A new joint advisory from the Australian Cyber Security Centre (ACSC), CERT Tonga, and New Zealand’s National Cyber Security Centre (NCSC) warns of the growing threat posed by INC Ransom. Active since mid-2023, this financially motivated group initially concentrated on the US and UK, but since early 2025 it has disproportionately targeted high-value entities in the Pacific region.
INC Ransom operates under a Ransomware-as-a-Service (RaaS) model. While the core group manages the extortion and payment infrastructure, a network of affiliates carries out the actual breaches. According to the advisory, these affiliates primarily gain initial access through spear-phishing campaigns, purchased credentials, or by exploiting known vulnerabilities in unpatched, internet-facing devices.
Once inside a network, the group employs “double extortion” tactics. As the advisory explains: “Affiliates steal sensitive data, encrypt files, and threaten to publish stolen data via their data leak site (DLS), to pressure organisations into paying the ransom.”
The health care sector has been hit particularly hard. Notable incidents highlighted in the report include:
- Australia: Between July 2024 and December 2025, the ACSC responded to 11 incidents in which affiliates moved laterally within networks and exfiltrated medical records and personally identifiable information.
- Kingdom of Tonga: In June 2025, a massive attack on the Ministry of Health (MoH) disrupted the national health care network. The advisory specifically identifies the cybercriminal Roman Khubov (alias “blackod”) as the individual who controlled the infrastructure used for data exfiltration in this case.
- New Zealand: In May 2025, a health sector organization suffered a “devastating” breach that resulted in mass encryption of servers and the publication of stolen data on the INC Ransom leak site.
Security agencies are urging network defenders to move beyond basic defenses.
- Prioritize MFA: Implement phishing-resistant multi-factor authentication, especially for internet-facing services and administrative accounts.
- Harden Vulnerability Management: Regularly scan for known flaws and apply security patches to operating systems and applications in a timely manner.
- Restrict Management Tools: Monitor and limit the use of remote access and management tools such as TeamViewer and AnyDesk to authorized personnel only.
- Maintain Immutable Backups: Ensure critical systems and data are regularly backed up and stored in a way that prevents unauthorized modification or deletion.
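The third recommendation is easy to state and harder to operationalise: the tools are legitimate software, so the detection has to be about who runs them, from where, and how. The following Python script is an added example written for this article, not code from the advisory or from any of the agencies. It runs an allowlist policy over process-creation telemetry in a Sysmon-style JSON-lines shape; the field names, the allowlist, the helper binary names and the sample events are all constructed assumptions for illustration.

```python
"""Flag remote-management tool launches that fall outside an allowlist.

Added example for this article; not code from the advisory or the agencies.
The event shape (Sysmon-style process creation as JSON lines), the allowlist
and the sample events are all constructed assumptions for illustration.
"""
from __future__ import annotations

import json
from pathlib import PureWindowsPath
from typing import Iterable

# Binaries of the remote management tools the advisory names (TeamViewer,
# AnyDesk); the service/helper names alongside them are assumed additions.
RMM_BINARIES = {
    "teamviewer.exe", "teamviewer_service.exe", "tv_w32.exe", "tv_x64.exe",
    "anydesk.exe",
}

# Assumed policy: the only accounts approved to run each tool. A tool with no
# entry (TeamViewer here) is not approved for anyone.
ALLOWLIST = {
    "anydesk.exe": {"corp\\helpdesk-svc"},
}

# Parents that indicate a scripted or hands-on-keyboard launch rather than a
# user double-clicking an installed tool.
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}

# Constructed sample telemetry (JSON lines), not real data. Raw string so the
# JSON escapes for Windows paths survive intact.
SAMPLE_EVENTS = r"""
{"ts":"2025-06-02T01:14:07Z","host":"WS-0412","user":"CORP\\helpdesk-svc","image":"C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe","parent":"C:\\Windows\\explorer.exe"}
{"ts":"2025-06-02T01:15:33Z","host":"SRV-FILE01","user":"CORP\\j.smith","image":"C:\\Users\\j.smith\\Downloads\\AnyDesk.exe","parent":"C:\\Windows\\explorer.exe"}
{"ts":"2025-06-02T01:16:02Z","host":"SRV-DB02","user":"NT AUTHORITY\\SYSTEM","image":"C:\\Windows\\Temp\\TeamViewer.exe","parent":"C:\\Windows\\System32\\cmd.exe"}
{"ts":"2025-06-02T01:16:40Z","host":"WS-0099","user":"CORP\\a.lee","image":"C:\\Windows\\System32\\notepad.exe","parent":"C:\\Windows\\explorer.exe"}
"""


def evaluate(event: dict) -> list[str]:
    """Return the reasons an event should alert; an empty list means benign."""
    image_path = event["image"]
    image = PureWindowsPath(image_path).name.lower()
    if image not in RMM_BINARIES:
        return []  # Not a remote management tool; nothing to check.

    reasons: list[str] = []

    # 1. Only approved accounts may run the tool at all.
    if event["user"].lower() not in ALLOWLIST.get(image, set()):
        reasons.append(f"{image} run by non-approved account {event['user']}")

    # 2. Legitimate installs live under Program Files; a copy in a user-writable
    #    directory (Downloads, Temp) points at an attacker-dropped binary.
    if not image_path.lower().startswith("c:\\program files"):
        reasons.append(f"{image} launched from unexpected path {image_path}")

    # 3. A shell or script host as parent suggests scripted deployment.
    if PureWindowsPath(event["parent"]).name.lower() in SCRIPT_HOSTS:
        reasons.append(f"{image} spawned by script host {event['parent']}")

    return reasons


def scan(lines: Iterable[str]) -> list[dict]:
    """Run evaluate() over JSON-lines telemetry and collect the alerts."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        reasons = evaluate(event)
        if reasons:
            alerts.append({"ts": event["ts"], "host": event["host"],
                           "user": event["user"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS.splitlines()):
        print(f"{alert['ts']} {alert['host']} {alert['user']}")
        for reason in alert["reasons"]:
            print(f"    - {reason}")
```

On the sample data the helpdesk account running the installed AnyDesk is silent, while the copy in a user's Downloads folder and the TeamViewer binary dropped in Temp and launched from cmd.exe each raise alerts. Two caveats for real deployments: match on the binary's signer or file hash as well as its name, since a renamed executable defeats a name-only check, and treat "limit" as a blocking control (application allowlisting or egress filtering of the vendors' relay endpoints) with this kind of detection as the backstop, not the only control.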