Back to Intelligence

INC Ransomware Targets Healthcare — Encryption-Based Attack Detection and Defense

SA
Security Arsenal Team
June 17, 2026
8 min read

Introduction

The INC ransomware group has refined its attack strategy by targeting healthcare organizations where encryption-based disruption creates immediate operational pressure to pay. Unlike sophisticated exploit-chaining operations, INC has demonstrated that mastering the basics—targeting high-pressure sectors, ensuring reliable encryption, and maintaining steady extortion campaigns—remains devastatingly effective. For healthcare defenders, this represents an active threat to patient care continuity and requires immediate defensive posture adjustments.

Technical Analysis

Threat Actor: INC Ransomware (also identified as 0ptic in threat intelligence communities)

Targeted Sectors: Healthcare providers, hospital systems, and affiliated medical services

Attack Vector Profile:

  • Initial access via compromised credentials and phishing campaigns
  • Exploitation of remote access services (RDP, VPN)
  • Lateral movement through valid account abuse and SMB exploitation

Encryption Mechanism:

  • AES-256 based file encryption targeting critical healthcare data
  • Systematic encryption of EMR databases, imaging systems, and backup repositories
  • Double-extortion model: data exfiltration followed by encryption

Exploitation Status: Active campaign confirmed in healthcare environments across North America. INC is currently listed in multiple threat intelligence feeds as an active extortion group.

The group's effectiveness stems not from zero-day exploitation but from focusing on sectors where downtime directly impacts patient outcomes. This creates a ransom payment calculus heavily weighted in their favor.

Detection & Response

SIGMA Rules

YAML
---
title: Suspicious Mass File Encryption Pattern - INC Ransomware Indicator
id: 8a4f2c1d-7e3b-4a9f-9c5d-2e6f8a1b3c4d
status: experimental
description: Detects rapid file modification patterns consistent with ransomware encryption activity, targeting healthcare data directories.
references:
  - https://attack.mitre.org/techniques/T1486/
author: Security Arsenal
date: 2026/04/15
tags:
  - attack.impact
  - attack.t1486
logsource:
  category: file_change
  product: windows
detection:
  selection:
    TargetFilename|contains:
      - '\\EMR\\'
      - '\\PACS\\'
      - '\\MedicalRecords\\'
      - '\\PatientData\\'
    Image|endswith:
      - '\.exe'
  condition: selection | count() > 50
timeframe: 2m
falsepositives:
  - Legitimate bulk data migrations
  - Database backup operations
level: high
---
title: INC Ransomware Suspicious PowerShell Execution Pattern
id: 3b7d1e9a-5c2f-4e8b-9a1d-6f4c2e8b3a7c
status: experimental
description: Detects PowerShell commands consistent with INC ransomware propagation and encryption commands observed in recent healthcare incidents.
references:
  - https://attack.mitre.org/techniques/T1059/001/
author: Security Arsenal
date: 2026/04/15
tags:
  - attack.execution
  - attack.t1059.001
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - '\\powershell.exe'
      - '\\pwsh.exe'
    CommandLine|contains:
      - 'Invoke-AESEncryption'
      - '-encrypt'
      - 'ICACLS'
      - '/grant'
      - ':F'
      - '/T'
      - '/C'
  condition: selection
falsepositives:
  - Legitimate administrative scripting
  - Authorized encryption utilities
level: high
---
title: Ransomware Lateral Movement via SMB - Healthcare Network
id: 9c6e3f2a-1d8b-4c7e-a5f9-7d4e2c8b1a6f
status: experimental
description: Detects SMB-based lateral movement patterns consistent with INC ransomware propagation across healthcare network segments.
references:
  - https://attack.mitre.org/techniques/T1021/002/
author: Security Arsenal
date: 2026/04/15
tags:
  - attack.lateral_movement
  - attack.t1021.002
logsource:
  category: network_connection
  product: windows
detection:
  selection:
    DestinationPort: 445
    Initiated: 'true'
    Image|endswith:
      - '\\cmd.exe'
      - '\\powershell.exe'
      - '\\wmiprvse.exe'
  filter:
    DestinationIp|contains:
      - '10.0.0.'
      - '192.168.'
  condition: selection and filter
falsepositives:
  - Legitimate administrative file access
  - Authorized SMB management tools
level: medium

KQL (Microsoft Sentinel / Defender)

