INC Ransomware Group Holds Healthcare Hostage in Oceania

Summary

INC, a prolific ransomware operation, has been aggressively targeting healthcare organisations across Australia, New Zealand and Tonga. A joint advisory from the Australian Cyber Security Centre (ACSC), CERT Tonga and New Zealand’s NCSC outlines a pattern of attacks that began with INC’s earlier activity in the US and UK but shifted into Oceania in 2024–2025. The group, which operates on a ransomware‑as‑a‑service (RaaS) model, commonly uses credentials purchased from initial access brokers, spear‑phishing and exploitation of internet‑facing systems to gain entry. It then moves laterally, escalates privileges, exfiltrates PII and PHI, and finally deploys encryption and extortion. Australia recorded 11 INC incidents between July 2024 and December 2025; Tonga suffered a major disruption to its Ministry of Health on 15 June 2025.

Authorities say INC’s methods are not novel: they exploit common security gaps. Recommended mitigations are straightforward — patching, multifactor authentication (MFA), restricting and monitoring remote access, and tighter network controls — but still not universally applied across the sector.

Key Points

  • INC has expanded its focus from the US/UK into Oceania, prioritising healthcare and professional services.
  • ACSC, CERT Tonga and New Zealand’s NCSC issued a joint advisory after multiple assaults, including a nationwide disruption of Tonga’s Ministry of Health on 15 June 2025.
  • Australian responses logged 11 INC incidents between July 2024 and December 2025, mainly affecting healthcare and professional services.
  • Common entry methods: compromised credentials bought from initial access brokers, spear‑phishing, and exploitation of exposed internet‑facing devices.
  • Post‑intrusion behaviour: lateral movement, privilege escalation to admin, data exfiltration (PII/PHI) and encryption; INC’s RaaS model means TTPs vary by affiliate.
  • Effective defences remain basic: enforce MFA, patch promptly, limit and monitor remote access, apply least privilege and adopt zero‑trust verification.

Context and relevance

This is a clear example of how organised cybercriminals scale by opportunity rather than local population size: smaller nations with centralised, resource‑limited infrastructure (like Tonga) can suffer outsized damage from a single intrusion. For healthcare providers and security teams across Oceania, the advisory is a wake‑up call — INC is targeting patient care environments where downtime has immediate, real‑world consequences. The story also highlights a persistent problem: many organisations still fail to close long‑known security gaps while attention drifts to emerging technologies such as AI.

Why should I read this

Short version: if you work in healthcare IT, run services for health providers, or manage national/civic networks in Oceania, this matters — badly. INC is knocking systems offline and stealing patient data using tried‑and‑tested tricks. Read this to get the quick tactical picture and the immediate, practical steps you should be checking off your list right now.

Source

Source: https://www.darkreading.com/threat-intelligence/inc-ransomware-healthcare-oceania