News Article · Jun 19, 2026 at 10:38 AM
Ransomware Landscape Shifts: INC RaaS Surges to 830 Victims, Law Enforcement Strikes SocGholish
Security #credential theft #ransomware #INC ransomware #SocGholish #Operation Endgame #initial access #Veeam #Rust

INC ransomware has claimed over 830 victims since August 2023 and quadrupled attacks in 2026, driven by the vacuum left by LockBit and BlackCat. Meanwhile, law enforcement operations took down 106 SocGholish servers and cleaned 15,000 websites.

INC ransomware has become the fourth most active ransomware-as-a-service operation in Q1 2026, with more than 120 incidents in that quarter alone, according to a joint analysis by Acronis and ZeroFox. The group, which first appeared in August 2023, now counts over 830 victims worldwide.

United States organizations make up more than 65 percent of INC's listed victims, with legal services, manufacturing, construction, technology and health care the sectors most frequently targeted, Acronis researcher Darrel Virtusio said in the report released June 18.

Rust Rewrite and RaaS Expansion Fuel Growth

INC has rewritten its Windows and Linux encryptors in the Rust programming language, making cross-platform development easier and hardening the code against reverse engineering. The malware now includes an updated credential dumper that can target newer Veeam backup deployments using salted DPAPI credential encryption. In May 2024, the group began selling its Windows and Linux variants on the cybercrime underground, which led to the emergence of related families Lynx and Sinobi that share significant code overlap with INC.

  • Initial access methods include spear-phishing, purchased IAB credentials, and exploitation of vulnerabilities in Citrix Netscaler (CVE-2023-3519, CVE-2025-5777), Fortinet EMS (CVE-2023-48788), and SimpleHelp (CVE-2024-57727).
  • Attackers use living-off-the-land binaries such as RDP and PsExec for lateral movement, and deploy the bring-your-own-vulnerable-driver technique with filwfp.sys, filnk.sys, and fildds.sys to impair defenses.
  • Data exfiltration relies on Rclone after staging archives with password protection.
  • Cobalt Strike, AnyDesk, ScreenConnect, and TeamViewer are used for command-and-control.
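
A defender can turn the names in this list into a first-pass hunt. The following added example is not from the article or the cited report; it scans constructed JSON events whose field names (`ts`, `host`, `EventID`, `Image`, `ImageLoaded`) are assumptions loosely modelled on Sysmon, and it raises severity only when a listed driver load is followed by Rclone on the same host.

```python
import json
from datetime import datetime, timedelta
from ntpath import basename

# Names are the ones the article lists. A file name alone is a weak signal
# (easily renamed), so a single hit is a lead for review, not a verdict.
BYOVD_DRIVERS = {"filwfp.sys", "filnk.sys", "fildds.sys"}
REMOTE_TOOLS = ("psexec", "anydesk", "screenconnect", "teamviewer")

def classify(ev):
    """Return 'driver', 'exfil', 'remote' or None for one event."""
    if ev["EventID"] == 6:  # driver load (assumed Sysmon-style field names)
        name = basename(ev["ImageLoaded"]).lower()
        return "driver" if name in BYOVD_DRIVERS else None
    if ev["EventID"] == 1:  # process creation
        name = basename(ev["Image"]).lower()
        if name.startswith("rclone"):
            return "exfil"
        if any(tool in name for tool in REMOTE_TOOLS):
            return "remote"
    return None

def triage(lines, window=timedelta(hours=24)):
    """Host -> severity; 'high' = listed driver load then Rclone in window."""
    hits = {}
    for line in lines:
        ev = json.loads(line)
        tag = classify(ev)
        if tag:
            when = datetime.fromisoformat(ev["ts"])
            hits.setdefault(ev["host"], []).append((when, tag))
    result = {}
    for host, seen in hits.items():
        drivers = [t for t, tag in seen if tag == "driver"]
        exfils = [t for t, tag in seen if tag == "exfil"]
        chained = any(timedelta(0) <= e - d <= window
                      for d in drivers for e in exfils)
        result[host] = ("high" if chained else
                        "medium" if drivers or exfils else "low")
    return result

# Constructed sample events (not real telemetry).
SAMPLE = r"""
{"ts":"2026-06-01T02:10:00","host":"FS01","EventID":6,"ImageLoaded":"C:\\Windows\\Temp\\filwfp.sys"}
{"ts":"2026-06-01T03:40:00","host":"FS01","EventID":1,"Image":"C:\\ProgramData\\rclone.exe"}
{"ts":"2026-06-01T09:00:00","host":"WS07","EventID":1,"Image":"C:\\Program Files\\AnyDesk\\AnyDesk.exe"}
{"ts":"2026-06-01T09:05:00","host":"WS09","EventID":1,"Image":"C:\\Windows\\System32\\notepad.exe"}
{"ts":"2026-06-02T11:00:00","host":"DB02","EventID":1,"Image":"D:\\tools\\rclone.exe"}
""".strip().splitlines()
print(triage(SAMPLE))
```

Remote-access tools are dual-use, so a host with only those hits stays at "low" and is meant to be checked against the organization's approved software list.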

Law Enforcement Strikes SocGholish Delivery Network

In a separate development, the international law enforcement coalition behind Operation Endgame took down 106 servers and domains linked to SocGholish, a malware delivery operation that has infected victims through fake software updates since at least 2020. The action, announced June 18 by the Dutch National Police, also cleaned nearly 15,000 compromised websites that were serving SocGholish's malicious payloads to unsuspecting visitors.

Collateral Risk in Targeted Sectors

The emergence of INC as a top-tier threat underscores how ransomware groups can achieve scale without advanced tradecraft. Acronis noted that INC's preferred sectors (health care, legal services and manufacturing) create strong financial pressure to pay because operational downtime disrupts supply chains and vendor networks. The attack on Australian sugar producer Mackay Sugar, which shut down harvesting and milling operations, illustrates the real-world impact. Mackay Sugar said it was working urgently to verify the ransomware group's claims.

Separately, the Klue OAuth breach linked to the Icarus threat group has enabled the theft of Salesforce CRM data from multiple organizations in an ongoing extortion campaign, further highlighting the widening attack surface in enterprise environments. The simultaneous law enforcement victory against SocGholish removes one of the largest initial access vectors for ransomware campaigns, potentially slowing the infection pipeline for groups like INC.

Fact check

  • INC ransomware had more than 120 incidents in Q1 2026, making it the fourth most active ransomware group. (reported)
  • INC has been rewriting its encryptors in Rust to facilitate cross-platform development and resist reverse engineering. (reported)
  • Law enforcement took down 106 servers and domains and cleaned nearly 15,000 websites as part of Operation Endgame targeting SocGholish. (reported)
  • Mackay Sugar said it was working urgently to verify that a ransomware group was behind a cyberattack that shut down harvesting and milling. (reported)
