TL;DR for defenders. INC Ransom affiliates get in through three doors: phishing, an unpatched internet-facing device, or valid credentials bought from a broker and reused over RDP or a VPN. Once inside they live off the land: disabling the built-in AV, moving with net.exe and a rogue remote-access tool, and exfiltrating with commodity utilities like rclone and MEGAsync before they encrypt. Four Essential Eight controls do most of the work against this: MFA on every external login, prompt patching of internet-facing services, application control (with EDR alongside it to catch the tooling), and tested backups so that encryption is a bad day rather than a closed business. None of it is expensive. All of it is in the guide.
Why this one is worth your attention in Australia
This is not a hypothetical. The Australian Signals Directorate's ACSC, together with CERT NZ and partners across the Pacific, has published a joint advisory on INC Ransom's affiliate network specifically because it is operating against organisations in Australia, New Zealand and the Pacific island states. That advisory draws on INC Ransom incidents reported to the ACSC, so the behaviour described here is not imported threat-intel from another hemisphere - it is what is landing locally.
The pattern that matters for small and mid-sized businesses is the victimology. INC Ransom is indiscriminate by sector: healthcare, government, education and manufacturing all feature heavily in its public claims. What ties Australian victims together is rarely an industry - it is size and posture. These are organisations with a real internet footprint (a remote-access portal, a VPN appliance, an edge firewall) but without a 24/7 security team watching it. That is the gap the affiliate model is built to exploit, and it is precisely the gap the Essential Eight was written to close.
A note on sourcing and scope. Everything below is drawn from public reporting - the ACSC/CERT NZ advisory, and incident write-ups from GuidePoint, Huntress, Secureworks and others. We do not reference or reconstruct any individual Australian victim's breach, and we draw nothing from ransomware leak sites. The trackers tell us a crew is active here; the defensive detail comes from vendors who responded to these intrusions. This is a defensive profile: it explains the playbook only to the depth a defender needs to break it.
Who INC Ransom is
INC Ransom (also written "INC Ransomware") surfaced in mid-2023 and runs as a ransomware-as-a-service operation: a core team builds and maintains the encryptor and the leak infrastructure, and affiliates do the actual breaking-in, in exchange for a cut. That structure matters for defenders, because it means there is no single "INC playbook" - there is a menu of techniques that different affiliates mix and match. Two intrusions claimed by the same brand can look quite different on the way in.
Like most modern crews, INC runs double extortion: they steal data first, then encrypt, then threaten to publish on a leak site if the ransom goes unpaid. The exfiltration is not an afterthought - for many victims it is the more damaging half, because backups solve encryption but do nothing about stolen records already in someone else's hands. Keep that in mind when we get to the controls: stopping the intrusion early matters more than being able to restore.
The playbook, stage by stage
The sequence below is the common shape across publicly documented INC intrusions. For each stage, the control that breaks it is named inline and linked into the relevant part of the guide.
1. Initial access - phishing, an unpatched edge device, or bought credentials
Affiliates favour three entry routes, and they are boringly consistent across reporting. The first is spear-phishing. The second is exploiting a known vulnerability in an internet-facing device: INC affiliates have been documented abusing flaws in edge appliances such as Citrix NetScaler ADC and Gateway (CVE-2023-3519, unauthenticated remote code execution) and Fortinet's FortiClient EMS endpoint-management server (CVE-2023-48788, SQL injection leading to code execution). The third, and increasingly the default, is simply logging in: buying valid credentials from an initial-access broker and reusing them against an exposed service like RDP or a VPN.
Two Essential Eight controls dominate this stage. Multi-factor authentication on every external login turns a stolen or guessed password from a front-door key into a dead end - it is the single highest-leverage control against the "just log in" route, which is the one growing fastest. Patching internet-facing applications promptly closes the edge-device route; the CVEs above are old, which is exactly the point - affiliates exploit them because unpatched appliances are still out there. If you only fix two things after reading this, fix these two.
2. Defence evasion - turning off the alarm
Once inside, affiliates move quickly to blind the host. Public incident reports describe them using a native Windows utility (SystemSettingsAdminFlows.exe) and registry changes to disable Microsoft Defender, and deploying small purpose-built tools to kill third-party endpoint protection; in one documented case, a binary written specifically to terminate a CylancePROTECT service. The theme is "use what's already there, and switch off what's watching."
This is where application control earns its keep: if unapproved executables cannot run, the AV-killer never launches. It is also where EDR and the right alerts matter. In the Defender operational log, real-time protection being disabled (Event ID 5001), a configuration change that flips a Disable* value or adds an exclusion (Event ID 5007), and tamper protection blocking a change (Event ID 5013) should each be a high-signal alarm, not a line item nobody reads; 5013 in particular means someone already on the host tried. Tamper protection on your endpoint product, switched on and enforced, raises the cost of this whole stage.
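As an added example (not code from the advisory or any of the vendor reports), here is the detection logic for the events just mentioned, run over a handful of constructed Defender operational-log records. The event IDs are Microsoft's real ones and the registry value names in the watch-list are real Defender settings; the hostnames and message text are made up, with the 5007 messages following the shape of the real "configuration has changed" text. Most 5007 events are benign configuration churn, so the example grades them by what actually changed rather than alerting on every one.

```python
"""Turn Microsoft Defender operational-log events into "the alarm is being switched off" alerts.

Added example for this writeup, not code from the ACSC advisory or the vendor write-ups.
The event IDs are the real ones from the Microsoft-Windows-Windows Defender/Operational log;
the sample records are constructed, and their message text follows the shape of the real
5007 "configuration has changed" message rather than being copied from a live host.
"""
import re
from dataclasses import dataclass

EVENT_MEANING = {                       # Defender/Operational IDs that matter for this stage
    5001: "real-time protection disabled",
    5007: "Defender configuration changed",
    5010: "malware scanning disabled",
    5012: "virus scanning disabled",
    5013: "tamper protection blocked a change",
}
DISABLING_VALUES = {                    # registry values that switch a protection off when set to 1
    "DisableAntiSpyware", "DisableRealtimeMonitoring", "DisableBehaviorMonitoring",
    "DisableIOAVProtection", "DisableScriptScanning",
}
NEW_VALUE_RE = re.compile(r"New value:\s*(?P<path>.+?)\s*=\s*(?P<val>0x[0-9a-fA-F]+|\d+)\s*$")


@dataclass(frozen=True)
class Alert:
    host: str
    event_id: int
    severity: str       # high | medium | low
    reason: str


def classify_5007(message):
    """Grade a 5007 message by what changed: most 5007s are benign config churn,
    a Disable* value flipping to 1 or a new exclusion is not."""
    m = NEW_VALUE_RE.search(message)
    if not m:
        return "low", "Defender configuration changed (value not parsed)"
    path = m.group("path")
    value_name = path.rsplit("\\", 1)[-1]
    if value_name in DISABLING_VALUES and int(m.group("val"), 0) == 1:
        return "high", f"{value_name} set to 1: protection switched off"
    if "\\Exclusions\\" in path:
        return "medium", f"exclusion added: {path}"
    return "low", f"setting changed: {value_name}"


def analyse(events):
    """events: dicts with host, id, message (what Get-WinEvent gives you per record)."""
    alerts = []
    for ev in events:
        if ev["id"] not in EVENT_MEANING:
            continue
        if ev["id"] == 5007:
            sev, reason = classify_5007(ev["message"])
        elif ev["id"] == 5013:
            sev, reason = "high", "tamper protection blocked a change: someone on the host already tried"
        else:
            sev, reason = "high", EVENT_MEANING[ev["id"]]
        alerts.append(Alert(ev["host"], ev["id"], sev, reason))
    return alerts


def hosts_with_defender_down(alerts):
    """Hosts where protection was switched off, or someone tried to: the triage queue."""
    return {a.host for a in alerts if a.severity == "high"}


SAMPLE_EVENTS = [  # constructed records; message shape modelled on the real 5007/5001 text
    {"host": "FIN-WS-07", "id": 5007, "message":
     "Windows Defender Antivirus Configuration has changed. If this is an unexpected event you should "
     "review the settings as this may be the result of malware.\r\n\tOld value: \r\n\tNew value: "
     "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\C:\\ProgramData\\sc = 0x0"},
    {"host": "FIN-WS-07", "id": 5007, "message":
     "Windows Defender Antivirus Configuration has changed.\r\n\tOld value: \r\n\tNew value: "
     "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableRealtimeMonitoring = 0x1"},
    {"host": "FIN-WS-07", "id": 5001, "message":
     "Windows Defender Antivirus Real-time Protection scanning for malware and other potentially "
     "unwanted software was disabled."},
    {"host": "SRV-FILE-01", "id": 5013, "message": "Tamper Protection blocked a change to Microsoft Defender."},
    {"host": "HR-WS-12", "id": 5007, "message":
     "Windows Defender Antivirus Configuration has changed.\r\n\tOld value: \r\n\tNew value: "
     "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Scan\\ScheduleTime = 0x2a0"},
    {"host": "HR-WS-12", "id": 1001, "message": "Windows Defender Antivirus scan has finished."},
]

if __name__ == "__main__":
    for a in analyse(SAMPLE_EVENTS):
        print(f"{a.severity:6} {a.host:12} {a.event_id} {a.reason}")
```

In production the records come from Get-WinEvent against Microsoft-Windows-Windows Defender/Operational, or from whatever forwards that log to your SIEM; the grading logic is the part worth keeping, because a rule that fires on every 5007 gets muted within a week.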
3. Discovery and lateral movement - living off the land
INC affiliates lean heavily on tools that are already trusted on the network: net.exe for account and share enumeration and for changing passwords, built-in command shells for execution, and everyday binaries like Notepad and WordPad for reading files during reconnaissance. To move and persist, they frequently install a legitimate remote-access tool they control (ScreenConnect instances have been observed) so their traffic blends in with normal IT remote support.
The defensive answer is layered. Tiering administrative access so that a compromised workstation account cannot pivot to domain-wide control limits how far this stage travels. Application control again blocks unsanctioned remote-access software from installing. And baseline visibility turns "a new ScreenConnect appeared on a finance PC at 2am" into something you actually see.
4. Exfiltration - commodity tools, cloud destinations
Before encrypting, affiliates stage and steal data using off-the-shelf utilities: rclone with an include-list of interesting file types, MEGAsync and other cloud-sync clients, 7-Zip to compress, and in some incidents the open-source backup tool Restic repurposed for exfiltration. None of these are malware in the signature sense, which is the point - they are normal admin tools used for an abnormal purpose.
This stage is hard to stop with prevention alone, which is why it is a detection-and-response problem. Large outbound transfers to consumer cloud-storage domains, rclone or MEGAsync executing on a server that has no business running them, and 7-Zip spawning across dozens of hosts are all detectable patterns if you are collecting endpoint and network telemetry. Application control helps here too: if rclone is not on the approved list, it does not run.
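The living-off-the-land and exfiltration patterns in stages 3 and 4 are all detectable from telemetry most environments already collect. As an added example that is not part of the advisory or the vendor reports, the following runs four rules over constructed endpoint and network records: an exfil tool (rclone, MEGAsync, Restic) executing, weighted by whether the host is a server; 7-Zip appearing on many hosts inside a short window; a ScreenConnect service being installed, rated higher when it happens after hours; and a single host pushing a large volume to consumer cloud-storage domains. The record shapes, hostnames, thresholds and the domain list are assumptions to tune for your own environment; process rows stand in for Sysmon Event ID 1, service rows for System log Event ID 7045.

```python
"""Hunt for INC-style exfil tooling, 7-Zip fan-out and rogue remote-access installs.

Added example for this writeup, not code from the ACSC advisory or the vendor write-ups.
Record shapes are assumptions: "process" rows stand in for Sysmon Event ID 1 (process
create), "service" rows for System log Event ID 7045 (a new service was installed) and
"flow" rows for per-host egress byte counts from a firewall or proxy. Every sample row
below is constructed; hostnames, times and domains are illustrative only.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

EXFIL_TOOLS = {"rclone.exe", "megasync.exe", "restic.exe"}
ARCHIVERS = {"7z.exe", "7za.exe", "7zg.exe"}
RMM_MARKERS = ("screenconnect", "connectwise control")   # substring match on service name or path
CONSUMER_CLOUD = {"mega.nz", "mega.co.nz", "mega.io"}     # assumption: extend for your environment
FANOUT_HOSTS, FANOUT_WINDOW = 5, timedelta(minutes=30)    # 7-Zip on >=5 hosts inside 30 minutes
EGRESS_BYTES = 500 * 1024 * 1024                          # 500 MB to consumer cloud from one host
WORK_HOURS = range(7, 19)                                 # 07:00-18:59 local counts as business hours


@dataclass(frozen=True)
class Alert:
    rule: str
    severity: str
    hosts: tuple
    detail: str


def _is_consumer_cloud(domain):
    d = domain.lower()
    return any(d == c or d.endswith("." + c) for c in CONSUMER_CLOUD)


def detect(records):
    """Run all four rules over a list of telemetry dicts and return the alerts raised."""
    alerts, archiver_hits, egress = [], [], defaultdict(int)
    for r in records:
        when = datetime.fromisoformat(r["time"])
        if r["type"] == "process":
            image = PureWindowsPath(r["image"]).name.lower()
            if image in EXFIL_TOOLS:
                sev = "high" if r["role"] == "server" else "medium"
                alerts.append(Alert("exfil-tool", sev, (r["host"],), f"{image}: {r['cmdline']}"))
            elif image in ARCHIVERS:
                archiver_hits.append((when, r["host"]))
        elif r["type"] == "service":
            blob = (r["service_name"] + " " + r["image_path"]).lower()
            if any(m in blob for m in RMM_MARKERS):
                sev = "high" if when.hour not in WORK_HOURS or r["role"] == "server" else "medium"
                alerts.append(Alert("rogue-rmm", sev, (r["host"],),
                                    f"{r['service_name']} installed at {when:%H:%M}"))
        elif r["type"] == "flow" and _is_consumer_cloud(r["dst_domain"]):
            egress[r["host"]] += r["bytes_out"]

    # 7-Zip fan-out: one archiver run is admin noise; the same tool on many hosts at once is staging.
    archiver_hits.sort()
    for i, (start, _) in enumerate(archiver_hits):
        hosts = {h for t, h in archiver_hits[i:] if t - start <= FANOUT_WINDOW}
        if len(hosts) >= FANOUT_HOSTS:
            alerts.append(Alert("archiver-fanout", "high", tuple(sorted(hosts)),
                                f"{len(hosts)} hosts ran 7-Zip within {FANOUT_WINDOW}"))
            break

    for host, total in egress.items():
        if total >= EGRESS_BYTES:
            alerts.append(Alert("cloud-egress", "high", (host,), f"{total // 2**20} MB to consumer cloud"))
    return alerts


SAMPLE = [  # constructed telemetry, not from any real network
    {"type": "process", "time": "2024-03-05T01:52:00", "host": "SRV-FILE-01", "role": "server",
     "image": "C:\\Users\\Public\\rclone.exe",
     "cmdline": "rclone.exe copy --include *.docx --include *.xlsx E:\\Shares remote:staging"},
    {"type": "process", "time": "2024-03-05T09:20:00", "host": "FIN-WS-03", "role": "workstation",
     "image": "C:\\Users\\jsmith\\AppData\\Local\\MEGAsync\\MEGAsync.exe", "cmdline": "MEGAsync.exe"},
    {"type": "process", "time": "2024-03-05T14:00:00", "host": "HR-WS-12", "role": "workstation",
     "image": "C:\\Windows\\System32\\notepad.exe", "cmdline": "notepad.exe readme.txt"},
    {"type": "service", "time": "2024-03-05T02:14:00", "host": "FIN-WS-07", "role": "workstation",
     "service_name": "ScreenConnect Client (xxxxxxxx)",
     "image_path": "C:\\Program Files (x86)\\ScreenConnect Client (xxxxxxxx)\\ScreenConnect.ClientService.exe"},
    {"type": "service", "time": "2024-03-05T10:00:00", "host": "IT-WS-01", "role": "workstation",
     "service_name": "Sysmon64", "image_path": "C:\\Windows\\Sysmon64.exe"},
    {"type": "flow", "time": "2024-03-05T01:55:00", "host": "SRV-FILE-01",
     "dst_domain": "userstorage.mega.co.nz", "bytes_out": 700 * 1024 * 1024},
    {"type": "flow", "time": "2024-03-05T09:30:00", "host": "FIN-WS-03",
     "dst_domain": "mega.nz", "bytes_out": 20 * 1024 * 1024},
] + [  # 7-Zip launched on six finance workstations inside twenty minutes
    {"type": "process", "time": f"2024-03-05T01:{10 + 4 * i:02d}:00", "host": f"FIN-WS-{i:02d}",
     "role": "workstation", "image": "C:\\ProgramData\\7z.exe", "cmdline": "7z.exe a out.7z D:\\Finance"}
    for i in range(6)
]

if __name__ == "__main__":
    for a in detect(SAMPLE):
        print(f"{a.severity:6} {a.rule:16} {', '.join(a.hosts)}: {a.detail}")
```

The thresholds are the part to argue about locally: a backup server that legitimately runs Restic needs an allow-list entry, and the 7-Zip fan-out count should sit just above whatever your patching or packaging tools do on a normal day. Application control makes the first rule redundant on hosts where it is enforced, which is the point of the table that follows.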
5. Impact - encryption and the leak threat
The finale drops an encryptor and an INC-README.txt ransom note, with the leak-site threat as leverage. By this point the data is already gone, so encryption is the part you can most directly survive, if you prepared. Regular backups that you have actually tested restoring, kept offline or otherwise out of reach of the account that gets compromised, are what turn a ransom demand into a restore job. Backups you have never test-restored are a guess, not a control.
The chain, mapped to the Essential Eight
Read top to bottom, the intrusion is a series of links, and the Essential Eight breaks most of them more than once. That redundancy is the strategy: you are not betting everything on one control catching one step.
| Stage | What the affiliate does | Essential Eight control that breaks it |
|---|---|---|
| Initial access | Phishing, exploit an unpatched edge device, or reuse bought credentials over RDP/VPN | MFA; patch applications; patch operating systems; user application hardening |
| Defence evasion | Disable Defender / kill third-party AV with small tools | Application control; restrict admin privileges (+ EDR & tamper protection) |
| Discovery & lateral movement | net.exe, LOLBins, rogue ScreenConnect | Restrict admin privileges; application control; MFA on internal admin |
| Exfiltration | rclone, MEGAsync, Restic, 7-Zip to consumer cloud | Application control (+ egress monitoring & detection) |
| Impact | Encrypt and threaten to leak | Regular, tested, offline backups |
Notice that application control and restrict administrative privileges each show up at multiple stages. Those two are the harder Essential Eight controls to roll out, but the table is the argument for why they are worth the effort: they are not single-purpose, they tax the whole middle of the intrusion. The full method - what to do first, and how to mature each control - is laid out across the four stages of the guide.
If you only do three things
For an Australian SMB that wants the most risk reduction per dollar against this specific crew, in order:
- MFA on every internet-facing login - email, VPN, RDP gateway, remote-access portals. This closes the fastest-growing initial-access route to anyone holding only a password, and it is the cheapest control on the list. Start at Stage 1, step 2 and harden it in Stage 2.
- Patch your internet-facing devices on a real clock. The edge appliance with a known CVE is how affiliates walk in without a password at all. Inventory what you expose, then keep it current - Stage 1, steps 1 and 3.
- Test a backup restore this quarter. Not "do we have backups" - actually restore one and time it. This is the control that decides whether the encryption stage ends your week or your business - Stage 1, step 4.
Honest limitations
The Essential Eight is a strong baseline, not a force field. It does little to recover data already exfiltrated, so against a double-extortion crew the controls that prevent the intrusion matter more than the one that recovers from encryption - getting hit but restoring cleanly still means your data may be published. An affiliate who phishes an MFA-fatigued user into approving a push, or who walks in on credentials and stays "low and slow," can still get a foothold; that is why detection and a written incident-response plan sit alongside the preventive controls rather than after them. And because the affiliate model means tradecraft varies, treat the stages here as the common shape, not a guarantee of what any one intrusion will look like. The point of mapping to the Essential Eight is not that any single control is sufficient - it is that the layers overlap, so a step that slips past one is caught by the next.
If you want help working out which of these controls you actually have versus which you only think you have, that gap assessment is exactly what the vCISO engagement is for - but the guide is free and stands on its own, so start there.
References
- ASD's ACSC / CERT NZ - INC Ransom Affiliate Model Enabling Targeting of Critical Networks
- ASD's ACSC - INC Ransom and Affiliate Network operating in Australia, New Zealand and the Pacific island states
- Huntress - From LOLBin to INC Ransomware
- GuidePoint Security - Update from the Ransomware Trenches
- Secureworks - GOLD IONIC Deploys INC Ransomware
- SentinelOne - INC Ransom: Analysis, Detection, and Mitigation
- MITRE ATT&CK - T1486: Data Encrypted for Impact
Scope note. This is a defensive writeup built entirely from public reporting. It profiles a threat actor only to the depth a defender needs to detect and break the intrusion, names no individual victim, and uses no data sourced from extortion or leak sites. It contains no malware, exploit code, or operational tradecraft. UMBRASEC publishes defense, not offense.