INC Ransomware Emerges as Major RaaS Threat in 2026 with 830+ Victims Since 2023

The INC ransomware-as-a-service (RaaS) operation has emerged as a significant cybercrime threat in 2026, impacting over 830 victims since August 2023. Cybersecurity researchers at Acronis observed that the disruption of prominent RaaS groups like LockBit and BlackCat created an opening for INC to grow its operations, attracting affiliates seeking new platforms. INC's activity surged in late 2023 and continued through 2024 and 2025, with a notable increase in victim count during the first quarter of 2026. The group primarily targets organizations in the United States, with manufacturing, technology, and healthcare sectors being the most affected. INC employs a double-extortion tactic, exfiltrating sensitive data before encrypting it and demanding ransom for both decryption and the non-release of stolen information. Analysis of INC's tactics, techniques, and procedures (TTPs) reveals a sophisticated approach, including the use of custom-built encryptors and evasion techniques to bypass security defenses. The group's affiliate program appears to be well-structured, facilitating rapid deployment and expansion of its reach.