INC ransomware reached the top tier of the extortion business in 2026 without inventing anything. It ranked as the fourth most active operation in the first quarter of the year, behind Qilin, Akira, and The Gentlemen, and has now named more than 830 victims since August 2023. None of those break-ins needed a zero-day. Every initial-access flaw INC leans on was public and patched months, sometimes years, before the group walked through it. The lesson is uncomfortable: the most prolific crews no longer need original exploits, because patch latency on internet-facing appliances does the work for them.
New research from Acronis, with telemetry from ZeroFox, charts how INC went from a 2023 newcomer to a brand affiliates now build their careers on. The growth curve is not the interesting part; how ordinary the playbook is, is.
INC exploits old bugs, not new ones
Line up the edge-device flaws INC uses for initial access and a pattern falls out. The CVEs are not fresh:
- CVE-2023-3519, the Citrix NetScaler remote code execution bug, public since mid-2023.
- CVE-2025-5777, the flaw known as Citrix Bleed 2, patched in mid-2025.
- CVE-2023-48788, the Fortinet FortiClient EMS SQL injection bug, fixed in early 2024.
- CVE-2024-57727, a path traversal flaw in SimpleHelp remote support software, fixed in early 2025.
Each had a vendor fix available before INC's 2026 surge. The door was open because someone postponed a maintenance window on a NetScaler or a FortiClient EMS box, not because the attacker out-engineered the vendor. Where INC does not have a usable CVE, it buys the way in: stolen credentials from access brokers and targeted phishing fill the gap, then legitimate remote tools like AnyDesk, ScreenConnect, and TeamViewer keep the foothold quiet. This is the same dynamic we flagged when a patched Ivanti Sentry kept getting breached: the patch existing is not the same as the patch being applied.
The Veeam line nobody is reading closely
One detail in the research deserves more attention than the victim tally. INC's affiliates carry a credential dumper that was updated specifically to pull secrets from newer Veeam Backup and Replication servers, the ones using Veeam's salted DPAPI encryption scheme, complete with hardcoded SQL values and a fallback decryption routine.
Consider what that engineering effort tells you. The attacker spent development time keeping pace with a backup vendor's hardening, because the backup server is the prize, not a hurdle. Reaching it lets them disable recovery before they ever drop an encryptor, which is what turns an incident into a paid ransom. Defenders who treat the backup appliance as set-and-forget are neglecting the one box the adversary studies hardest. If your Veeam server is not a tier-zero asset with its own monitoring, INC has already done the homework you skipped.
Why detecting "INC" is a losing strategy
INC sold its Windows and Linux source code on underground forums, and two newer families, Lynx and Sinobi, now carry large amounts of that code. A detection keyed to the INC name, a specific ransom note, or a known sample hash misses the fork the moment an affiliate rebrands. You are not fighting one group; you are fighting a codebase that gets reskinned.
The Rust rewrite of both the Windows and the Linux and ESXi encryptors makes this worse for signature defenders. Rust binaries carry unfamiliar function symbols and runtime strings that slow reverse engineering, so it is a one-time investment by the author that taxes every analyst and antivirus vendor at once. Signature coverage will always trail it by weeks.
The durable detection surface is behavior, not identity. INC, Lynx, and Sinobi converge on the same chain: a vulnerable edge appliance, hands-on-keyboard tooling, defense evasion by loading a vulnerable signed driver, and bulk exfiltration with Rclone before any encryption fires. That sequence does not change when the logo does. It is the argument for detection built on behavior rather than brand, and the same blind spot we wrote about in the Velvet Ant authentication-stack case.
What to actually do this week
Treat this as a short, concrete list, not a reading assignment:
- Confirm patch status on every internet-facing Citrix NetScaler, FortiClient EMS, and SimpleHelp instance, and assume an unpatched one is already a foothold.
- Promote backup servers to tier-zero. Isolate them, restrict who can authenticate, and alert on credential-access tooling touching the Veeam database.
- Hunt for bring-your-own-vulnerable-driver activity. INC loads drivers such as filwfp.sys, filnk.sys, and fildds.sys to blind endpoint protection, so a signed driver loading from an unusual path is worth an alert.
- Watch for staging and exfiltration before encryption: rclone reaching external storage, large outbound transfers, and PsExec or RDP from hosts that have no operational reason to use them.
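The behavior chain described above (vulnerable signed driver, then Rclone staging, before any encryption) and the last two hunting items in the list can be expressed as a small correlator. The following is an added example written for this article, not code from Acronis, ZeroFox, or any product. It runs over constructed, Sysmon-style event records embedded inline rather than a live SIEM; the field names, the allow-listed driver directories, the transfer-size threshold, and the jump-host allow list are assumptions chosen for illustration. The three driver file names come from the article itself.

```python
"""Behaviour-based hunt for the INC / Lynx / Sinobi pre-encryption chain.

Added example for illustration. Event records are constructed, Sysmon-like
dicts; field names, thresholds and allow lists are assumptions, not product
defaults.
"""
from collections import defaultdict

# Driver names the article attributes to INC.
KNOWN_BAD_DRIVERS = {"filwfp.sys", "filnk.sys", "fildds.sys"}
# Assumed: directories a legitimately installed driver normally loads from.
EXPECTED_DRIVER_DIRS = ("c:\\windows\\system32\\drivers\\",
                        "c:\\windows\\system32\\driverstore\\")
# Assumed threshold for a "large outbound transfer" (bytes); tune to your baseline.
LARGE_TRANSFER_BYTES = 500 * 1024 * 1024
# Assumed: hosts that have an operational reason to run PsExec.
ADMIN_JUMP_HOSTS = {"jump01"}


def check_driver_load(ev):
    """Flag a driver load by known-bad name or by an unexpected load path."""
    path = ev["image"].lower()
    name = path.rsplit("\\", 1)[-1]
    if name in KNOWN_BAD_DRIVERS:
        return f"known INC driver {name}"
    if ev.get("signed") and not path.startswith(EXPECTED_DRIVER_DIRS):
        return f"signed driver from unusual path {path}"
    return None


def check_process(ev):
    """Flag rclone staging/exfil and PsExec on hosts with no admin role."""
    image = ev["image"].lower().rsplit("\\", 1)[-1]
    cmd = ev.get("cmdline", "").lower()
    if image == "rclone.exe" and any(k in cmd for k in ("copy", "sync", "move")):
        return "rclone staging/exfiltration"
    if image in ("psexec.exe", "psexesvc.exe") and ev["host"] not in ADMIN_JUMP_HOSTS:
        return "PsExec on a host with no admin role"
    return None


def check_network(ev):
    """Flag large transfers to non-internal destinations."""
    if ev.get("bytes_out", 0) >= LARGE_TRANSFER_BYTES and not ev.get("dest_internal", False):
        return f"large outbound transfer ({ev['bytes_out']} bytes) to {ev['dest']}"
    return None


CHECKS = {"driver_load": check_driver_load,
          "process": check_process,
          "network": check_network}


def hunt(events):
    """Return {host: [finding, ...]} for every event that trips a check."""
    findings = defaultdict(list)
    for ev in events:
        check = CHECKS.get(ev["type"])
        hit = check(ev) if check else None
        if hit:
            findings[ev["host"]].append(hit)
    return dict(findings)


def hosts_with_full_chain(findings):
    """Hosts showing defence evasion AND staging/exfil: the pre-encryption sequence."""
    out = []
    for host, hits in findings.items():
        evasion = any("driver" in h for h in hits)
        exfil = any("rclone" in h or "outbound" in h for h in hits)
        if evasion and exfil:
            out.append(host)
    return sorted(out)


# Constructed sample events (not real telemetry); 203.0.113.10 is a documentation address.
SAMPLE_EVENTS = [
    {"type": "driver_load", "host": "fs01",
     "image": "C:\\Windows\\Temp\\filwfp.sys", "signed": True},
    {"type": "process", "host": "fs01", "image": "C:\\Users\\Public\\rclone.exe",
     "cmdline": "rclone.exe copy D:\\shares remote:bucket --transfers 32"},
    {"type": "network", "host": "fs01", "dest": "203.0.113.10",
     "dest_internal": False, "bytes_out": 7 * 1024 ** 3},
    {"type": "driver_load", "host": "ws22",
     "image": "C:\\Windows\\System32\\drivers\\mouclass.sys", "signed": True},
    {"type": "process", "host": "jump01", "image": "C:\\Tools\\PsExec.exe",
     "cmdline": "psexec.exe \\\\ws22 cmd"},
]

if __name__ == "__main__":
    results = hunt(SAMPLE_EVENTS)
    for host, hits in results.items():
        print(host, hits)
    print("full chain on:", hosts_with_full_chain(results))
```

The point of `hosts_with_full_chain` is the article's own: none of the individual signals names INC, Lynx, or Sinobi, and none depends on a sample hash or ransom note, so a rebranded fork of the same codebase trips the same correlation. Swap the constructed records for your EDR or Sysmon export with the same fields and the logic is unchanged.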
INC is not the threat to fixate on. The model is. The next brand to climb the rankings will look identical under the hood, because the formula works: rent the code, point it at the appliance nobody patched, kill the backups, and collect. The crews stopped innovating because they did not have to. The open question is whether defenders will stop treating last quarter's CVE as last quarter's problem.