INC Ransom emerged in mid-2023 and has steadily built one of the more consequential healthcare-focused ransomware operations in the current ecosystem. Their attack on NHS Dumfries and Galloway in March 2024 — in which they exfiltrated and published patient data including records relating to children — established a pattern of high-impact public sector targeting that has continued through 2025 and into 2026. Despite being less prominent than RansomHub or LockBit in total victim count, INC Ransom’s consistent targeting of healthcare, education, and government makes them a priority intelligence target for defenders in those sectors.
Group Background and Structure
INC Ransom first appeared in July 2023 and operated initially without a prominent public profile. The group runs a standard ransomware-as-a-service model with a core team managing infrastructure, payload development, and the data leak site, alongside a network of affiliates who conduct intrusions and deploy the payload in exchange for a revenue share.
The group’s rebranding activity is worth noting. Researchers at Huntress and Microsoft Threat Intelligence have tracked a cluster of activity under the name “Vanilla Tempest” that uses INC Ransom payloads, targeting particularly US and UK healthcare and education organisations. Whether this represents a formal affiliate brand, an alias for the core team’s own operations, or independent affiliates with consistent TTPs is unclear from open-source analysis. The practical implication: INC Ransom victims may appear under Vanilla Tempest attribution in some threat intelligence reports.
In mid-2025, the group reportedly sold their source code. This has been interpreted as either a genuine exit strategy (selling the asset before a law enforcement action) or an attempt to generate revenue while continuing operations under a new identity. The sale did not immediately result in observable decreased operational tempo — INC Ransom activity continued through 2025 and into 2026.
Technical Profile
INC Ransom uses both Windows and Linux encryptors, with the Linux variant used specifically against VMware ESXi hypervisors — a common pattern in 2025-2026 as virtualisation platforms have become a primary target for maximising encryption impact.
Initial access: Affiliates have been consistently observed exploiting internet-facing infrastructure:
- Citrix NetScaler vulnerabilities (CVE-2023-3519, CVE-2023-4966) were heavily used in 2023-2024 operations
- Exposure of Remote Desktop Protocol (RDP) to the internet remains a common initial access vector
- Phishing campaigns targeting healthcare administrative staff have been documented in several incidents
Lateral movement and pre-deployment: Post-access behaviour follows a pattern consistent with most double-extortion operators:
- Credential harvesting using tools including Mimikatz and living-off-the-land binaries
- Active Directory enumeration to map high-value targets including domain controllers and backup servers
- Data exfiltration via Rclone or MEGASync to cloud storage before encryption
- Disabling backup processes and attempting to delete VSS shadow copies before payload execution
Encryption: INC Ransom’s encryptor appends .INC to encrypted files and drops a ransom note (INC-README.txt) in encrypted directories. The encryptor supports selective encryption modes (targeting specific file extensions or directories) to reduce encryption time on large environments.
UK Healthcare Targeting: NHS Incidents
The pattern of NHS targeting makes INC Ransom specifically significant for UK defenders:
NHS Dumfries and Galloway (March 2024): The group published what they claimed was 3TB of patient data following a ransomware attack on the Scottish NHS board. The leak included sensitive patient records and, controversially, data relating to children’s mental health services. Scottish NHS later confirmed that the published data was genuine. The ICO opened an investigation.
NHS Yorkshire (2025): Continuing the healthcare focus, Yorkshire NHS experienced an INC Ransom-attributed incident affecting IT systems. Details of operational impact were limited in public reporting, but the pattern confirms a deliberate strategy of targeting NHS trusts.
The NHS is structurally attractive to this group for several reasons: high credential density in Active Directory environments that span clinical and administrative functions, political pressure that creates urgency in ransom negotiations, patient safety implications of extended downtime, and the well-documented challenges of security investment in under-resourced public health organisations.
Negotiation and Extortion Patterns
INC Ransom operates a standard double-extortion model: encrypt the victim’s environment and simultaneously exfiltrate data to threaten publication. Ransom demands have ranged from low-six-figures for smaller targets to multi-million dollar demands for large healthcare systems.
The group’s negotiation behaviour differs from some operators in their willingness to carry through on publication threats even when partial payments are made. Victims who paid partial ransoms or engaged in extended negotiations have still seen data published. This is operationally significant: it suggests that the negotiation process is more reliably resolved by either full payment or non-payment than by partial engagement.
The group has published victim data on both their primary leak site and secondary channels, including Telegram, to maximise exposure pressure. For healthcare victims, the threat of publishing patient data — with associated regulatory consequences and patient harm implications — is the primary extortion lever, often more than the encryption disruption itself.
Sector Targeting Distribution
Based on analysed victim claims:
- Healthcare (~35% of known victims): US and UK hospital systems, NHS trusts, dental and specialist practice groups
- Education (~20%): US K-12 school districts, UK universities, local authority education services
- Government / Public Sector (~15%): Local councils, central government contractors, public administration
- Manufacturing and Industrial (~15%): Mid-market industrial companies, primarily North America
- Other (~15%): Legal, financial services, professional services
The concentration in healthcare and public sector is notable — most ransomware groups target these sectors but not to this degree as a proportion of overall victim mix. This suggests deliberate affiliate selection or operational guidance favouring targets where extortion leverage is highest.
Detection and Response Considerations
For healthcare and public sector defenders, the specific indicators to prioritise:
- Citrix NetScaler exploitation: Monitor for CVE-2023-3519 and CVE-2023-4966 exploitation patterns if still running unpatched versions. The CISA advisory provides indicators.
- Rclone and MEGASync: Process creation of these tools on file servers or endpoints with access to file shares is a pre-encryption signal. Alert on Rclone execution in particular — it’s rarely legitimately used in clinical environments.
- VSS deletion activity:
vssadmin delete shadowsor equivalent commands are a reliable pre-encryption signal. This should be a high-priority alert in any SIEM deployment. - INC-README.txt creation: If encryption is underway, the ransom note file appears before the encryption process completes. Detection of this file creation event triggers an incident response before full environment encryption.
INC Ransom is unlikely to divert from healthcare and public sector targeting — these verticals have consistently produced ransom payments and media attention. For organisations in those sectors, INC-specific indicators should be in active monitoring.