A joint advisory from the Australian Cyber Security Centre (ACSC), New Zealand's NCSC, and CERT Tonga warns that the affiliate-driven INC Ransom Ransomware-as-a-Service (RaaS) ecosystem is increasingly targeting healthcare and other high-value organizations across Australia, New Zealand, and Pacific Island states, using tactics such as spear-phishing, exploitation of unpatched internet-facing systems, purchased credentials, and legitimate tools for exfiltration. The advisory links disruptive incidents, including a June 15, 2025 attack on Tonga's Ministry of Health, to INC Ransom (also known as Tarnished Scorpion / GOLD IONIC) and identifies Roman Khubov (aka blackod) as controlling infrastructure used in data exfiltration.
Key points
- ACSC, NCSC, and CERT Tonga issued a joint advisory warning of rising INC Ransom activity targeting organizations across Australia, New Zealand, and Pacific Island states, with emphasis on healthcare providers.
- INC Ransom operates as a Ransomware-as-a-Service (RaaS) platform with an affiliate model that separates intrusion/deployment (affiliates) from extortion/negotiation (core operators).
- ACSC reported 11 incidents attributed to INC Ransom affiliates in Australia between 1 July 2024 and 31 December 2025, primarily affecting professional services and healthcare; since early 2025 the activity has shifted toward the Pacific region.
- On 15 June 2025 the Tongan Ministry of Health suffered a disruptive ransomware incident linked to INC Ransom; investigators found a ransom note and the group claimed responsibility on its dark-web leak site on 26 June 2025.
- INC Ransom affiliates commonly gain initial access via spear-phishing, exploitation of unpatched internet-facing systems, and purchased credentials, then escalate privileges (create admin accounts), move laterally, exfiltrate data using legitimate tools (7-Zip/WinRAR, rclone), and deploy encryption followed by double-extortion.
- The advisory recommends practical mitigations including reliable, tested backups, restricted network traffic, hardened remote access, phishing-resistant MFA, strict privileged access management, and timely vulnerability management, and calls for continued regional collaboration and intelligence sharing.
MITRE Techniques
- [T1566] Phishing – Initial access via targeted spear-phishing campaigns against employees (‘Spear-phishing campaigns targeting employees’)
- [T1190] Exploit Public-Facing Application – Gaining access by exploiting unpatched internet-facing systems (‘Exploitation of unpatched internet-facing systems’)
- [T1078] Valid Accounts – Use of purchased credentials from initial access brokers to authenticate into victim environments (‘Purchased credentials from initial access brokers’)
- [T1136] Create Account – Privilege escalation by creating new administrator-level accounts after initial access (‘creating new administrator-level accounts’)
- [T1021] Remote Services – Lateral movement through internal systems to expand control across the network (‘move laterally through internal systems to expand control within the network’)
- [T1560.001] Archive Collected Data: Archive via Utility – Use of compression tools (7-Zip and WinRAR) to package data prior to theft (‘7-Zip and WinRAR are used to compress data before theft’)
- [T1567.002] Exfiltration to Cloud Storage – Use of rclone to transfer stolen data outside the network (‘The file synchronization tool rclone is frequently used to transfer stolen data outside the network’)
- [T1486] Data Encrypted for Impact – Deployment of INC Ransom’s encryption component to render systems inaccessible (‘After data exfiltration, attackers deploy the encryption component of INC Ransom. A ransom note is then left on affected systems’)
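The intrusion chain above (new admin account, archive staging with 7-Zip/WinRAR, rclone transfer, the win.exe filename) is the kind of sequence a SOC can correlate per host rather than alerting on each tool in isolation. The following detection sketch is an added example, not part of the advisory or Cyble's writeup; the telemetry records are constructed, and the field names (`ts`, `host`, `user`, `image`, `cmdline`) are a hypothetical EDR/Sysmon-style schema.

```python
from datetime import datetime, timedelta

# Constructed process-creation telemetry (NOT from the advisory); field names are hypothetical.
SAMPLE_EVENTS = [
    {"ts": "2025-06-15T01:02:00", "host": "srv-01", "user": "svc_backup",
     "image": "net.exe", "cmdline": "net localgroup administrators helpdesk2 /add"},
    {"ts": "2025-06-15T01:20:00", "host": "srv-01", "user": "helpdesk2",
     "image": "7z.exe", "cmdline": "7z.exe a D:\\stage\\records.7z E:\\records"},
    {"ts": "2025-06-15T01:45:00", "host": "srv-01", "user": "helpdesk2",
     "image": "rclone.exe", "cmdline": "rclone.exe copy D:\\stage remote:dump"},
    {"ts": "2025-06-15T02:10:00", "host": "srv-01", "user": "helpdesk2",
     "image": "win.exe", "cmdline": "win.exe"},
    # Benign archiving on another host: a user zipping their own report, no transfer follows.
    {"ts": "2025-06-15T09:00:00", "host": "ws-22", "user": "alice",
     "image": "7z.exe", "cmdline": "7z.exe a C:\\Users\\alice\\report.7z C:\\Users\\alice\\report"},
]

ARCHIVERS = {"7z.exe", "7za.exe", "winrar.exe", "rar.exe"}
WINDOW = timedelta(hours=6)  # assumed staging-to-exfil window; tune to the environment

def classify(ev):
    """Map one event to a stage named in the advisory's TTP list, or None if unrelated."""
    img, cmd = ev["image"].lower(), ev["cmdline"].lower()
    if img == "net.exe" and "administrators" in cmd and "/add" in cmd:
        return "admin_account_created"          # T1136 Create Account
    if img in ARCHIVERS and cmd.split()[1:2] == ["a"]:
        return "archive_staged"                 # T1560.001, "a" = add-to-archive command
    if img == "rclone.exe" and any(v in cmd for v in ("copy", "sync", "move")):
        return "rclone_exfil"                   # T1567.002 Exfiltration to Cloud Storage
    if img == "win.exe":
        return "inc_loader_name"                # filename IoC listed in the advisory
    return None

def correlate(events, window=WINDOW):
    """Per host: alert when archive staging is followed by an rclone transfer within
    `window`; the alert lists every advisory stage seen on that host for triage."""
    by_host = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        stage = classify(ev)
        if stage:
            by_host.setdefault(ev["host"], []).append((datetime.fromisoformat(ev["ts"]), stage))
    alerts = {}
    for host, stages in by_host.items():
        archive_times = [t for t, s in stages if s == "archive_staged"]
        exfil_times = [t for t, s in stages if s == "rclone_exfil"]
        if any(timedelta(0) <= (x - a) <= window for a in archive_times for x in exfil_times):
            alerts[host] = sorted({s for _, s in stages})
    return alerts
```

Running `correlate(SAMPLE_EVENTS)` flags only srv-01, where the archive-then-rclone sequence appears; the lone 7-Zip run on ws-22 is left alone, which is the point of correlating stages instead of alerting on a single dual-use tool.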
Indicators of Compromise
- [File Name] Malware/loader filename observed during deployments – win.exe
- [Tools/Software] Legitimate utilities used in intrusion and exfiltration – 7-Zip, WinRAR, rclone
- [Data Leak Site] Public claims and data publication platform used for extortion – INC Ransom Tor-based data leak site (Tor-based DLS)
- [Threat Actor / Alias] Individuals and group aliases linked to the operation and infrastructure – Roman Khubov (aka blackod), Tarnished Scorpion (also referenced as GOLD IONIC)
Read more: https://cyble.com/blog/inc-ransom-attacks-australia-new-zealand/