INC Ransomware Group Holds Healthcare Hostage in Oceania

Cybersecurity authorities in Australia, New Zealand, and Tonga have issued a joint advisory warning about the INC ransomware group's escalating attacks on healthcare organizations in Oceania. INC, which operates as a ransomware-as-a-service (RaaS), initially focused on the US and UK before expanding to Australia in mid-2024 and later to neighboring Pacific nations. The ACSC responded to 11 INC attacks in Australia between July 2024 and December 2025. In Tonga, INC targeted the national Ministry of Health, disrupting core health services. Attackers typically gain access via compromised credentials purchased from initial access brokers, then move laterally, escalate privileges, exfiltrate PII and health data, and deploy ransomware. Authorities have identified a specific threat actor, Roman Khubov ('blackod'), behind the Tonga attack. Security experts note INC is not using novel techniques but exploiting long-standing security gaps, recommending MFA, network monitoring, vulnerability patching, and credential hygiene as defenses.