When Australia’s cyber watchdog issued a fresh advisory on INC Ransom, security teams worldwide are bound to take note — not because INC is new, but because the group’s business model has quietly made it one of 2025’s most relentless forces targeting the very networks societies depend on to survive.
Australia’s Cyber Security Centre (ACSC), part of the Australian Signals Directorate (ASD), published the advisory warning that INC Ransom’s affiliate model now enables a broad range of threat actors to target critical infrastructure — from healthcare systems to government networks — with minimal technical skill of their own.
INC Ransom operates as a Ransomware-as-a-Service (RaaS) group. It is a criminal franchise model where core developers build and maintain the ransomware platform, then lease it to “affiliates” who carry out the actual attacks in exchange for a cut of the ransom. Think of it as a dark-web franchise. The brand, tools, and infrastructure belong to INC; the break-ins happen through hired hands.
As of mid-2025, more than 200 victims appeared on INC’s data leak site, and in July 2025, INC ranked as the most deployed ransomware based on victim postings. That scale does not happen by accident. It reflects a deliberate expansion through affiliates who carry existing access and expertise from other groups.
Also read: Cyberattack on ControlNET: INC Ransom Group Claims Breach of Building Technology Provider
Prime Focus on Healthcare
Healthcare organizations bore the brunt of INC’s activity between January and August 2025, with education, technology, and government entities also ranking among the top victim sectors.
“Since January 2025, the ACSC has observed INC Ransom affiliates target Australian Health Care sector entities using compromised accounts. Upon initial access, affiliates have conducted privilege escalation by creating admin level accounts and moving laterally within victim networks,” the advisory said.
In June, the Tongan Ministry of Health (MoH) ICT environment was attacked by a ransomware that impacted core services and disrupted the national health care network. ACSC said, this was also the work of INC ransomware group as was an attack on a healthcare sector entity further down south in New Zealand.
“Many of the organisation’s servers and endpoint devices had been encrypted, and a large amount of data was stolen. INC Ransom claimed responsibility for this incident, and published the dataset on its DLS (data leak site),” ACSC confirmed.
Exploits Known Vulnerabilities
INC affiliates do not reinvent the wheel. They exploit known, unpatched vulnerabilities in widely deployed enterprise software. Documented entry points include CVE-2023-3519 in Citrix NetScaler — a remote code execution flaw patched in July 2023 — CVE-2023-48788, a SQL injection vulnerability in Fortinet Endpoint Management Server, and CVE-2024-57727, a SimpleHelp RMM path traversal flaw added to CISA’s Known Exploited Vulnerabilities catalog in February 2025.
INC Ransom also used CitrixBleed (CVE-2023-4966), a vulnerability in Citrix NetScaler ADC and Gateway appliances that lets threat actors bypass multifactor authentication and hijack legitimate user sessions. In practical terms, an attacker does not need stolen credentials. They can walk through the front door using a session that already has authorization.
Once inside, INC affiliates follow a disciplined playbook. They archive data with 7-Zip before exfiltrating it via MegaSync, use AES encryption, and drop ransom notes printed directly to network printers. The group then applies double extortion — encrypting systems while threatening to publish stolen data publicly unless the victim pays.
In one high-profile case, INC Ransom claimed a breach of the Pennsylvania Office of the Attorney General in August 2025, stating it removed more than 5 terabytes of data and hinted at access to federal networks. The office refused to pay.
Also read: Ahold Delhaize USA Confirms Data Stolen in 2024 Cyberattack
The group’s reach does not stop at U.S. borders. INC Ransom targeted Alder Hey Children’s NHS Foundation Trust in the U.K., claiming to have obtained large-scale patient records, donor reports, and procurement data. This pattern of targeting public-sector healthcare — institutions with constrained security budgets and life-critical dependencies — reflects a calculated predatory strategy.
Microsoft Threat Intelligence tracks significant INC affiliate activity through a group it calls Vanilla Tempest, which adopted INC Ransom as its primary payload in August 2024 after previously using BlackCat, Quantum Locker, Zeppelin, and Rhysida. The fluidity between groups showcases a core feature of the RaaS model where affiliates shop for the most effective tools and swap them out when law enforcement pressure mounts.
Australia now mandates that organizations with annual turnover above $3 million, as well as critical infrastructure operators, report ransomware or extortion payments within 72 hours — a regulatory shift designed to erode the financial incentives that sustain groups like INC.
The ACSC advisory recommends network defenders prioritize patching of internet-facing systems, implement phishing-resistant multifactor authentication, segment networks to limit lateral movement, and monitor for unusual use of legitimate administrative tools such as PowerShell and Remote Desktop Protocol (RDP).
Given that INC ransomware elements have also been linked to the development of Lynx ransomware — a derivative group — the threat footprint extends well beyond INC’s own branding. Defenders who neutralize INC today may face the same code under a different name tomorrow.
