INC Ransomware RaaS Claims 830 Victims Since 2023, Emerging as Top Threat in 2026
What Happened — Researchers tracking ransomware‑as‑a‑service (RaaS) operations report that the “INC” gang has moved from a niche player to one of the most prolific ransomware groups in 2026, with 830 confirmed victim organizations between August 2023 and June 2026. The surge follows the disruption of rival gangs (LockBit, BlackCat), prompting affiliates to migrate to the INC platform.
Why It Matters for Compliance & Audit Readiness
- SOC 2‑aligned continuous‑compliance programs require documented control mapping for ransomware‑related controls (e.g., data‑back‑up, encryption, incident‑response) so auditors can see that protective measures are in place before an attack.
- Ongoing evidence collection (log retention, backup verification, recovery‑test results) provides the defensible audit trail needed to demonstrate that the organization met the Security and Availability Trust Services Criteria during a breach.
- The Control‑Mapping capability in Verisq’s Trust Center automates the linkage of ransomware‑mitigation controls to SOC 2 criteria and continuously gathers evidence for audit readiness.
Who Is Affected — Enterprises across all verticals (finance, healthcare, SaaS, manufacturing, etc.) that rely on legacy backups, unpatched endpoints, or insufficient incident‑response playbooks.
Recommended Actions
- Map your backup, encryption, and incident‑response controls to the SOC 2 Security and Availability criteria.
- Implement continuous evidence collection (e.g., automated backup‑integrity logs, recovery‑test reports) and store them in a tamper‑evident repository.
- Conduct a tabletop ransomware response exercise and update your incident‑response playbook with lessons learned from recent RaaS trends.
Source: The Hacker News
Technical Notes — INC operates as a RaaS platform; affiliates gain access to encryption tools, exfiltration modules, and “double‑extortion” kits. Attack vectors typically include phishing, credential theft, and exploitation of unpatched vulnerabilities. Data types compromised range from PII to proprietary business information.