INC Ransom’s Affiliate Model Threatens Global Critical Infrastructure in 2025
Australia’s Cyber Security Centre (ACSC) has issued a new advisory regarding INC Ransom, a group that has emerged as a significant threat to critical infrastructure globally. The advisory highlights the group’s affiliate model, which allows a diverse range of threat actors to target essential systems, including healthcare and government networks, with minimal technical expertise.
Operating as a Ransomware-as-a-Service (RaaS) entity, INC Ransom employs a criminal franchise model. Core developers create and maintain the ransomware platform, leasing it to affiliates who execute attacks in exchange for a share of the ransom. This structure effectively turns cybercrime into a business model, where the brand, tools, and infrastructure are owned by INC, while the actual attacks are carried out by hired affiliates.
As of mid-2025, over 200 victims have been listed on INC’s data leak site. In July 2025, the group was identified as the most frequently deployed ransomware based on reported incidents. This rapid growth is attributed to a strategic expansion through affiliates who possess existing access and expertise from other cybercriminal organizations.
Healthcare Sector Under Siege
Between January and August 2025, healthcare organizations were particularly hard hit by INC’s activities, alongside educational, technological, and governmental sectors. The ACSC noted that INC Ransom affiliates have targeted Australian healthcare entities using compromised accounts. Following initial access, these affiliates escalated privileges by creating administrative accounts and moving laterally within victim networks.
In June, the Tongan Ministry of Health’s ICT environment was compromised, disrupting core services and impacting the national healthcare network. The ACSC confirmed that this incident was also linked to the INC Ransom group, which had previously attacked a healthcare entity in New Zealand.
During these attacks, numerous servers and endpoint devices were encrypted, and substantial amounts of data were stolen. INC Ransom claimed responsibility and subsequently published the stolen dataset on its data leak site.
Exploitation of Known Vulnerabilities
INC affiliates are not innovating; they exploit known, unpatched vulnerabilities in widely used enterprise software. Documented entry points include CVE-2023-3519 in Citrix NetScaler, a remote code execution flaw patched in July 2023, and CVE-2023-48788, a SQL injection vulnerability in Fortinet Endpoint Management Server. Another notable vulnerability is CVE-2024-57727, a path traversal flaw in SimpleHelp RMM, added to CISA’s Known Exploited Vulnerabilities catalog in February 2025.
Additionally, INC Ransom utilized CitrixBleed (CVE-2023-4966), which allows attackers to bypass multifactor authentication and hijack legitimate user sessions. This means that attackers can gain access without needing stolen credentials, effectively walking through the front door using an already authorized session.
Once inside, INC affiliates adhere to a structured methodology. They archive data using 7-Zip before exfiltration via MegaSync, employ AES encryption, and leave ransom notes printed directly to network printers. The group employs a double extortion tactic, encrypting systems while threatening to publicly release stolen data unless a ransom is paid.
In a notable incident, INC Ransom claimed to have breached the Pennsylvania Office of the Attorney General in August 2025, asserting that they removed over 5 terabytes of data and hinted at access to federal networks. The office declined to pay the ransom.
Global Reach and Regulatory Response
INC Ransom’s activities extend beyond U.S. borders. The group targeted Alder Hey Children’s NHS Foundation Trust in the U.K., claiming to have acquired extensive patient records, donor reports, and procurement data. This pattern of targeting public-sector healthcare institutions, which often operate with limited security budgets, reflects a calculated predatory strategy.
Microsoft Threat Intelligence has tracked significant activity from INC affiliates through a group known as Vanilla Tempest, which adopted INC Ransom as its primary payload in August 2024. This fluidity among groups illustrates a core feature of the RaaS model, where affiliates switch tools to evade law enforcement pressure.
In response to the growing threat, Australia has mandated that organizations with an annual turnover exceeding $3 million, as well as critical infrastructure operators, report ransomware or extortion payments within 72 hours. This regulatory shift aims to diminish the financial incentives that support groups like INC.
The ACSC advisory recommends that network defenders prioritize patching internet-facing systems, implement phishing-resistant multifactor authentication, segment networks to limit lateral movement, and monitor for unusual use of legitimate administrative tools such as PowerShell and Remote Desktop Protocol (RDP).
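The two detection opportunities the article describes, the 7-Zip staging followed by MegaSync exfiltration in the post-compromise methodology above and the ACSC's recommendation to watch for unusual PowerShell and RDP use, can be expressed as simple correlation rules over endpoint telemetry. The block below is an added illustration written for this page; it is not code from the ACSC advisory or from any vendor. The flat event format, the field names, the rule names, the 30-minute correlation window, the business-hours range, the RDP allowlist and every sample event are constructed assumptions, chosen to resemble Sysmon process-creation and Windows logon records without matching any real schema.

```python
"""Toy detection rules for the INC Ransom tradecraft described in the advisory:
7-Zip archiving followed by MEGAsync, and unusual PowerShell / RDP activity.
Added example; the event shape and all sample events below are constructed."""
from datetime import datetime, timedelta

# Constructed sample telemetry in a simplified Sysmon / Windows-logon-like shape.
SAMPLE_EVENTS = [
    {"ts": "2025-06-10T02:14:05", "host": "FS01", "type": "process", "user": "svc_backup",
     "image": "C:\\Program Files\\7-Zip\\7z.exe",
     "cmdline": "7z.exe a -mx1 D:\\staging\\finance.7z \\\\FS01\\Finance"},
    {"ts": "2025-06-10T02:21:40", "host": "FS01", "type": "process", "user": "svc_backup",
     "image": "C:\\Users\\svc_backup\\AppData\\Local\\MEGAsync\\MEGAsync.exe",
     "cmdline": "MEGAsync.exe"},
    {"ts": "2025-06-10T02:02:11", "host": "FS01", "type": "logon", "user": "svc_backup",
     "logon_type": 10, "src_ip": "10.20.30.40"},
    # Benign: a user extracting (not creating) an archive during the day.
    {"ts": "2025-06-10T09:30:00", "host": "WS17", "type": "process", "user": "jdoe",
     "image": "C:\\Program Files\\7-Zip\\7z.exe", "cmdline": "7z.exe x report.7z"},
    # Benign: approved admin using RDP during business hours.
    {"ts": "2025-06-10T10:00:00", "host": "ADM01", "type": "logon", "user": "it_admin",
     "logon_type": 10, "src_ip": "10.0.0.5"},
    {"ts": "2025-06-10T02:30:00", "host": "DC01", "type": "process", "user": "svc_backup",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc QQBCAEMA"},  # constructed base64
]

RDP_ALLOWED_ACCOUNTS = {"it_admin"}   # assumed allowlist of RDP-approved accounts
EXFIL_WINDOW = timedelta(minutes=30)  # assumed archive -> sync correlation window


def _parse(events):
    """Return a copy of the events sorted chronologically with a datetime attached."""
    out = []
    for e in events:
        e = dict(e)
        e["dt"] = datetime.fromisoformat(e["ts"])
        out.append(e)
    return sorted(out, key=lambda e: e["dt"])


def _exe(e):
    """Lower-cased file name of the process image."""
    return e["image"].rsplit("\\", 1)[-1].lower()


def rule_archive_then_megasync(events, window=EXFIL_WINDOW):
    """7-Zip *creating* an archive, then MEGAsync starting on the same host within
    `window`: the staging-then-exfiltration sequence the advisory describes."""
    alerts = []
    last_archive = {}  # host -> most recent 7z 'add'/'update' command
    for e in _parse(events):
        if e["type"] != "process":
            continue
        tokens = e["cmdline"].split()
        if _exe(e) == "7z.exe" and len(tokens) > 1 and tokens[1] in ("a", "u"):
            last_archive[e["host"]] = e
        elif _exe(e) == "megasync.exe":
            prior = last_archive.get(e["host"])
            if prior and e["dt"] - prior["dt"] <= window:
                alerts.append({"rule": "archive_then_megasync", "host": e["host"],
                               "user": e["user"], "archive_cmd": prior["cmdline"]})
    return alerts


def rule_unusual_rdp_logon(events, allowed=RDP_ALLOWED_ACCOUNTS, hours=(7, 19)):
    """Interactive RDP logons (Windows logon type 10) by accounts outside the
    allowlist or outside business hours."""
    alerts = []
    for e in _parse(events):
        if e["type"] != "logon" or e.get("logon_type") != 10:
            continue
        reasons = []
        if e["user"] not in allowed:
            reasons.append("account not approved for RDP")
        if not hours[0] <= e["dt"].hour < hours[1]:
            reasons.append("outside business hours")
        if reasons:
            alerts.append({"rule": "unusual_rdp_logon", "host": e["host"],
                           "user": e["user"], "src_ip": e["src_ip"], "reasons": reasons})
    return alerts


def rule_encoded_powershell(events):
    """powershell.exe launched with -EncodedCommand or any accepted abbreviation
    of it (-e, -ec, -enc, ...); legitimate administration rarely needs this."""
    alerts = []
    for e in _parse(events):
        if e["type"] != "process" or _exe(e) not in ("powershell.exe", "pwsh.exe"):
            continue
        for tok in e["cmdline"].lower().split()[1:]:
            if tok.startswith("-e") and "-encodedcommand".startswith(tok):
                alerts.append({"rule": "encoded_powershell", "host": e["host"],
                               "user": e["user"], "cmdline": e["cmdline"]})
                break
    return alerts


def run_rules(events):
    """Run every rule and return the combined list of alerts."""
    alerts = []
    for rule in (rule_archive_then_megasync, rule_unusual_rdp_logon, rule_encoded_powershell):
        alerts.extend(rule(events))
    return alerts


if __name__ == "__main__":
    for alert in run_rules(SAMPLE_EVENTS):
        print(alert)
```

On the sample data the rules fire three times, all on the constructed `svc_backup` activity: the 7-Zip archive followed nineteen minutes later by MEGAsync on FS01, the out-of-hours RDP logon by an account not on the allowlist, and the hidden-window encoded PowerShell launch on DC01. The daytime archive extraction on WS17 and the approved administrator's RDP session stay silent, which is the point of correlating on the archive *command* and on an allowlist rather than alerting on every 7z.exe or every RDP logon.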
Furthermore, elements of INC ransomware have been linked to the development of Lynx ransomware, indicating that the threat landscape extends beyond INC’s branding. Defenders who neutralize INC today may encounter the same code under a different name tomorrow.
For further details, refer to the advisory published by the ACSC.
As reported by thecyberexpress.com.