Threat actor: INC ransomware's Rust rewrite and BYOVD evolution
From CTI Weekly Summary — 2026-W25 (Jun 15 – Jun 21, 2026) · published 2026-06-22
Acronis and The Hacker News documented the evolution of INC ransomware into a top-tier RaaS: 830+ victims since 2023 and a fourth-place ranking among ransomware groups in Q1 2026. The current tooling comprises a Rust rewrite of the Windows and Linux/ESXi encryptors, BYOVD EDR termination using the drivers filwfp.sys, filnk.sys and fildds.sys (the same set seen in earlier Vanilla Tempest campaigns), a credential dumper aimed at Veeam backup infrastructure, and two variants derived from the leaked source code (Lynx, Sinobi) (Acronis TRU, 2026-06-18; The Hacker News, 2026-06-19).

The geography is incidental for a CH/EU SOC, since the cited reporting puts the majority of INC's victims in the US, but the tradecraft is not: the three BYOVD drivers, the Veeam credential dumper and the cross-platform Rust encryptor are detection content that generalises to any victim. Detect the drivers from driver-load telemetry (Sysmon Event ID 6 records the loaded image, its hashes and its signature) with a blocklist on both file name and hash, since a renamed copy defeats the name match and a recompiled one defeats the hash match; where WDAC/HVCI is deployed, enforce Microsoft's vulnerable driver blocklist as a preventive layer, checking whether these drivers are on it rather than assuming so. Alert on process-memory access to Veeam service processes (Sysmon Event ID 10) from any source process other than Veeam's own binaries and the EDR agent, and keep backup systems MFA-protected and network-isolated.
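The two detections recommended above, worked as an added example (this is not code from the cited reports, from Acronis, or from any EDR product): a small Python checker run over constructed Sysmon-style events, Event ID 6 DriverLoad and Event ID 10 ProcessAccess, serialised one JSON object per line. The driver file names are the ones named in the brief; the SHA-256 values, the source-process allowlist and the Veeam process names and paths are assumptions made for the example and must be replaced with the published indicators and the site's own baseline. The driver check matches on name and on hash independently, so a renamed copy is still caught by hash; the Veeam check ignores handles that lack PROCESS_VM_READ, because query-only handles are routine noise.

```python
"""Detection logic for the two INC ransomware behaviours described above,
run over constructed Sysmon-style events (Event ID 6 DriverLoad and
Event ID 10 ProcessAccess). Added example, not code from the cited reports."""
import json
from typing import Dict, List, Optional

# Driver file names from the reporting above. Names are cheap to change,
# so the detector also matches on hash.
BYOVD_NAMES = {"filwfp.sys", "filnk.sys", "fildds.sys"}

# Placeholder SHA-256 values constructed for this example; replace them with
# the hashes published in the vendor reports or an EDR feed.
BYOVD_SHA256 = {"11" * 32, "22" * 32}

# Processes expected to open Veeam service processes (site-specific; this
# set is an assumption for the example, not a vendor recommendation).
VEEAM_ACCESS_ALLOWED_SOURCES = {
    "veeam.backup.manager.exe",
    "veeam.backup.service.exe",
    "msmpeng.exe",
}

PROCESS_VM_READ = 0x0010  # access right required to read another process's memory


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _sysmon_hashes(field: str) -> Dict[str, str]:
    """Parse a Sysmon 'Hashes' field such as 'MD5=...,SHA256=...' into a dict."""
    out: Dict[str, str] = {}
    for part in field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().lower()
    return out


def detect_driver_load(ev: dict) -> Optional[str]:
    """Sysmon Event ID 6: known BYOVD driver loaded, matched by name or SHA-256."""
    if ev.get("EventID") != 6:
        return None
    image = ev.get("ImageLoaded", "")
    sha256 = _sysmon_hashes(ev.get("Hashes", "")).get("SHA256")
    if _basename(image) in BYOVD_NAMES:
        return f"BYOVD driver loaded by name: {image}"
    if sha256 in BYOVD_SHA256:
        return f"BYOVD driver loaded under another name: {image} (sha256 {sha256[:12]}...)"
    return None


def detect_veeam_memory_access(ev: dict) -> Optional[str]:
    """Sysmon Event ID 10: non-allowlisted process opened a Veeam process with VM_READ."""
    if ev.get("EventID") != 10:
        return None
    target = _basename(ev.get("TargetImage", ""))
    source = _basename(ev.get("SourceImage", ""))
    if not target.startswith("veeam.") or source in VEEAM_ACCESS_ALLOWED_SOURCES:
        return None
    granted = int(ev.get("GrantedAccess", "0x0"), 16)
    if not granted & PROCESS_VM_READ:
        return None  # handle cannot read memory; query-only handles are routine noise
    return f"Unexpected process {ev['SourceImage']} opened {target} with 0x{granted:x}"


def run_detections(lines: List[str]) -> List[str]:
    """Run both detectors over JSON-per-line events and return the alert strings."""
    alerts: List[str] = []
    for line in lines:
        ev = json.loads(line)
        for detector in (detect_driver_load, detect_veeam_memory_access):
            hit = detector(ev)
            if hit:
                alerts.append(hit)
    return alerts


# Constructed sample events (not real telemetry). Expected: three alerts.
SAMPLE_EVENTS = [
    {"EventID": 6, "ImageLoaded": r"C:\Windows\Temp\filwfp.sys",
     "Hashes": "MD5=" + "aa" * 16 + ",SHA256=" + "ab" * 32},
    {"EventID": 6, "ImageLoaded": r"C:\ProgramData\upd\update.sys",  # renamed copy
     "Hashes": "SHA256=" + "22" * 32},
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys",
     "Hashes": "SHA256=" + "cd" * 32},
    {"EventID": 10, "SourceImage": r"C:\Users\Public\inc.exe",
     "TargetImage": r"C:\Program Files\Veeam\Backup\Veeam.Backup.Service.exe",
     "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\Program Files\Veeam\Backup\Veeam.Backup.Manager.exe",
     "TargetImage": r"C:\Program Files\Veeam\Backup\Veeam.Backup.Service.exe",
     "GrantedAccess": "0x1410"},
    {"EventID": 10, "SourceImage": r"C:\Users\Public\inc.exe",  # query-only handle
     "TargetImage": r"C:\Program Files\Veeam\Backup\Veeam.Backup.Service.exe",
     "GrantedAccess": "0x1000"},
]
SAMPLE_LINES = [json.dumps(e) for e in SAMPLE_EVENTS]

if __name__ == "__main__":
    for alert in run_detections(SAMPLE_LINES):
        print(alert)
```

In production the same two functions would sit behind a SIEM rule rather than a script; the point they make is that the name list and the hash list are separate failure modes, and that the Veeam rule needs an access-mask filter before it is quiet enough to page on.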