INC Ransomware Uses Rust-Based Encryptors in New Attacks

INC ransomware uses Rust-based Windows and Linux encryptors in new attacks, rapidly evolving into a top-tier cyberthreat. Since emerging in 2023, the group has launched attacks against over 800 victims worldwide. This shift signals a significant escalation in both technical sophistication and the breadth of targeted industries.

How INC ransomware operates and why it stands out

INC ransomware follows the Ransomware-as-a-Service (RaaS) model. In this setup, core developers create the malicious tools and infrastructure, then recruit affiliates to execute attacks. This model has enabled INC to scale quickly, leveraging a wide network of cybercriminals with varying skillsets.

The use of Rust-based encryptors

One of the most notable developments is the adoption of Rust-based encryptors for both Windows and Linux/ESXi systems. Rust is a relatively new programming language, valued for its speed, safety and cross-platform capabilities. Malware written in Rust is harder for traditional security tools to detect, due to its novelty and potential to evade signature-based defences.

  • Rust-based encryptors run on both Windows and virtualisation platforms like Linux/ESXi.
  • They complicate analysis by security researchers and antivirus vendors.
  • The codebase is more efficient and reliable, minimising execution errors during attacks.

Broader targeting across industries

Initially, INC ransomware focused on healthcare and education, sectors that often lack robust cybersecurity budgets and face strong regulatory pressure to restore operations quickly. Recently, the group has expanded to legal services, manufacturing, construction and technology. This broader focus increases the pool of potential victims and puts additional pressure on organisations with sensitive data and critical operations.

Why the evolution of INC ransomware matters

The technical and organisational evolution of INC ransomware poses several threats for businesses of all sizes, particularly small and medium-sized organisations that rely heavily on Windows and virtualised infrastructure. Understanding these risks is essential for proactive defence.

Cross-platform attack capability

By rewriting their encryptors in Rust, INC can target a wider range of systems with one toolset. This means that organisations running mixed environments (for example, Windows workstations and Linux-based servers or ESXi virtualisation) are all at risk from a single campaign.

Enhanced credential theft tooling

INC has also matured its credential theft capabilities. This means attackers can gain access to privileged accounts, spread laterally and circumvent basic security controls more easily. With these tools, ransomware affiliates can achieve deeper compromise before deploying the ransomware payload.

Streamlined affiliate onboarding

The group has refined its affiliate programme, lowering the barrier to entry for new cybercriminals. By making it easier for less experienced attackers to join, INC increases the likelihood and frequency of attacks, broadening the threat landscape.

How organisations can defend against Rust-based ransomware attacks

Given the sophistication of INC ransomware, organisations should review and enhance their cyber defences. The following steps can help reduce the risk of successful attacks:

1. Prioritise patch management

  • Ensure all systems, especially Windows servers and Linux/ESXi hosts, are up to date with the latest security patches.
  • Regularly audit software inventories to identify and remediate outdated or unsupported components.

2. Strengthen credential security

  • Implement multi-factor authentication (MFA) for all remote access and privileged accounts.
  • Regularly review and restrict administrative privileges to the minimum necessary users.
  • Monitor for unusual authentication activity and failed login attempts.

3. Bolster backup and recovery strategies

  • Maintain regular, offline backups of critical data and system images.
  • Test backup restoration procedures to ensure they are effective and timely.
  • Store backups in a separate network segment, isolated from production systems.

4. Improve endpoint and network detection

  • Deploy modern endpoint detection and response (EDR) solutions that can recognise suspicious behaviour, not just known malware signatures.
  • Implement network segmentation to limit the spread of ransomware across the organisation.
  • Set up alerts for mass file encryption or abnormal file access patterns.

5. Conduct regular user awareness training

  • Educate staff on phishing, social engineering and suspicious link or attachment detection.
  • Run simulated phishing exercises to reinforce good security habits.
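The alert on mass file encryption recommended in step 4 can be sketched as follows. This is an added example, not part of the original bulletin: it flags a process that rewrites many distinct files with high-entropy content inside a short window, and so keys on behaviour rather than a signature. The thresholds, process names, paths and events are constructed assumptions to be tuned against real telemetry.

```python
import math
import os
from collections import Counter, defaultdict, deque

WINDOW_S = 10      # sliding window in seconds (assumed threshold)
MAX_FILES = 20     # distinct high-entropy files per process per window (assumed)
MIN_ENTROPY = 7.5  # bits per byte; encrypted or compressed data sits near 8.0

def entropy(data: bytes) -> float:
    """Shannon entropy of a byte string, in bits per byte."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def detect(events):
    """events: time-ordered (ts, process, path, written_bytes) tuples.
    Returns one alert per process as (ts, process, files_in_window)."""
    recent = defaultdict(deque)  # process -> (ts, path) of high-entropy writes
    alerted, alerts = set(), []
    for ts, proc, path, data in events:
        if entropy(data) < MIN_ENTROPY:
            continue  # plaintext-looking write, not counted
        q = recent[proc]
        q.append((ts, path))
        while q and ts - q[0][0] > WINDOW_S:
            q.popleft()  # drop writes that fell out of the window
        files = {p for _, p in q}
        if len(files) >= MAX_FILES and proc not in alerted:
            alerted.add(proc)
            alerts.append((ts, proc, len(files)))
    return alerts

def sample_events():
    """Constructed telemetry (hypothetical names): one process rewriting 30
    documents with random bytes in 3 s, a text logger, and an archiver whose
    compressed output is high-entropy but touches only 3 files."""
    ev = [(i * 0.1, "proc_a.exe", f"C:/share/doc{i}.docx", os.urandom(4096))
          for i in range(30)]
    ev += [(i * 2.0, "logger.exe", f"D:/logs/app{i}.txt", b"INFO job ok\n" * 300)
           for i in range(30)]
    ev += [(i * 1.0, "archiver.exe", f"D:/bak/set{i}.zip", os.urandom(4096))
           for i in range(3)]
    return sorted(ev, key=lambda e: e[0])

if __name__ == "__main__":
    for alert in detect(sample_events()):
        print("ALERT", alert)
```

Entropy alone would also flag the archiver, so the distinct-file count per window is what separates bulk encryption from ordinary compression or backup jobs.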

Planning for ransomware resilience

Beyond technical controls, organisations should develop a comprehensive incident response plan that addresses ransomware attacks specifically. This includes:

  • Establishing clear communication protocols for reporting suspicious activity.
  • Creating decision trees for ransom payment, law enforcement notification and stakeholder communication.
  • Practising response scenarios to test readiness and coordination among IT, legal and leadership teams.

Conclusion: Staying ahead of evolving ransomware threats

INC ransomware’s use of Rust-based encryptors for both Windows and Linux/ESXi platforms demonstrates the rapid advancement of cybercriminal methods. The adoption of more advanced programming techniques, combined with an expanded affiliate network and improved credential theft tools, puts a wide range of organisations at risk.

To mitigate these threats, organisations must stay vigilant, invest in layered security controls and maintain robust backup and response plans. Staying informed about the latest ransomware tactics and proactively adjusting defences is key to minimising risk and ensuring operational continuity.

Originally reported by cybersecuritynews.com.

About the Author

Jonny Pelter

Partner

  • CIPM
  • CIPP/E
  • CISSP
  • CISM
  • CRISC
  • ISO27001
  • Prince2
  • MSc
  • BSc

Jonny is a Founding Partner at CyPro and executive group level CISO who has worked closely with the British intelligence agencies NCSC and GCHQ.

An ex-professional rugby player and originating from KPMG and Deloitte, Jonny has a wealth of experience across numerous sectors including technology, critical national infrastructure, financial services, oil & gas, insurance, betting, pharmaceuticals and utilities.

Jonny is a leading cyber security expert in the UK, having featured on national media for his professional commentary such as BBC News, iPlayer, Telegraph and Times Radio.

Published: Jun 19 - 2026