The INC ransomware group has sustained its operations not through technical sophistication but through deliberate target selection and disciplined execution of well-understood attack techniques. Dark Reading's analysis of the group's activity finds that healthcare remains a preferred vertical precisely because downtime in clinical environments carries patient-safety consequences that create pressure to restore systems quickly — and pay to do it.

Why healthcare draws the group's attention

Ransomware operators evaluate targets partly on their willingness to pay and on how quickly they reach a payment decision. Healthcare organizations score high on both measures. Patient care cannot pause indefinitely while IT teams attempt manual recovery, and regulators, insurers, and patients add layers of urgency that other industries do not face with the same intensity.

INC has reportedly moved against hospitals and health systems repeatedly, treating the sector as a reliable source of revenue rather than an opportunistic side effect of broader campaigns. That targeting logic is worth understanding: it means healthcare organizations are not incidental victims of attacks aimed elsewhere. They are primary targets.

The basics INC relies on

The group's methods are not novel. According to the Dark Reading analysis, INC relies on techniques that have appeared in healthcare breach investigations for years:

None of these techniques are new. That is the point. They work reliably against organizations that have not closed gaps that have been publicly documented for years.

What this means for independent practices

Large health systems draw the most press coverage after ransomware attacks, but independent practices and smaller ambulatory organizations carry the same fundamental exposures with less IT capacity to detect and respond. The INC group's preference for pressure-sensitive targets does not exclude smaller organizations — a single-specialty practice or rural clinic may be even more vulnerable to operational paralysis than a hospital with redundant systems.

The attack chain INC relies on maps directly to controls the HHS 405(d) Health Industry Cybersecurity Practices publication has addressed since its initial release. Multi-factor authentication on all remote-access points, network segmentation that limits lateral movement, offline or immutable backup copies tested for restoration, and staff training on phishing recognition are the categories of control that interrupt the methods INC and similar groups depend on.

What the next 12 months likely look like

There is no sign that INC or groups using comparable methods will shift away from healthcare. The economics favor continued focus on the sector. OCR's updated HIPAA Security Rule requirements, finalized in early 2025, increase the specificity of what covered entities and business associates must document and implement — but the gap between documentation and operational reality remains wide at many organizations.

Practices that have not completed a full security risk analysis since the rule's finalization, or that cannot demonstrate tested backup restoration procedures, face both regulatory exposure and meaningful operational risk if a group like INC identifies them as a viable target. The two problems are related: the risk analysis process is designed to surface exactly the gaps that basic ransomware attacks exploit.