Australian and Pacific cyber authorities have issued a joint warning on the INC Ransom group, citing ongoing ransomware and data‑extortion activity affecting organisations across Australia, New Zealand, and Pacific island states, including entities in the health and professional services sectors.
In a March 6 advisory, the Australian Signals Directorate (ASD) and the Australian Cyber Security Centre (ACSC) said: “We have released a joint advisory with Kingdom of Tonga’s National Computer Emergency Response Team (CERT Tonga) and the New Zealand National Cyber Security Centre (NCSC) about the operations of ransomware group INC Ransom and their affiliate network, and the threat that their operations are posing to networks hosted in Australia and the Pacific.”
INC Ransom is described as a financially motivated operation that provides ransomware-as-a-service (RaaS) to an affiliate network. According to the advisory, affiliates obtain initial access through spear-phishing campaigns, exploitation of unpatched internet-facing systems, and valid credentials bought from initial access brokers. After gaining a foothold, they have been observed creating new privileged accounts, moving laterally within networks, compressing data with legitimate tools, and exfiltrating it before encrypting systems. The group practises double extortion: victims receive a ransom note setting out the demand and contact channels, including links to a Tor-based data leak site, and if payment is not made INC Ransom lists the organisation on that site and publishes the stolen data. The group is also tracked under the names Tarnished Scorpion and GOLD IONIC.
ACSC figures indicate that from July 1, 2024, to December 31, 2025, 11 INC Ransom incidents were reported in Australia, most affecting professional services and health care organisations. Since January 2025, affiliates have been observed targeting Australian health entities using compromised accounts, then creating new administrator-level accounts and deploying malicious files, including executables such as "win.exe", to support further activity. In some cases, personally identifiable and medical information was taken before ransom demands were issued.
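The sequence described above (a compromised account creating a new administrator-level account, which then deploys files) lends itself to a simple correlation rule over Windows Security events. The script below is an added example and is not code from the ASD/ACSC advisory or any vendor; the event records are constructed to mirror the relevant fields of event IDs 4720 (user account created), 4732 (member added to a local group) and 4688 (process created), and the account names, the one-hour window and the C:\Users\Public path are illustrative assumptions. It flags any account that is created and added to the local Administrators group within the window, and reports what that new account executes immediately afterwards.

```python
from datetime import datetime, timedelta

ADMINISTRATORS_SID = "S-1-5-32-544"  # well-known SID of the local Administrators group
USERS_SID = "S-1-5-32-545"           # well-known SID of the local Users group

# Constructed sample events, not real telemetry. Keys are shortened forms of
# the Windows Security log fields: 4720 -> SubjectUserName/TargetUserName,
# 4732 -> SubjectUserName/MemberName/TargetSid, 4688 -> SubjectUserName/
# NewProcessName. Account names and the file path are assumptions.
SAMPLE_EVENTS = [
    # Suspicious chain: compromised user creates an account, elevates it, runs a binary
    {"time": "2025-02-03T01:12:40", "id": 4720, "subject": "jsmith", "target": "svc_backup2"},
    {"time": "2025-02-03T01:13:05", "id": 4732, "subject": "jsmith",
     "member": "svc_backup2", "group_sid": ADMINISTRATORS_SID},
    {"time": "2025-02-03T01:20:11", "id": 4688, "subject": "svc_backup2",
     "process": r"C:\Users\Public\win.exe"},
    # Benign: helpdesk creates a user and only adds it to Users
    {"time": "2025-02-03T09:00:00", "id": 4720, "subject": "helpdesk", "target": "newhire01"},
    {"time": "2025-02-03T09:05:00", "id": 4732, "subject": "helpdesk",
     "member": "newhire01", "group_sid": USERS_SID},
    # Borderline: elevated to Administrators, but two days after creation
    {"time": "2025-02-03T02:00:00", "id": 4720, "subject": "itadmin", "target": "tmp_admin"},
    {"time": "2025-02-05T02:00:00", "id": 4732, "subject": "itadmin",
     "member": "tmp_admin", "group_sid": ADMINISTRATORS_SID},
]


def _ts(event):
    """Parse the ISO-8601 timestamp carried in each constructed event."""
    return datetime.fromisoformat(event["time"])


def find_new_admin_accounts(events, window_hours=1):
    """Return one finding per account that was created (4720) and then added to
    the local Administrators group (4732) within window_hours. Each finding also
    lists processes (4688) the new account launched within the same window
    after elevation, which is the 'deploying malicious files' step."""
    window = timedelta(hours=window_hours)
    created = {}   # new account name -> (creating account, creation time)
    findings = {}  # new account name -> finding (insertion order = elevation order)

    for ev in sorted(events, key=_ts):
        t = _ts(ev)
        if ev["id"] == 4720:
            created[ev["target"]] = (ev["subject"], t)
        elif ev["id"] == 4732 and ev["group_sid"] == ADMINISTRATORS_SID:
            name = ev["member"]
            if name in created and t - created[name][1] <= window:
                findings[name] = {
                    "account": name,
                    "created_by": created[name][0],
                    "elevated_by": ev["subject"],
                    "elevated_at": ev["time"],
                    "processes": [],
                }
        elif ev["id"] == 4688 and ev["subject"] in findings:
            finding = findings[ev["subject"]]
            if t - datetime.fromisoformat(finding["elevated_at"]) <= window:
                finding["processes"].append(ev["process"])

    return list(findings.values())


if __name__ == "__main__":
    for finding in find_new_admin_accounts(SAMPLE_EVENTS):
        print(finding)
```

The rule keys on the account sequence rather than on the file name: "win.exe" is an unremarkable name and matching on it alone would be low-fidelity, so the executable is reported as context for the analyst. In a real deployment the 4688 events require process-creation auditing to be enabled, correlation should use SIDs rather than display names, and the window and group list are tuning knobs; widening the window to several days, as the second call in the usage shows, trades precision for catching slower hands-on-keyboard activity.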
In the Kingdom of Tonga, the Ministry of Health’s ICT environment was affected by ransomware on June 15, 2025, disrupting access to core systems and services in the national health network. A ransom note attributed to INC Ransom was subsequently identified in the ministry’s systems, and the group claimed responsibility on June 26, 2025, via its dark web data leak site. Authorities linked infrastructure used for data exfiltration in the incident to cybercriminal Roman Khubov, also known as “blackod.”
New Zealand’s NCSC has reported continuing ransomware and data‑extortion cases across multiple sectors. In May 2025, a health‑sector organisation notified the NCSC that a large portion of its servers and endpoints had been encrypted and that a significant amount of data had been removed. INC Ransom later claimed the attack and published the stolen dataset on its leak site. Authorities note that INC Ransom’s tactics, techniques, and procedures overlap with those of other RaaS operations, including Lynx ransomware and earlier families such as Nemty, Karma, and Nokoyawa, and that these similarities are reflected in current guidance for network defenders.
Recent ACSC reporting points to a high volume of cyber activity affecting Australian organisations. In fiscal 2024‑25, ACSC answered more than 42,500 calls to the Australian Cyber Security Hotline, a 16% increase on the prior year, averaging 116 calls a day. The agency responded to more than 1,200 cyber incidents, up 11%, and notified entities over 1,700 times about potentially malicious cyber activity, an 83% year‑on‑year rise. ReportCyber received more than 84,700 cybercrime reports during the period, or roughly one report every six minutes. Identity fraud remained the most frequently reported cybercrime type. ACSC also handled more than 200 denial‑of‑service and distributed denial‑of‑service incidents, an increase of more than 280% from the previous year.
Self‑reported financial impacts increased over the same period. Individuals reported an average cost of $33,000 per cybercrime incident. Businesses recorded a mean cost of $80,850, up 50%, with small businesses at $56,600, medium‑sized firms at $97,200 and large organisations at $202,700 per incident. Critical infrastructure operators received more than 190 notifications of possible malicious activity on their networks, up 111% from the previous year. Officials also point to the continued use of “living off the land” techniques and the adoption of artificial intelligence by threat actors, which they assess as contributing to more scalable and faster operations.
Findings from an independent survey commissioned by Sophos, covering 3,400 organisations hit by ransomware globally and including 191 in Australia between January and March 2025, add further context for risk carriers and insureds. All respondents were from organisations with 100 to 5,000 employees and reported on their experiences over the previous 12 months. Among Australian respondents, exploited vulnerabilities were cited as the most frequent technical root cause of attack, at 28%, followed by phishing at 24% and compromised credentials at 21%.
On the operational side, 45% reported a lack of protection as a contributing factor, 44% pointed to limited people or capacity, and 41% said both known and unknown security gaps played a role. In 33% of Australian cases, data was encrypted, down from 49% in the 2024 survey and below the global average of 50%. Where data was encrypted, 35% of organisations also experienced data theft, up from 20% the previous year, indicating continued use of both encryption and data exfiltration in attacks.
Of Australian organisations that had data encrypted, 98% reported they ultimately recovered it; 41% said they paid the ransom and restored data that way, down from 66% a year earlier, while 67% used backups, compared with 72% in the previous survey period. The median ransom demand in Australia over the period was US$217,000, below the US$4.42 million median reported in 2024. Among respondents whose organisations paid and disclosed the amount, the median payment was US$350,000. On average, Australian organisations paid about 88% of the initial demand, with 52% paying less than first requested, 24% paying the same, and 24% paying more. Excluding any ransom payment, the mean cost to recover from a ransomware incident for Australian organisations was US$650,000, down from US$2.37 million in 2024. This figure covers downtime, staff time, device and network remediation, and foregone business. Recovery timelines also changed: 47% reported full recovery within a week, up from 36% the previous year, while 13% took between one and six months, down from 33%.
The combination of incident statistics, sector‑specific case studies, and survey data is relevant to cyber and broader financial lines portfolios, particularly where health care, professional services, and critical infrastructure risks are in scope. Authorities recommend that organisations and government ministries maintain and test offline backups, restrict network traffic to business‑critical services, harden and monitor remote access, limit remote management tools to authorised administrators, enforce phishing‑resistant multi‑factor authentication, and operate structured vulnerability management programs that prioritise internet‑facing assets.
Guidance also addresses the increased use of third‑party services and operational technology, highlighting the role of contractually defined security standards, vendor‑risk oversight, and documented incident response plans. ASD’s materials advise that businesses adopt an “assume compromise” posture, identify and protect critical assets, enhance logging, replace legacy IT where feasible, and prepare for changes in cryptography and AI‑enabled tooling. These developments are likely to be considered in underwriting questions on patch management, access control, logging, backup architecture, vendor management, and incident response readiness, as well as in portfolio‑level accumulation assessments involving health care and critical infrastructure classes.