Executive Summary
Publication Date: 2026-06-17
INC Ransomware has rapidly ascended as a formidable threat actor in the global cybercrime ecosystem since its emergence in mid-2023. Operating under a Ransomware-as-a-Service (RaaS) model, the group has demonstrated a disciplined, methodical approach that leverages fundamental attack vectors and exploits widely known vulnerabilities. By focusing on the basics—such as exploiting unpatched systems, abusing legitimate administrative tools, and targeting sectors where operational disruption is most costly—INC Ransomware has achieved a high rate of success across healthcare, manufacturing, professional services, and critical infrastructure. This report provides a comprehensive technical analysis of the group’s tactics, techniques, and procedures (TTPs), observed indicators of compromise (IOCs), and actionable mitigation strategies. The findings are based on open-source intelligence and public advisories, with all sources and publication dates referenced for transparency and further research.
Technical Information
INC Ransomware: Operational Overview
INC Ransomware is a RaaS operation first observed in mid-2023, with a clear focus on maximizing impact through operational discipline and the exploitation of basic security lapses. The group’s campaigns are characterized by double extortion—encrypting victim data while simultaneously exfiltrating sensitive information for leverage in ransom negotiations. INC’s cross-platform payloads target Windows, Linux, and VMware ESXi environments, enabling broad enterprise compromise.
Initial Access
INC affiliates gain initial access through a combination of phishing, credential theft, and exploitation of unpatched vulnerabilities. The most commonly exploited vulnerabilities include CVE-2023-3519 (affecting Citrix NetScaler ADC and NetScaler Gateway) and CVE-2023-48788 (impacting Fortinet FortiClient EMS). These vulnerabilities allow unauthenticated remote code execution and SQL injection, respectively, providing attackers with privileged access to enterprise networks. In many cases, initial access brokers facilitate the sale of compromised credentials or footholds, streamlining the ransomware deployment process.
Foothold and Reconnaissance
Once inside the network, INC operators employ “living-off-the-land” techniques, using legitimate administrative tools such as net.exe, wmic.exe, and PowerShell to enumerate domain users, groups, and assets. Tools like Advanced IP Scanner and LDAP queries are used to map the network and identify high-value targets, including domain controllers and backup servers. Credential harvesting is performed using Mimikatz and custom scripts (e.g., VeeamCreds.ps1), enabling lateral movement and privilege escalation.
Lateral Movement and Privilege Escalation
INC affiliates move laterally using PsExec, WMI, and remote desktop utilities such as AnyDesk and TightVNC. Privilege escalation is achieved by targeting domain administrator accounts or creating new privileged users. The group is known to terminate security tools and backup processes using Process Hacker and custom utilities like ProcTerminator, ensuring minimal resistance during the encryption phase.
Data Exfiltration
Prior to encryption, INC operators compress sensitive data using 7-Zip and exfiltrate it via cloud storage services such as MegaSync (to Mega.nz). Large data transfers are typically scheduled overnight to evade detection. The exfiltrated data is used as leverage in double extortion schemes, with threats of public disclosure on Tor-based leak sites if ransom demands are not met.
Encryption and Extortion
The ransomware payload employs partial file encryption using AES-128 in CTR mode, with key protection via Curve25519 elliptic curve cryptography. The malware is multi-threaded, spawning encryption threads per CPU core for maximum speed. Ransom notes—INC-README.txt and INC-README.html—are dropped in affected directories, and file extensions are changed to .inc, .INC, or .LYNX. The group aggressively notifies victims by printing ransom notes, changing desktop wallpapers, and even sending messages to network printers. Negotiations are conducted via Tor-based portals, and non-compliant victims are publicly shamed on INC’s leak blog.
Indicators of Compromise (IOCs)
Key IOCs associated with INC Ransomware include the presence of files with .inc, .INC, or .LYNX extensions, ransom notes named INC-README.txt or INC-README.html, and evidence of exploitation of CVE-2023-3519 and CVE-2023-48788. Behavioral indicators include deletion of Volume Shadow Copies, manipulation of safe mode boot settings, mass termination of SQL, backup, and security processes, creation of new admin accounts, and large outbound data transfers to cloud storage providers.
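As an added illustration (not part of the original report), the following Python script turns the behavioural indicators above into detection rules and runs them over constructed process-creation events; the regexes, the mass-termination threshold, the host names and the sample commands are assumptions, and the ATT&CK IDs are the ones given in the report's MITRE mapping.

```python
import re
from collections import Counter
# Detection rules for the behavioural indicators above. Each rule carries the
# ATT&CK ID the report maps it to; the regexes and threshold are assumptions.
RULES = [
    ("vss_deletion", "T1490",
     re.compile(r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I)),
    ("safeboot_tamper", "T1562.001",
     re.compile(r"\bbcdedit(\.exe)?\b.*\bsafeboot\b", re.I)),
    ("security_or_backup_kill", "T1562.001",
     re.compile(r"\b(taskkill|procterminator|processhacker)\b.*\b(sql|veeam|backup|msmpeng|defender|sense)", re.I)),
    ("admin_account_creation", "T1136",
     re.compile(r"\bnet1?(\.exe)?\s+(user\s+\S+(\s+\S+)?\s+/add|localgroup\s+administrators\s+\S+\s+/add)", re.I)),
]
MASS_KILL_THRESHOLD = 3  # kill commands per host before it counts as "mass termination"
# Constructed process-creation events (Sysmon EID 1 / Security 4688 style), not real incident data.
SAMPLE_EVENTS = [
    {"host": "FS01", "user": "CORP\\svc_backup", "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "FS01", "user": "CORP\\svc_backup", "cmd": "bcdedit.exe /set {default} safeboot network"},
    {"host": "FS01", "user": "CORP\\svc_backup", "cmd": "taskkill.exe /F /IM sqlservr.exe"},
    {"host": "FS01", "user": "CORP\\svc_backup", "cmd": "taskkill.exe /F /IM Veeam.Backup.Service.exe"},
    {"host": "FS01", "user": "CORP\\svc_backup", "cmd": "taskkill.exe /F /IM MsMpEng.exe"},
    {"host": "WS12", "user": "CORP\\jdoe", "cmd": "net.exe user backupadm Passw0rd! /add"},
    {"host": "WS12", "user": "CORP\\jdoe", "cmd": "net.exe localgroup administrators backupadm /add"},
    {"host": "WS07", "user": "CORP\\alice", "cmd": "notepad.exe C:\\Users\\alice\\notes.txt"},
]
def scan_events(events, threshold=MASS_KILL_THRESHOLD):
    """Return findings as (host, rule, attck_id, detail) tuples."""
    findings, kills = [], Counter()
    for ev in events:
        for name, tid, rx in RULES:
            if rx.search(ev["cmd"]):
                findings.append((ev["host"], name, tid, ev["cmd"]))
                if name == "security_or_backup_kill":
                    kills[ev["host"]] += 1
    for host, n in kills.items():  # several kills on one host: the report's "mass termination"
        if n >= threshold:
            findings.append((host, "mass_process_termination", "T1562.001", f"{n} kill commands"))
    return findings
def hosts_by_severity(findings):
    """Rank hosts by how many distinct INC behaviours fired on them."""
    seen = {}
    for host, rule, _, _ in findings:
        seen.setdefault(host, set()).add(rule)
    return sorted(((len(rules), host) for host, rules in seen.items()), reverse=True)
if __name__ == "__main__":
    for finding in scan_events(SAMPLE_EVENTS):
        print(" | ".join(finding))
```

A host on which several distinct rules fire within a short window (shadow copy deletion, safe-boot tampering and process kills together) is the pre-encryption pattern the report describes and should be triaged ahead of a single isolated hit.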
Exploitation in the Wild
INC Ransomware has been observed targeting organizations in the United States, United Kingdom, Canada, Australia, and Germany, with additional incidents reported across Europe, Asia-Pacific, Latin America, and the Middle East. Notably, there are no confirmed attacks in Russia or CIS countries, consistent with the operational patterns of many Eastern European cybercriminal groups. High-profile breaches in healthcare and manufacturing have resulted in significant operational disruption and public data leaks.
MITRE ATT&CK Mapping
INC’s TTPs align with the following MITRE ATT&CK techniques:
- Initial Access: Phishing (T1566.001); Exploit Public-Facing Application (T1190)
- Execution: Command and Scripting Interpreter (T1059)
- Persistence: Create Account (T1136)
- Privilege Escalation: Valid Accounts (T1078)
- Defense Evasion: Disable or Modify Tools (T1562.001)
- Credential Access: OS Credential Dumping (T1003)
- Lateral Movement: SMB/Windows Admin Shares (T1021.002); Remote Desktop Protocol (T1021.001)
- Exfiltration: Exfiltration to Cloud Storage (T1048.002)
- Impact: Data Encrypted for Impact (T1486); Inhibit System Recovery (T1490)
Notable Tactics: “Mastering the Basics”
INC’s operational success is attributed to its relentless focus on exploiting basic security lapses. The group rapidly weaponizes well-known vulnerabilities in widely deployed products such as Citrix NetScaler and Fortinet FortiClient EMS, often before organizations have applied patches. By relying on native system tools and minimizing the use of custom malware, INC evades many traditional security controls. Their disciplined approach to double extortion, aggressive victim notification, and public shaming further increases the likelihood of ransom payment.
Mitigation Strategies
To defend against INC Ransomware, organizations should immediately patch Citrix NetScaler (CVE-2023-3519) and Fortinet FortiClient EMS (CVE-2023-48788), enforce multi-factor authentication (MFA) on all remote access points, restrict RDP and SSH exposure from the internet, and segment critical infrastructure such as domain controllers and backup servers. Offline or immutable backups should be maintained with separate credentials, and endpoint detection and response (EDR) solutions should be configured to detect tools like Mimikatz, PsExec, and VSS deletion. Continuous monitoring for unusual admin account activity and off-hours authentication is essential, as is blocking or monitoring access to file-sharing services like Mega.nz. Regular testing of backup restoration procedures and rehearsing ransomware-specific incident response plans are critical for resilience.
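Added example, not from the original report: a Python detector for the bulk overnight transfers to cloud storage described under Data Exfiltration and flagged for monitoring above, run over constructed proxy log lines. The log format, the quiet-hours window, the 1 GiB threshold, the host names and the mega.co.nz domain are assumptions (the report itself names Mega.nz and MegaSync).

```python
import re
from collections import defaultdict
from datetime import datetime, timezone
# Constructed proxy log lines (key=value after an ISO timestamp); not real incident data.
SAMPLE_LOG = """
2026-06-12T02:14:33Z src=10.20.4.17 user=CORP\\svc_backup dst=api.mega.co.nz bytes_out=4831838208 action=allow
2026-06-12T02:41:09Z src=10.20.4.17 user=CORP\\svc_backup dst=upload.mega.co.nz bytes_out=6442450944 action=allow
2026-06-12T03:05:51Z src=10.20.4.17 user=CORP\\svc_backup dst=mega.nz bytes_out=2147483648 action=allow
2026-06-12T14:22:10Z src=10.20.7.31 user=CORP\\alice dst=mega.nz bytes_out=15728640 action=allow
2026-06-12T02:30:00Z src=10.20.9.5 user=CORP\\buildsvc dst=artifacts.example.internal bytes_out=9663676416 action=allow
"""
WATCHLIST = ("mega.nz", "mega.co.nz")  # report names Mega.nz; mega.co.nz (MegaSync API) is assumed
OFF_HOURS = range(0, 6)                # assumed quiet window: 00:00-05:59 UTC
VOLUME_THRESHOLD = 1 << 30             # assumed: 1 GiB per source/user per log window
LINE_RX = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")
def parse_line(line):
    m = LINE_RX.match(line)
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split())
    fields["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    fields["bytes_out"] = int(fields["bytes_out"])
    return fields
def is_watchlisted(host):
    # exact match or a subdomain of a watchlisted domain, never a plain substring match
    return any(host == d or host.endswith("." + d) for d in WATCHLIST)
def detect_exfil(log_text):
    # Aggregate outbound volume per (src, user) to cloud-storage hosts; flag bulk transfers.
    totals = defaultdict(lambda: {"bytes": 0, "off_hours": 0, "dests": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if not is_watchlisted(ev["dst"]):
            continue
        t = totals[(ev["src"], ev["user"])]
        t["bytes"] += ev["bytes_out"]
        t["dests"].add(ev["dst"])
        if ev["ts"].hour in OFF_HOURS:
            t["off_hours"] += ev["bytes_out"]
    findings = []
    for (src, user), t in totals.items():
        if t["bytes"] >= VOLUME_THRESHOLD:
            findings.append({"src": src, "user": user, "gib": round(t["bytes"] / (1 << 30), 2),
                             "mostly_off_hours": t["off_hours"] * 2 >= t["bytes"],
                             "dests": sorted(t["dests"])})
    return findings
if __name__ == "__main__":
    for f in detect_exfil(SAMPLE_LOG):
        print(f)
```

The large overnight transfer from the build service to an internal host is deliberately not flagged here: the rule keys on the cloud-storage watchlist, so an organisation that wants general off-hours egress alerting would add a second rule over all external destinations.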
References
- ProvenData: INC Ransomware Tactics, Evolution, and Incident Response Guide (2026-06-17) – https://www.provendata.com/blog/inc-ransomware
- BackBox News: INC Ransomware Thrives by Mastering the Basics (2026-06-17) – https://news.backbox.org/2026/06/17/inc-ransomware-thrives-by-mastering-the-basics/
- SOC Defenders: INC Ransomware Targeting Healthcare (2026-05-22) – https://www.socdefenders.ai/item/105b360f-34ed-4c93-8c19-17e2b8d8a3d0
- Australian Cyber Security Centre Advisory (2026-06-10) – https://www.cyber.gov.au/about-us/view-all-content/alerts-and-advisories/inc-ransom-affiliate-model-enabling-targeting-of-critical-networks
- NVD: CVE-2023-3519 – https://nvd.nist.gov/vuln/detail/CVE-2023-3519
- NVD: CVE-2023-48788 – https://nvd.nist.gov/vuln/detail/CVE-2023-48788
- MITRE ATT&CK: Ransomware Techniques – https://attack.mitre.org/techniques/enterprise/
- Citrix Security Bulletin CTX561482 – https://support.citrix.com/article/CTX561482/citrix-adc-and-citrix-gateway-security-bulletin-for-cve20233519-cve20233466-cve20233467
- Fortinet PSIRT FG-IR-24-007 – https://fortiguard.com/psirt/FG-IR-24-007
- INC Ransomware Twitter Hashtag – https://twitter.com/hashtag/inc?ransom?f=live
Rescana is here for you
Rescana empowers organizations to proactively manage third-party risk and strengthen their cybersecurity posture through our advanced TPRM platform. Our solutions provide continuous monitoring, automated risk assessments, and actionable intelligence to help you stay ahead of evolving threats. For any questions or to discuss how Rescana can support your security strategy, we are happy to answer questions at ops@rescana.com.