INC Ransomware Rewrites Windows and Linux/ESXi Encryptors in Rust
INC ransomware has become one of the most active ransomware-as-a-service operations in 2026, with more than 800 claimed victims since it emerged in 2023. A new Acronis Threat Research Unit report says the group has rewritten both its Windows and Linux/ESXi encryptors in Rust, giving affiliates stronger cross-platform attack tools.
The rewrite matters because INC now has modern payloads for traditional Windows networks and VMware environments. That gives affiliates more options during intrusions, especially when they want to encrypt virtualized infrastructure and disrupt recovery operations.
INC uses a double extortion model. It encrypts systems and also threatens to leak stolen data, creating pressure from downtime, regulatory exposure, customer impact, and reputational damage.
INC has grown into a top ransomware threat
INC first appeared in mid-2023 and expanded quickly as other major ransomware brands faced disruptions. The Hacker News, citing Acronis research and ransomware.live data, reported that INC has claimed at least 830 victims since August 2023.
The group has targeted healthcare, education, legal services, manufacturing, construction, professional services, and technology. Acronis said U.S. organizations make up more than 65% of listed victims, with legal services, manufacturing, construction, technology, and healthcare among the most targeted sectors.
This targeting gives attackers leverage. Law firms, healthcare providers, manufacturers, and professional services companies often hold sensitive records and face immediate operational pressure when systems go offline.
| Item | Details |
|---|---|
| Ransomware group | INC ransomware |
| Model | Ransomware-as-a-Service |
| First observed | Mid-2023 |
| Claimed victims | More than 800 since 2023 |
| New development | Windows and Linux/ESXi encryptors rewritten in Rust |
| Common sectors | Legal, manufacturing, construction, technology, healthcare, education, and professional services |
Why the Rust rewrite matters
Rust gives ransomware developers a practical way to maintain cross-platform code while producing binaries that can be harder for analysts to review quickly. Acronis said both INC payloads have been rewritten in Rust, increasing analysis complexity and making cross-platform development easier.
The Windows encryptor includes operator-controlled options that let affiliates tune how encryption runs inside a victim environment. The Linux/ESXi version adds arguments for VMware environments, including an ESXi mode that attempts to shut down virtual machines before encryption.
For attackers, that means greater control. For defenders, it means INC activity can hit servers, endpoints, backups, and virtual infrastructure during the same intrusion.
INC affiliates target backups and credentials
Acronis said recent INC incidents include a modified credential dumper that targets Veeam backup deployments. The tool supports newer Veeam salted DPAPI credential encryption, which suggests the group has adapted its tooling for modern backup environments.
This is especially important because backup systems often hold high-value administrative credentials. If attackers compromise backup infrastructure, they can weaken recovery options before launching the encryptor.
The same report says INC affiliates also rely on common intrusion methods, including phishing, valid credentials bought from initial access brokers, and exploitation of public-facing systems.
- Affiliates use stolen or purchased credentials for initial access.
- They target unpatched edge devices and exposed remote services.
- They dump credentials from Veeam backup servers.
- They use legitimate remote access tools to blend into normal IT activity.
- They package stolen data before exfiltration, often using common utilities.
Initial access still relies on known vulnerabilities
INC affiliates do not need rare zero-days to succeed. Acronis said the group has used spear phishing, credentials from initial access brokers, and known vulnerabilities in public-facing applications.
| Vulnerability | Product or platform | Role in attacks |
|---|---|---|
| CVE-2023-3519 | Citrix NetScaler ADC and Gateway | Initial access against exposed infrastructure |
| CVE-2023-48788 | Fortinet FortiClient EMS | Public-facing application exploitation |
| CVE-2024-57727 | SimpleHelp RMM | Remote management system compromise |
| CVE-2025-5777 | Citrix NetScaler ADC and Gateway | Credential theft and edge-device exposure |
The focus on known flaws makes patching and exposure management critical. Security teams should check internet-facing systems for Citrix NetScaler CVE-2023-3519, Fortinet EMS CVE-2023-48788, SimpleHelp CVE-2024-57727, and Citrix Bleed 2 CVE-2025-5777 where those products are present.
Remote access tools help INC blend into networks
INC affiliates use legitimate tools after gaining access. Acronis observed Cobalt Strike, AnyDesk, ScreenConnect, and TeamViewer in recent incidents, along with built-in or administrative tooling that is already present in most Windows environments, such as RDP and PsExec.
These tools can make malicious activity look like normal administration if organizations do not monitor context. A remote access session outside business hours, launched from an unusual account, or tied to mass file staging should trigger investigation.
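The contextual checks described above can be turned into a small triage routine. The following is an added example, not code from the Acronis report or from VPNCentral: it scores launches of remote access tools from process-creation log lines by three signals the article names, off-hours execution, an account that is not on an approved operator list, and archive or transfer utilities launched on the same host shortly afterwards. The log format, the approved account names and the thresholds are assumptions for illustration; the sample log lines are constructed.

```python
"""Context-based triage of remote access tool launches (added example).

Input format (assumed, constructed for this example):
    <ISO timestamp> host=<hostname> user=<account> image=<full path to executable>
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Tools named in the article; the executable names are common defaults, not page indicators
REMOTE_ACCESS_TOOLS = {"anydesk.exe", "screenconnect.clientservice.exe", "teamviewer.exe", "psexec.exe"}
ARCHIVERS = {"7z.exe", "rclone.exe"}          # staging / exfiltration utilities from the article
BUSINESS_HOURS = (8, 18)                      # assumption: 08:00-18:00 local, Monday to Friday
APPROVED_ADMINS = {"it-admin", "svc-rmm"}     # assumption: accounts allowed to run remote access tools
STAGING_WINDOW_MIN = 30                       # assumption: look-ahead window for archive activity
STAGING_THRESHOLD = 3                         # assumption: archiver launches that count as "mass staging"


@dataclass
class Event:
    ts: datetime
    host: str
    user: str
    image: str   # lower-cased executable name without path


def parse_line(line: str) -> Event:
    """Parse one constructed log line into an Event."""
    ts_str, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    image = fields["image"].rsplit("\\", 1)[-1].lower()
    return Event(datetime.fromisoformat(ts_str), fields["host"], fields["user"].lower(), image)


def triage(lines):
    """Return one finding per remote access launch that has at least one suspicious context signal."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e.ts)
    window = timedelta(minutes=STAGING_WINDOW_MIN)
    findings = []
    for ev in events:
        if ev.image not in REMOTE_ACCESS_TOOLS:
            continue
        reasons = []
        off_hours = not (BUSINESS_HOURS[0] <= ev.ts.hour < BUSINESS_HOURS[1]) or ev.ts.weekday() >= 5
        if off_hours:
            reasons.append("outside business hours")
        if ev.user not in APPROVED_ADMINS:
            reasons.append(f"unapproved account {ev.user}")
        # Archive/transfer tools launched on the same host within the window after the session start
        staged = [o for o in events
                  if o.host == ev.host and o.image in ARCHIVERS and ev.ts <= o.ts <= ev.ts + window]
        if len(staged) >= STAGING_THRESHOLD:
            reasons.append(f"{len(staged)} archive/transfer launches within {STAGING_WINDOW_MIN} min")
        if reasons:
            findings.append({"host": ev.host, "user": ev.user, "image": ev.image,
                             "time": ev.ts.isoformat(), "reasons": reasons})
    return findings


# Constructed sample: one routine admin session, one off-hours session followed by staging
SAMPLE_LOG = """
2025-03-12T10:05:00 host=WS22 user=it-admin image=C:\\ProgramData\\AnyDesk\\AnyDesk.exe
2025-03-12T02:15:00 host=FS01 user=j.doe image=C:\\Users\\Public\\AnyDesk.exe
2025-03-12T02:20:00 host=FS01 user=j.doe image=C:\\Temp\\7z.exe
2025-03-12T02:24:00 host=FS01 user=j.doe image=C:\\Temp\\7z.exe
2025-03-12T02:31:00 host=FS01 user=j.doe image=C:\\Temp\\rclone.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.strip().splitlines()):
        print(f"{f['time']} {f['host']} {f['user']} {f['image']}: " + "; ".join(f["reasons"]))
```

The routine flags only the FS01 session: it runs at 02:15, under an account not on the approved list, and is followed by three archiver launches within 30 minutes, while the daytime it-admin session on WS22 produces no finding. In production the same three signals would come from EDR or Sysmon process-creation telemetry rather than a constructed text log.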
Attackers also use defense impairment tools. Acronis said INC actors have used PsKill and custom process terminators to stop endpoint protection processes before encryption.
Linux and ESXi attacks raise recovery pressure
The Linux/ESXi encryptor shows how ransomware groups continue to target virtual infrastructure. When ESXi hosts are encrypted, many virtual machines can go down at once, creating a larger operational outage than endpoint-only encryption.

Acronis said the Linux/ESXi payload can enumerate virtual machines, shut them down, and then encrypt files that would otherwise remain locked by running workloads. It also supports command-line options for encryption modes and target directories.
The group’s use of Rust-based payloads also reflects a broader ransomware trend. Operators want one development approach that can serve Windows, Linux, and hypervisor-focused campaigns without maintaining completely separate malware families.
INC code has influenced related ransomware families
Acronis said INC’s source code was offered for sale on underground forums in 2024. After that, related ransomware families such as Lynx and Sinobi appeared with significant code overlap.
This does not mean every related attack comes directly from INC. It means the original codebase appears to have spread into nearby criminal operations while the INC brand continued to develop its own campaigns.
The Hacker News report also noted that INC benefited from wider shifts in the ransomware ecosystem after the disruption of LockBit and the shutdown of BlackCat.
What organizations should do now
Organizations should treat INC as a mature ransomware operation, not a low-level copycat group. Its affiliates combine common access methods, credential theft, backup targeting, legitimate remote tools, and Rust-based encryptors to scale attacks.
The CISA StopRansomware Guide recommends offline encrypted backups, tested recovery procedures, strong access controls, patching, and incident response preparation. Those controls directly address several weaknesses INC affiliates continue to exploit.

Security teams should give backup systems the same level of protection as domain controllers. Backup consoles, service accounts, and stored credentials should use strong MFA, least privilege, monitoring, and separate administrative access.
- Patch exposed edge devices and remote management platforms quickly.
- Audit internet-facing Citrix, Fortinet, SimpleHelp, VPN, and RMM systems.
- Require MFA for remote access, privileged accounts, and backup consoles.
- Store backups offline or in immutable storage and test restoration regularly.
- Monitor for unusual use of AnyDesk, ScreenConnect, TeamViewer, PsExec, and RDP.
- Block or alert on unexpected rclone, 7-Zip staging, and mass archive creation.
- Segment VMware, backup, and administrative networks from user endpoints.
- Investigate attempts to stop EDR, antivirus, and logging processes.
Indicators defenders should prioritize
Acronis published hashes, network indicators, and YARA rules for INC Windows and Linux/ESXi samples. Security teams should import those indicators into detection tooling, but they should not rely on static indicators alone.
| Type | Indicator or behavior | Why it matters |
|---|---|---|
| File behavior | .INC extension and INC file footer markers | Seen in encrypted files from analyzed samples |
| Ransom note | INC-README.txt and related INC ransom note names | Used after encryption to communicate demands |
| Tool | rclone.exe | Used by many ransomware actors for data exfiltration |
| Tool | 7-Zip | Used to compress stolen files before upload |
| Tool | PsKill and custom process terminators | Used to stop security processes before encryption |
| Remote access | Cobalt Strike, AnyDesk, ScreenConnect, TeamViewer | Used for command-and-control and persistence in several incidents |
Behavioral detections should focus on credential dumping from Veeam servers, suspicious remote access, mass file archiving, unusual outbound transfers, attempts to stop security tools, and ESXi commands that shut down virtual machines before encryption.
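The file-level indicators in the table above (the .INC extension and the INC-README.txt note) can be checked across a file share during triage. The following is an added example, not Acronis tooling or VPNCentral code: it walks a directory tree, counts files carrying the .INC suffix, locates ransom notes, and reports the share of files affected and the most affected directories. The directory tree it scans is constructed inside build_sample_tree() so the script runs stand-alone; the note name is matched case-insensitively and only the one name the article gives is used.

```python
"""Post-incident file-system triage for INC file indicators (added example)."""
import os
import shutil
import tempfile
from collections import Counter

ENCRYPTED_SUFFIX = ".inc"               # ".INC extension" from the indicator table, matched case-insensitively
RANSOM_NOTE_NAMES = {"inc-readme.txt"}  # ransom note name from the indicator table


def scan_tree(root):
    """Walk root and summarise encrypted files and ransom notes found beneath it."""
    encrypted, notes, total = [], [], 0
    per_dir = Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            total += 1
            lower = name.lower()
            if lower in RANSOM_NOTE_NAMES:
                notes.append(os.path.join(dirpath, name))
            elif lower.endswith(ENCRYPTED_SUFFIX):
                encrypted.append(os.path.join(dirpath, name))
                per_dir[os.path.relpath(dirpath, root)] += 1
    return {
        "total_files": total,
        "encrypted_files": len(encrypted),
        "ransom_notes": len(notes),
        "encrypted_share": (len(encrypted) / total) if total else 0.0,
        "top_dirs": per_dir.most_common(3),   # directories with the most encrypted files
    }


def build_sample_tree():
    """Create a constructed sample tree: two encrypted shares with notes, one untouched share."""
    root = tempfile.mkdtemp(prefix="inc_triage_")
    layout = {
        "finance": ["q1.xlsx.INC", "q2.xlsx.INC", "INC-README.txt"],
        "hr": ["payroll.docx.INC", "INC-README.txt"],
        "public": ["logo.png", "notes.txt"],
    }
    for sub, names in layout.items():
        d = os.path.join(root, sub)
        os.makedirs(d)
        for n in names:
            with open(os.path.join(d, n), "wb") as fh:
                fh.write(b"constructed sample content\n")
    return root


def remove_sample_tree(root):
    """Delete the constructed tree once triage is done."""
    shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    sample_root = build_sample_tree()
    try:
        report = scan_tree(sample_root)
        print(f"{report['encrypted_files']}/{report['total_files']} files encrypted "
              f"({report['encrypted_share']:.0%}), {report['ransom_notes']} ransom notes")
        for directory, count in report["top_dirs"]:
            print(f"  {directory}: {count} encrypted files")
    finally:
        remove_sample_tree(sample_root)
```

Run against a real share, scan_tree() gives incident responders a quick scope estimate (which shares and how much of them) before hashes and YARA rules from the Acronis report are applied; it is deliberately read-only and touches no file contents.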
The Acronis analysis and the CISA ransomware guidance both point to the same defensive priority: reduce external exposure, protect identities, harden backups, and prepare recovery before affiliates reach the encryption stage.
FAQ
INC ransomware is a ransomware-as-a-service operation that emerged in 2023. It uses double extortion by encrypting victim systems and threatening to leak stolen data if the ransom is not paid.
Rust helps attackers maintain cross-platform payloads and can increase analysis complexity. Acronis said INC has rewritten both its Windows and Linux/ESXi encryptors in Rust, giving affiliates stronger tools for different environments.
Yes. INC has a Linux/ESXi encryptor that can target VMware environments. Acronis said the ESXi mode can enumerate and shut down virtual machines before encryption so files are not locked by running workloads.
INC affiliates use several access methods, including phishing, stolen credentials from initial access brokers, exposed remote services, and exploitation of known vulnerabilities in public-facing systems.
Organizations should patch exposed systems, enforce MFA, monitor remote access tools, protect Veeam and other backup platforms, keep offline or immutable backups, segment networks, and investigate attempts to stop security tools or stage large data archives.