A joint advisory from ACSC, NCSC, and CERT Tonga warns of escalating INC Ransom ransomware attacks targeting organizations in Australia, New Zealand, and Pacific Island states. Active since mid-2023 and believed to be Russia-based, INC Ransom operates as a Ransomware-as-a-Service platform with a distributed affiliate model. Between July 2024 and December 2025, ACSC tracked 11 incidents primarily hitting healthcare and professional services. Notable incidents include a June 2025 attack on Tonga's Ministry of Health and a May 2025 breach of a New Zealand health organization. Affiliates gain access via spear-phishing, unpatched systems, and purchased credentials, then use tools like rclone, 7-Zip, and WinRAR for data exfiltration before deploying encryption. The advisory recommends backups, MFA, privileged access management, network traffic restriction, and vulnerability patching as key defenses.

From cyble.com