {
        "id": "",
        "name": "CVE-2023-48788"
      },
      {
        "id": "",
        "name": "CVE-2024-57727"
      },
      {
        "id": "",
        "name": "CVE-2023-3519"
      },
      {
        "id": "",
        "name": "CVE-2025-5777"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Education"
      },
      {
        "id": "",
        "name": "Legal"
      },
      {
        "id": "",
        "name": "Manufacturing"
      },
      {
        "id": "",
        "name": "Technology"
      },
      {
        "id": "",
        "name": "Construction"
      },
      {
        "id": "",
        "name": "Healthcare"
      },
      {
        "id": "",
        "name": "incblog6qu4y4mm4zvw5nrmue6qbwtgjsxpw6b7ixzssu36tsajldoad.onion"
      },
      {
        "id": "",
        "name": "incblog.su"
      },
      {
        "id": "",
        "name": "incpaykabjqc2mtdxq6c23nqh4x6m5dkps5fr6vgdkgzp5njssx6qkid.onion"
      }
    ],
    "indicators": [
      {
        "id": "df1fd33d-b4c2-4c63-8b17-478120b8b13a",
        "name": "1d10d8f5a420d0e4683b4cb40bcf0c984d1e7ea1f3b4442a00a525584632ac11"
      },
      {
        "id": "519d8f73-f782-4b15-8fd9-00faa252fd22",
        "name": "dc9938f51150d13a69fc25f3f19052eacb1bf0a086fd5cf39762501fb3ddd7da"
      },
      {
        "id": "d722bb08-02f8-47b3-af6d-876c0acf2a37",
        "name": "1898d056463284d849801cbdea6a3dec6c9f568f01569912c3868a5eea9a5449"
      },
      {
        "id": "1d4ec368-da56-4adf-b781-66aa9722daac",
        "name": "bf8c45e5aa9551a17eefbd1d179422c32b4309c47ee9a3f315bb80ed6d4f7efc"
      },
      {
        "id": "07cac099-cfae-44dd-a47f-62d195bd80b5",
        "name": "31800380c359143ae82c4f9011eee653dd22443d03d6a499148203bbfc275502"
      },
      {
        "id": "0407cf24-b10f-4ab9-bd4c-b23e3510f20b",
        "name": "765508aa2ec6a1b73a76a23f4fa559d32355622748c91a46ed7b315eae2ee60a"
      },
      {
        "id": "ab255ea9-e4f2-4037-9f93-b829a6cd2c46",
        "name": "d65120291dee76c694f8bea54841f7f68329b499b28f4aee5ea5c9369a7432cb"
      },
      {
        "id": "c24c5616-2a12-48e8-aa0a-02788573ccbc",
        "name": "24f6c0ca39b2a5593086ff56d818ddfbde121f8e44d54faa762e510397dc9db7"
      },
      {
        "id": "6278c1ea-ef01-4594-887f-c1dbc975074e",
        "name": "6cd349eda0fa6c8b274a0920852c68f8b727afea1fdbc69ad183cef05d9cf141"
      },
      {
        "id": "31822190-c464-4c97-aeca-86e7956d8032",
        "name": "incblog6qu4y4mm4zvw5nrmue6qbwtgjsxpw6b7ixzssu36tsajldoad.onion"
      },
      {
        "id": "2f80b5d2-7992-4c5e-a3f9-440be7f08561",
        "name": "60aeb9f7bccf377ff02ed64783e66a62c0f976878d9729b067bc7e5b0b9da9d6"
      },
      {
        "id": "dbdd925a-0865-4934-a39a-a5dc88819d24",
        "name": "ff5da8f0330a4c581c37284c74aae2683c007dc6e406e1e2e6803e7bb398b77b"
      },
      {
        "id": "c6a55cda-c600-4cc2-a847-6c56c348041f",
        "name": "5cc212f84d2bf3fbab165aaf09b16e00fcf2f1ccd880d24b14404c53dcdbf241"
      },
      {
        "id": "a5148caa-c118-42f7-9ee8-ea0515cb526f",
        "name": "incblog.su"
      },
      {
        "id": "5681de87-da94-4fe6-8e96-c24a64ce8cbd",
        "name": "8d1a22c430252f29611766b8e4a82af0fba60d609246463466b384d6d4793df4"
      },
      {
        "id": "f6b4d27f-2c62-4491-b25e-38259088d414",
        "name": "7f37351979c249417cb180b4ede0ed17e5fe2a1f08add4d72606b589f8fdb245"
      },
      {
        "id": "c902471e-d1c9-468c-932a-29d7962d9f4b",
        "name": "incpaykabjqc2mtdxq6c23nqh4x6m5dkps5fr6vgdkgzp5njssx6qkid.onion"
      },
      {
        "id": "c4eaa399-d5ff-42da-9799-69ebcee96a4e",
        "name": "97aebda5482899fef84a24e456bff055acaa47e5ab4029f768d9e0c62a660ce2"
      },
      {
        "id": "0268f936-712c-483d-b929-4aa371efba06",
        "name": "90e46e89fec2108a1cb4850bb33e3563e92a14d04e1e613ac8c9311f152d294c"
      },
      {
        "id": "44c52054-dfb2-4ff7-a72c-7f009feaff83",
        "name": "ea721240c14e3d14f8d88e0020880448c6c602f1180a1e5dbe40871cfeedcc22"
      },
      {
        "id": "5f9e2595-2bd9-48de-ab49-986488a659fa",
        "name": "d26bfb0147f60dc6500a9298d521ee67b49daaf4b8f8be54e7cc8fd86a597570"
      },
      {
        "id": "437e0eec-ed2d-4aaa-8c86-824ae27c7093",
        "name": "6bf155b269d452f3c3b62832b27bbebe4da436e228dbf521155b1d5989e3743f"
      },
      {
        "id": "623f5aca-2192-4f2e-bb64-38def44c49cf",
        "name": "589d9480fbfec2d8e61638eb0b537183d0f9977411fd1d2c0f8eb611feebe880"
      },
      {
        "id": "87881c31-8248-4ca6-ad12-5566ce3ab7b5",
        "name": "acce811c4fc2a6e3fddd4231e386f1648ca44f039d2d275316bc0a0fc96e0af4"
      },
      {
        "id": "5a50a4fc-c058-4423-aa1c-b3dc788078f3",
        "name": "f6a01d0246ce31faf6938ea488086d4358505405a4ef5c5faa482e79e92cb347"
      }
    ]
  },
  "external_refs": [
    "https://otx.alienvault.com/pulse/6a32a34570e116fb4e3621e7",
    "https://www.acronis.com/en/tru/posts/from-emerging-threat-to-top-tier-ransomware-as-a-service-the-evolution-of-inc-ransomware/"
  ]
}