INC Ransomware Gang Targets the Legal Sector

KnowBe4 Team | Jul 3, 2026

The INC ransomware-as-a-service (RaaS) operation has grown into one of the premier ransomware offerings, claiming hundreds of victims in 2026 alone, according to researchers at Acronis. The attackers target a broad range of industries, but have recently prioritized entities in the legal sector.

“The top five targets for 2026 are legal services, manufacturing, technology, health care and construction,” the researchers write. “Previously, the education sector was the main target of INC ransomware. However, several things make law firms a valuable target for ransomware groups. The files they hold include settlement documents, cases, NDAs and many more similar documents. When leaked, it could trigger malpractice claims and lawsuits from clients on top of reputational damage, which adds even more pressure to pay the ransom.”

INC attackers gain initial access to victim organizations through spear phishing, valid account credentials obtained from initial access brokers, and exploitation of vulnerabilities in public-facing applications. Acronis recommends that organizations implement the following measures to establish a defense-in-depth strategy against ransomware attacks:

  • “Backups and recovery. Follow the 3-2-1 backup rule by keeping at least three copies of data on two different media types, with one copy stored off-site, and ensure backups are offline or immutable and regularly tested for reliable restoration.
  • Endpoint and ransomware protection. Deploy EDR and ransomware protection capable of detecting unauthorized encryption and exfiltration attempts and ensure all security tools are kept up to date with behavioral detections and anti-tamper protections enabled.
  • Identity and access controls. Require multifactor authentication (MFA) and enforce the use of strong, complex alphanumeric passwords that are updated regularly.
  • Network segmentation and hardening. Reduce attack surface by segmenting networks, disabling unnecessary services and ports and restricting outbound traffic.
  • Patch and vulnerability management. Implement a robust patch and vulnerability management program across all systems, prioritizing fixes for vulnerabilities known to be exploited by ransomware.
  • User awareness training. Regularly educate staff on phishing, social engineering and other tactics used by ransomware operators. Include conducting regular phishing simulations to reinforce awareness.”

AI-native security awareness training can give your organization an essential layer of defense against social engineering attacks. KnowBe4 empowers your workforce to make smarter security decisions every day. Over 70,000 organizations worldwide trust the KnowBe4 Platform to strengthen their security culture and reduce workforce risk.

Acronis has the story: https://www.acronis.com/en/tru/posts/from-emerging-threat-to-top-tier-ransomware-as-a-service-the-evolution-of-inc-ransomware/
