The INC ransomware group, operating in RaaS model since August 2023, has compromised over 830 organizations, becoming one of the most active cybercriminal groups in 2026. Rapid growth was partly enabled by shutdown of competing LockBit and BlackCat operations, whose affiliates migrated to INC with experience, tools, and target lists. For B2B companies, this means ransomware threat is not declining—it only changes operator labels.
INC Group Profile and RaaS Model
INC operates like typical ransomware-as-a-service: the core group develops malware, C2 infrastructure, and affiliate panel, while partners conduct attacks keeping a ransom percentage. The group uses double extortion—data encryption plus stolen file publication threat on leak site. Victims include manufacturing, professional services, healthcare, and MSP—B2B sectors with high data value and time pressure to restore operations.
LockBit and BlackCat affiliate migration to INC means experienced attack operators use proven TTPs: initial access via VPN, RDP, phishing, or edge device exploits, lateral movement through Active Directory, exfiltration before encryption, backup and shadow copy disablement.
Defensive Priorities for B2B Organizations
- 3-2-1 backup with immutability – offline/immutable copies inaccessible from AD domain.
- Network segmentation – limit lateral movement between VLANs and to file servers.
- ITDR and MFA – identity protection, especially admin and service accounts.
- Response plan – practiced procedures without paying ransom as default option.
INC Incident Response
After encryption detection: immediate affected segment isolation, entry vector identification, CSIRT and potential law enforcement notification, exfiltration scope assessment for GDPR. Organizations should have forensic firm and cyber insurer contacts prepared. Paying ransom does not guarantee data recovery and funds further group activity.
Partners offering IT infrastructure with backup and disaster recovery layers design ransomware-resilient architectures—air-gapped backup, quarterly restore tests, recovery runbooks without domain admin credentials on backup server.
Negotiation and Crisis Communication
INC applies time pressure and sample data publication before ransom deadline. Organizations should have prepared crisis comm plans: who communicates with customers, media, employees, through which channels, with what key messages. Legal assesses ransom payment compliance with sanctions and company policy.
Cyber insurance may cover part of IR and compensation costs—requiring documented baseline security before incident.
Regulatory Context and Reporting
Incidents discussed in this article may require assessment under GDPR, NIS2, and sector regulations. Organizations should maintain an up-to-date processing register, breach risk assessment procedure, and 24/7 IR team contacts. Incident timeline documentation—from detection to remediation—is critical for post-audit and cyber insurance discussions.
We recommend annual tabletop exercises with leadership, IT, legal, and PR participation covering data leaks, ransomware, and SaaS supply chain compromise.
Long-Term Cyber Resilience Strategy
Single post-incident remediation does not build organizational resilience. Investment in defense-in-depth, continuous user training, threat intelligence, and partnership with specialized IT services for businesses shortens mean time to detect and mean time to respond.
Practical Steps for the Next 30 Days
Within the first week: inventory affected systems, rotate credentials, and deploy available patches. Second week: detection tests, IR playbook updates, and key user training. Third and fourth weeks: compensating control audit, leadership report, and long-term architecture remediation plan. Each step should have an owner, deadline, and measurable outcome.
Teams without internal security resources can engage external partners to accelerate remediation—typical engagements last 2–6 weeks covering assessment, hardening, and runbook handoff to the client IT team. AbejaIT supports B2B organizations at every stage—from rapid exposure assessment to durable security control implementation.
Partnership With a Technology Provider
Many B2B organizations lack sufficient internal resources to independently maintain a full security program—from threat intelligence to 24/7 SOC. Cooperation with an experienced IT services provider shortens control deployment time, avoids common configuration mistakes, and maintains knowledge continuity even with internal staff rotation. The cooperation model should clearly define SLA, responsibility scope, and incident escalation procedures.
AbejaIT supports companies in security audits, infrastructure hardening, AI solution deployments with governance, and long-term production environment maintenance. Every engagement starts with maturity assessment and quick wins prioritization—actions delivering the greatest risk reduction in the shortest time.
Security Program Success Metrics
An effective cybersecurity program measures MTTD (mean time to detect), MTTR (mean time to respond), critical audit findings count, immutable backup coverage, and phishing simulation results. Quarterly leadership dashboards should show trends—not just absolute values. Goals should be realistic: e.g., 20% MTTR reduction year-over-year, 100% MFA coverage on admin accounts, zero critical CVEs on exposed services 72h after publication.
Conclusion
INC Ransomware reminds that the RaaS ecosystem quickly reorganizes after competitor disruption. B2B companies must treat backup, segmentation, and IR as mandatory investment, not optional. We invite ransomware resilience audits through our IT services for businesses.
Source: The Hacker News