Executive Summary
Between July 2024 and December 2025, the INC ransomware group and its affiliates conducted a series of attacks on healthcare organizations across Australia, New Zealand, and Tonga. Using spear-phishing, exploitation of unpatched internet-facing systems, and credentials obtained from initial access brokers, the group gained entry to networks, exfiltrated sensitive data, and deployed ransomware to encrypt critical systems. Notably, in June 2025, INC disrupted Tonga's Ministry of Health, effectively shutting down core national services. (darkreading.com)
This incident underscores the escalating threat of ransomware attacks on the healthcare sector, emphasizing the need for robust cybersecurity measures, timely patch management, and comprehensive incident response strategies to safeguard patient data and ensure the continuity of essential health services.
Why This Matters Now
The INC Ransomware Group's targeted attacks on healthcare institutions in Oceania highlight the urgent need for enhanced cybersecurity defenses in the sector. As ransomware tactics evolve, healthcare organizations must prioritize proactive measures to protect sensitive patient data and maintain operational resilience.
Attack Path Analysis
The INC ransomware group gained initial access by exploiting known vulnerabilities in internet-facing systems and by spear-phishing. Once inside, the operators dumped credentials to escalate privileges and created scheduled tasks for persistence. They used tools such as NETSCAN.EXE to enumerate the network before moving laterally. For command and control they relied on legitimate remote access tools such as AnyDesk, which blend in with normal IT support traffic. Data was staged with compression tools and exfiltrated before encryption began. Finally, they encrypted data and dropped ransom notes, in some cases printing the notes on networked printers.
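As an added example (not code from the page, its cited sources, or the vendor), the following Python sketch turns the post-compromise stages described above into host-level detection logic and runs it over a handful of constructed event records shaped like Sysmon Event ID 1 (process creation) and Windows Security Event ID 4698 (scheduled task created). The field names, the per-host allow-list of approved remote tools, the hostnames and the sample command lines are assumptions for illustration; adapt them to your SIEM schema.

```python
"""Detection sketch for the INC-style chain: scheduled-task persistence,
NETSCAN.EXE discovery, AnyDesk as C2, archive staging before exfiltration,
and ransom-note printing. Example code, not from the page or vendor."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Hypothetical allow-list: hosts on which a given remote-support tool is expected.
APPROVED_REMOTE_TOOLS = {"helpdesk-ws01": {"anydesk.exe"}}
ARCHIVERS = {"7z.exe", "7za.exe", "rar.exe", "winrar.exe"}
# Task actions launched from user-writable locations are the persistence signal.
USER_WRITABLE = re.compile(r"\\(users|programdata|temp)\\", re.I)
# Password-protected (-p / -hp) or split (-vNNN) archives are typical exfil staging.
ARCHIVE_FLAGS = re.compile(r"\s-(?:p|hp)\S*|\s-v\d+")


def _exe(image: str) -> str:
    """Return the lower-cased executable name from a Windows image path."""
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()


def stage_for(ev: dict):
    """Map one event to an attack stage label, or None if it looks benign."""
    host = ev["host"].lower()
    if ev["event_id"] == 4698:  # Security log: scheduled task created
        if USER_WRITABLE.search(ev.get("task_command", "")):
            return "persistence:scheduled_task"
        return None
    exe = _exe(ev.get("image", ""))
    cmd = ev.get("cmdline", "").lower()
    if exe == "netscan.exe":
        return "discovery:netscan"
    if exe == "anydesk.exe" and exe not in APPROVED_REMOTE_TOOLS.get(host, set()):
        return "c2:unapproved_anydesk"
    if exe in ARCHIVERS and ARCHIVE_FLAGS.search(cmd):
        return "collection:archive_staging"
    # notepad.exe /p and print.exe send a text file straight to a printer.
    if (exe == "notepad.exe" and " /p" in cmd) or exe == "print.exe":
        return "impact:ransom_note_printing"
    return None


def correlate(events, window=timedelta(hours=72)):
    """Group stage hits per host; alert when 3+ distinct stages fall inside `window`.

    Returns (stages_by_host, alerts): stage labels per host in time order, and
    the sorted set of stages for each host that crossed the threshold."""
    by_host = defaultdict(list)
    for ev in events:
        stage = stage_for(ev)
        if stage:
            by_host[ev["host"].lower()].append((datetime.fromisoformat(ev["ts"]), stage))
    alerts = {}
    for host, hits in by_host.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            stages = {s for t, s in hits[i:] if t - t0 <= window}
            if len(stages) >= 3:
                alerts[host] = sorted(stages)
                break
    stages_by_host = {h: [s for _, s in hits] for h, hits in by_host.items()}
    return stages_by_host, alerts


# Constructed sample telemetry (not real logs from the incident).
SAMPLE_EVENTS = [
    {"ts": "2025-06-02T08:14:00", "host": "WS-RECEPTION-03", "event_id": 1,
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"ts": "2025-06-02T08:20:00", "host": "WS-RECEPTION-03", "event_id": 4698,
     "task_name": r"\Microsoft\Windows\Updater", "task_command": r"C:\Users\Public\svchost.exe"},
    {"ts": "2025-06-02T09:05:00", "host": "WS-RECEPTION-03", "event_id": 1,
     "image": r"C:\Users\Public\netscan.exe", "cmdline": "netscan.exe"},
    {"ts": "2025-06-02T10:30:00", "host": "WS-RECEPTION-03", "event_id": 1,
     "image": r"C:\Users\Public\AnyDesk.exe", "cmdline": "AnyDesk.exe"},
    {"ts": "2025-06-03T01:10:00", "host": "FS-EHR-01", "event_id": 1,
     "image": r"C:\Program Files\7-Zip\7z.exe",
     "cmdline": "7z.exe a -pSecr3t -v2g D:\\stage\\ehr.7z \\\\fs-ehr-01\\records"},
    {"ts": "2025-06-03T02:00:00", "host": "FS-EHR-01", "event_id": 1,
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe /p C:\\INC-README.txt"},
    {"ts": "2025-06-03T02:00:00", "host": "helpdesk-ws01", "event_id": 1,
     "image": r"C:\Program Files\AnyDesk\AnyDesk.exe", "cmdline": "AnyDesk.exe"},
]

if __name__ == "__main__":
    stages, alerts = correlate(SAMPLE_EVENTS)
    for host, seen in stages.items():
        print(host, "->", ", ".join(seen))
    print("ALERTS:", alerts)
```

Run stand-alone it flags WS-RECEPTION-03 (persistence, discovery and unapproved AnyDesk inside the window) while FS-EHR-01, with only two stages, stays below the threshold and the help-desk host's AnyDesk use is ignored because it is allow-listed. The three-stage threshold and 72-hour window are starting points; in a real deployment the archive-staging and printing signals on a file server would usually justify a lower threshold on their own.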
Kill Chain Progression
Initial Compromise
Description
The attackers exploited known vulnerabilities in internet-facing systems, such as CVE-2023-3519 in Citrix NetScaler ADC and Gateway, and ran spear-phishing campaigns to gain initial access to target networks.
Related CVEs
CVE-2023-3519
CVSS 9.8. A code injection vulnerability in Citrix NetScaler ADC and NetScaler Gateway allows unauthenticated remote code execution on appliances configured as a Gateway (VPN, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server.
Affected Products:
NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.13 and 13.0 before 13.0-91.13; NetScaler ADC 13.1-FIPS before 13.1-37.159, 12.1-FIPS before 12.1-55.297 and 12.1-NDcPP before 12.1-55.297 (12.1 is end of life and also affected)
Exploit Status:
exploited in the wild
CVE-2023-48788
CVSS 9.8. A SQL injection vulnerability in Fortinet FortiClient EMS (Enterprise Management Server) allows an unauthenticated remote attacker to execute code or commands via crafted requests.
Affected Products:
FortiClient EMS 7.2.0 through 7.2.2 and 7.0.1 through 7.0.10
Exploit Status:
exploited in the wild
CVE-2024-57727
CVSS 7.5. A path traversal vulnerability in the SimpleHelp remote support server allows an unauthenticated attacker to download arbitrary files from the server, including serverconfig.xml, which holds hashed administrator and technician credentials. In observed intrusions it was chained with the companion SimpleHelp privilege-escalation and file-upload flaws to reach remote code execution.
Affected Products:
SimpleHelp 5.5.7 and earlier (fixed in 5.5.8, 5.4.10 and 5.3.9)
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Phishing: Spearphishing (T1566)
Exploit Public-Facing Application (T1190)
Command and Scripting Interpreter (T1059)
Valid Accounts (T1078)
Exploitation for Privilege Escalation (T1068)
Obfuscated Files or Information (T1027)
OS Credential Dumping (T1003)
Data Encrypted for Impact (T1486)
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
HIPAA – Risk Analysis
Control ID: 164.308(a)(1)(ii)(A)
HIPAA – Security Awareness and Training
Control ID: 164.308(a)(5)(ii)(D)
HIPAA – Access Control
Control ID: 164.312(a)(2)(i)
HIPAA – Audit Controls
Control ID: 164.312(b)
HIPAA – Response and Reporting
Control ID: 164.308(a)(6)(ii)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Health Care / Life Sciences
Primary target of INC ransomware across Oceania, with attacks on emergency clinics, national health ministries, and 24/7 patient care facilities causing service disruptions.
Government Administration
Tonga's Ministry of Health suffered complete network disruption, showing the ransomware threat to centralized government healthcare infrastructure and national emergency response capabilities.
Professional Training
Australian professional services companies suffered significant INC ransomware attacks alongside the healthcare targets, showing that the same credential compromise and lateral movement techniques apply outside the health sector.
Sources
- INC Ransomware Group Holds Healthcare Hostage in Oceania: https://www.darkreading.com/threat-intelligence/inc-ransomware-healthcare-oceania
- INC Ransom and Affiliate Network operating in Australia, New Zealand and the Pacific island states: https://www.cyber.gov.au/about-us/view-all-content/news/inc-ransom-and-affiliate-network-operating-in-australia-new-zealand-and-the-pacific-island-states
- INC Ransom Affiliate Model Enabling Targeting of Critical Networks: https://www.ncsc.govt.nz/assets/guidance/Documents/INC-Ransom-Affiliate-Model-Enabling-Targeting-of-Critical-Networks.pdf
- Threat Actor Spotlight - INC Ransom: https://www.moxfive.com/resources/moxfive-threat-actor-spotlight-inc-ransom
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is relevant to this incident because strict segmentation and identity-aware policies could have constrained the attackers' ability to move laterally, escalate privileges, and exfiltrate data.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: Aviatrix CNSF would not prevent initial access through an exploited vulnerability or a phishing email, but it could limit the attacker's ability to turn that foothold into a wider network compromise.
Control: Zero Trust Segmentation
Mitigation: Aviatrix Zero Trust Segmentation could limit privilege escalation by enforcing strict access controls and minimizing the set of resources reachable from any one compromised host.
Control: East-West Traffic Security
Mitigation: Aviatrix East-West Traffic Security could constrain lateral movement by monitoring and controlling internal (east-west) traffic, reducing the attacker's ability to traverse the network.
Control: Multicloud Visibility & Control
Mitigation: Aviatrix Multicloud Visibility & Control could help detect and block unauthorized command-and-control channels through centralized monitoring and control of network traffic.
Control: Egress Security & Policy Enforcement
Mitigation: Aviatrix Egress Security & Policy Enforcement could limit data exfiltration by monitoring and controlling outbound traffic, reducing the attacker's ability to transfer data to external infrastructure.
Aviatrix CNSF would not stop encryption or ransom note deployment on a host that is already compromised, but it could reduce the overall impact by restricting the ransomware's spread across the network.
Impact at a Glance
Affected Business Functions
- Electronic Health Records (EHR)
- Patient Scheduling
- Billing Systems
- Diagnostic Services
Estimated downtime: 14 days
Estimated loss: $5,000,000
Data at risk: Personally identifiable information (PII) and protected health information (PHI) of patients, including medical records and billing information.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to restrict lateral movement and enforce least privilege access.
- Deploy East-West Traffic Security controls to monitor and control internal network traffic, preventing unauthorized lateral movement.
- Utilize Threat Detection & Anomaly Response systems to identify and respond to suspicious activities promptly.
- Enforce Egress Security & Policy Enforcement to control outbound traffic and prevent data exfiltration.
- Ensure comprehensive Multicloud Visibility & Control to detect and manage threats across all cloud environments.