ShinyHunters hackers defaced the official Canvas LMS portal after breaching Instructure systems, disrupting university access worldwide.

ASEC Blog publishes Ransom & Dark Web Issues Week 1, May 2026         Guatemalan Government Agency Data Sold on DarkForums BlackWater Ransomware Attack Targets Chinese Auto Parts Manufacturer Japanese Fintech Firm Suffers Unauthorized GitHub Access

ASEC Blog publishes Ransom & Dark Web Issues Week 5, April 2026           Emergence of a new ransomware group, M3RX Data from a South Korean religious organization sold on DarkForums ShinyHunters claims a data leak from a US interactive media company

ASEC Blog publishes Ransom & Dark Web Issues Week 3, April 2026           Emergence of New Ransomware Groups: TiMC, BlackWater, and Lamashtu [1], [2], [3] NoName05716 Claims DDoS Attacks on South Korean Public & Private Sectors [1], [2], [3] VECT & TeamPCP Campaign: Supply Chain Attack Exploiting Global Travel Platform

Purpose and Scope. this report summarizes the number of ransomware samples, number of affected systems, DLS-based statistics, and major Korean & Global ransomware issues identified during the month of March 2026. Key statistics. ransomware sample counts and victimized systems statistics were aggregated by detection name assigned by AhnLab. statistics on targeted businesses were calculated based […]

ASEC Blog publishes Ransom & Dark Web Issues Week 2, April 2026           Emergence of New Ransomware Group ‘KryBit’ Gunra, Ransomware Attack Targeting South Korean Pharmaceutical Company DragonForce, Ransomware Attack Targeting Egyptian Generic Drug Developer and Manufacturer

ASEC Blog publishes Ransom & Dark Web Issues Week 1, April 2026           Ransomware group NetRunner attack against the Indian subsidiary of a South Korean auto parts manufacturer Ransomware group Everest attack against a major Japanese automaker ShinyHunters claims of source code and internal data leak from a U.S. network infrastructure […]

ASEC Blog publishes Ransom & Dark Web Issues Week 4, March 2026           Japanese Automaker Suffers Personal Data Breach via Unauthorized External Access INC Ransom Targets South Korean Steel Manufacturer in Ransomware Attack LeakBase Forum Administrator Arrested in Russia

ASEC Blog publishes Ransom & Dark Web Issues Week 3, March 2026           New Threat Actor CipherForce Claims Cyberattack on South Korean Job Portal New Threat Actor Loki Emerges, Leaks US Citizens’ Personal Data Cybercrime Forum LeakBase Shut Down Again by Russian Authorities

ASEC Blog publishes Ransom & Dark Web Issues Week 2, March 2026         Qilin ransomware attack targeting a well-known dermatology clinic in South Korea and the Korean branch of a global advertising company [1], [2] KillSec and Everest ransomware attacks targeting a South Korean exhibition management platform and an elevator manufacturer [1], […]

When Australia's cyber watchdog issued a fresh advisory on INC Ransom, security teams worldwide are bound to take note — not because INC is new, but because the group's business model has quietly made it one of 2025's most relentless forces targeting the very networks societies depend on to survive.

Australia's Cyber Security Centre (ACSC), part of the Australian Signals Directorate (ASD), published the advisory warning that INC Ransom's affiliate model now enables a broad range of threat actors to target critical infrastructure — from healthcare systems to government networks — with minimal technical skill of their own.

INC Ransom operates as a Ransomware-as-a-Service (RaaS) group. It is a criminal franchise model where core developers build and maintain the ransomware platform, then lease it to "affiliates" who carry out the actual attacks in exchange for a cut of the ransom. Think of it as a dark-web franchise. The brand, tools, and infrastructure belong to INC; the break-ins happen through hired hands.

As of mid-2025, more than 200 victims appeared on INC's data leak site, and in July 2025, INC ranked as the most deployed ransomware based on victim postings. That scale does not happen by accident. It reflects a deliberate expansion through affiliates who carry existing access and expertise from other groups.

Also read: Cyberattack on ControlNET: INC Ransom Group Claims Breach of Building Technology Provider

Prime Focus on Healthcare

Healthcare organizations bore the brunt of INC's activity between January and August 2025, with education, technology, and government entities also ranking among the top victim sectors.

"Since January 2025, the ACSC has observed INC Ransom affiliates target Australian Health Care sector entities using compromised accounts. Upon initial access, affiliates have conducted privilege escalation by creating admin level accounts and moving laterally within victim networks," the advisory said. In June, the Tongan Ministry of Health (MoH) ICT environment was attacked by a ransomware that impacted core services and disrupted the national health care network. ACSC said, this was also the work of INC ransomware group as was an attack on a healthcare sector entity further down south in New Zealand. "Many of the organisation’s servers and endpoint devices had been encrypted, and a large amount of data was stolen. INC Ransom claimed responsibility for this incident, and published the dataset on its DLS (data leak site)," ACSC confirmed.

Exploits Known Vulnerabilities

INC affiliates do not reinvent the wheel. They exploit known, unpatched vulnerabilities in widely deployed enterprise software. Documented entry points include CVE-2023-3519 in Citrix NetScaler — a remote code execution flaw patched in July 2023 — CVE-2023-48788, a SQL injection vulnerability in Fortinet Endpoint Management Server, and CVE-2024-57727, a SimpleHelp RMM path traversal flaw added to CISA's Known Exploited Vulnerabilities catalog in February 2025.

