INC Ransomware Expands Cross-Platform Capabilities Targeting Enterprise and Mainframe Infrastructure Across the Asia-Pacific Region

Published on 05-Jul-2026 15:00:00

BGD e-GOV CIRT has analyzed publicly available threat intelligence regarding an active INC ransomware campaign targeting organizations across the Asia-Pacific region. The analysis reveals a significant evolution in ransomware capabilities, with threat actors expanding beyond traditional Windows environments to support multiple enterprise computing architectures, including IBM Z (s390x), PowerPC, SPARC64, RISC-V, Linux, and VMware ESXi platforms.

The exposed attacker infrastructure contained ransomware payloads, Active Directory reconnaissance data, Group Policy deployment scripts, credential theft artifacts, custom data exfiltration tools, and victim information. The findings demonstrate a mature ransomware operation capable of compromising heterogeneous enterprise environments and critical infrastructure.

Although no confirmed victims have been identified in Bangladesh at the time of publication, organizations operating enterprise servers, virtualization platforms, Active Directory environments, or legacy computing systems should review their exposure and strengthen defensive controls.

Threat Overview

INC Ransomware is an active ransomware operation that continues to evolve its capabilities to target enterprise infrastructure. Recent analysis identified exposed operational servers containing deployment scripts, ransomware binaries, reconnaissance data, and custom tooling used during attacks.

Unlike conventional ransomware campaigns focused primarily on Windows systems, this campaign demonstrates deliberate expansion toward enterprise and mainframe environments through cross-platform payload development.

The campaign indicates increased targeting of critical infrastructure, virtualization platforms, and heterogeneous enterprise environments.

Technical Analysis

Exposed Operational Infrastructure

Threat intelligence analysis identified two exposed operational servers used by an INC ransomware affiliate.

· The first server functioned as a deployment staging environment hosting Windows ransomware payloads and Group Policy deployment scripts.

· The second server served as the operational working environment containing approximately 675 MB of attacker tooling, reconnaissance data, configuration files, credential artifacts, and exfiltrated victim information.

The recovered files provided valuable insight into attacker methodology throughout the intrusion lifecycle.

Active Directory Reconnaissance

The exposed infrastructure contained extensive Active Directory reconnaissance information, including:

· Domain enumeration

· Computer inventories

· Organizational Units (OUs)

· Group Policy Objects (GPOs)

· Administrator Kerberos credential caches

· Password cracking artifacts

The presence of Kerberos credential cache files indicates preparations for Pass-the-Ticket attacks and credential abuse within compromised enterprise environments.

Credential Theft and DPAPI Abuse

Analysis identified Active Directory Data Protection API (DPAPI) backup master keys among the recovered data.

Compromise of these backup keys enables attackers to decrypt domain-protected credentials offline, significantly increasing the likelihood of full Active Directory compromise.

Recovered tooling also included:

· Administrator NTLM hashes

· Chrome credential harvesting

· Executive desktop collection

· HR database targeting

· ERP backup collection
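Theft of the domain DPAPI backup key is detectable on domain controllers: with object access auditing enabled, reads of the LSA secret objects named BCKUPKEY_* produce Security event 4662 with ObjectType SecretObject. The following detection logic is an added example for this advisory, not tooling recovered from the operators or code from the advisory itself; the records it processes are constructed to mimic 4662 fields as a SIEM would export them, and the field names and allowlist are assumptions.

```python
"""Flag Windows Security event 4662 records that show access to the domain
DPAPI backup key (LSA secret objects named BCKUPKEY_*).

Added detection example for this advisory; not tooling from the advisory
or from the INC operators. SAMPLE_LOG is constructed, not real telemetry.
"""
import json
from collections import Counter

# Constructed JSON-lines export. Field names follow the EventData names
# Windows uses for 4662; every value below is invented for illustration.
SAMPLE_LOG = """
{"EventID": 4662, "TimeCreated": "2026-07-01T02:14:07Z", "Computer": "DC01.example.local", "SubjectUserName": "svc_backup", "SubjectDomainName": "EXAMPLE", "ObjectType": "SecretObject", "ObjectName": "BCKUPKEY_PREFERRED Secret", "AccessMask": "0x2"}
{"EventID": 4662, "TimeCreated": "2026-07-01T02:14:08Z", "Computer": "DC01.example.local", "SubjectUserName": "svc_backup", "SubjectDomainName": "EXAMPLE", "ObjectType": "SecretObject", "ObjectName": "BCKUPKEY_00000000-1111-2222-3333-444444444444 Secret", "AccessMask": "0x2"}
{"EventID": 4662, "TimeCreated": "2026-07-01T02:20:00Z", "Computer": "DC01.example.local", "SubjectUserName": "jdoe", "SubjectDomainName": "EXAMPLE", "ObjectType": "%{bf967a86-0de6-11d0-a285-00aa003049e2}", "ObjectName": "CN=WS42,OU=Workstations,DC=example,DC=local", "AccessMask": "0x100"}
{"EventID": 4624, "TimeCreated": "2026-07-01T02:21:00Z", "Computer": "DC01.example.local", "SubjectUserName": "jdoe", "SubjectDomainName": "EXAMPLE", "LogonType": 3}
"""


def parse_events(text):
    """Parse a JSON-lines export into a list of event dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect_dpapi_backup_key_access(events, allowed_accounts=()):
    """Return one alert per 4662 event that touched a BCKUPKEY_* secret.

    allowed_accounts is an assumed allowlist for accounts an organisation
    has explicitly authorised to read the key (normally empty).
    """
    allowed = {a.lower() for a in allowed_accounts}
    alerts = []
    for ev in events:
        if str(ev.get("EventID")) != "4662":
            continue
        if str(ev.get("ObjectType", "")).lower() != "secretobject":
            continue
        if "BCKUPKEY" not in str(ev.get("ObjectName", "")).upper():
            continue
        user = str(ev.get("SubjectUserName", ""))
        if user.lower() in allowed:
            continue
        alerts.append({
            "time": ev.get("TimeCreated"),
            "host": ev.get("Computer"),
            "account": f"{ev.get('SubjectDomainName', '')}\\{user}",
            "object": ev.get("ObjectName"),
            "access_mask": ev.get("AccessMask"),
        })
    return alerts


def accounts_reading_backup_key(alerts):
    """Count BCKUPKEY_* reads per account. Extraction typically reads the
    PREFERRED pointer and then the GUID-named key in quick succession, so a
    count of two or more from one account within seconds is the pattern."""
    return dict(Counter(a["account"] for a in alerts))


if __name__ == "__main__":
    found = detect_dpapi_backup_key_access(parse_events(SAMPLE_LOG))
    for a in found:
        print(f"{a['time']} {a['host']} {a['account']} read {a['object']}")
    print(accounts_reading_backup_key(found))
```

Feed the function the 4662 events from the domain controllers' Security logs; the benign 4662 for a computer object and the unrelated 4624 in the sample are ignored, while the paired PREFERRED and GUID reads by one account are reported.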

Persistence Mechanisms

The attackers maintained long-term access through OpenVPN-based remote connectivity.

Recovered artifacts included:

· OpenVPN configuration files

· Persistent routing scripts

· Session tokens

· Session resume files

These mechanisms allow attackers to maintain authenticated access while bypassing standard authentication workflows.
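A practical hunt for this persistence channel is to collect OpenVPN client configurations from servers and compare their remote endpoints against the gateways the organisation actually operates, while also noting configurations that reference stored credentials. The helper below is an added example for this advisory, not a tool recovered from the attackers or published by the advisory; the approved gateway list, the sample configuration and the flagged directives are constructed assumptions.

```python
"""Review OpenVPN client configuration text for remote endpoints outside an
approved list and for stored-credential references.

Added hunting example for this advisory; not the attackers' tooling and not
part of the advisory. APPROVED_REMOTES and SAMPLE_CONFIG are constructed.
"""
import shlex

# Constructed allowlist: the organisation's own VPN gateways (assumption).
APPROVED_REMOTES = {"vpn.example.local"}

# Constructed client configuration mixing an approved and an unknown remote.
SAMPLE_CONFIG = """
client
dev tun
proto udp
# primary gateway
remote 203.0.113.10 1194 udp
remote vpn.example.local 1194
persist-key
persist-tun
auth-user-pass /etc/openvpn/creds.txt
<ca>
-----BEGIN CERTIFICATE-----
MIIB (constructed placeholder, not a real certificate)
-----END CERTIFICATE-----
</ca>
"""

# Directives whose arguments point at credentials kept on disk (assumption:
# these are the ones worth reviewing during a hunt).
STORED_CREDENTIAL_DIRECTIVES = {"auth-user-pass", "askpass"}


def directives(config_text):
    """Yield (directive, args) pairs, skipping comments and inline <tag> blocks."""
    in_block = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("</"):
            in_block = False
            continue
        if line.startswith("<"):
            in_block = True
            continue
        if in_block:
            continue
        parts = shlex.split(line)
        yield parts[0].lower(), parts[1:]


def review_openvpn_config(config_text, approved_remotes=APPROVED_REMOTES):
    """Return remotes found, those outside the allowlist, and credential files."""
    remotes, unapproved, stored_credentials = [], [], []
    for name, args in directives(config_text):
        if name == "remote" and args:
            host = args[0]
            remotes.append(host)
            if host.lower() not in {r.lower() for r in approved_remotes}:
                unapproved.append(host)
        elif name in STORED_CREDENTIAL_DIRECTIVES and args:
            stored_credentials.append(args[0])
    return {
        "remotes": remotes,
        "unapproved_remotes": unapproved,
        "stored_credentials": stored_credentials,
    }


if __name__ == "__main__":
    print(review_openvpn_config(SAMPLE_CONFIG))
```

Run it over every .ovpn or .conf file collected from servers; an entry in unapproved_remotes on a host that has no business reason for an outbound VPN is the lead to investigate, and a stored credential file on the same host explains how the session survives without interactive logon.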

Cross-Platform Ransomware Payloads

One of the most significant findings was the discovery of ransomware payloads compiled for multiple processor architectures.

Recovered payloads supported:

· Windows

· Linux

· VMware ESXi

· IBM Z (s390x)

· IBM PowerPC

· SPARC64

· RISC-V

All Linux variants shared common build characteristics and implemented Curve25519 and Salsa20 encryption. The availability of these payloads indicates a strategic shift toward compromising enterprise and mission-critical infrastructure beyond traditional desktop environments.
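When payloads for this many architectures turn up in a staging directory, the first triage step is to confirm which platform each binary targets before deciding where it could have run. The header-parsing helper below is an added example for this advisory, not code from the advisory or from the ransomware; it reads the machine field from ELF and PE headers, and the sample headers it runs on are constructed in memory rather than taken from any real payload.

```python
"""Identify the target architecture of ELF and PE executables from headers.

Added triage example for this advisory; not the advisory's or the malware's
code. The sample images built by make_elf()/make_pe() are constructed
headers with zeroed bodies, not real binaries.
"""
import struct

# e_machine values from the ELF specification (gABI).
ELF_MACHINES = {
    3: "x86 (i386)",
    20: "PowerPC (32-bit)",
    21: "PowerPC64",
    22: "IBM S/390 (s390x)",
    40: "ARM",
    43: "SPARC V9 (SPARC64)",
    62: "x86-64",
    183: "AArch64",
    243: "RISC-V",
}

# Machine values from the PE/COFF specification.
PE_MACHINES = {0x014C: "x86 (i386)", 0x8664: "x86-64", 0xAA64: "ARM64"}


def identify(data: bytes) -> dict:
    """Return format, word size, byte order and machine for an ELF or PE image."""
    if data[:4] == b"\x7fELF":
        bits = {1: 32, 2: 64}.get(data[4])
        endian = {1: "little", 2: "big"}.get(data[5])
        if bits is None or endian is None or len(data) < 20:
            raise ValueError("malformed ELF identification")
        # e_machine sits at offset 18 and is stored in the file's own byte order.
        (e_machine,) = struct.unpack_from("<H" if endian == "little" else ">H", data, 18)
        return {"format": "ELF", "bits": bits, "endian": endian,
                "machine": ELF_MACHINES.get(e_machine, f"unknown (0x{e_machine:x})")}
    if data[:2] == b"MZ":
        if len(data) < 0x40:
            raise ValueError("truncated DOS header")
        (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of "PE\0\0"
        if len(data) < e_lfanew + 6 or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
            raise ValueError("PE signature not found")
        (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
        return {"format": "PE", "bits": 64 if machine in (0x8664, 0xAA64) else 32,
                "endian": "little",
                "machine": PE_MACHINES.get(machine, f"unknown (0x{machine:x})")}
    raise ValueError("not an ELF or PE image")


def make_elf(machine: int, bits: int = 64, endian: str = "big") -> bytes:
    """Constructed minimal ELF header (ET_EXEC) for testing; no code inside."""
    ident = b"\x7fELF" + bytes([2 if bits == 64 else 1, 2 if endian == "big" else 1, 1]) + b"\x00" * 9
    fmt = ">HH" if endian == "big" else "<HH"
    return ident + struct.pack(fmt, 2, machine) + b"\x00" * 44


def make_pe(machine: int) -> bytes:
    """Constructed minimal PE image for testing: DOS stub pointing at a COFF header."""
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)
    return dos + b"PE\x00\x00" + struct.pack("<HH", machine, 0) + b"\x00" * 16


def triage(samples: dict) -> list:
    """Summarise a name -> bytes mapping as one line per file."""
    rows = []
    for name, data in samples.items():
        try:
            info = identify(data)
            rows.append(f"{name}: {info['format']} {info['bits']}-bit {info['endian']}-endian {info['machine']}")
        except ValueError as exc:
            rows.append(f"{name}: {exc}")
    return rows


if __name__ == "__main__":
    constructed = {
        "payload_s390x": make_elf(22),
        "payload_ppc64": make_elf(21),
        "payload_sparc64": make_elf(43),
        "payload_riscv": make_elf(243, endian="little"),
        "payload_x64": make_elf(62, endian="little"),
        "payload_win": make_pe(0x8664),
        "notes.txt": b"not a binary",
    }
    print("\n".join(triage(constructed)))
```

For real files, call identify() on the first 64 bytes or so of each binary; an s390x or SPARC64 ELF in a Windows-centric staging directory is exactly the cross-platform signal this section describes, and the byte-order handling matters because those two architectures store the machine field big-endian.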

Potential Impact

Successful exploitation may result in:

· Full Active Directory compromise

· Credential theft

· Privilege escalation

· Enterprise-wide ransomware deployment

· Data exfiltration

· Encryption of Linux and Windows servers

· VMware ESXi encryption

· Mainframe disruption

· Operational downtime

· Financial losses
