In early March 2026, the Australian Cyber Security Centre (ACSC), in collaboration with cyber authorities in New Zealand and Tonga, issued a joint advisory warning Australian businesses about the growing threat from the ransomware group INC Ransom. This warning is important because this cyber threat explicitly targets small and medium businesses (SMBs), and it confirms that INC Ransom is now active across Australia and the Pacific region, particularly in sectors handling sensitive information.
The following article explains how INC Ransom operates, why its affiliate model makes it especially dangerous for SMBs, and what double‑extortion ransomware actually is in practical terms for Australian businesses.
Who is INC Ransom?
According to the ACSC, INC Ransom is a financially motivated ransomware group that emerged in mid‑2023. It operates using a Ransomware‑as‑a‑Service (RaaS) model. Rather than a single cyber group carrying out every attack, INC Ransom simply provides its ransomware platform to a network of affiliates who perform the intrusions on their behalf.
While INC Ransom initially focused on victims in the United States and United Kingdom, Australian and regional authorities confirm that since early 2025 the group has increasingly targeted organisations in Australia, New Zealand and the Pacific Island states.
The group is also tracked under other threat‑intelligence names, including Tarnished Scorpion and GOLD IONIC.
Why the Affiliate Model Matters to SMBs
The key reason INC Ransom is such a serious risk to SMBs is its affiliate‑based operating model.
Under this model:
- The core INC Ransom operators maintain the ransomware software, payment infrastructure and data‑leak sites.
- Affiliates – often different threat actors – carry out the actual network intrusions and the ransomware deployment.
- Ransom payments are then shared between the affiliate and the core operators.
For SMBs, this model increases risk because it lowers the technical barrier to entry for attackers. Affiliates may already have:
- Access to compromised credentials purchased from initial access brokers or the dark web
- Experience exploiting unpatched, internet‑facing systems and operating systems
- Familiarity with common business IT environments such as Microsoft 365, VPNs, Remote Desktop and remote management tools (RMM)
As a result, SMBs are not “too small” to be targeted. The affiliate model allows many attackers to operate simultaneously, greatly increasing the number of potential victims.
How INC Ransom Attacks Typically Begin
The ACSC advisory identifies two primary initial access methods used by INC Ransom affiliates:
- Compromised credentials: affiliates use stolen or purchased usernames and passwords to access remote services such as VPNs, email or remote desktop.
- Exploitation of public‑facing vulnerabilities: unpatched, internet‑exposed systems are targeted to gain an initial foothold in the network.
Once access is achieved, affiliates have been observed:
- Creating new privileged accounts (administrator accounts)
- Moving laterally across the network
- Compressing and staging data for exfiltration
- Deploying the ransomware after sensitive data has been stolen
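As an added illustration (not from the advisory or this article), the following Python sketch shows how a defender might spot two of the post‑access behaviours listed above in Windows Security log telemetry: a newly created account being added to a privileged group shortly afterwards, and that same account then running an archiver to stage data. The event records, host names, account names and paths are constructed sample data; the event IDs 4720, 4732 and 4688 are the standard Windows Security IDs for account creation, local group membership change and process creation.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry), loosely shaped like Windows
# Security log records: 4720 = user account created, 4732 = member added to a
# security-enabled local group, 4688 = new process created.
EVENTS = [
    {"time": "2026-03-02T01:12:03", "id": 4720, "host": "FS01", "subject": "jsmith", "target": "svc_backup2"},
    {"time": "2026-03-02T01:12:40", "id": 4732, "host": "FS01", "subject": "jsmith", "target": "svc_backup2", "group": "Administrators"},
    {"time": "2026-03-02T01:30:11", "id": 4688, "host": "FS01", "subject": "svc_backup2", "process": "7z.exe",
     "cmdline": "7z.exe a -v1g C:\\ProgramData\\out\\fin.7z D:\\Finance"},
    # Benign: a help-desk onboarding that adds a new starter to a non-privileged group.
    {"time": "2026-03-03T09:05:00", "id": 4720, "host": "HR02", "subject": "helpdesk", "target": "new.starter"},
    {"time": "2026-03-03T16:00:00", "id": 4732, "host": "HR02", "subject": "helpdesk", "target": "new.starter", "group": "Remote Desktop Users"},
]

PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins"}
ARCHIVERS = {"7z.exe", "rar.exe", "winrar.exe", "tar.exe"}


def find_new_privileged_accounts(events, window_minutes=60):
    """Return (host, account) pairs where an account was created (4720) and then
    added to a privileged group (4732) on the same host within the window."""
    created = {}
    hits = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["id"] not in (4720, 4732):
            continue
        key = (ev["host"], ev["target"])
        t = datetime.fromisoformat(ev["time"])
        if ev["id"] == 4720:
            created[key] = t
        elif ev.get("group") in PRIVILEGED_GROUPS and key in created:
            if t - created[key] <= timedelta(minutes=window_minutes):
                hits.append(key)
    return hits


def find_archive_staging(events, flagged_accounts):
    """Return command lines where one of the flagged accounts launched an
    archiver (4688), a cheap heuristic for data being compressed for exfiltration."""
    suspects = {account for _, account in flagged_accounts}
    return [ev["cmdline"] for ev in events
            if ev["id"] == 4688
            and ev.get("process", "").lower() in ARCHIVERS
            and ev["subject"] in suspects]


if __name__ == "__main__":
    flagged = find_new_privileged_accounts(EVENTS)
    print("new privileged accounts:", flagged)
    print("archiver runs by those accounts:", find_archive_staging(EVENTS, flagged))
```

The second check deliberately keys off accounts the first check already flagged, so routine archiving by existing staff does not fire; in a real deployment the window and group list would be tuned to the environment.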
What “Double‑Extortion” Really Means
INC Ransom affiliates are confirmed to use double‑extortion tactics. This method significantly raises the pressure on victims, SMBs included.
Double‑extortion involves two simultaneous threats:
- Encryption of systems and files, thereby disrupting business operations
- Theft of sensitive data, with threats to publish that data on a public data leak site or the dark web if the ransom payment is not made
For SMBs, this changes the risk profile entirely. Even if good backups exist, organisations may still face:
- Exposure of client information, or patient information in the health care sector
- Privacy and regulatory consequences, from both industry bodies and government
- Loss of trust and reputational damage with vendors and customers
Australian authorities explicitly warn that affiliates steal data before encryption to maximise leverage during ransom negotiations.
Australian Impact and Targeted Sectors
The joint advisory confirms that INC Ransom activity has already impacted Australian organisations, with a strong concentration in:
- Health Care Services
- Financial Services
- Professional Services
- Other organisations handling high‑value or sensitive data
Authorities note that operational pressure in these sectors, where downtime has serious consequences, makes them attractive targets for double‑extortion ransomware.
Why This Matters for Australian SMBs
The ACSC advisory is written explicitly for small and medium businesses in Australia, not just enterprises or government departments. This confirms that:
- SMB networks are being actively targeted today
- Attackers rely on common weaknesses such as weak credentials, exposed services and inconsistent patching
- The affiliate model means attacks can scale rapidly across many organisations at once
In short, INC Ransom does not require a business to be large, famous or wealthy – just accessible.
What Australian Cyber Authorities Recommend
While the advisory does not provide step‑by‑step instructions, Australian and regional cyber agencies strongly encourage organisations to apply the mitigations outlined in the joint guidance, many of which align directly with the Australian Cyber Security Centre’s Essential Eight, to reduce risk and improve detection.
This includes focusing on:
- Credential security – Strong passwords and mandatory multi‑factor authentication (MFA)
- Hardening internet‑facing services – If operating systems or software must be internet facing, ensure robust firewalling and focused patching
- Privileged access control – Limit privileged access at all times
- Backup and recovery preparedness – Confirm backups capture all required data, and validate them on a regular basis
How the Australian Cyber Security Institution Can Help
INC Ransom highlights a broader reality for Australian SMBs: cyber threats are now organised, scalable and financially motivated.
The Australian Cyber Security Institution helps businesses:
- Assess exposure to ransomware and credential‑based attacks
- Identify gaps in access control, patching and backup resilience
- Prepare for both operational disruption and data‑exposure scenarios
- Build a defensible cyber security posture aligned with Australian guidance
If you are unsure whether your organisation would withstand a double‑extortion ransomware attack, an independent cyber security assessment is the most effective place to start.