INC Ransomware is actively targeting Australian businesses in professional services and healthcare. In March 2026, the Australian Cyber Security Centre (ACSC) issued a joint advisory with New Zealand's NCSC and CERT Tonga confirming that INC Ransomware has compromised at least 11 Australian organisations since July 2024. The targets: accountants, lawyers, consultants, and healthcare providers.
Read on for who INC Ransomware is, how they get in, what they do once inside, and the steps to take this week.
Last updated: April 2026. This post has been updated to reflect April 2026 patch requirements and the latest ACSC guidance.
| Attribute | Detail |
|---|---|
| Group type | Ransomware-as-a-Service (RaaS) |
| Active since | 2023 |
| Australian incidents confirmed | 11 (July 2024 – March 2026) |
| Primary targets | Accounting, legal, healthcare, consulting |
| Primary entry methods | Spear-phishing, purchased credentials, unpatched systems |
| Extortion method | Double-extortion (encrypt + publish) |
| ACSC advisory | March 2026 (joint with NZ NCSC and CERT Tonga) |
Who is INC Ransomware?
INC Ransomware is a ransomware-as-a-service (RaaS) operation. The core group develops and maintains the malware, then rents it out to "affiliates" who carry out the actual attacks in exchange for a share of the ransom. This model scales in a way traditional criminal gangs cannot. There is not one team targeting Australian businesses. There are many.
INC first appeared in 2023, targeting mid-market businesses and professional services firms across the United States and Europe. By mid-2024, they shifted focus to the Asia-Pacific region.
The thing that separates INC from older groups is double-extortion: they steal your data before encrypting your systems. When the ransom demand arrives, you are being asked to pay twice — once to get your systems back, and again to prevent your client data, contracts, and financial records from being published on their public leak site.
For a professional services firm, the second threat is often worse than the first. Think of a law firm's client files, an accountant's tax records, or a medical practice's patient data: publication does not just create a legal liability problem. It ends client relationships.
How INC gets into your business
The ACSC advisory identifies three methods INC affiliates use to gain initial access. None require sophisticated hacking. They are gaps that most small businesses have not closed.
Spear-phishing emails
Spear-phishing is targeted phishing. The attacker researches your business before sending anything — your staff names, your suppliers, your IT provider. The email looks like it came from someone you trust.
A typical scenario: an email appears to come from your payroll platform or a government agency, asking you to verify your login details. One click, one fake login page, and the attacker has valid credentials for your systems.
AI has made this significantly worse. Generative AI tools can now write phishing emails that are grammatically flawless, contextually relevant, and free of the spelling mistakes that used to make them easy to spot.
Purchased credentials
INC affiliates do not always need to phish your staff. They can buy valid login credentials from dark-web marketplaces.
These credentials come from previous data breaches at other companies. If one of your employees has ever reused a work password on a personal account — a social media platform, an online retailer — that password may already be for sale. The attacker buys it, tests it against your Microsoft 365 login or VPN, and if there is no multi-factor authentication (MFA) in place, they are in. No phishing required, no malware deployed. They walk straight through the front door.
The ACSC advisory specifically calls out credential-based access as a key enabler of INC attacks in Australia.
Exploiting unpatched systems
Automated scanning tools probe every publicly accessible device on the internet for known vulnerabilities. If you have a firewall, VPN gateway, or remote desktop server that has not been patched recently, it will be found.
INC affiliates target vulnerabilities in tools like Citrix NetScaler, Fortinet FortiOS, and Windows Server. Patches for many of these vulnerabilities are available months before attackers exploit them. They know that patch management in small businesses is inconsistent, and they rely on it.
March 2026's Patch Tuesday closed two actively exploited Windows zero-days. Devices that have not applied those updates are currently vulnerable to known attack methods.
What happens after they get in
Here is the attack sequence, and where you can interrupt it.
Step 1: Initial access. Entry through one of the methods above.
Step 2: Reconnaissance. The attacker spends time inside your network before doing anything visible — mapping your most valuable data, your backup systems, your domain administrator accounts. This phase can last days or weeks.
Step 3: Lateral movement. The attacker moves from the initial point of entry to higher-value systems, escalating from a standard user account to administrator access.
Step 4: Data exfiltration. Your most sensitive data — client files, financial records, employee data, contracts — gets copied to the attacker's infrastructure. This is the "double" in double-extortion. Your backup does not help here because the data is already gone.
Step 5: Ransomware deployment. The encryption payload goes across your network. Files are locked. Systems go offline. The ransom note appears.
Step 6: The demand. Pay for decryption. Pay to prevent publication of your data. The ACSC advises against paying ransoms — payment does not guarantee data deletion and funds further criminal activity.
The average cost of a cyber incident for an Australian small or medium business is approximately $46,000. That covers downtime, recovery, and legal costs, but not reputational damage or client losses.
Who is most at risk in Australia?
The ACSC advisory is specific. INC has targeted Australian organisations in:
- Healthcare (medical practices, allied health, dental)
- Professional services (law, accounting, financial advisory, consulting)
- Critical infrastructure adjacent sectors
The pattern is deliberate:
- They hold sensitive personal data that is valuable to publish (Privacy Act obligations, professional secrecy, medical records)
- They often have limited internal IT security expertise compared to larger enterprises
- They are highly motivated to pay quickly because downtime and data exposure can end client relationships and trigger regulatory investigations
- Their average IT spend is low relative to the value of the data they hold
The July 2026 Privacy Act reforms will expand obligations significantly for many of these businesses, but right now, most are not ready. The OAIC launched its first-ever formal compliance sweep in early 2026, signalling that enforcement is no longer theoretical.
The three checks to run this week
You do not need a large IT budget to close the most critical gaps. The ACSC advisory points to the same three controls that appear in almost every post-incident review.
1. Audit multi-factor authentication on every external account
Multi-factor authentication (MFA) is the single most effective defence against credential-based attacks. If an attacker buys or phishes a valid username and password, MFA stops them from using it without the second factor.
Check MFA is enabled for:
- Microsoft 365 or Google Workspace (every user, not just admins)
- Your accounting software (Xero, MYOB, QuickBooks)
- Your VPN or remote access tool
- Your file storage (SharePoint, Google Drive, Dropbox)
- Any practice management software
This is a configuration change in your admin console, not a purchase. On Microsoft 365, go to the admin centre, open Security, and check Secure Score. Microsoft will tell you exactly which accounts do not have MFA and rank the risk.
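Secure Score gives you the ranked view; if you want the raw list of accounts that could be used with nothing more than a password, the script below pulls it from Microsoft Graph. It is an added example, not part of the ACSC advisory or the original post, and it assumes the Microsoft.Graph PowerShell SDK is installed and that the signed-in admin can be granted the two read scopes it requests.

```powershell
# Added example: list Microsoft 365 users with no registered MFA method.
# Assumes the Microsoft.Graph PowerShell SDK (Connect-MgGraph, Get-MgUser,
# Get-MgUserAuthenticationMethod) and an admin able to consent to the scopes below.
function Get-UsersWithoutMfa {
    [CmdletBinding()]
    param(
        # Disabled accounts are skipped by default; leavers should be disabled anyway.
        [switch]$IncludeDisabled
    )

    Connect-MgGraph -Scopes 'User.Read.All', 'UserAuthenticationMethod.Read.All' -NoWelcome

    # Method types that act as a second factor. A password alone does not,
    # and an email address registered only for password reset does not either.
    # SMS/voice (phoneAuthenticationMethod) is weaker than the others but still counts here.
    $strongMethods = @(
        '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod',
        '#microsoft.graph.fido2AuthenticationMethod',
        '#microsoft.graph.softwareOathAuthenticationMethod',
        '#microsoft.graph.windowsHelloForBusinessAuthenticationMethod',
        '#microsoft.graph.phoneAuthenticationMethod'
    )

    $users = Get-MgUser -All -Property Id, UserPrincipalName, AccountEnabled
    foreach ($u in $users) {
        if (-not $IncludeDisabled -and -not $u.AccountEnabled) { continue }

        # Each method object carries its type in the @odata.type property.
        $types = Get-MgUserAuthenticationMethod -UserId $u.Id |
            ForEach-Object { $_.AdditionalProperties['@odata.type'] }

        $hasStrong = @($types | Where-Object { $strongMethods -contains $_ }).Count -gt 0
        if (-not $hasStrong) {
            [pscustomobject]@{
                UserPrincipalName = $u.UserPrincipalName
                Enabled           = $u.AccountEnabled
                RegisteredMethods = (($types -replace '#microsoft\.graph\.', '') -join ', ')
            }
        }
    }
}

# Usage: every row is an account a phished or purchased password would open on its own.
Get-UsersWithoutMfa | Format-Table -AutoSize
```

Registration is not enforcement: a user can have an authenticator registered and still never be challenged, so pair this list with Security Defaults or a Conditional Access policy that requires MFA for every sign-in.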
2. Check your domain for leaked credentials
Go to haveibeenpwned.com and search your business email domain. This free service aggregates data from thousands of known breaches and will tell you whether any of your staff email addresses have appeared in leaked credential databases.
If results come back, change those passwords immediately and enable MFA on the affected accounts. Treat any account found in a breach database as compromised until the password is changed.
3. Confirm March 2026 Windows updates are applied
Open Windows Update on every device and confirm the March 2026 cumulative update has been installed. It closes two actively exploited zero-day vulnerabilities. If you manage devices via Microsoft Intune, check the compliance dashboard for any devices that have not updated.
If you use a managed IT provider, ask them today for written confirmation that March 2026 updates have been deployed across all managed devices.
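For firms without Intune, the script below checks each Windows device for security updates installed since March 2026 Patch Tuesday and for a reboot that is still pending, which would leave a downloaded update unapplied. It is an added example rather than something from the post or the advisory; it assumes 10 March 2026 as Patch Tuesday (the second Tuesday of the month), PowerShell remoting for any remote device names, and a KB number you substitute from the Microsoft release notes, since the post does not give one.

```powershell
# Added example: confirm March 2026 updates on one or more Windows devices.
# Assumes PowerShell remoting (WinRM) is enabled for remote names and that you
# replace the KB placeholder with the cumulative update KB for your Windows build.
function Test-MarchUpdateApplied {
    [CmdletBinding()]
    param(
        [string[]]$ComputerName = $env:COMPUTERNAME,
        # Second Tuesday of March 2026 (assumption: Patch Tuesday date).
        [datetime]$PatchTuesday = (Get-Date '2026-03-10'),
        # Placeholder: fill in from the March 2026 release notes for your OS build.
        [string]$ExpectedKb = 'KB<MARCH-2026-CU-PLACEHOLDER>'
    )

    $probe = {
        param($since, $kb)
        # CurrentBuild.UBR is the authoritative patch level; compare it with the release notes.
        $ver = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
        # Win32_QuickFixEngineering (Get-HotFix) lists installed updates with their install date.
        $recent = Get-HotFix | Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $since }
        # Windows Update sets this key when an installed update still needs a restart.
        $rebootKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
        $kbFound = [bool](@($recent.HotFixID) -contains $kb)
        $reboot  = Test-Path $rebootKey
        [pscustomobject]@{
            Computer        = $env:COMPUTERNAME
            Build           = "$($ver.CurrentBuild).$($ver.UBR)"
            UpdatesSince    = (@($recent.HotFixID) -join ', ')
            ExpectedKbFound = $kbFound
            RebootPending   = $reboot
            # Compliant only when the expected KB is installed and no restart is outstanding.
            Compliant       = ($kbFound -and -not $reboot)
        }
    }

    foreach ($name in $ComputerName) {
        if ($name -ieq $env:COMPUTERNAME) {
            & $probe $PatchTuesday $ExpectedKb
        } else {
            Invoke-Command -ComputerName $name -ScriptBlock $probe -ArgumentList $PatchTuesday, $ExpectedKb
        }
    }
}

# Usage: any row with Compliant = False is a device still exposed to the patched zero-days.
Test-MarchUpdateApplied -ComputerName 'PC01', 'PC02' | Format-Table -AutoSize
```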
What good cyber security looks like for a professional services firm
The three checks above address immediate exposure. A more complete security posture covers:
Access control
Every staff member should have the minimum access required for their role. No shared admin accounts. No shared passwords. Leavers should have accounts disabled on their last day — not the day after, not when someone gets around to it.
Email security
Microsoft Defender for Office 365 or Google Workspace's advanced protection settings catch most phishing attempts before they reach inboxes. If you are not sure whether these are active, your IT provider should be able to confirm in five minutes.
Endpoint protection
Modern endpoint detection and response (EDR) tools go beyond traditional antivirus. They detect behavioural indicators of attack — lateral movement, credential harvesting — not just known malware signatures.
Backup and recovery
The 3-2-1-1 backup rule: three copies of data, on two different media types, with one offsite, and one air-gapped (disconnected from the network). Test recovery quarterly. An untested backup is not a backup.
Incident response plan
Know what you will do on day one of a breach before it happens. Read our guide on what to do in the first 10 minutes of a cyber attack — who to call, what to unplug, and what not to do. Who notifies clients? What are your Privacy Act reporting obligations? A written plan, even a basic one, reduces the chaos and cost of an incident significantly.
Frequently asked questions
Has INC Ransomware hit Australian businesses?
Yes. The ACSC confirmed in March 2026 that INC Ransomware compromised at least 11 Australian organisations between July 2024 and March 2026. The affected businesses were predominantly in professional services (accounting, legal, consulting) and healthcare.
What industries does INC Ransomware target in Australia?
Per the ACSC advisory: healthcare, accounting, legal, financial advisory, and consulting. These sectors hold sensitive client data, tend to have limited internal security resources, and are under real pressure to resolve incidents fast — which makes them more likely to pay.
How does INC Ransomware gain initial access?
INC affiliates use three main methods: spear-phishing emails designed to steal credentials, purchased login credentials from dark-web marketplaces sourced from previous breaches at unrelated companies, and exploitation of unpatched vulnerabilities in internet-facing systems such as firewalls, VPN gateways, and remote desktop servers.
Should Australian businesses pay the INC Ransomware demand?
The ACSC advises against it. Payment does not guarantee stolen data will be deleted or that systems will be fully restored, and it funds further criminal activity. If your business has been hit, contact the ACSC (1300 CYBER1) and an incident response provider before making any payment decision.
What is double-extortion ransomware?
Double-extortion means attackers steal your data before encrypting your systems. You then face two demands: pay to restore access to your encrypted files, and pay to stop your stolen data being published on a public leak site. For professional services firms, the second threat is often worse than the first — client records and confidential files exposed publicly can end relationships and trigger Privacy Act obligations.
What is the fastest way to reduce INC Ransomware exposure?
Enable multi-factor authentication (MFA) on all external accounts (Microsoft 365, accounting software, VPN), search your business email domain on haveibeenpwned.com for leaked credentials, and confirm March and April 2026 Windows security updates are applied to all devices. Those three steps address the entry points the ACSC advisory specifically calls out.
What Cubit Cyber recommends
INC Ransomware treats Australian professional services as a reliable target. The attack methods in the ACSC advisory are not sophisticated — they depend on gaps that most businesses have not closed.
We have responded to more than 100 ransomware incidents across Australia. The initial access almost always came down to one of those three vectors: a phishing email, a purchased credential, or an unpatched system. And in almost every case, a modest amount of preparation beforehand would have stopped the attack before it got started.
A Cyber Security Assessment gives you a prioritised list of gaps ranked by real-world risk to your business. We write findings in plain English so that business owners can make informed decisions about what to fix and in what order.
Get in touch with the Cubit Cyber team to discuss a Cyber Security Assessment for your business. You can also explore our security assessment services to understand exactly what we review and how we prioritise findings.
