The INC ransomware group has built a sustained operation not by deploying novel exploits but by disciplining itself around fundamentals — credential theft, living-off-the-land techniques, and deliberate sector selection. Healthcare sits near the top of that target list precisely because clinical disruption converts directly into urgency, and urgency converts into ransom payments.
Why healthcare draws INC's attention
Ransomware operators choose targets by calculating the ratio of disruption to payout. Healthcare scores high on that calculation: patient safety obligations, regulatory exposure, and the absence of operational redundancy in many independent and community settings all compress the window in which a practice or hospital can tolerate a shutdown.
INC has shown consistency in this logic. Rather than scattering attacks across industries, the group concentrates on verticals where the cost of staying offline exceeds the cost of paying. Healthcare, alongside a small number of other critical-service industries, meets that threshold reliably.
The mechanics: ordinary techniques, disciplined execution
What distinguishes INC from more technically ambitious groups is operational consistency rather than novel capability. Reporting on the group's methods points to a pattern built on well-documented techniques:
- Initial access through exposed credentials. Phishing campaigns and the purchase of previously stolen credentials from initial-access brokers remain the primary entry points, reflecting how often valid account details sit unprotected without multi-factor authentication enforcement.
- Living-off-the-land movement. Once inside, operators use tools and processes already present in the target environment — legitimate remote management software, built-in scripting engines — to avoid triggering signature-based detection.
- Deliberate dwell time. The group maps network topology, identifies backup infrastructure, and exfiltrates data before deploying encryption, ensuring that recovery options are degraded before the ransom demand appears.
None of these techniques require sophisticated tooling. All of them are effective against environments that have not enforced multi-factor authentication, segmented clinical and administrative networks, or validated that backup copies remain offline and intact.
What this signals for independent practices
The INC pattern is a direct indictment of deferred maintenance on foundational controls. Groups that operate this way are, in effect, performing continuous reconnaissance against the healthcare sector and filtering for the practices and facilities that have left the most common gaps open.
For independent practice administrators, the relevant question is not whether the group is technically advanced — it is not — but whether the controls most likely to interrupt its methods are in place. Multi-factor authentication on all remote access and email, network segmentation that isolates clinical systems from general administration, and offline backup copies that are tested for restoration completeness are the three areas where INC's documented approach is most likely to stall.
The group's durability also reflects a broader market dynamic: as long as healthcare organizations pay at rates that justify the operational costs of running a ransomware affiliate program, the sector will continue to attract groups willing to do the careful, unglamorous work of basic intrusion. Reducing payment rates requires reducing successful intrusions, which requires closing the gaps these operators have shown they will reliably find.