Executive Summary
In early 2026, the INC ransomware group, a ransomware-as-a-service (RaaS) operation active since mid-2023, intensified its attacks across various sectors, notably healthcare, education, and government entities. Utilizing double extortion tactics, INC affiliates gained initial access through spear-phishing campaigns and exploitation of vulnerabilities in external services. Once inside, they conducted internal reconnaissance using tools like NETSCAN.EXE and AnyDesk.exe, exfiltrated sensitive data, and deployed ransomware to encrypt systems, pressuring victims into paying ransoms to prevent data leaks. (explore.ontolocy.com)
This surge in INC's activities underscores the evolving ransomware landscape, where groups leverage RaaS models to scale operations rapidly. The focus on sectors with sensitive data highlights the critical need for organizations to bolster defenses against such multifaceted threats.
Why This Matters Now
The recent escalation in INC ransomware attacks, particularly targeting sectors with sensitive data, emphasizes the urgent need for organizations to enhance cybersecurity measures. The group's effective use of double extortion tactics and rapid operational scaling through the RaaS model present a significant and immediate threat to data security and operational continuity.
Attack Path Analysis
The INC Ransom group initiated the attack by exploiting known vulnerabilities in Citrix NetScaler and Fortinet FortiClientEMS to gain unauthorized access. Upon entry, they escalated privileges by obtaining domain administrator credentials through credential dumping techniques. They then moved laterally across the network using remote desktop protocol (RDP) sessions with the stolen credentials. For command and control, they established persistent access via RDP and utilized remote access tools. Data exfiltration was conducted by archiving sensitive data using utilities like 7-Zip and transferring it to attacker-controlled servers. Finally, they deployed ransomware to encrypt critical systems, demanding a ransom for decryption keys.
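As an added example that is not part of this report or any vendor product, the following defender-side correlation mirrors the chain described above over constructed log events: an RDP logon followed on the same host by NETSCAN.EXE reconnaissance or a 7-Zip archive creation, plus one account fanning out over RDP to several hosts. The event schema, field names and sample events are assumptions, not real telemetry.

```python
from datetime import datetime, timedelta

# Constructed sample events in a simplified Windows-style schema (assumed, not real telemetry).
# "logon" = successful logon with its logon type (10 = RemoteInteractive/RDP); "proc" = process creation.
SAMPLE_EVENTS = [
    {"ts": "2026-02-03T01:10:00", "host": "WS-12", "type": "logon", "user": "svc_backup", "logon_type": 10, "src_ip": "10.0.5.21"},
    {"ts": "2026-02-03T01:12:30", "host": "WS-12", "type": "proc", "user": "svc_backup", "image": "C:\\Temp\\NETSCAN.EXE"},
    {"ts": "2026-02-03T01:40:00", "host": "FS-01", "type": "logon", "user": "svc_backup", "logon_type": 10, "src_ip": "10.0.5.12"},
    {"ts": "2026-02-03T01:55:00", "host": "FS-01", "type": "proc", "user": "svc_backup",
     "image": "C:\\Program Files\\7-Zip\\7z.exe", "cmdline": "7z.exe a -p -mhe=on D:\\out\\finance.7z D:\\Shares\\Finance"},
    # Benign: a user extracting an archive with no preceding RDP logon must not fire.
    {"ts": "2026-02-03T09:00:00", "host": "WS-07", "type": "proc", "user": "jdoe",
     "image": "C:\\Program Files\\7-Zip\\7z.exe", "cmdline": "7z.exe x report.7z"},
]

RECON_TOOLS = {"netscan.exe", "anydesk.exe"}   # tools named in the report
ARCHIVERS = {"7z.exe", "7za.exe", "rar.exe"}   # archivers used for staging
WINDOW = timedelta(hours=2)                    # how long after an RDP logon follow-on activity is linked

def image_name(path):
    """Lower-cased file name from a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()

def detect_inc_chain(events, window=WINDOW):
    """Return (host, user, signal) tuples where an RDP logon is followed within `window`
    by a recon tool or an archive *creation* (7z 'a' verb) on the same host by the same user."""
    findings, last_rdp = [], {}  # last_rdp: (host, user) -> time of most recent RDP logon
    for e in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort lexicographically
        ts, key = datetime.fromisoformat(e["ts"]), (e["host"], e["user"])
        if e["type"] == "logon" and e.get("logon_type") == 10:
            last_rdp[key] = ts
            continue
        if e["type"] != "proc" or key not in last_rdp or ts - last_rdp[key] > window:
            continue
        name, argv = image_name(e["image"]), e.get("cmdline", "").split()
        if name in RECON_TOOLS:
            findings.append((*key, "recon_after_rdp"))
        elif name in ARCHIVERS and len(argv) > 1 and argv[1] == "a":  # 'a' = add to archive
            findings.append((*key, "archive_after_rdp"))
    return findings

def rdp_fanout(events, min_hosts=2):
    """Accounts that opened RDP sessions to at least `min_hosts` distinct hosts (lateral movement hint)."""
    hosts = {}
    for e in events:
        if e["type"] == "logon" and e.get("logon_type") == 10:
            hosts.setdefault(e["user"], set()).add(e["host"])
    return {u: len(h) for u, h in hosts.items() if len(h) >= min_hosts}
```

Both signals are weak on their own; the value is in joining them per account, which is why the two functions key on the same user field.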
Kill Chain Progression
Initial Compromise
Description
Exploited vulnerabilities in Citrix NetScaler (CVE-2023-3519) and Fortinet FortiClientEMS (CVE-2023-48788) to gain unauthorized access.
Related CVEs
CVE-2023-3519
CVSS: 9.8
Unauthenticated remote code execution vulnerability in Citrix NetScaler ADC and NetScaler Gateway.
Affected Products:
Citrix NetScaler ADC – 13.1 before 13.1-49.13, 13.0 before 13.0-91.13, 13.1-FIPS before 13.1-37.159, 12.1-FIPS before 12.1-55.297, 12.1-NDcPP before 12.1-55.297
Citrix NetScaler Gateway – 13.1 before 13.1-49.13, 13.0 before 13.0-91.13
Exploit Status:
Exploited in the wild
CVE-2023-48788
CVSS: 9.8
SQL injection vulnerability in Fortinet FortiClientEMS allows unauthorized code execution.
Affected Products:
Fortinet FortiClientEMS – 7.2.0 through 7.2.2, 7.0.1 through 7.0.10
Exploit Status:
Exploited in the wild
CVE-2024-57727
CVSS: 7.5
Path traversal vulnerabilities in SimpleHelp remote support software allow unauthenticated remote attackers to download arbitrary files.
Affected Products:
SimpleHelp – 5.5.7 and earlier
Exploit Status:
Proof of concept
MITRE ATT&CK® Techniques
Spearphishing Attachment
Valid Accounts
Exploit Public-Facing Application
Account Discovery
Credentials from Password Stores
Lateral Tool Transfer
Disable or Modify Tools
Exfiltration Over C2 Channel
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure all system components and software are protected from known vulnerabilities
Control ID: 6.2
NYDFS 23 NYCRR 500 – Penetration Testing and Vulnerability Assessments
Control ID: 500.05
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Identity Management and Access Control
Control ID: Identity Pillar
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Health Care / Life Sciences
INC ransomware specifically targets healthcare organizations like NHS Dumfries & Galloway, exploiting sensitive patient data for maximum extortion pressure and operational disruption.
Legal Services
Legal firms face double extortion risks from INC's data theft capabilities, threatening client confidentiality and regulatory compliance through lateral movement and exfiltration attacks.
Higher Education / Academia
Educational institutions are prime INC targets due to sensitive student data, limited security budgets, and critical operational dependencies on networked systems.
Manufacturing
Manufacturing sector vulnerability stems from INC's exploitation of industrial systems, remote access tools, and operational technology requiring immediate restoration to prevent production losses.
Sources
- INC Ransomware Thrives by Mastering the Basics: https://www.darkreading.com/cyberattacks-data-breaches/inc-ransomware-thrives-by-mastering-the-basics
- Citrix ADC and Citrix Gateway Security Bulletin for CVE-2023-3519: https://support.citrix.com/article/CTX561482/citrix-adc-and-citrix-gateway-security-bulletin-for-cve20233519-cve20233466-cve20233467
- Fortinet FortiClientEMS Vulnerability Advisory FG-IR-24-007: https://fortiguard.com/psirt/FG-IR-24-007
- SimpleHelp Security Vulnerabilities in Versions 5.5.7 and Earlier: https://simple-help.com/kb---security-vulnerabilities-01-2025#security-vulnerabilities-in-simplehelp-5-5-7-and-earlier
- INC Ransomware: Tactics, Evolution, and Incident Response Guide: https://www.provendata.com/blog/inc-ransomware/
- INC Ransomware Group: https://explore.ontolocy.com/intel/intrusion-sets/inc-ransomware-group/
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust Cloud Native Security Fabric (CNSF) is pertinent to this incident as it could have significantly constrained the attacker's ability to move laterally, escalate privileges, and exfiltrate data by enforcing strict segmentation and identity-based access controls.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: While initial access may still occur, CNSF would likely limit the attacker's ability to exploit these vulnerabilities to move further within the network.
Control: Zero Trust Segmentation
Mitigation: Even with stolen credentials, CNSF would likely restrict the attacker's ability to escalate privileges across segmented network zones.
Control: East-West Traffic Security
Mitigation: CNSF would likely impede lateral movement by enforcing east-west traffic controls, reducing the attacker's ability to traverse the network.
Control: Multicloud Visibility & Control
Mitigation: CNSF would likely detect and constrain unauthorized command and control channels, reducing the attacker's ability to maintain persistent access.
Control: Egress Security & Policy Enforcement
Mitigation: CNSF would likely restrict unauthorized data exfiltration by enforcing strict egress policies, reducing the attacker's ability to transfer data externally.
While CNSF may not prevent the initial deployment of ransomware, it would likely limit the spread and impact by containing the attack within segmented network zones.
Impact at a Glance
Affected Business Functions
- Electronic Health Records (EHR)
- Billing Systems
- Patient Scheduling
- Diagnostic Equipment
Estimated downtime: 14 days
Estimated loss: $5,000,000
Data at risk: Patient medical records, billing information, and personal identification data.
Recommended Actions
Key Takeaways & Next Steps
- Implement inline intrusion prevention systems (IPS) to detect and block exploitation attempts of known vulnerabilities.
- Enforce zero trust segmentation to limit lateral movement by restricting access between systems based on identity and policy.
- Deploy egress security and policy enforcement to monitor and control outbound traffic, preventing unauthorized data exfiltration.
- Utilize threat detection and anomaly response tools to identify and respond to unusual activities indicative of command and control communications.
- Ensure all systems are regularly updated and patched to mitigate the risk of exploitation through known vulnerabilities.