The INC ransomware group has expanded its reach not through technical sophistication but through deliberate sector selection and disciplined execution of well-understood attack techniques. Healthcare figures prominently in that strategy because the calculus is straightforward: a hospital or clinic that cannot access patient records faces immediate clinical and legal consequences, which compresses the time the organization has to weigh whether to pay a ransom demand.

Why healthcare is a structural target

Ransomware operators choose victims by modeling the pain a given organization will feel when systems go dark. Healthcare scores high on that model for several compounding reasons.

INC's approach exploits all three conditions without needing a zero-day exploit or custom malware. Published analysis describes the group applying credential theft, phishing, and known vulnerability exploitation — techniques that have appeared in threat briefings for years.

What "mastering the basics" means in practice

The INC group's operational discipline centers on a short list of techniques that remain effective precisely because many organizations have not closed the gaps those techniques depend on.

The effectiveness of this playbook against healthcare targets is less a reflection of INC's ingenuity than a measure of how consistently the same control gaps appear across the sector.

Where independent practices carry the most exposure

Large health systems have begun investing in dedicated threat detection and incident response capacity. Independent practices — primary care, specialty groups, behavioral health, dental — generally have not, and INC's sector-agnostic basic-techniques approach means size provides little protection.

The control gaps that most directly enable this group's methods include: absence of phishing-resistant multi-factor authentication on remote access and email, infrequent or untested offline backups, flat network architectures that allow lateral movement once a single endpoint is compromised, and no documented incident response plan that staff have rehearsed.

None of those gaps require sophisticated remediation. They require consistent application of controls that the HIPAA Security Rule has required since 2005 and that NIST guidance has elaborated repeatedly since. The INC group's growth suggests that consistency, not novelty, remains the primary deficit in healthcare's defense.

What this signals about the next 12 months

The INC group's trajectory — methodical, sector-focused, technically unspectacular — is likely to be replicated by other ransomware operations that observe its success rate. Healthcare practices should expect continued high-volume targeting that does not announce itself through unusual technical indicators.

The practical implication is that threat detection strategies built around identifying novel malware will miss a meaningful share of intrusions. Detection programs oriented toward anomalous credential use, unusual administrative tool activity, and unexpected outbound data transfers are better aligned with the techniques this and similar groups apply. Tabletop exercises that simulate a ransomware event — including the HIPAA notification timeline and the decision about whether and how to restore from backup — give practice leadership a realistic picture of where their response plan holds and where it does not before an incident tests it under pressure.
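The following added example, which is not code from the analysis discussed here, compares current activity against a known-good baseline for the three signals named above: credentials used from a new source, administrative tools running on hosts that never ran them, and outbound volume spikes. The event schema, tool watchlist, thresholds, host names and sample events are all constructed assumptions.

```python
from collections import defaultdict

ADMIN_TOOLS = {"psexec.exe", "wmic.exe"}  # illustrative watchlist (assumption)
SPIKE_FACTOR = 5           # alert when a day's egress exceeds 5x the baseline peak
MIN_EGRESS = 500_000_000   # byte floor so low-traffic hosts do not alert on noise

def summarise(events):
    """Reduce events to (user, src) logons, (host, tool) runs, peak daily egress per host."""
    logons, tools, daily, peak = set(), set(), defaultdict(int), defaultdict(int)
    for e in events:
        if e["type"] == "logon" and e["ok"]:
            logons.add((e["user"], e["src"]))
        elif e["type"] == "process" and e["image"].lower() in ADMIN_TOOLS:
            tools.add((e["host"], e["image"].lower()))
        elif e["type"] == "egress":
            daily[(e["host"], e["day"])] += e["bytes"]
    for (host, _day), total in daily.items():
        peak[host] = max(peak[host], total)
    return logons, tools, peak

def detect(baseline_events, current_events):
    """Return sorted (rule, entity) alerts for behaviour absent from the baseline."""
    b_logons, b_tools, b_peak = summarise(baseline_events)
    c_logons, c_tools, c_peak = summarise(current_events)
    alerts = [("new_logon_source", f"{u}@{s}") for u, s in c_logons - b_logons]
    alerts += [("admin_tool_new_host", f"{t}@{h}") for h, t in c_tools - b_tools]
    alerts += [("egress_spike", h) for h, total in c_peak.items()
               if total > max(SPIKE_FACTOR * b_peak.get(h, 0), MIN_EGRESS)]
    return sorted(alerts)

# Constructed sample events (not taken from any real incident or from the analysis).
BASELINE = [
    {"type": "logon", "user": "frontdesk1", "src": "10.0.1.21", "ok": True},
    {"type": "logon", "user": "itadmin", "src": "10.0.9.5", "ok": True},
    {"type": "process", "host": "IT-WS01", "image": "PsExec.exe"},
    {"type": "egress", "host": "EHR-SRV", "day": 1, "bytes": 40_000_000},
    {"type": "egress", "host": "EHR-SRV", "day": 2, "bytes": 55_000_000},
]
TODAY = [
    {"type": "logon", "user": "frontdesk1", "src": "10.0.1.21", "ok": True},
    {"type": "logon", "user": "itadmin", "src": "10.0.1.21", "ok": True},
    {"type": "process", "host": "IT-WS01", "image": "psexec.exe"},
    {"type": "process", "host": "FRONTDESK-PC", "image": "psexec.exe"},
    {"type": "egress", "host": "EHR-SRV", "day": 9, "bytes": 300_000_000},
    {"type": "egress", "host": "EHR-SRV", "day": 9, "bytes": 450_000_000},
]

if __name__ == "__main__":
    print(*detect(BASELINE, TODAY), sep="\n")
```

None of the three alerts depends on a malware signature: each fires on a valid account, a legitimate tool, or ordinary traffic appearing where the baseline never saw it.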