Cybersecurity authorities in Oceania have issued a joint advisory regarding the INC ransomware operation, which has increasingly affected healthcare organizations across the region.
Healthcare facilities, including 24/7 patient care centers, require continuous availability, making them a frequent focus for financially motivated threat actors. INC aligns with this trend, prioritizing the healthcare sector at a higher rate than many comparable ransomware groups.
Historically, INC concentrated its operations in the United States and the United Kingdom. However, on March 6, the Australian Cyber Security Centre (ACSC), the Kingdom of Tonga’s National Computer Emergency Response Team (CERT Tonga), and New Zealand’s National Cyber Security Centre (NCSC) released a joint advisory detailing the group's shift toward Oceania. While the advisory broadly covers the group's targeting of critical networks, it primarily outlines the specific risks to the healthcare sector.
Regional shift in operations
Threat actors sometimes concentrate on particular geographic regions or industry verticals, which points to deliberate target selection rather than purely opportunistic activity. The recent advisory describes an operation that shifted its attention to Oceania's healthcare sector gradually, over a period of several months.
According to the advisory, INC began prioritizing Australian organizations in the professional services and healthcare industries from mid-2024. This activity accelerated in 2025 and expanded into neighboring New Zealand and Tonga, where it caused a significant disruption to national health services.
Documented incidents in Australia, New Zealand, and Tonga
The ACSC responded to 11 INC ransomware incidents in Australia between July 2024 and December 2025, predominantly affecting healthcare and professional services organizations. In most instances, the affiliates gained initial access with compromised accounts purchased from initial access brokers (IABs); in others they used spear-phishing or exploited known vulnerabilities in internet-facing devices to establish a foothold. Because INC operates under a ransomware-as-a-service (RaaS) model, the specific tactics, techniques, and procedures (TTPs) vary with the affiliate conducting the intrusion.
Following initial access, the operators typically move laterally across the network and escalate privileges to the administrator level. From there, they deploy the encryptor and drop a ransom note. In several documented cases they also exfiltrated personally identifiable information (PII) and protected health information (PHI) beforehand. For this staging and exfiltration INC relies on legitimate software utilities to compress and transfer data out of the affected environment rather than custom tooling, which makes the activity harder to distinguish from routine administration.
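One practical way to catch the "compress, then transfer" staging pattern the advisory describes is to correlate process-execution telemetry by host and user. The script below is an added example written for this article, not tooling from the advisory or from INC; the archiver and transfer-tool names, the log format and the two-hour window are assumptions to tune to your own estate, and the log lines are constructed for illustration.

```python
"""Flag an archiver run followed by a transfer tool on the same host/user.

Added example for this article; not from the advisory. Assumed inputs:
tab-separated process logs of the form
    <ISO timestamp>\t<host>\t<user>\t<process name>\t<command line>
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed: legitimate utilities commonly (ab)used to stage and move data.
# Extend with whatever archivers and sync/transfer tools exist in your estate.
ARCHIVERS = {"7z.exe", "winrar.exe", "tar", "zip"}
TRANSFER_TOOLS = {"rclone.exe", "curl.exe", "scp", "megasync.exe"}

# Assumed correlation window between the archive step and the transfer step.
WINDOW = timedelta(hours=2)

# Constructed sample log: one true staging sequence on FS01 and a benign
# archive/curl pair on WS22 that falls outside the window.
SAMPLE_LOG = (
    "2025-05-12T01:02:10\tFS01\tcorp\\svc-backup\t7z.exe\t"
    "7z.exe a -p -mhe=on D:\\staging\\pt.7z E:\\records\\\n"
    "2025-05-12T01:09:44\tFS01\tcorp\\svc-backup\trclone.exe\t"
    "rclone.exe copy D:\\staging remote:bucket\n"
    "2025-05-12T03:15:00\tWS22\tcorp\\jdoe\t7z.exe\t7z.exe x report.7z\n"
    "2025-05-12T09:30:00\tWS22\tcorp\\jdoe\tcurl.exe\t"
    "curl.exe https://intranet/update\n"
)


def parse_line(line: str) -> dict:
    """Split one tab-separated log line into a dict with a parsed timestamp."""
    ts, host, user, proc, cmdline = line.rstrip("\n").split("\t", 4)
    return {
        "ts": datetime.fromisoformat(ts),
        "host": host,
        "user": user,
        "proc": proc.lower(),
        "cmdline": cmdline,
    }


def find_staging(lines, window: timedelta = WINDOW) -> list:
    """Return one alert per transfer-tool run that follows an archiver run
    by the same user on the same host within `window`.

    Events are processed in time order; archiver runs are remembered per
    (host, user) and matched against later transfer-tool runs.
    """
    events = sorted(
        (parse_line(line) for line in lines if line.strip()),
        key=lambda e: e["ts"],
    )
    recent_archives = defaultdict(list)  # (host, user) -> archiver events
    alerts = []
    for event in events:
        key = (event["host"], event["user"])
        if event["proc"] in ARCHIVERS:
            recent_archives[key].append(event)
        elif event["proc"] in TRANSFER_TOOLS:
            for archive in recent_archives[key]:
                delta = event["ts"] - archive["ts"]
                if timedelta(0) <= delta <= window:
                    alerts.append({
                        "host": event["host"],
                        "user": event["user"],
                        "archive": archive["proc"],
                        "transfer": event["proc"],
                        "gap_seconds": int(delta.total_seconds()),
                        "archive_cmd": archive["cmdline"],
                        "transfer_cmd": event["cmdline"],
                    })
                    break  # one alert per transfer run is enough
    return alerts


if __name__ == "__main__":
    for alert in find_staging(SAMPLE_LOG.splitlines()):
        print(f"[staging] {alert['host']} {alert['user']}: "
              f"{alert['archive']} -> {alert['transfer']} "
              f"after {alert['gap_seconds']}s")
```

Only the FS01 sequence fires: the archiver on WS22 is followed by a transfer tool, but more than two hours later, so it is ignored. In production, feed this from EDR or Sysmon process-creation events and treat a hit on a file server or a service account as a high-priority triage item, since it precedes the encryption stage the advisory describes.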
The advisory notes that New Zealand faces a broader range of opportunistic threats across multiple industries. INC specifically impacted a New Zealand healthcare organization in May 2025. During this incident, the group encrypted servers and endpoint devices, exfiltrated a large volume of sensitive data, and subsequently published the information on a dark web leak site.
In Tonga, INC focused directly on the Ministry of Health (MoH). On June 15, 2025, the group disrupted MoH information and communications networks, halting core national health services. Authorities have attributed the Tonga incident to Roman Khubov, who operates under the alias "blackod," and published identifying photographs in the advisory.
"Attackers don’t scale by local size but by opportunity," notes Keeper Security CISO Shane Barney. "Smaller nations often rely on centralized, resource-constrained infrastructure, which can make them proportionally more vulnerable. They may not see the volume of attacks larger economies face, but even a single successful intrusion can have outsized impact, and incident response capacity may be more limited."
Defensive measures and mitigations
To protect networks against INC ransomware and similar operations, Oceania cybersecurity authorities advise organizations to implement foundational security controls. These include monitoring and restricting network traffic, auditing remote access points, enforcing multifactor authentication (MFA) across all applicable systems, and maintaining a strict vulnerability management and patching schedule.
"INC is not employing new or advanced tactics to compromise this industry; instead, they are using what I refer to as legacy tactics to compromise organizations," states Christopher Hills, chief security strategist at BeyondTrust. "These threat actors are walking right into the environments with valid credentials. This just reinforces several points we have been talking about for years: verify everything, to every resource, control your threat field, patch vulnerable systems, stop exposing vulnerable systems on the public Web."
Hills observes that operations like INC demonstrate that many organizations still need to address fundamental security gaps, even as industry attention frequently shifts toward newer technologies like artificial intelligence (AI).
We recommend that security teams review their internet-facing infrastructure and authentication requirements to ensure these foundational protections are effectively deployed. Partnering across IT and security teams to validate access controls, test backups, and refine incident response plans remains one of the most effective ways to safeguard critical patient care environments from disruption.