INC Ransom also used CitrixBleed (CVE-2023-4966), a vulnerability in Citrix NetScaler ADC and Gateway appliances that lets threat actors bypass multifactor authentication and hijack legitimate user sessions. In practical terms, an attacker does not need stolen credentials. They can walk through the front door using a session that already has authorization.

Once inside, INC affiliates follow a disciplined playbook. They archive data with 7-Zip before exfiltrating it via MegaSync, use AES encryption, and drop ransom notes printed directly to network printers. The group then applies double extortion — encrypting systems while threatening to publish stolen data publicly unless the victim pays.

In one high-profile case, INC Ransom claimed a breach of the Pennsylvania Office of the Attorney General in August 2025, stating it removed more than 5 terabytes of data and hinted at access to federal networks. The office refused to pay.

Also read: Ahold Delhaize USA Confirms Data Stolen in 2024 Cyberattack

The group's reach does not stop at U.S. borders. INC Ransom targeted Alder Hey Children's NHS Foundation Trust in the U.K., claiming to have obtained large-scale patient records, donor reports, and procurement data. This pattern of targeting public-sector healthcare — institutions with constrained security budgets and life-critical dependencies — reflects a calculated predatory strategy.

Microsoft Threat Intelligence tracks significant INC affiliate activity through a group it calls Vanilla Tempest, which adopted INC Ransom as its primary payload in August 2024 after previously using BlackCat, Quantum Locker, Zeppelin, and Rhysida. The fluidity between groups showcases a core feature of the RaaS model where affiliates shop for the most effective tools and swap them out when law enforcement pressure mounts.

Australia now mandates that organizations with annual turnover above $3 million, as well as critical infrastructure operators, report ransomware or extortion payments within 72 hours — a regulatory shift designed to erode the financial incentives that sustain groups like INC.

The ACSC advisory recommends network defenders prioritize patching of internet-facing systems, implement phishing-resistant multifactor authentication, segment networks to limit lateral movement, and monitor for unusual use of legitimate administrative tools such as PowerShell and Remote Desktop Protocol (RDP).

Given that INC ransomware elements have also been linked to the development of Lynx ransomware — a derivative group — the threat footprint extends well beyond INC's own branding. Defenders who neutralize INC today may face the same code under a different name tomorrow.

ASEC Blog publishes Ransom & Dark Web Issues Week 1, March 2026         Morpheus Launches Ransomware Attack on South Korean Plating Company Ailock Resumes Activity and Republishes Previous Ransomware Victims Pro-Iranian and Pro-Islamist Hacktivist Groups Launch Cyber Attacks on Middle Eastern and Pro-Western Targets [1], [2]

ASEC Blog publishes Ransom & Dark Web Issues Week 4, Fabruary 2026           Source code of a South Korean accounting automation solution provider sold on BreachForums Beast ransomware attack targeting a South Korean pharmaceutical company and battery safety component manufacturer [1], [2] Atomsilo resumes activity and discloses new victim

ASEC Blog publishes Ransom & Dark Web Issues Week 3, Fabruary 2026           Anubis and The Gentlemen launch ransomware attacks targeting a South Korean plastics manufacturer and an IT consulting company [1], [2] Emergence of the new ransomware group Payload ShinyHunters claims data breach involving a well-known Canadian apparel manufacturer

This report provides the number of affected systems confirmed during January 2026, DLS-based ransomware-related statistics, and notable ransomware issues in Korea and abroad. Below is a summary of some information.   The statistics on the number of ransomware samples and affected systems were based on the diagnostic names assigned by AhnLab, and the statistics on ransomware-affected […]

ASEC Blog publishes Ransom & Dark Web Issues Week 2, February 2026           Beast, Ransomware Attack Targeting a South Korean Aerospace Component Manufacturer RipperSec, Claims of DDoS Attacks Targeting South Korean Exhibition Centers, Military Training Grounds, Associations, and Defense-related Companies [1], [2], [3], [4] NoName05716, Claims of DDoS Attacks Targeting the […]

ASEC Blog publishes Ransom & Dark Web Issues Week 1, Fabruary 2026         Qilin Targets South Korean Public Broadcaster with Ransomware Confidential Military Data from U.S. Aerospace Composites Manufacturer Sold on BreachForums ShinyHunters Leaks Data from Two Prestigious U.S. Private Universities

ASEC Blog publishes Ransom & Dark Web Issues Week 4, January 2026           New Ransomware Group 0APT and BravoX Identified [1], [2] RAMP Cybercrime Forum Domains Seized by FBI and DOJ World Leaks Targets U.S. Global Sportswear Company in Ransomware Attack

ASEC Blog publishes Ransom & Dark Web Issues Week 3, January 2026           Qilin Ransomware Targets Korean Specialist in Semiconductor/Display Components & Surface Treatment U.S. DOJ: Access Broker “r1z” Pleads Guilty Qilin Ransomware Targets Vietnam’s National Airlines

This report comprehensively covers real-world cyber threats and security issues that have occurred in the financial industry in Korea and worldwide. It includes an analysis of malware and phishing cases targeting the financial industry, a list of the top 10 malware strains targeting the industry, and statistics on the sectors of Korean accounts leaked on […]