And one of those basics is focusing on sectors where a ransomware disruption creates immediate pressure to pay up, like with healthcare.
June 17, 2026
INC is a ransomware group that has excelled in the ransomware-as-a-service (RaaS) space through doing the basics effectively — alongside a bit of good timing.
Researchers with security vendor Acronis today published a blog post covering RaaS gang INC, a group that emerged in 2023 and has claimed more than 800 victims to date. INC is a ransomware actor that greatly benefited from the shutdown of ALPHV/BlackCat and the disruption of LockBit; this is an attribute shared with other ascendant gangs like The Gentlemen.
And according to the Acronis Threat Research Unit (TRU), the group is one of the most active of its kind right now. On the surface, INC doesn't stand out so much. It's a double extortion ransomware actor (meaning it uses encryption and data leaking to get victims to pay up), drawing victims from manufacturing, legal services, healthcare, technology, construction, and educational sectors, among others. The group appears to have a certain preference for organizations with especially sensitive data to add extra extortion pressure.
