INC Ransom Is Running a Criminal Franchise Against Pacific Healthcare

Three national cyber agencies just issued a joint warning about a ransomware group systematically targeting healthcare organizations across the Pacific. The threat has a name, a face, and a business model that makes it unusually hard to stop.

On March 6, 2026, the Australian Cyber Security Centre (ACSC), New Zealand's National Cyber Security Centre (NCSC), and the Kingdom of Tonga's National Computer Emergency Response Team (CERT Tonga) published a coordinated advisory warning that INC Ransom — a ransomware-as-a-service (RaaS) operation — has been conducting a sustained, targeted campaign against healthcare organizations across Oceania and the broader Pacific island region. The warning is unusual not only for its three-nation scope, but because it publicly named and published the photograph of a specific operator linked to one of the attacks. That alone signals how seriously regional authorities are treating this threat.

The Advisory and Why It Matters

Joint cyber advisories across national borders are not common, and tri-nation advisories involving a Pacific island state are rarer still. That the ACSC, NCSC, and CERT Tonga aligned on a single document targeting one ransomware group reflects the severity of what has been documented across Australia, New Zealand, and Tonga over the past eighteen months.

Australia's own statistics tell a focused story. The ACSC responded to eleven INC ransomware incidents between July 2024 and December 2025, roughly one every seven weeks, with the overwhelming majority affecting organizations in healthcare or professional services. This is not opportunistic background noise. It is a pattern of deliberate industry targeting.

"INC is not employing new or cutting-edge tactics to compromise this industry, instead they are using what I refer to as legacy tactics to compromise organizations. These threat actors are walking right into the environments with valid credentials." — Christopher Hills, Chief Security Strategist, BeyondTrust

That observation from Hills underscores a key and uncomfortable truth: INC Ransom is not winning because it has superior technology. It is winning because target organizations have not closed foundational security gaps — gaps that have existed for years and remain exploitable through purchased credentials, unpatched systems, and weak access controls.

How the INC Ransom Franchise Operates

INC Ransom operates as a true Ransomware-as-a-Service platform. The core developers build and maintain the ransomware code and the supporting infrastructure — including the dark web data leak site where stolen data is published when victims refuse to pay. Affiliates, essentially independent criminal contractors, lease access to the platform and carry out the actual intrusions in exchange for a percentage of any ransom collected. This franchise structure explains both the group's scale and the variability in how attacks unfold from victim to victim.

[Figure] INC Ransom Attack Chain — Pacific Healthcare Incidents
Stage 1: Initial Access → Stage 2: Privilege Escalation → Stage 3: Lateral Movement → Stage 4: Data Exfiltration → Stage 5: Encrypt + Extort
The five-stage INC Ransom attack chain as documented in the ACSC/NCSC/CERT Tonga advisory. Note that exfiltration precedes encryption, enabling double extortion even when victims restore from backup.

The advisory documents three primary methods INC affiliates use to gain initial access. The first and most common is purchasing compromised credentials from initial access brokers — underground vendors who maintain inventories of stolen account details from prior breaches and sell them on dark web marketplaces. The second is spear-phishing, where targeted emails trick employees into revealing credentials or executing malicious payloads. The third is direct exploitation of known, unpatched vulnerabilities in internet-facing systems.

Documented entry points include CVE-2023-3519, an unauthenticated remote code execution flaw in Citrix NetScaler ADC and Gateway that was patched in July 2023 but remained unpatched across many healthcare networks long afterward. Affiliates have also exploited CVE-2023-48788, a SQL injection flaw in Fortinet's FortiClient Enterprise Management Server (EMS), and CVE-2024-57727, a path traversal vulnerability in the SimpleHelp remote monitoring and management (RMM) software that was added to CISA's Known Exploited Vulnerabilities catalog in February 2025. CitrixBleed (CVE-2023-4966), which leaks session tokens from NetScaler ADC and Gateway appliances and lets an attacker hijack an already-authenticated session without ever facing the MFA prompt, has also been used.

Double Extortion

INC Ransom affiliates steal data before deploying their encryption payload. This means that even organizations with clean, functional backups still face extortion — pay or your patients' records get published. Restoring from backup does not eliminate the threat once exfiltration has occurred.

Once inside a network, affiliates follow a consistent pattern. They create new administrator-level accounts to secure persistent access, then move laterally across the environment. The advisory specifically notes that affiliates use legitimate, trusted tools, including 7-Zip for compression and rclone for cloud data transfers, to package and exfiltrate stolen information. Because both are common in enterprise environments, their presence alone is not a signal; detection has to key on context, such as an archiver or rclone starting on a server where neither is installed by policy, or running under an account that did not exist the day before.

The group is tracked under several aliases depending on which threat intelligence vendor is reporting on them. Microsoft Threat Intelligence tracks significant affiliate activity through an actor it calls Vanilla Tempest, which adopted INC Ransom as its primary payload in August 2024 after cycling through BlackCat, Quantum Locker, Zeppelin, and Rhysida. Cyble tracks the broader group as Tarnished Scorpion, while Secureworks uses the designation GOLD IONIC. The proliferation of tracking names reflects how many research teams are monitoring INC Ransom's expanding footprint.

Country by Country: The Pacific Damage

The advisory provides country-specific details that make the scope of INC Ransom's Pacific campaign concrete rather than abstract.

Australia

The ACSC documented eleven INC ransomware incidents between July 1, 2024 and December 31, 2025. Healthcare organizations and professional services firms were the primary victims. In the confirmed cases, affiliates escalated privileges to the administrator level following initial access, created new privileged accounts to maintain persistence, moved laterally across victim networks, and deployed ransomware only after completing their data theft. The ACSC advisory specifically notes that affiliates obtained initial access largely through credentials purchased from initial access brokers. The intrusion therefore frequently started not with a technical exploit but with a bought username and password, and the use of that credential could have been blocked by enforcing multifactor authentication and caught by monitoring for anomalous logins.

"Since January 2025, the ACSC has observed INC Ransom affiliates target Australian Health Care sector entities using compromised accounts. Upon initial access, affiliates have conducted privilege escalation by creating admin level accounts and moving laterally within victim networks." — Australian Cyber Security Centre advisory, March 2026

Australia saw a 60 percent year-over-year increase in confirmed ransomware attacks against healthcare organizations in 2025, placing it second only to the United States in absolute attack volume according to Comparitech's 2025 healthcare ransomware data. That context gives the ACSC's eleven INC-specific incidents additional weight: a single RaaS brand accounts for a meaningful share of Australia's confirmed healthcare ransomware caseload.

New Zealand

In May 2025, a New Zealand health sector organization notified the NCSC that a large portion of its servers and endpoint devices had been encrypted and that significant volumes of data had been removed from its environment. The NCSC investigation attributed the attack to INC Ransom. When the victim organization declined to pay the ransom demand, the attackers followed through on their extortion threat and published the stolen dataset on INC Ransom's dark web data leak site. The NCSC has reported that ransomware and data extortion continue to affect organizations across all sectors of New Zealand's economy, with INC Ransom now a named contributor to that pressure.

Tonga

The Tonga attack is the most significant and the most documented of the three country-level incidents. On June 15, 2025, the ICT environment of the Tongan Ministry of Health was struck by ransomware that rendered core systems inaccessible and disrupted the national healthcare network. Investigators from CERT Tonga found a ransom note attributable to INC Ransom embedded within the Ministry's file system. On June 26, 2025, INC Ransom claimed formal responsibility for the attack via its dark web data leak site. The attack did not affect a single clinic or a regional health office — it disrupted Tonga's national health services infrastructure.

"Smaller nations often rely on centralized, resource-constrained infrastructure, which can make them proportionally more vulnerable. They may not see the volume of attacks larger economies face, but even a single successful intrusion can have outsized impact, and incident response capacity may be more limited." — Shane Barney, CISO, Keeper Security

Barney's point about proportional vulnerability captures exactly what made Tonga an attractive target. INC Ransom affiliates are not scaling their ambitions to the size of their targets — they are scaling to the opportunity. A centralized healthcare network with limited security staffing is a valuable target regardless of the nation's population.

A Named Operator and a Historic First

The joint advisory does something rare in public cyber threat intelligence: it names a specific individual. Roman Khubov, known online as "blackod," has been publicly identified by ACSC, NCSC, and CERT Tonga as the cybercriminal who controlled the malicious infrastructure used to exfiltrate data during the Tonga Ministry of Health breach. The advisory includes a photograph of Khubov.

Public attribution of this kind serves several functions. It creates legal and reputational pressure on the named individual. It signals to the broader cybercriminal ecosystem that Pacific-region attacks are not consequence-free. And it establishes a record that can support formal law enforcement action, extradition requests, or asset seizures if and when jurisdictional cooperation allows.

Equally notable is the diplomatic dimension. Australian officials confirmed that the March 6 advisory marks the first time Australia has co-issued a formal technical cyber advisory with a Pacific island partner. That milestone reflects the activation of the Cyber Rapid Assistance for Pacific Incidents and Disasters (RAPID) program, under which Australian cyber specialists worked alongside Tongan authorities following the June 2025 attack to contain the intrusion, restore affected systems, and resume healthcare services. The RAPID program's involvement in a live incident response — and its subsequent role in producing a joint advisory — represents a meaningful step in regional cyber cooperation that extends beyond Australia's traditional Five Eyes relationships.

Why Healthcare Cannot Pay Its Way Out

INC Ransom's deliberate focus on healthcare is not accidental, and it is not unique to this group. According to Sophos' State of Ransomware in Healthcare report, 88 distinct ransomware groups targeted healthcare organizations in 2025. INC Ransom, which Secureworks (now part of Sophos) tracks as GOLD IONIC, ranked among the top three by victim count across that period. Comparitech's 2025 healthcare ransomware data shows INC with 45 reported claims against healthcare providers and 19 confirmed attacks, placing it second only to Qilin in confirmed healthcare incidents for the year.

Healthcare organizations attract this attention for reasons that are structural and difficult to change quickly. Patient care requires continuous system availability. Electronic health records, diagnostic systems, lab results, and medication dispensing all depend on network infrastructure. When that infrastructure fails, the consequences extend beyond data loss into immediate patient safety risk — surgeries delayed, ambulances diverted, prescriptions inaccessible. Ransomware actors understand this dependency and price their demands accordingly, calculating that the cost of downtime makes payment appear rational even when security guidance uniformly advises against it.

Yet the data suggests that payment is becoming a less common response. Sophos found that only 36 percent of healthcare providers paid a ransom in 2025, down from 61 percent in 2022. The median ransom demand in the healthcare sector dropped to approximately $343,000 from $4 million the prior year, and the median payment fell to around $150,000, the lowest recorded across all sectors in the Sophos survey. The declining payment rate reflects both growing resistance and a recognition that paying does not guarantee data deletion, system restoration, or protection from future attacks by the same group.

The INC Ransom double extortion model makes the calculus more complicated. An organization that successfully restores from backup still faces the extortion threat: pay or the stolen patient records, donor data, and operational information get published. That threat has real regulatory teeth in Australia, where the Notifiable Data Breaches scheme under the Privacy Act 1988 imposes mandatory breach notification obligations that apply to health information, and in New Zealand under the Privacy Act 2020. A published dataset is not just a reputational problem; it is a potential regulatory enforcement event.

The advisory from ACSC, NCSC, and CERT Tonga does not recommend payment. It recommends the foundational security controls that would have prevented the majority of INC Ransom's documented access methods: mandatory multifactor authentication on all remote access and privileged accounts, aggressive patch management for internet-facing systems — particularly Citrix, Fortinet, and remote management tools — monitoring and restriction of anomalous outbound data transfers, network segmentation to limit lateral movement, and regular offline or immutable backups tested under realistic recovery scenarios.

Advisory Mitigations

The joint ACSC/NCSC/CERT Tonga advisory recommends: enforcing MFA on all remote and privileged access; patching CVE-2023-3519, CVE-2023-48788, CVE-2023-4966, and CVE-2024-57727 immediately if not already addressed; monitoring for 7-Zip and rclone activity on servers where neither tool is expected; segmenting healthcare networks to limit lateral spread; and maintaining tested offline backups separate from the primary network environment.
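As an added example (not code from the advisory or any of the cited vendors), the following Python implements three of the detections the advisory's technical detail points to, covering both the lateral movement and exfiltration behaviour described earlier and the monitoring items in the mitigation list: a valid credential used from a country never seen for that user, a newly created account placed in a privileged group shortly after creation, and 7-Zip or rclone starting on a server where neither tool belongs. It runs over constructed sample events. The host names, account names, IP addresses and the flat event schema are illustrative stand-ins for Windows Security or Sysmon telemetry, not a real product format, and the expected-host allowlist is the piece a defender has to maintain for the third rule to stay quiet.

```python
"""Detections for the INC affiliate pattern: (1) a valid credential used from a country
never seen for that user, (2) a freshly created account placed in a privileged group,
(3) 7-Zip or rclone launched on a server where neither tool is expected.
Events and hosts below are constructed; field names are a simplified stand-in for
Windows Security / Sysmon data, not a real schema."""
import re
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

Alert = namedtuple("Alert", "rule ts host detail")

# Constructed inventory (hypothetical hosts); role decides whether archiver/rclone use is expected.
HOST_ROLES = {"WS-RECEPTION-03": "workstation", "SRV-PACS-01": "server",
              "SRV-FILE-02": "server", "SRV-BACKUP-01": "server"}
EXPECTED_TOOL_HOSTS = {"SRV-BACKUP-01"}          # the backup server legitimately runs 7-Zip
EXFIL_TOOLS = {"7z.exe", "7za.exe", "7zg.exe", "rclone.exe"}
PRIV_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins"}

# Constructed sample events: a week of baseline activity, then an intrusion on 2025-03-12.
SAMPLE_EVENTS = [
    {"ts": "2025-03-03T08:12:00", "kind": "logon", "host": "WS-RECEPTION-03", "user": "j.tupou",
     "src_ip": "203.0.113.10", "src_country": "AU"},
    {"ts": "2025-03-05T07:58:00", "kind": "logon", "host": "SRV-FILE-02", "user": "svc-backup",
     "src_ip": "10.0.0.40", "src_country": "AU"},
    {"ts": "2025-03-05T09:10:00", "kind": "process", "host": "SRV-BACKUP-01", "user": "svc-backup",
     "image": r"C:\Program Files\7-Zip\7z.exe", "cmdline": r"7z.exe a nightly.7z D:\backups"},
    # purchased credential used at 02:41 from a country never seen for this user
    {"ts": "2025-03-12T02:41:00", "kind": "logon", "host": "SRV-FILE-02", "user": "j.tupou",
     "src_ip": "198.51.100.77", "src_country": "NL"},
    {"ts": "2025-03-12T02:50:00", "kind": "account_created", "host": "SRV-FILE-02", "user": "j.tupou",
     "target_user": "svc_update"},
    {"ts": "2025-03-12T02:52:00", "kind": "group_add", "host": "SRV-FILE-02", "user": "j.tupou",
     "target_user": "svc_update", "group": "Domain Admins"},
    {"ts": "2025-03-12T03:30:00", "kind": "process", "host": "SRV-PACS-01", "user": "svc_update",
     "image": r"C:\Users\svc_update\7z.exe", "cmdline": r"7z.exe a -p -mhe=on out.7z E:\radiology"},
    {"ts": "2025-03-12T03:45:00", "kind": "process", "host": "SRV-PACS-01", "user": "svc_update",
     "image": r"C:\Users\svc_update\rclone.exe", "cmdline": "rclone.exe copy out.7z mega:ingest --transfers 8"},
]


def detect_new_country_logons(events, baseline_end):
    """Logons before baseline_end build a per-user set of source countries; afterwards any
    logon from a country outside that set is flagged (a user with no baseline alerts once)."""
    seen, alerts = defaultdict(set), []
    for e in sorted(events, key=lambda ev: ev["ts"]):   # ISO-8601 strings sort chronologically
        if e["kind"] != "logon":
            continue
        if e["ts"] < baseline_end:
            seen[e["user"]].add(e["src_country"])
        elif e["src_country"] not in seen[e["user"]]:
            alerts.append(Alert("new_country_logon", e["ts"], e["host"],
                                f"{e['user']} from {e['src_ip']} ({e['src_country']}); "
                                f"baseline countries {sorted(seen[e['user']]) or 'none'}"))
            seen[e["user"]].add(e["src_country"])        # alert once per new country, not per logon
    return alerts


def detect_privileged_account_creation(events, window=timedelta(hours=24)):
    """Flag an account that is created and then added to a privileged group within `window`."""
    created, alerts = {}, []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["kind"] == "account_created":
            created[e["target_user"]] = (datetime.fromisoformat(e["ts"]), e["user"])
        elif e["kind"] == "group_add" and e["group"] in PRIV_GROUPS and e["target_user"] in created:
            c_ts, creator = created[e["target_user"]]
            if datetime.fromisoformat(e["ts"]) - c_ts <= window:
                alerts.append(Alert("new_privileged_account", e["ts"], e["host"],
                                    f"{e['target_user']} created by {creator} at {c_ts.isoformat()} "
                                    f"then added to {e['group']}"))
    return alerts


def detect_exfil_tooling(events, host_roles, expected_hosts):
    """Flag 7-Zip/rclone process starts on servers that are not on the expected-host list.
    For rclone, pull the '<remote>:' destination out of the command line for triage."""
    alerts = []
    for e in events:
        if e["kind"] != "process":
            continue
        image = PureWindowsPath(e["image"]).name.lower()   # basename only; path is attacker-chosen
        if image not in EXFIL_TOOLS or host_roles.get(e["host"]) != "server" or e["host"] in expected_hosts:
            continue
        detail = f"{e['user']} ran {image}: {e['cmdline']}"
        if image == "rclone.exe":
            # 'name:' not preceded by a path char and not followed by a slash = an rclone remote
            remotes = re.findall(r"(?<![\w\\])([A-Za-z][\w-]+):(?![\\/])", e["cmdline"])
            detail += f" [rclone remotes: {', '.join(remotes) or 'none'}]"
        alerts.append(Alert("exfil_tooling", e["ts"], e["host"], detail))
    return alerts


def run_detections(events, host_roles=HOST_ROLES, expected_hosts=EXPECTED_TOOL_HOSTS,
                   baseline_end="2025-03-10T00:00:00"):
    alerts = (detect_new_country_logons(events, baseline_end)
              + detect_privileged_account_creation(events)
              + detect_exfil_tooling(events, host_roles, expected_hosts))
    return sorted(alerts, key=lambda a: a.ts)


if __name__ == "__main__":
    for a in run_detections(SAMPLE_EVENTS):
        print(f"{a.ts}  {a.rule:<23}{a.host:<16}{a.detail}")
```

On the constructed data this produces four alerts in order: the Dutch-sourced logon for an account that had only ever come from Australia, the svc_update account being created and placed in Domain Admins eleven minutes later, and the 7-Zip and rclone starts on the PACS server. The baseline 7-Zip run on the backup server is suppressed by the allowlist; drop that allowlist and it fires too, which is the trade-off the "where neither tool is expected" wording in the advisory is pointing at. The rclone rule also surfaces the remote name, because the `<remote>:` prefix in an rclone command identifies the configured cloud destination, the first thing an incident responder needs when scoping an exfiltration.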

None of these controls require novel technology. The BeyondTrust assessment that INC Ransom relies on "legacy tactics" is supported by the advisory's own technical detail. Affiliates are buying stolen credentials, exploiting vulnerabilities whose patches are in some cases more than two years old, and using commodity tools that trigger no alerts because they are legitimate software. The attack surface here is organizational (underfunded security teams, deferred patching, and MFA gaps), not a failure of the security technology market.

Key Takeaways

  1. INC Ransom is a franchise, not a single actor: The RaaS model means TTPs vary by affiliate, making signature-based detection unreliable. The constant across incidents is the business objective — steal data, encrypt systems, demand payment — not the technical method of entry.
  2. The Pacific is now an active theater: With eleven confirmed Australian incidents, a national health network disrupted in Tonga, and a New Zealand healthcare organization publicly extorted, Oceania is no longer peripheral to INC Ransom's operational map. The group's victimology now extends well beyond the US and UK base on which it built its reputation.
  3. Named attribution is a signal of escalating consequence: The public identification of Roman Khubov as "blackod" and the inclusion of his photograph in an official government advisory is an unusual escalation. It reflects both the seriousness of the Tonga attack and the intent of regional governments to treat ransomware as a law enforcement matter rather than a pure cybersecurity problem.
  4. Double extortion survives backup recovery: Organizations that maintain clean backups still face extortion over stolen data. Incident response planning must account for the public disclosure threat independently of the encryption recovery track.
  5. The vulnerabilities being exploited have known patches: CVE-2023-3519 was patched in July 2023. CitrixBleed was disclosed in October 2023. Unpatched internet-facing systems remain INC Ransom's most reliable point of entry. Patch velocity is a direct indicator of organizational risk exposure to this group.

The March 2026 tri-nation advisory does not introduce a new threat. INC Ransom has been operating since 2023, and its tactics have been documented for over two years. What the advisory does introduce is a coordinated regional posture — Australia, New Zealand, and Tonga speaking with a single technical voice about a shared threat. For healthcare organizations across the Pacific, the message is not ambiguous: the attacks are ongoing, the methods are known, the defenses are available, and the window for acting before an incident rather than after one is closing.

Primary source: ACSC/NCSC/CERT Tonga Joint Advisory — INC Ransom Affiliate Model Enabling Targeting of Critical Networks (cyber.gov.au, March 6, 2026)

Additional reporting: Dark Reading (Nate Nelson, March 11, 2026); The Cyber Express (March 2026); Kaniva Tonga News (March 2026); Insurance Business NZ (March 2026); Cyble (March 2026)

Industry data: Comparitech Healthcare Ransomware Roundup 2025; Sophos State of Ransomware in Healthcare 2025; HIPAA Journal 2025 Ransomware Report
