INC ransomware group’s RaaS expansion and victim growth in 2026
Threat Actor Meta
Summary
Hide ▲
Show ▼
INC has grown from a RaaS startup into one of 2026’s most prolific ransomware groups, with 830+ victims since August 2023. The expansion followed affiliate migration after disruption to LockBit and the shutdown of BlackCat, strengthening INC’s market position. Its rise increases extortion pressure across U.S. organizations and targeted sectors including health care, legal services, manufacturing, technology, and construction.
Related Happenings
INC ransomware encryptors rewritten in Rust
Malware Activity
H score38
First: 18.06.2026 17:12
Last: 18.06.2026 17:12
Sources 1
How related:
INC's Windows and Linux/ESXi encryptors have also been rewritten in Rust to facilitate easier cross-platform development and better resist reverse engineering efforts.
About this happening:
INC's **Windows** and **Linux/ESXi encryptors** were rewritten in **Rust**, improving cross-platform development and making reverse engineering harder. The malware line also gaine...
INC ransomware encryptors rewritten in Rust
Malware ActivityHow related: INC's Windows and Linux/ESXi encryptors have also been rewritten in Rust to facilitate easier cross-platform development and better resist reverse engineering efforts.
About this happening: INC's **Windows** and **Linux/ESXi encryptors** were rewritten in **Rust**, improving cross-platform development and making reverse engineering harder. The malware line also gaine...
The Gentlemen ransomware group’s 90/10 RaaS model and rapid victim growth
Threat Actor Meta
H score26
First: 10.06.2026 17:03
Last: 10.06.2026 17:03
Sources 1
About this happening:
**The Gentlemen** ransomware group has become a high-volume **RaaS** operation, using a **90/10 affiliate split** to attract operators and expand its reach. The group now ranks as...
The Gentlemen ransomware group’s 90/10 RaaS model and rapid victim growth
Threat Actor MetaAbout this happening: **The Gentlemen** ransomware group has become a high-volume **RaaS** operation, using a **90/10 affiliate split** to attract operators and expand its reach. The group now ranks as...
The Gentlemen RaaS split exposed by hastalamuerte
Threat Actor Meta
H score25
First: 19.03.2026 18:00
Last: 19.03.2026 18:00
Sources 1
About this happening:
**hastalamuerte** exposed the internal workings of **The Gentlemen** ransomware group, revealing a **Qilin-related RaaS split** that shows how affiliate-driven ecosystems can rapi...
The Gentlemen RaaS split exposed by hastalamuerte
Threat Actor MetaAbout this happening: **hastalamuerte** exposed the internal workings of **The Gentlemen** ransomware group, revealing a **Qilin-related RaaS split** that shows how affiliate-driven ecosystems can rapi...
2025 Ransomware trend toward built-in Windows tooling and lower ransom payment rates
Trend
H score32
First: 17.03.2026 23:41
Last: 17.03.2026 23:41
Sources 1
About this happening:
**Ransomware operators** are increasingly leaning on **built-in Windows tooling** while **ransom payment rates** continue to decline across **2025**, weakening extortion returns f...
2025 Ransomware trend toward built-in Windows tooling and lower ransom payment rates
TrendAbout this happening: **Ransomware operators** are increasingly leaning on **built-in Windows tooling** while **ransom payment rates** continue to decline across **2025**, weakening extortion returns f...
DragonForce shifts ransomware-as-a-service into a cartel-style affiliate umbrella
Threat Actor Meta
H score38
First: 05.02.2026 00:14
Last: 05.02.2026 00:14
Sources 1
About this happening:
**DragonForce** has shifted into a **cartel-style ransomware-as-a-service model**, letting affiliates launch their own brands while sharing a common umbrella. That change expands...
DragonForce shifts ransomware-as-a-service into a cartel-style affiliate umbrella
Threat Actor MetaAbout this happening: **DragonForce** has shifted into a **cartel-style ransomware-as-a-service model**, letting affiliates launch their own brands while sharing a common umbrella. That change expands...
Timeline
-
18.06.2026 17:12 2 articles · 2h ago
INC grows into a prolific ransomware group with 830 victims since August 2023
Campaign Scope UpdateResearchers said INC evolved from an early ransomware-as-a-service operation into one of 2026’s most prolific cybercrime groups, with 830 victims since August 2023 and more than 120 incidents in Q1 2026. United States organizations account for more than 65% of listed victims, with legal services, manufacturing, construction, technology, and health care among the most targeted sectors. The group’s expansion followed LockBit disruption and the BlackCat shutdown, and its campaigns now include Rust-based Windows and Linux/ESXi encryptors, Veeam backup server credential dumping, unpatched edge-device access, LOLBins, commercial RMM tools, and Rclone-based exfiltration.
Show sources
- INC Ransomware Emerges as Major RaaS Threat in 2026 with 830+ Victims Since 2023 — thehackernews.com — 18.06.2026 17:12
- INC Ransomware Emerges as Major RaaS Threat in 2026 with 830+ Victims Since 2023 — thehackernews.com — 18.06.2026 17:12