KQL — Microsoft Sentinel / Defender
// Hunt for mass file encryption indicative of INC ransomware in healthcare environments
let encryptionThreshold = 50;
let timeWindow = 5m;
DeviceFileEvents
| where Timestamp > ago(timeWindow)
| where ActionType in ("FileCreated", "FileModified")
| where FolderPath has "EMR" or FolderPath has "PACS" or FolderPath has "Patient" or FolderPath has "Medical"
| where InitiatingProcessFileName !in ~("sqlservr.exe", "osql.exe", "backup.exe", "vss.exe", "wbadmin.exe")
| summarize FileCount = count(), EncryptedFiles = make_set(FileName) by DeviceName, InitiatingProcessFileName, InitiatingProcessAccountName, bin(Timestamp, timeWindow)
| where FileCount >= encryptionThreshold
| project DeviceName, InitiatingProcessFileName, InitiatingProcessAccountName, FileCount, Timestamp
| order by FileCount desc


// Detect potential INC ransomware command execution patterns
DeviceProcessEvents
| where Timestamp > ago(1h)
| where FileName in~ ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe")
| where ProcessCommandLine has_any ("encrypt", "AES", "ICACLS", "/grant", ":F", "/T", "/C", "/remove")
| where ProcessCommandLine has_any ("*.emr", "*.pacs", "*.dicom", "*.hl7", "patient", "medical")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName
| order by Timestamp desc


// Identify anomalous SMB connections suggesting lateral movement
DeviceNetworkEvents
| where Timestamp > ago(1h)
| where RemotePort == 445
| where ActionType == "ConnectionAccepted" or ActionType == "ConnectionInitiated"
| where InitiatingProcessFileName in~ ("powershell.exe", "cmd.exe", "wmiprvse.exe", "psexec.exe", "psexec64.exe")
| extend IsInternal = ipv4_is_in_range(RemoteIP, "10.0.0.0/8") or ipv4_is_in_range(RemoteIP, "172.16.0.0/12") or ipv4_is_in_range(RemoteIP, "192.168.0.0/16")
| where IsInternal == true
| summarize Count = count(), Connections = make_set(RemoteIP) by DeviceName, InitiatingProcessFileName, InitiatingProcessAccountName, bin(Timestamp, 10m)
| where Count > 10
| project DeviceName, InitiatingProcessFileName, InitiatingProcessAccountName, Count, Connections, Timestamp
| order by Count desc

Velociraptor VQL

VQL — Velociraptor
-- Hunt for processes exhibiting ransomware-like encryption behavior
SELECT Pid, Name, CommandLine, Exe, Username, CreateTime, 
       count(id) as HandleCount
FROM pslist()
GROUP BY Pid, Name, CommandLine, Exe, Username, CreateTime
HAVING HandleCount > 100
ORDER BY HandleCount DESC


-- Identify suspicious file modifications in healthcare-critical directories
SELECT FileName, FullPath, Size, ModTime, Mode,
       Mtime AS LastModified
FROM glob(globs="/*/*/{EMR,PACS,MedicalRecords,PatientData}/**/*")
WHERE ModTime > now() - 10m
ORDER BY ModTime DESC


-- Detect network connections indicative of lateral movement
SELECT Fd, RemoteAddress, RemotePort, State, PID, Cmdline, Username
FROM netstat()
WHERE RemotePort = 445
  AND State =~ 'ESTABLISHED'
  AND RemoteAddress !~ '127.0.0.1'
ORDER BY RemoteAddress

Remediation Script (PowerShell)

PowerShell
# INC Ransomware Healthcare Hardening Script
# Run as Administrator on critical healthcare workstations and servers

Write-Host "Starting INC Ransomware Healthcare Hardening..." -ForegroundColor Cyan

# 1. Enable PowerShell Script Block Logging
Write-Host "[+] Configuring PowerShell Script Block Logging..."
$registryPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging"
if (!(Test-Path $registryPath)) {
    New-Item -Path $registryPath -Force | Out-Null
}
Set-ItemProperty -Path $registryPath -Name "EnableScriptBlockLogging" -Value 1 -Force

# 2. Disable SMBv1 (known ransomware propagation vector)
Write-Host "[+] Disabling SMBv1 protocol..."
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart

# 3. Configure PowerShell Constrained Language Mode
Write-Host "[+] Setting PowerShell Constrained Language Mode..."
$systemRoot = $env:SystemRoot
$system32Path = Join-Path $systemRoot "System32"
$wow64Path = Join-Path $systemRoot "SysWOW64"
$powershellConfigs = @(
    (Join-Path $system32Path "powershell.exe"),
    (Join-Path $system32Path "pwsh.exe"),
    (Join-Path $wow64Path "powershell.exe")
)

foreach ($config in $powershellConfigs) {
    if (Test-Path $config) {
        $appLockerPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppLocker"
        $psPolicyPath = Join-Path $appLockerPath "Script"
        if (!(Test-Path $psPolicyPath)) {
            New-Item -Path $psPolicyPath -Force | Out-Null
        }
        Set-ItemProperty -Path $psPolicyPath -Name "EnforcementMode" -Value 1 -Force
    }
}

