TL;DR: INC ransomware has now claimed at least 830 victims since August 2023, with US organizations making up more than 65% of the leak-site listings and legal services, manufacturing, construction, technology, and healthcare as the most-targeted sectors. Per ZeroFox's Q1 2026 ransomware tracking, INC is now the fourth most prominent ransomware group with 120+ incidents in Q1 2026, behind only Qilin (338), Akira (197), and The Gentlemen (192). Three of INC's top five sectors are exactly the NC SMB segments PDC serves out of High Point - manufacturers, law firms, and healthcare practices - and the group's Rust-rewritten encryptors plus a fresh Veeam-credential dumper mean "we have backups" is no longer a defense by itself.
Key takeaway: INC is not the loudest ransomware brand in 2026, but its target list reads like a directory of NC mid-market businesses. With 830 confirmed victims, a Linux/ESXi-capable Rust encryptor, and a credential dumper purpose-built to gut Veeam deployments, an NC SMB without immutable backups, segmented networks, and EDR/MDR is operating on borrowed time.
Need a Veeam + ESXi + endpoint hardening pass against INC and the broader RaaS market? Preferred Data Corporation has run managed IT and cybersecurity for NC small businesses since 1987. Call (336) 886-3282 or book a ransomware readiness review.
Who is INC ransomware and why does June 2026 matter?
INC is a ransomware-as-a-service (RaaS) operation that has been active since August 2023 and, per The Hacker News, has now claimed at least 830 victims on its data-leak site, with more than 65% of those listings tied to US organizations. The group runs the standard double-extortion playbook: encrypt the environment, exfiltrate sensitive data, and post the victim to a leak site if payment is not made.
What separates INC from the noise in mid-2026 is the engineering investment. Per SecNews and The Hacker News, INC has rewritten both its Windows and its Linux/ESXi encryptors in Rust. The reason is operational, not aesthetic: Rust gives the operators a single codebase that compiles cleanly across Windows, Linux, and ESXi targets, and it materially raises the cost of reverse engineering for defenders and antivirus vendors. INC has also shipped an updated credential-dumping module that targets newer Veeam backup deployments, including the salted DPAPI credential encryption introduced in recent Veeam releases - per SecNews, this is a deliberate move to neutralize the one defensive layer most SMBs assume will save them.
The Q1 2026 numbers tell the same story from a different angle. Per Storyboard18's coverage of ZeroFox tracking, INC is now the fourth most prominent ransomware group with 120+ incidents in a single quarter, sitting behind Qilin (338), Akira (197), and The Gentlemen (192). Per Halcyon, INC has also been in the middle of a rapid campaign against law firms - the sector tracking aligns with what's on the ransomware.live INC group page, which keeps a running tally of public victim postings.
Why are NC manufacturers, law firms, and healthcare practices in INC's crosshairs?
Because they pay, they have regulated data, and most of them cannot tolerate a week of downtime. Per The Hacker News, INC's top five sectors are legal services, manufacturing, construction, technology, and healthcare. Three of those (manufacturing, legal services, healthcare) are PDC's core NC SMB customer profile, and construction is a fourth. The targeting is not random - it follows ransom-payment economics.
| Sector | Why INC targets it | NC examples | What gets stolen and leaked |
|---|---|---|---|
| Legal services | Privileged client data, time-sensitive matters, professional liability exposure, high willingness to pay | Greensboro, Winston-Salem, Charlotte, and Raleigh law firms; Triad estate planning and litigation practices | Privileged client files, M&A deal documents, case strategy, conflicts data |
| Manufacturing | Production downtime is measured in lost shipments per hour; flat OT/IT networks; weak backup posture; Veeam-heavy | High Point furniture and component manufacturers, Piedmont Triad industrial firms, Hickory and Statesville plants | CAD/CAM files, customer purchase orders, ERP exports, supplier contracts |
| Healthcare | HIPAA exposure plus patient-safety pressure forces fast payment decisions | Charlotte, Raleigh, and Greensboro specialty practices, Triad ambulatory surgery centers, regional dental groups | PHI, EHR exports, billing data, insurance and provider credentials |
| Construction | Project-deadline pressure, distributed jobsites, weak central IT, frequent third-party data sharing | Triangle and Triad commercial GCs, NC mechanical and electrical contractors, infrastructure subs | Bid documents, project schedules, change orders, payroll, subcontractor data |
| Technology | MSP and SaaS access multipliers, intellectual property, customer credentials | NC SaaS startups, regional MSPs, IT consultancies serving NC SMBs | Source code, customer access tokens, downstream client credentials |
Per Halcyon's recent alert, the law firm campaign has been especially aggressive. An NC law firm with 25 attorneys, a single on-prem file server, a Veeam appliance, and one Microsoft 365 tenant is a textbook INC target - high data sensitivity, high payment willingness, and a Veeam install that the new INC dumper is built to harvest.
What does the INC ransomware kill chain look like?
The kill chain runs in five stages, and each stage has a matching defense layer. Skipping a layer assumes the previous layer holds - and INC's engineering investment is specifically designed to break that assumption.
| Step | Attacker Action | NC SMB Failure Mode | Defense Layer |
|---|---|---|---|
| 1 | Initial access: exposed RDP, weak VPN, phishing, exploit of edge appliance (firewall, VPN gateway) | RDP open to the internet, VPN without MFA, unpatched firewall, no email security | Phishing-resistant MFA, RDP off-internet, patched edge devices |
| 2 | Credential theft: Rust dumper targets domain admin, service accounts, and Veeam DPAPI-protected credentials | Veeam credentials reused across domain admin, no separate backup AD, no LAPS | Tiered admin, separate Veeam credentials, LAPS, vault rotation |
| 3 | Lateral movement: SMB, WMI, RDP, PsExec across a flat network | Flat /24, no segmentation, file shares wide open, no east-west visibility | VLAN segmentation, microsegmentation, EDR east-west detections |
| 4 | Backup destruction: delete Veeam jobs, wipe repositories, encrypt or detach backup storage | Backups on the same domain, no immutability, no offsite copy, no restore tests | Immutable repositories, offline/offsite copies, 3-2-1 verified |
| 5 | Encryption and leak-site extortion: Rust encryptor across Windows + ESXi, leak posting on INC site | No EDR/MDR, no out-of-band IR plan, no legal/PR/insurance contacts in advance | EDR/MDR, IR retainer, tabletop exercise, ransom policy preset |
Per SecNews, the step 4 backup-destruction phase is where INC has spent the most engineering effort in 2026. The Rust credential dumper (step 2 in the table) specifically targets Veeam, including newer salted DPAPI credential protection. The assumption that "Veeam will save us" is exactly the assumption INC is monetizing.
What should NC SMBs do this week to harden against INC ransomware?
Six steps inside seven days. None of them are capital projects; all of them are operationally executable by an NC SMB with managed IT support.
- Audit and remove unused or exposed RDP/VPN endpoints; enforce phishing-resistant MFA on what remains. Run an external attack-surface scan. Any RDP listening on the public internet gets shut down today. Any VPN gateway without MFA gets MFA enforced this week. Phishing-resistant MFA (FIDO2 / WebAuthn / passkeys / hardware keys) is the target; TOTP is the acceptable interim. SMS-only MFA is not sufficient for VPN or admin access in 2026.
- Verify Veeam backup hardening. Patch to the current Veeam release. Move Veeam off the production Active Directory domain or use a separate management AD. Vault the Veeam service account credentials in a separate password manager, rotate them, and ensure they are not reused as a domain admin. Enable immutable repositories - hardened Linux repos with immutability flags, or object-lock-enabled S3-compatible storage. Per SecNews, the INC dumper is built to harvest Veeam DPAPI credentials; separating Veeam from production AD is the control that contains the blast radius.
- Test backup restoration end-to-end. An untested backup is not a backup. Pick a representative server, restore it to an isolated network, boot it, validate the application stack. If the restore fails, you have found the problem in advance instead of during an INC incident. NC SMBs should be running a documented restore test at least quarterly.
- Deploy EDR/MDR across servers and endpoints. Microsoft Defender for Business, CrowdStrike Falcon Go, SentinelOne Singularity, or an equivalent. EDR alone is not enough - it needs a 24/7 MDR layer with humans triaging alerts, because INC encryption can finish before a Tuesday-morning ticket queue is reviewed. NC SMBs without 24/7 monitoring should treat MDR as a non-negotiable line item.
- Segment the network. Flat networks are why INC can encrypt an entire NC manufacturer's estate in minutes. At minimum, separate VLANs for: production servers, user endpoints, OT/plant floor, Veeam/backup infrastructure, management/admin. Block east-west SMB and RDP except where business-justified. NC manufacturers with ERP, MES, and PLCs on the same /24 as office laptops are operating one credential away from total encryption.
- Write and exercise an incident response plan that explicitly covers law-firm-style client-data notification and HIPAA obligations. The plan needs: an incident commander, a comms lead, the cyber-insurance carrier contact, outside counsel, the IR retainer phone number, regulatory notification timelines (HIPAA 60-day breach rule, NC Identity Theft Protection Act notifications, state bar reporting where applicable), and a preset ransom-payment policy approved by the board. Tabletop the plan annually with the full team, not just IT.
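An added example (not from the original post and not Preferred Data Corporation's tooling) for the segmentation step above and for stages 3 and 4 of the kill-chain table: it audits a flow export against the five-VLAN plan and flags SMB, RPC/WMI, and RDP paths that are not allow-listed, treating anything that reaches the backup VLAN as critical. The subnets, the allow-list, and the flow records are constructed assumptions.

```python
import csv
import io
import ipaddress

# Constructed zone plan: the five VLANs from the segmentation step (subnets assumed).
ZONES = {
    "servers":    ipaddress.ip_network("10.10.10.0/24"),
    "endpoints":  ipaddress.ip_network("10.10.20.0/24"),
    "ot":         ipaddress.ip_network("10.10.30.0/24"),
    "backup":     ipaddress.ip_network("10.10.40.0/24"),
    "management": ipaddress.ip_network("10.10.50.0/24"),
}
# Lateral-movement protocols named in stage 3 of the kill-chain table.
LATERAL_PORTS = {445: "SMB/PsExec", 135: "RPC/WMI", 3389: "RDP"}
# Business-justified (src_zone, dst_zone, port) paths; everything else is flagged.
ALLOWED = {("endpoints", "servers", 445),    # users reach file shares
           ("management", "servers", 3389),  # admin RDP from the admin VLAN
           ("management", "backup", 3389)}
# Constructed flow export (src,dst,dport), e.g. from a firewall or NetFlow collector.
SAMPLE_FLOWS = """\
10.10.20.15,10.10.10.5,445
10.10.20.15,10.10.40.2,445
10.10.50.3,10.10.40.2,3389
10.10.20.15,10.10.20.77,3389
10.10.30.8,10.10.10.5,135
10.10.20.15,10.10.10.5,443
not-an-ip,10.10.10.5,445
"""

def zone_of(ip):
    """Return the zone name containing ip, or None if it is outside the plan."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), None)

def audit(flow_csv):
    """Return findings for lateral-movement flows the plan does not allow."""
    findings = []
    for row in csv.reader(io.StringIO(flow_csv)):
        try:
            src, dst, port = row[0].strip(), row[1].strip(), int(row[2])
            src_zone, dst_zone = zone_of(src), zone_of(dst)
        except (ValueError, IndexError):
            continue  # skip malformed records rather than abort the audit
        if port not in LATERAL_PORTS or (src_zone, dst_zone, port) in ALLOWED:
            continue
        if dst_zone == "backup" and src_zone != "backup":
            severity = "critical"  # backup VLAN reached over a path not allow-listed
        elif src_zone != dst_zone:
            severity = "high"      # cross-VLAN lateral-movement path
        else:
            severity = "review"    # same-VLAN peer traffic; microsegmentation candidate
        findings.append({"severity": severity, "src": src, "dst": dst,
                         "path": f"{src_zone}->{dst_zone}", "proto": LATERAL_PORTS[port]})
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_FLOWS):
        print(f"{f['severity']:8} {f['proto']:10} {f['src']} -> {f['dst']} ({f['path']})")
```

Run it against a real flow export after replacing `ZONES` and `ALLOWED` with the site's own plan; a clean report on the backup VLAN is the evidence that harvested production credentials alone do not reach the repositories.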
Key takeaway: INC's engineering effort in 2026 - Rust cross-platform encryptors, ESXi targeting, Veeam DPAPI credential dumping - is built specifically to defeat the defenses NC SMBs assume they have. Immutable backups, segmented networks, EDR/MDR with human eyes, and a tested IR plan are no longer optional for legal, manufacturing, healthcare, and construction firms operating in North Carolina.
How is INC's Rust + ESXi + Veeam pivot reshaping SMB risk in NC?
It collapses three independent assumptions NC SMBs have leaned on for years.
- "They will only encrypt Windows." Per The Hacker News and SecNews, INC's Linux/ESXi Rust encryptor targets the hypervisor itself. An NC manufacturer with 30 Windows VMs running on three ESXi hosts loses all 30 VMs at once when the hypervisor is encrypted - the per-VM Windows defenses never get a chance to fire. ESXi hosts need hardened lockdown mode, no SSH on the internet, MFA on vCenter, separated management VLANs, and current patches.
- "Rust is just a language choice." Operationally, Rust gives INC one codebase that compiles for Windows, Linux, and ESXi, and a binary that is materially harder for antivirus and reverse-engineering teams to dissect. The practical effect for NC SMB defenders is that signature-based AV is a weaker layer in 2026 than it was in 2023. Behavioral EDR with MDR triage is the layer that catches Rust-rewritten payloads in action.
- "Veeam will save us." Per SecNews, the updated INC credential dumper is purpose-built against newer Veeam deployments, including salted DPAPI credential encryption. If Veeam is joined to the production domain, if the Veeam service account is also a domain admin, if the backup repository is reachable over SMB from the Veeam server using those same credentials - INC takes the backups before encryption begins. Separating Veeam credentials, separating the backup domain, and using immutable repositories is the control that survives this pivot.
For PDC's NC manufacturer client base in High Point and across the Piedmont Triad, the practical implication is that an ESXi-based virtualization estate with a Veeam-only backup posture is now a top-risk profile. The same logic applies to NC law firms in Greensboro and Winston-Salem running a single ESXi host with a Veeam appliance, and to NC healthcare practices in Charlotte and Raleigh with EHR servers virtualized on a small VMware cluster.
How does Preferred Data Corporation help NC SMBs defend against INC and the broader RaaS market?
PDC has run managed IT and cybersecurity for NC small businesses since 1987 from High Point, with average client tenure north of 20 years and an on-site service radius of 200 miles. Three service lines map directly to the INC defense plan above.
- Managed IT services: Veeam hardening, immutable repository design, restore testing on a documented cadence, patch management on edge devices and ESXi hosts, tiered admin / LAPS implementation, vault rotation, and 24/7 monitoring of the full IT estate including backup health.
- Cybersecurity services: EDR/MDR rollout (Microsoft Defender for Business, CrowdStrike Falcon Go, SentinelOne) with human triage, phishing-resistant MFA enforcement, external attack-surface scanning to catch exposed RDP/VPN, incident response retainers, cyber-insurance alignment, and tabletop exercises for NC SMB leadership teams.
- Network infrastructure services: VLAN and microsegmentation design for NC manufacturers running flat OT/IT networks, vCenter and ESXi management network isolation, firewall hardening and patching, and architecture review for NC mid-market firms whose backup, production, and management traffic all share the same broadcast domain.
INC is the example, not the exception. The same controls that defend against INC defend against Qilin, Akira, and The Gentlemen - the three groups that out-listed INC in Q1 2026 per Storyboard18 / ZeroFox data. Building the controls once and operating them as a managed service is the calculus that keeps an NC manufacturer in High Point, a law firm in Greensboro, or a healthcare practice in Charlotte from waking up on a Monday morning to encrypted ESXi hosts and a leak-site countdown.
Frequently Asked Questions
What is INC ransomware and how many victims has it claimed?
INC is a ransomware-as-a-service operation active since August 2023. Per The Hacker News, INC has claimed at least 830 victims on its data-leak site as of June 2026, with more than 65% of listings tied to US organizations. The group's top sectors are legal services, manufacturing, construction, technology, and healthcare. Per ZeroFox, INC ranked fourth in Q1 2026 with 120+ incidents.
Why does INC target law firms, manufacturers, and healthcare practices so aggressively?
Because ransom-payment economics favor those sectors. Law firms carry privileged client data with severe professional liability exposure. Manufacturers measure downtime in lost shipments per hour. Healthcare practices face HIPAA obligations and patient-safety pressure that compresses decision timelines. Per Halcyon, INC has been running a rapid campaign specifically against law firms throughout 2026, and the broader sector pattern on the ransomware.live INC group page confirms the same targeting bias.
Does INC encrypt VMware ESXi hosts?
Yes. Per The Hacker News and SecNews, INC operates a Linux/ESXi encryptor that has been rewritten in Rust alongside the Windows version. Encrypting the ESXi hypervisor takes down every VM hosted on it at once, which is why NC SMBs running virtualization clusters need hardened ESXi configurations: lockdown mode, no SSH or management interfaces on the public internet, MFA on vCenter, isolated management VLANs, and current patching.
How does the INC Rust rewrite change defense?
Operationally, Rust gives INC one codebase that compiles cleanly for Windows, Linux, and ESXi, and produces binaries that are harder for antivirus vendors and reverse engineers to dissect. The defensive implication is that signature-based AV is a weaker control in 2026 than it was in 2023. Behavioral EDR with 24/7 MDR triage - Microsoft Defender for Business, CrowdStrike Falcon Go, SentinelOne, or equivalent - is the layer that detects Rust-rewritten payloads during execution rather than relying on signature matches.
Has INC bypassed Veeam backup encryption?
INC has built a credential dumper that targets newer Veeam deployments, including the salted DPAPI credential encryption introduced in recent Veeam releases, per SecNews. If Veeam shares credentials with production Active Directory, if the Veeam service account is also a domain admin, or if the backup repository is reachable using those harvested credentials, INC takes the backups before encryption starts. The defense is to separate Veeam credentials, separate the backup management domain, and use immutable repositories (hardened Linux repos with immutability flags or object-lock-enabled S3 storage).
Should an NC SMB ever pay an INC ransom demand?
The ransom-payment decision needs to be made in advance by the board, not in the first 24 hours of an incident. The right policy considers: cyber-insurance carrier guidance, OFAC sanctions exposure on the receiving wallet, the cost and time of restoring from verified backups versus paying, the practical reality that decryptors often fail or run slowly on large estates, and that paying funds the next round of attacks. The harder operational answer is to make the question moot - immutable backups, tested restore procedures, segmented networks, and EDR/MDR with 24/7 human triage put an NC SMB in a position to recover without paying.
What's the difference between INC and Qilin, Akira, or The Gentlemen?
Per Storyboard18 / ZeroFox Q1 2026 data, Qilin (338 incidents in Q1), Akira (197), and The Gentlemen (192) were the top three ransomware groups in Q1 2026, with INC fourth at 120+. The operational details differ - affiliate splits, initial-access preferences, leak-site cadence - but the SMB-side defenses overlap almost entirely: phishing-resistant MFA, patched edge devices, segmented networks, immutable backups, EDR/MDR, and a tested IR plan. The control investment that defends against INC also defends against the other three.