Incident response · INC Ransom ransomware
INC Ransom is targeting Australia, and healthcare is squarely in its sights.
INC Ransom drew a rare step in March 2026: a joint advisory from the ACSC, New Zealand's NCSC and CERT Tonga, after its affiliates compromised at least 11 Australian organisations, with healthcare and professional services hit hardest. If your files now end in .inc and an INC-README note is on your screens, here is what you are dealing with and what to do.
Recognise it
How to confirm it is INC Ransom.
Before anything else, keep the encrypted files and every ransom note exactly where they are. They identify the strain, and they are often the raw material a recovery works from.
- File extension
- .inc appended to encrypted files (a successor variant uses .LYNX)
- Ransom note
- INC-README.TXT and INC-README.HTML, written across affected folders
- First seen
- Mid-2023; over 800 claimed victims since, with Australia among its most-targeted countries
- Australian footprint
- At least 11 Australian organisations compromised between July 2024 and December 2025, primarily healthcare and professional services; subject of the March 2026 ACSC joint advisory
Behaviour
What INC Ransom does to your systems.
Gets in through people and patching
Spear-phishing, purchased credentials and unpatched internet-facing systems are the common entry points. Compromised accounts have been the pattern against Australian healthcare.
Quiet tooling
Affiliates use legitimate tools like 7-Zip and rclone to stage and exfiltrate data, blending into normal network activity before the encryption starts.
AES-256 encryption
Files are encrypted with AES-256 in CBC mode. Breaking the encryption is not a recovery path; what matters is what the process left behind.
Double extortion with pressure tactics
Data is stolen before encryption and used as leverage, including threats to publish sensitive records. Against health providers that pressure is deliberate and personal.
Backups in scope
Reachable backups and shadow copies are attacked before the finale, which is why the surviving copies need to go offline immediately.
Ransomware-as-a-service
Affiliate operators vary in skill and thoroughness. That variance shows up in what is recoverable, which is why every incident deserves its own assessment.
The honest answer
Can INC Ransom-encrypted files be recovered?
It depends on the affiliate and the environment, and the encrypted files themselves hold the answer. Like most modern ransomware-as-a-service strains, INC builds prioritise speed across large estates, and speed leaves artefacts: partially processed files, missed shares, intact database structures beneath damaged containers. On large structured files there is often more left than the note suggests.
For a healthcare practice there is a second dimension: establishing exactly what patient data was accessed drives your Privacy Act and My Health Records obligations, and that answer comes from the same preserved evidence a recovery works from. Wiping machines destroys both at once.
Keep the encrypted files, the INC-README notes and the affected machines exactly as they are, and get an assessment before anything is rebuilt. We will tell you within hours what looks recoverable and help you work the notification questions in parallel.
Common questions
INC Ransom, in plain terms.
Mid-incident and need a straight answer? Call 1300 004 766. A person answers, 24 hours a day.
What is the .inc file extension?
Files renamed with .inc have been encrypted by INC Ransom, a ransomware-as-a-service operation active since mid-2023 and the subject of a joint ACSC advisory in March 2026 after sustained targeting of Australian organisations. Notes named INC-README.TXT and INC-README.HTML accompany the encryption. A successor variant uses the .LYNX extension.
Is there a free decryptor for INC Ransom?
No public decryptor exists for current INC variants. The realistic recovery paths are verified offline backups, surviving snapshots, partial-encryption recovery of what the process left intact, and rebuilding from source systems. Payment sits below all of those, and it funds the next campaign.
We are a medical practice. Does INC change our obligations?
The obligations exist regardless of strain, but INC's habit of stealing patient records makes them immediate. Health providers carry Privacy Act duties whatever their size, the Notifiable Data Breaches scheme requires prompt assessment where serious harm is likely, and My Health Record connections carry their own stricter notification rules. Establishing what was actually accessed, from preserved evidence, is what those judgements rest on.
The note says our data will be published. What do we do?
Do not negotiate alone and do not rush a payment to make it stop. Publication threats are INC's core pressure tactic and the claims are not always accurate. Preserve the evidence, establish what was genuinely taken, get advice on your notification duties, and remember that in Australia any ransom payment by a business over $3 million turnover must itself be reported within 72 hours.
What should we do in the first hour?
Isolate affected machines but leave them on, keep every encrypted file and note, take surviving backups offline, and start a timeline. Do not rebuild systems or run cleanup tools over the evidence. Call 1300 004 766, answered 24 hours a day, and download our one-page First-Response Guide for the rest of the team.
Right now
The first hours decide what can be saved.
Isolate the machines, keep the encrypted files, take backups offline, and call before anything gets rebuilt. Australian incident response, answered by a real person.