# 4. Block RDP from internet-facing interfaces
Write-Host "[+] Auditing RDP exposure..."
$rdpStatus = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server" -Name "fDenyTSConnections"
if ($rdpStatus.fDenyTSConnections -eq 0) {
    Write-Host "WARNING: RDP is enabled. Please verify it is not exposed to internet." -ForegroundColor Yellow
    $firewallRule = Get-NetFirewallRule -DisplayName "Remote Desktop - User Mode (TCP-In)" -ErrorAction SilentlyContinue
    if ($firewallRule) {
        $remoteIp = $firewallRule | Get-NetFirewallAddressFilter
        Write-Host "Current RDP allowed IPs: $($remotePolicy.RemoteAddress)"
    }
}

# 5. Enable Microsoft Defender Antivirus Ransomware Protection
Write-Host "[+] Enabling Controlled Folder Access..."
Set-MpPreference -EnableControlledFolderAccess Enabled

# Add healthcare-critical folders to protected list
$protectedFolders = @(
    "$env:ProgramFiles\EMR",
    "$env:ProgramFiles\PACS",
    "C:\MedicalRecords",
    "C:\PatientData"
)

foreach ($folder in $protectedFolders) {
    if (Test-Path $folder) {
        Add-MpPreference -ControlledFolderAccessProtectedFolders $folder
        Write-Host "    Added protection for: $folder"
    }
}

# 6. Audit and restrict WMI access
Write-Host "[+] Configuring WMI security..."
$wmicPath = Join-Path $env:SystemRoot "System32\wbem"
if (Test-Path $wmicPath) {
    $wmicExe = Join-Path $wmicPath "wmic.exe"
    if (Test-Path $wmicExe) {
        $acl = Get-Acl $wmicExe
        $accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            "BUILTIN\Users",
            "ReadAndExecute",
            "ContainerInherit,ObjectInherit",
            "None",
            "Allow"
        )
        $acl.SetAccessRule($accessRule)
        Set-Acl $wmicExe $acl
    }
}

Write-Host ""
Write-Host "Healthcare hardening complete." -ForegroundColor Green
Write-Host "RECOMMENDATION: Review backup isolation and schedule reboot if services were modified." -ForegroundColor Yellow

Remediation

Immediate Actions (Priority 1)

  1. Verify Backup Integrity and Isolation

    • Confirm recent (within 24 hours) immutable backups of EMR, PACS, and patient data systems
    • Validate that backups are stored offline or in immutable cloud storage not accessible from the production network
    • Test restore procedures for critical patient care systems

  2. Network Segmentation Enforcement

    • Isolate medical device networks (IoMT) from general hospital IT infrastructure
    • Implement strict egress filtering: block outbound SMB (TCP 445), RDP (TCP 3389), and non-essential lateral movement protocols
    • Apply zero-trust principles to all remote access solutions—require MFA for all healthcare staff accessing clinical systems

  3. Credential Hygiene

    • Force password resets for all accounts with access to EMR/PACS systems
    • Revoke standing admin privileges; implement just-in-time access for system administration
    • Audit and disable dormant accounts across all healthcare applications

Hardening Measures (Priority 2)

  1. Application Control Implementation

    • Deploy allow-list application controls on servers hosting clinical applications
    • Block execution from user-writable directories (AppData, Temp, Downloads)
    • Sign all internal healthcare application scripts and require digital signature validation

  2. Monitoring Enhancement

    • Deploy dedicated sensors monitoring for abnormal file access patterns in clinical directories
    • Configure alerts for mass file renames, rapid file modifications in EMR databases
    • Implement UEBA (User and Entity Behavior Analytics) focused on privileged account activity

Long-term Resilience (Priority 3)

  1. Incident Response Preparation

    • Update ransomware playbooks specific to healthcare operational continuity
    • Establish relationships with legal counsel experienced in healthcare data breach notification requirements (HIPAA 45 CFR §164.308)
    • Conduct tabletop exercises simulating EMR encryption during peak operational hours

  2. Supply Chain Security

    • Assess third-party vendors with network access to clinical systems
    • Review and update Business Associate Agreements (BAAs) to include specific ransomware response SLAs
    • Require vendors to demonstrate security controls commensurate with HIPAA Security Rule requirements

Vendor Advisory References

Related Resources

Security Arsenal Healthcare Cybersecurity AlertMonitor Platform Book a SOC Assessment healthcare Intel Hub

healthcare-cybersecurityhipaa-compliancehealthcare-ransomwareehr-securitymedical-data-breachinc-ransomwarehealthcareransomware

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action