INC Ransomware Targets Healthcare, Education, and Local Government

Investigation reveals INC ransomware achieves consistent revenue by targeting healthcare, education, and local government with rapid encryption and data exfiltration.

    An investigation published Tuesday revealed the INC ransomware group’s operational patterns, showing a group that has achieved sustained success by perfecting established tactics with operational discipline rather than relying on novel techniques. The group specifically targets sectors where ransomware deployment creates maximum payment pressure: healthcare, education, and local government.

    INC’s playbook follows a well-documented but effectively executed pattern: initial access via RDP brute-force or credential stuffing against publicly exposed services, lateral movement using harvested credentials and native Windows administration tools, and rapid, comprehensive encryption combined with concurrent data exfiltration to enable the third-extortion model.

    INC Targets Sectors Where Operational Disruption Creates Urgent Payment Pressure

    INC’s operational model is built on precise sector selection. The group targets healthcare organizations, educational institutions, and local government agencies, sectors where operational disruption creates acute payment pressure.

    Healthcare providers cannot delay patient care indefinitely. Schools face political pressure to restore operations for student access. Local government departments must maintain public services. These constraints give INC a significant advantage in payment negotiations that pure criminal capability alone does not provide.

    The group has been observed releasing non-paying victims’ data more quickly than competing ransomware groups, creating a rapid-revenue model that pressures other organizations to pay rather than negotiate.

    Predictable Tactics Executed With Operational Discipline

    INC’s approach to ransomware delivery is largely predictable. Initial access comes through RDP brute-force or credential stuffing against publicly exposed services. Lateral movement uses harvested credentials and native Windows administration tools rather than novel exploit chains.
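
The two initial-access patterns named above leave different traces in Windows logon events, and a success that follows either one is the event to escalate. The sketch below is an added example, not taken from the investigation: the log lines are constructed, and the space-separated field layout, the 10-minute window and the threshold of 5 are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (not from the investigation). Fields: time, Security event
# ID (4625 failed / 4624 successful logon), logon type, source IP, account.
# Logon type 10 is RemoteInteractive (RDP); failures show as type 3 under NLA.
SAMPLE = """\
2024-05-01T02:00:00 4625 3 203.0.113.7 administrator
2024-05-01T02:00:05 4625 3 203.0.113.7 administrator
2024-05-01T02:00:10 4625 3 203.0.113.7 administrator
2024-05-01T02:00:15 4625 3 203.0.113.7 administrator
2024-05-01T02:00:20 4625 3 203.0.113.7 administrator
2024-05-01T03:10:00 4625 3 198.51.100.20 asmith
2024-05-01T03:10:30 4625 3 198.51.100.20 bjones
2024-05-01T03:11:00 4625 3 198.51.100.20 clee
2024-05-01T03:11:30 4625 3 198.51.100.20 dkhan
2024-05-01T03:12:00 4625 3 198.51.100.20 epark
2024-05-01T03:12:30 4624 10 198.51.100.20 fwong
2024-05-01T08:00:00 4625 3 192.0.2.50 nurse01
2024-05-01T08:00:20 4624 10 192.0.2.50 nurse01
"""

def parse(text):
    for line in text.splitlines():
        ts, eid, ltype, ip, user = line.split()
        if ltype in ("3", "10"):  # keep only network / RDP logons
            yield datetime.fromisoformat(ts), int(eid), ip, user.lower()

def detect(text, window=timedelta(minutes=10), threshold=5):
    """Return {source_ip: set of findings} using a sliding window per source."""
    recent = defaultdict(list)      # ip -> [(time, account)] of recent failures
    findings = defaultdict(set)
    for ts, eid, ip, user in sorted(parse(text)):
        recent[ip] = [(t, u) for t, u in recent[ip] if ts - t <= window]
        if eid == 4625:
            recent[ip].append((ts, user))
            accounts = [u for _, u in recent[ip]]
            if len(set(accounts)) >= threshold:
                findings[ip].add("credential_stuffing")   # many accounts, one source
            if max(accounts.count(u) for u in set(accounts)) >= threshold:
                findings[ip].add("brute_force")           # one account hammered
        elif eid == 4624 and len(recent[ip]) >= threshold:
            findings[ip].add("success_after_failures")    # likely compromise: escalate
    return dict(findings)

if __name__ == "__main__":
    for ip, found in detect(SAMPLE).items():
        print(ip, sorted(found))
```

The single mistyped password from 192.0.2.50 produces no finding, which is the false-positive case the threshold exists to absorb.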

    Target selection prioritizes victims whose urgency to restore operations is highest. Encryption is rapid and comprehensive, and data exfiltration runs concurrently, enabling the third-extortion model of threatening to publish stolen data on top of the encryption threat.

    What distinguishes INC from the broader ransomware ecosystem is not technical sophistication but operational discipline: consistent targeting, effective sector selection, and a willingness to negotiate and release data from victims unable to pay.
