INC is a new but fast-growing ransomware group, known for its aggressive tactics and speed of execution.

Despite lacking the long history of more established groups, INC has quickly proven itself by targeting organisations across multiple sectors and publishing victim data on a dedicated leak site soon after initial compromise.

At STORM Guidance, we assist organisations in understanding, preparing for, and responding to emerging ransomware threats like INC—offering the clarity and control needed to minimise disruption and long-term damage.

How INC Ransomware Attacks Work

INC follows a familiar double extortion model but focuses on speed and pressure to force fast decision-making from victims. Key characteristics include:

• Initial access through phishing emails, credential stuffing, or vulnerable RDP and VPN services

• Rapid lateral movement using standard tools and legitimate credentials

• Encryption of critical systems, often appending a custom extension

• Data exfiltration followed by public listing on the INC leak site

• A short payment deadline and threats of immediate public exposure

Unlike slower, staged ransomware campaigns, INC attacks are fast-moving and designed to outpace internal response.

Who INC Is Targeting

Current evidence suggests INC is focusing on:

• Mid-sized enterprises with limited cybersecurity teams

• Professional services, retail, healthcare, and education sectors

• Organisations with outdated security protocols or under-monitored remote access tools

Its strategy is opportunistic but effective—hitting companies with weak visibility and high data sensitivity.

How to Defend Against INC Ransomware

To reduce your exposure to a group like INC:

✅ Conduct regular patching of exposed infrastructure and third-party tools

✅ Require MFA for all external access points and administrator accounts

✅ Monitor user behaviour for lateral movement and privilege escalation

✅ Use endpoint detection solutions that look for behavioural anomalies

✅ Secure, offline backups and clear data recovery procedures

✅ Prepare and test your data breach communications strategy

What to Do If Your Organisation Is Attacked by INC

If you discover signs of INC ransomware in your environment:

• Isolate affected systems immediately and disable remote access

• Collect and preserve ransom notes, log files, and evidence of exfiltration

• Avoid engaging directly with attackers

• Alert legal, communications, and leadership teams for coordinated response

STORM Guidance supports clients with:

✔ Full technical containment and root cause analysis

✔ Data breach exposure evaluation

✔ Legal and regulatory support

✔ Strategic guidance on ransom decisions and communications

INC: Speed Over Sophistication

What INC lacks in brand history, it makes up for in urgency, volume, and aggression.

Its rapid deployment and short negotiation windows reflect a ransomware trend focused less on long campaigns and more on maximum short-term pressure.

For organisations without a tested playbook, this can be overwhelming. STORM Guidance helps ensure that your response is not only fast—but strategic, compliant, and effective.

Immediate Response Available

If you’re under attack, contact STORM Guidance now.