Australia's own cyber security agency just rang the alarm bell. In March 2026, the Australian Cyber Security Centre (ACSC) issued a joint advisory with New Zealand's NCSC and CERT Tonga confirming that INC Ransomware has compromised at least 11 Australian organisations since July 2024. The targets? Professional services businesses such as accountants, lawyers and consultants, and healthcare providers.
If your business fits that description, this post is for you. We will explain who INC Ransomware is, exactly how they get in, what they do once inside, and the specific steps you should take this week to reduce your exposure.
Who Is INC Ransomware?
INC Ransomware is a ransomware-as-a-service (RaaS) operation. That means the core group develops and maintains the malware, then rents it out to "affiliates" who carry out the actual attacks in exchange for a share of the ransom. This model has made groups like INC far more dangerous than traditional criminal gangs because it scales. There is not one team targeting Australian businesses. There are many.
INC first appeared in 2023 and quickly gained notoriety for targeting mid-market businesses and professional services firms across the United States and Europe. By mid-2024, they shifted focus to the Asia-Pacific region, and Australia is now firmly in their sights.
What sets INC apart from older ransomware groups is their use of double-extortion. This is not just about locking your files any more. INC steals your data first, then encrypts your systems. When you receive the ransom demand, you are being asked to pay twice: once to get your systems back, and again to prevent your client data, contracts, and financial records from being published on their public leak site.
For a professional services firm, the second threat is often worse than the first. A law firm's client files, an accountant's tax records, a medical practice's patient data. Publication of that information does not just create a legal liability problem. It ends client relationships.
How INC Gets Into Your Business
The ACSC advisory identifies three primary methods INC affiliates use to gain initial access. None of them require sophisticated, nation-state-level hacking. They are all well-understood attack vectors that most small businesses remain exposed to.
Spear-Phishing Emails
Spear-phishing is targeted phishing. Unlike mass-spam campaigns, spear-phishing emails are researched and personalised. The attacker may know your business name, your staff names, your suppliers, or even the name of your accountant. The email looks like it came from someone you trust.
A common scenario: an email appears to come from your IT provider, your payroll platform, or a government agency, asking you to verify your login details or approve a document. One click, one login on a fake page, and the attacker has valid credentials for your systems.
AI has made this significantly worse. Generative AI tools can now write phishing emails that are grammatically flawless, contextually relevant, and free of the spelling mistakes that used to give scams away.
Purchased Credentials
This is the attack vector that surprises most business owners. INC affiliates do not always need to phish your staff. They can simply buy valid login credentials from dark-web marketplaces.
These credentials come from previous data breaches at other companies. If one of your employees has ever used the same password for a work account and a personal account (say, a social media platform or an online retailer that was breached), that password may already be for sale.
The attacker buys the credentials, runs them through automated credential-stuffing tools against your Microsoft 365 login or your VPN, and if there is no multi-factor authentication (MFA) in place, they are in. No phishing required. No malware deployed. They walk straight through the front door.
This is why the ACSC advisory specifically calls out credential-based access as a key enabler of INC attacks in Australia.
Exploiting Unpatched Systems
Automated scanning tools run continuously across the internet, probing every publicly accessible device for known vulnerabilities. If you have a firewall, a VPN gateway, a remote desktop server, or any internet-facing device that has not been patched recently, it will be found.
INC affiliates specifically target vulnerabilities in enterprise tools like Citrix NetScaler, Fortinet FortiOS, and Windows Server. Many of these vulnerabilities have patches available, sometimes for months, before they are exploited. The attackers know that patch management in small businesses is inconsistent, and they exploit that gap.
March 2026's Patch Tuesday closed two actively exploited Windows zero-days. If those updates have not been applied to your business's devices, those machines are currently vulnerable to known attack methods.
What Happens After They Get In
Understanding the attack sequence is important because it helps you see where you can stop it, and what the consequences are if you cannot.
Step 1: Initial access. The attacker gains entry through one of the methods above.
Step 2: Reconnaissance. Before doing anything visible, the attacker spends time inside your network quietly mapping it. They identify your most valuable data, your backup systems, and your domain administrator accounts. This phase can last days or weeks.
Step 3: Lateral movement. The attacker moves from the initial point of entry to higher-value systems. If they got in through a standard user account, they will escalate privileges to gain administrator access.
Step 4: Data exfiltration. The attacker copies your most sensitive data to their own infrastructure. Client files, financial records, employee data, contracts. This is the "double" in double-extortion. The backup you thought would protect you does not help here: a backup restores your copy, but the attacker already has theirs.
Step 5: Ransomware deployment. The attacker deploys the encryption payload across your network. Files are locked. Systems go offline. The ransom note appears.
Step 6: The demand. You receive a demand. Pay for decryption. Pay to prevent publication of your data. The ACSC advises against paying ransoms, noting that payment does not guarantee data deletion and funds further criminal activity.
The average cost of a cyber incident for an Australian small or medium business is approximately $46,000. That figure includes downtime, recovery costs, and legal costs, but not reputational damage or client losses.
Who Is Most at Risk in Australia?
The ACSC advisory is specific. INC has targeted Australian organisations in:
- Healthcare (medical practices, allied health, dental)
- Professional services (law, accounting, financial advisory, consulting)
- Critical infrastructure adjacent sectors
This is not random. These sectors are targeted deliberately because:
- They hold sensitive personal data that is valuable to publish (Privacy Act obligations, professional secrecy, medical records)
- They often have limited internal IT security expertise compared to larger enterprises
- They are highly motivated to pay quickly because downtime and data exposure can end client relationships and trigger regulatory investigations
- Their average IT spend is low relative to the value of the data they hold
The July 2026 Privacy Act reforms will expand obligations significantly for many of these businesses, but right now, most are not ready. The OAIC launched its first-ever formal compliance sweep in early 2026, signalling that enforcement is no longer theoretical.
The Three Checks to Run This Week
You do not need a large IT budget to close the most critical gaps. The ACSC advisory points to the same three controls that appear in almost every post-incident review. If you do nothing else after reading this post, do these three things.
1. Audit Multi-Factor Authentication on Every External Account
Multi-factor authentication (MFA) is the single most effective defence against credential-based attacks. If an attacker buys or phishes a valid username and password, MFA stops them from using it without access to the second factor. Prefer an authenticator app or a passkey (FIDO2) over SMS codes: SMS can be intercepted through SIM-swap fraud, and only passkeys resist a phishing page that relays the code in real time.
Check MFA is enabled for:
- Microsoft 365 or Google Workspace (every user, not just admins)
- Your accounting software (Xero, MYOB, QuickBooks)
- Your VPN or remote access tool
- Your file storage (SharePoint, Google Drive, Dropbox)
- Any practice management software
This is a configuration change in your admin console, not a purchase. If you are on Microsoft 365, go to the admin centre, open Security, and check Secure Score. Microsoft will tell you exactly which accounts do not have MFA and rank the risk for you. Then make sure MFA is actually required, not just registered: turn on Security Defaults, or if you have Entra ID P1 licences, create a Conditional Access policy that requires MFA for all users on every app.
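A way to run the check yourself rather than only reading Secure Score, as an added example that is not from the ACSC advisory or the original post: the script below uses the Microsoft Graph PowerShell SDK (assumed installed, with read-only consent to User.Read.All and UserAuthenticationMethod.Read.All) to list every enabled account with no MFA-capable method registered and to flag accounts whose only second factor is a phone number. The output file name and the grouping of method types into "strong" are the example's own choices.

```powershell
# Added example (not from the ACSC advisory or the original post): list Entra ID /
# Microsoft 365 users who have no MFA-capable sign-in method registered.
# Assumes the Microsoft.Graph PowerShell SDK is installed:
#   Install-Module Microsoft.Graph -Scope CurrentUser
# Both scopes requested are read-only.
Connect-MgGraph -Scopes 'User.Read.All','UserAuthenticationMethod.Read.All' -NoWelcome

# Method types that can satisfy an MFA prompt. Password, email (self-service
# password reset only) and Temporary Access Pass are deliberately excluded.
$mfaTypes = @(
    '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod',
    '#microsoft.graph.fido2AuthenticationMethod',
    '#microsoft.graph.windowsHelloForBusinessAuthenticationMethod',
    '#microsoft.graph.softwareOathAuthenticationMethod',
    '#microsoft.graph.phoneAuthenticationMethod'   # SMS / voice call: weakest, but counts
)

# One Graph call per user; fine for a small tenant, slow for thousands of accounts.
$users  = Get-MgUser -All -Filter 'accountEnabled eq true' -Property Id,UserPrincipalName,UserType
$report = foreach ($u in $users) {
    $types  = @(Get-MgUserAuthenticationMethod -UserId $u.Id |
                ForEach-Object { $_.AdditionalProperties['@odata.type'] })
    $strong = @($types | Where-Object { $_ -in $mfaTypes })
    $nonSms = @($strong | Where-Object { $_ -notlike '*phoneAuthenticationMethod' })

    [pscustomobject]@{
        User       = $u.UserPrincipalName
        Guest      = ($u.UserType -eq 'Guest')
        # Shorten '#microsoft.graph.fido2AuthenticationMethod' to 'fido2'
        MfaMethods = ($strong | ForEach-Object { $_.Split('.')[-1] -replace 'AuthenticationMethod$','' }) -join ','
        NoMfa      = ($strong.Count -eq 0)
        SmsOnly    = ($strong.Count -gt 0 -and $nonSms.Count -eq 0)
    }
}

# Worst first: accounts with nothing registered, then SMS-only accounts.
$report | Sort-Object NoMfa, SmsOnly -Descending | Format-Table -AutoSize
$report | Export-Csv -Path .\mfa-audit.csv -NoTypeInformation

'{0} of {1} enabled accounts have no MFA method registered; {2} rely on SMS/voice only' -f `
    @($report | Where-Object NoMfa).Count, $report.Count, @($report | Where-Object SmsOnly).Count
```

The script reports registration, not enforcement: a user who has an authenticator app registered can still sign in with only a password unless a policy requires the second factor. Treat an empty "NoMfa" list as the first milestone, not the finish line.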
2. Check Your Domain for Leaked Credentials
Visit haveibeenpwned.com and use its domain search to check your business email domain. This free service aggregates data from thousands of known breaches and will tell you whether any email addresses from your domain have been found in leaked credential databases. You will be asked to prove you control the domain first, for example by adding a DNS record or receiving an email at a standard administrative address, so that attackers cannot use the same search against you.
If results come back, those accounts should have their passwords changed immediately, and MFA should be enabled if it is not already. Any account found in a breach database should be treated as compromised until the password is changed.
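How the breach list turns into a reset list, as an added example that is not from the original post or from Have I Been Pwned: the script calls HIBP's domain search API, which requires an HIBP API key and a domain you have already verified in the HIBP dashboard, then matches each breached alias against your current Microsoft 365 accounts so that only live accounts generate work. The domain, the account list and the breach result shown are constructed sample data so the script can be tried with no key; with a key, replace the account list with a Get-MgUser call as noted in the comments.

```powershell
# Added example (not from the original post): turn a Have I Been Pwned domain-search
# result into a reset list for accounts that still exist and are still enabled.
# HIBP's domain search endpoint (GET /api/v3/breacheddomain/{domain}) needs an API key
# and a domain verified in the HIBP dashboard. With no -ApiKey the script uses the
# constructed sample below so it can be run offline.
param(
    [string]$Domain = 'example.com.au',   # hypothetical domain, replace with yours
    [string]$ApiKey
)

function Get-HibpDomainBreaches {
    param([string]$Domain, [string]$ApiKey)
    if ($ApiKey) {
        # Live call. HIBP rejects requests without both of these headers.
        return Invoke-RestMethod -Uri "https://haveibeenpwned.com/api/v3/breacheddomain/$Domain" `
            -Headers @{ 'hibp-api-key' = $ApiKey; 'user-agent' = 'domain-breach-reset-list' }
    }
    # Constructed sample in the API's shape: alias (local part) -> breach names.
    @'
{
  "j.smith":  ["Collection1", "LinkedIn"],
  "accounts": ["Dropbox"],
  "oldstaff": ["Adobe"]
}
'@ | ConvertFrom-Json
}

$breaches = Get-HibpDomainBreaches -Domain $Domain -ApiKey $ApiKey

# Constructed account list. With the Graph SDK connected, use instead:
#   $users = Get-MgUser -All -Property UserPrincipalName,AccountEnabled
$users = @(
    [pscustomobject]@{ UserPrincipalName = "j.smith@$Domain";  AccountEnabled = $true  },
    [pscustomobject]@{ UserPrincipalName = "accounts@$Domain"; AccountEnabled = $true  },
    [pscustomobject]@{ UserPrincipalName = "oldstaff@$Domain"; AccountEnabled = $false }
)
$byUpn = @{}
foreach ($u in $users) { $byUpn[$u.UserPrincipalName.ToLower()] = $u }

$actions = foreach ($p in $breaches.PSObject.Properties) {
    $upn  = "$($p.Name)@$Domain".ToLower()
    $user = $byUpn[$upn]
    if (-not $user) {
        $status = 'no such account'; $action = 'none (check it is not a forgotten shared mailbox)'
    } elseif (-not $user.AccountEnabled) {
        $status = 'disabled';        $action = 'leave disabled'
    } else {
        $status = 'ACTIVE';          $action = 'reset password, revoke sessions, confirm MFA'
    }
    [pscustomobject]@{
        Account  = $upn
        Breaches = ($p.Value -join ', ')
        Status   = $status
        Action   = $action
    }
}

$actions | Sort-Object Status | Format-Table -AutoSize
```

Resetting the password alone leaves any existing session tokens valid; with the Graph SDK connected, Revoke-MgUserSignInSession -UserId on each ACTIVE account forces a fresh sign-in, which is where the new password and MFA are actually checked.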
3. Confirm March 2026 Windows Updates Are Applied
Open Windows Update on every device and confirm the March 2026 cumulative update has been installed. This update closes two actively exploited zero-day vulnerabilities. An update that has downloaded but is still waiting for a restart is not installed, so restart any device that shows a pending reboot. If you manage devices via Microsoft Intune or a similar tool, check the compliance dashboard to identify any devices that have not updated.
If you use a managed IT provider, contact them today and ask for written confirmation that March 2026 updates have been deployed across all managed devices.
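A per-device check that does not depend on knowing the KB number, as an added example that is not from the original post: the script computes Patch Tuesday for the month you name, looks for a security update installed on or after that date, reports the OS build and Update Build Revision for comparison against Microsoft's Windows release health page, and notes whether a restart is still pending. Everything it uses is built into Windows PowerShell; the registry paths are the standard Windows ones, and the default month (March 2026) is the release this post asks you to confirm.

```powershell
# Added example (not from the original post): has this device installed an update
# released on or after a given month's Patch Tuesday? Run in an elevated PowerShell
# on each device, or push it through Intune / your RMM tool and collect the output.
param(
    [int]$Year  = 2026,
    [int]$Month = 3      # March 2026
)

function Get-PatchTuesday {
    # Patch Tuesday is the second Tuesday of the month; computed, not hard-coded.
    param([int]$Year, [int]$Month)
    $first = Get-Date -Year $Year -Month $Month -Day 1 -Hour 0 -Minute 0 -Second 0 -Millisecond 0
    $daysToFirstTuesday = ([int][DayOfWeek]::Tuesday - [int]$first.DayOfWeek + 7) % 7
    $first.AddDays($daysToFirstTuesday + 7)
}

$patchTuesday = Get-PatchTuesday -Year $Year -Month $Month

# Installed updates. Cumulative updates appear as 'Security Update' or 'Update';
# a few entries have no InstalledOn date, so drop those before sorting.
$installed = Get-HotFix | Where-Object { $_.InstalledOn } | Sort-Object InstalledOn -Descending
$recent    = @($installed | Where-Object { $_.InstalledOn -ge $patchTuesday })

# OS build plus UBR (e.g. 22631.xxxx). Compare against the build Microsoft lists for
# the month on its release health page; the script deliberately does not guess it.
$ver = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

$latest = if ($installed) {
    '{0} on {1}' -f $installed[0].HotFixID, $installed[0].InstalledOn.ToString('yyyy-MM-dd')
} else { 'none recorded' }

# Windows Update creates this key when an installed update still needs a restart.
$rebootKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'

[pscustomobject]@{
    Computer       = $env:COMPUTERNAME
    Build          = '{0}.{1}' -f $ver.CurrentBuild, $ver.UBR
    DisplayVersion = $ver.DisplayVersion
    PatchTuesday   = $patchTuesday.ToString('yyyy-MM-dd')
    LatestUpdate   = $latest
    SecurityUpdateSincePatchTuesday = [bool]($recent | Where-Object Description -match 'Security')
    PendingReboot  = Test-Path $rebootKey
}
```

A device can show SecurityUpdateSincePatchTuesday as true while PendingReboot is also true; that device is not yet protected. Export the objects to CSV from every machine and the rows with a false or a pending reboot are the list you send to your IT provider.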
What Good Cyber Security Looks Like for a Professional Services Firm
The three checks above address immediate exposure. A more complete security posture for a professional services firm includes:
Access control. Every staff member should have the minimum access required for their role. No shared admin accounts. No shared passwords. Leavers should have accounts disabled on their last day.
Email security. Microsoft Defender for Office 365 or Google Workspace's advanced protection settings should be active. These tools catch most phishing attempts before they reach inboxes.
Endpoint protection. Modern endpoint detection and response (EDR) tools go well beyond traditional antivirus. They detect behavioural indicators of attack, such as lateral movement and credential harvesting, not just known malware signatures.
Backup and recovery. The 3-2-1-1 backup rule: three copies of data, on two different media types, with one offsite, and one offline or immutable (air-gapped, or stored where it cannot be altered or deleted). The last copy matters because attackers map and destroy reachable backups during reconnaissance, so a backup that a domain administrator account can delete is not protection against ransomware. Test recovery quarterly. An untested backup is not a backup.
Incident response plan. Know what you will do on day one of a breach before it happens. Who do you call? Who has the authority to take systems offline? Who notifies clients? What are your Privacy Act reporting obligations? A written plan, even a simple one, reduces the chaos and cost of an incident significantly.
What Cubit Cyber Recommends
The ACSC advisory is a clear signal that INC Ransomware views Australian professional services as a productive target. The attack methods they use are not exotic. They rely on gaps that most businesses have not closed.
At Cubit Cyber, we have responded to more than 100 ransomware incidents across Australia. In almost every case, the initial access came down to one of the three vectors above: a phishing email, a purchased credential, or an unpatched system. And in almost every case, a relatively small amount of preparation beforehand would have stopped the attack at the gate.
If you want to know where your business stands, a Cyber Security Assessment gives you a prioritised list of gaps ranked by the risk they represent to your business. We write our findings in plain English, without jargon, so that business owners can make informed decisions about what to fix and in what order.
Get in touch with the Cubit Cyber team to discuss a Cyber Security Assessment for your business.
