The INC ransomware group has maintained an outsized footprint in healthcare not through technical novelty but through deliberate sector selection — identifying environments where operational disruption translates almost immediately into financial and patient-safety pressure. Dark Reading's analysis of the group's activity illustrates how a threat actor can remain effective without deploying sophisticated new tooling, simply by choosing targets where downtime is intolerable.
Why healthcare remains a preferred target
Ransomware operators evaluate targets partly on willingness to pay and partly on speed-to-payment. Healthcare organizations score high on both dimensions. Clinical workflows depend on real-time data access, and even short-duration outages can force procedure cancellations, divert ambulances, or disrupt medication administration. That operational dependency compresses the time between infection and ransom negotiation in ways that enterprises in other sectors do not experience as acutely.
INC has built its campaign around that calculus. Rather than investing in zero-day exploits or custom malware, the group relies on well-documented initial access techniques — phishing, exposed remote-access services, and credential theft — and moves laterally through networks that were not segmented to contain the spread. The sophistication, such as it is, lies in target selection and timing, not in the malware itself.
The structural problem this exposes
The group's continued effectiveness points to a gap between what healthcare organizations know they should do and what their environments actually reflect. Network segmentation that would limit lateral movement, multifactor authentication on remote-access entry points, and offline backup strategies that survive encryption are all well-established controls. Their absence at affected organizations is not a knowledge failure; it is a prioritization and resource failure.
Small and independent practices face the same adversary profile as large health systems but with significantly fewer IT resources. INC does not appear to differentiate meaningfully by organization size — a clinic that processes claims electronically and stores patient records in a networked EHR presents an attackable surface regardless of its headcount.
What this signals about the next 12 months
The pattern INC demonstrates — low-complexity tradecraft, high-pressure sector targeting — is reproducible and does not require the criminal infrastructure of a large ransomware-as-a-service operation. Other groups have already adopted similar approaches. That means healthcare organizations should not interpret any single takedown or law-enforcement action against a named group as a reduction in overall threat volume.
Practices should treat the following controls as the operational floor, not aspirational goals:
- Multifactor authentication on all remote access points. Credential theft is a primary initial-access method for INC and groups like it; a second authentication factor substantially raises the cost of that technique.
- Network segmentation between clinical and administrative systems. Lateral movement from an administrative workstation to an EHR or imaging server is a standard ransomware progression; segmentation slows or stops it.
- Tested, offline, or immutable backups. Payment pressure collapses when a practice can restore from a clean backup without negotiating with an attacker.
- Documented incident response procedures. Practices that have not rehearsed their response before an attack make slower decisions under pressure, which extends downtime and increases the probability of payment.
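The segmentation control above is easier to keep honest when it is checked against real traffic rather than assumed from a network diagram. The following is an added example, not code from the Dark Reading article or from any INC investigation: a small zone-based audit that assigns hosts to zones by subnet, compares observed flows against an allow list of permitted zone-to-zone flows, and reports anything else, which in practice surfaces administrative-to-clinical connections of the kind described as a standard ransomware progression. The subnets, the allow list, and the flow-record format are all assumptions constructed for illustration; a practice would substitute its own zone map and feed it firewall or NetFlow exports.

```python
"""
Added example (not from the article): zone-based segmentation audit.
Hosts are mapped to zones by subnet; each flow record is checked against
an allow list of (src_zone, dst_zone, dst_port). Anything not on the list
is a finding. All subnets, hosts and flow records are constructed.
"""
import ipaddress
from dataclasses import dataclass

# Constructed zone map (assumption): which subnets belong to which zone.
ZONES = {
    "admin":    [ipaddress.ip_network("10.10.0.0/24")],   # front-office workstations
    "clinical": [ipaddress.ip_network("10.20.0.0/24")],   # EHR, imaging, modalities
    "vpn":      [ipaddress.ip_network("10.99.0.0/24")],   # remote-access pool
}

# Permitted flows as (src_zone, dst_zone, dst_port); dst_port None = any port.
# Constructed policy: admin reaches the EHR web front end only, on 443.
ALLOWED = {
    ("admin", "clinical", 443),
    ("vpn", "admin", 3389),
    ("admin", "admin", None),
    ("clinical", "clinical", None),
}

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"

def zone_of(ip: str) -> str:
    """Return the zone name for an address, or 'unknown' if unmapped."""
    addr = ipaddress.ip_address(ip)
    for zone, nets in ZONES.items():
        if any(addr in n for n in nets):
            return zone
    return "unknown"

def is_allowed(flow: Flow) -> bool:
    """True if the flow matches an exact-port or any-port allow entry."""
    src_z, dst_z = zone_of(flow.src), zone_of(flow.dst)
    return (src_z, dst_z, flow.dport) in ALLOWED or (src_z, dst_z, None) in ALLOWED

def parse_flow(line: str) -> Flow:
    """Parse the constructed record format: key=value tokens separated by spaces."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    return Flow(fields["src"], fields["dst"], int(fields["dport"]), fields.get("proto", "tcp"))

def audit(lines):
    """Return (src_zone, dst_zone, flow) for every flow outside the allow list."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        flow = parse_flow(line)
        if not is_allowed(flow):
            findings.append((zone_of(flow.src), zone_of(flow.dst), flow))
    return findings

# Constructed sample flow records: two SMB/RDP crossings from an admin
# workstation into the clinical zone and an SSH hop from the VPN pool are
# the lines a defender would want to see flagged.
SAMPLE_FLOWS = """
# constructed flow export
src=10.10.0.5 dst=10.20.0.7 dport=443 proto=tcp
src=10.10.0.5 dst=10.20.0.7 dport=445 proto=tcp
src=10.10.0.5 dst=10.20.0.9 dport=3389 proto=tcp
src=10.99.0.3 dst=10.10.0.5 dport=3389 proto=tcp
src=10.20.0.7 dst=10.20.0.8 dport=104 proto=tcp
src=10.99.0.3 dst=10.20.0.7 dport=22 proto=tcp
""".splitlines()

if __name__ == "__main__":
    for src_z, dst_z, f in audit(SAMPLE_FLOWS):
        print(f"[finding] {src_z} -> {dst_z}: {f.src} -> {f.dst}:{f.dport}/{f.proto}")
```

Run against the constructed records, the audit reports three findings: admin-to-clinical on 445 and 3389, and VPN-to-clinical on 22, while the permitted 443 web access, the VPN-to-admin RDP session, and intra-clinical DICOM traffic pass. A policy that starts with a deny-by-default allow list like this one is also the shape a firewall rule set between the two zones should take.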
The INC group's durability is a reminder that the healthcare sector does not need to face novel threats to suffer significant harm. The basics, applied consistently, remain the most direct response.