INC Ransomware Emerges as Major RaaS Threat in 2026 with 830+ Victims Since 2023

Cybersecurity researchers have charted the evolution of INC from an nascent ransomware-as-a-service (RaaS) operation to one of the most prolific cybercrime groups in 2026, claiming no less than 830 victims since August 2023. "The disruption of LockBit and the shutdown of BlackCat created opportunities for INC to expand as affiliates migrated to alternative ransomware operations," Acronis

According to recent reporting, the INC ransomware group has rapidly evolved into a major ransomware-as-a-service (RaaS) operation since mid-2023, leveraging affiliates, double- or multi-extortion tactics, and cross-platform payloads to target hundreds of organizations across sectors including healthcare, manufacturing, and government.[1][5] Disruptions to other large RaaS groups such as LockBit and BlackCat reportedly drove affiliate migration to INC, contributing to at least several hundred publicly known attacks and leak-site victims.[3][5] From a CyberSE.AI perspective, this growth in RaaS capacity, combined with broader industry evidence that AI tools are increasingly used to automate target selection, vulnerability exploitation, and social engineering in ransomware campaigns,[7][9] makes malicious AI use a high-severity risk: defenders should assume ransomware operators will progressively adopt AI for reconnaissance, phishing, and scaling operations. Organizations should prioritize AI-aware security posture reviews, continuous red teaming that includes AI-enabled ransomware scenarios, and executive-level AI security governance to ensure incident response, identity controls, an