INC Ransomware Targets Healthcare Infrastructure in Oceania

The Rise of a Specialized Threat to Regional Medical Services

The emergence of the INC ransomware group as a dominant threat to critical infrastructure in Oceania has prompted a coordinated response from international cybersecurity authorities. On March 6, 2025, a joint advisory was released by the Australian Cyber Security Centre (ACSC), the Kingdom of Tonga’s National Computer Emergency Response Team (CERT Tonga), and New Zealand’s National Cyber Security Centre (NCSC). This reporting highlights a deliberate and escalating campaign targeting healthcare organizations—specifically those providing 24/7 patient care—across Australia, New Zealand, and Tonga.

The scope of this timeline tracks the evolution of the INC ransomware group from a Western-centric threat into a localized menace in the South Pacific. Understanding this progression is vital because the group’s focus on healthcare is a calculated strategic choice. Ransomware actors frequently target patient care facilities because the time-sensitive nature of medical services creates immense pressure on victims to pay ransoms to restore life-saving systems. This industry-vertical focus represents a lack of ethical restraint, as the group prioritizes high-impact targets where service disruptions can lead to national crises, making their activities a primary concern for regional stability today.

Chronological Evolution of INC Ransomware Operations in Oceania

July 2024 to December 2024: Initial Incursion into Australian Professional Services

During the latter half of 2024, the INC ransomware group began a significant geographic pivot, expanding its operational roadmap beyond its traditional targets in the United States and the United Kingdom. In Australia, the ACSC responded to 11 distinct incidents during this period. These early attacks primarily affected healthcare and professional services, signaling the group’s intent to establish a foothold in the region. The entry into the Australian market was notably facilitated by Initial Access Brokers (IABs)—intermediaries who sell compromised credentials—allowing INC affiliates to bypass the difficult initial stages of a breach and move directly to internal network exploitation.

May 2025: Expansion into New Zealand Healthcare Networks

The campaign progressed into New Zealand in May 2025, with a targeted strike against a national healthcare organization. Unlike the broad systemic disruptions seen in other regions, this specific event focused heavily on the “double extortion” model. The attackers prioritized the theft of sensitive data alongside the encryption of endpoint devices and servers. Following the breach, the group utilized its Dark Web leak site to publish stolen information, using the threat of public disclosure to pressure the victim into payment. This event underscored the group’s ability to adapt its tactics to the specific regulatory and social pressures present within the New Zealand environment.

June 2025: National Systemic Disruption in the Kingdom of Tonga

The most severe incident in the regional campaign occurred in June 2025, when INC targeted Tonga’s Ministry of Health. This attack transcended individual clinics and disrupted the nation’s entire information and communications network. By shutting down core national services, INC demonstrated how smaller nations with centralized, resource-constrained infrastructures are particularly vulnerable to outsized impacts from a single intrusion. This event served as a catalyst for increased regional cooperation, as it proved that a single ransomware strain could threaten the functional sovereignty of a Pacific nation’s health department.

Significant Turning Points and Observed Threat Patterns

The primary turning point in INC’s operational history is its shift from opportunistic Western targeting to a specialized, industry-specific focus in Oceania. The group has moved away from random selection, instead identifying healthcare as a high-leverage sector where downtime is not an option. A recurring pattern is the group’s reliance on the Ransomware-as-a-Service (RaaS) model. This structure allows core developers to license their malware to affiliates, resulting in a variety of tactics, techniques, and procedures (TTPs) that range from spear-phishing to the exploitation of unpatched, internet-facing hardware.

Another significant theme is the exploitation of “legacy” vulnerabilities. While much of the cybersecurity industry focuses on cutting-edge innovations, INC finds consistent success by “walking into” environments through unpatched systems and stolen credentials. A notable gap identified during these events is the disparity in incident response capacity between larger nations like Australia and smaller Pacific Island nations. This gap allows threat actors to cause disproportionate damage in regions where centralized digital services lack redundant or distributed security frameworks.

Strategic Nuances and Expert Perspectives on Regional Vulnerability

Expert analysis suggests that INC’s success is not necessarily due to advanced technology but rather to a disciplined exploitation of basic security failures. Cybersecurity professionals note that attackers scale by opportunity rather than geographic size; smaller nations often possess limited incident response resources, making them highly attractive targets for RaaS affiliates seeking quick wins. Furthermore, the group’s reliance on legitimate software for data compression and exfiltration makes their malicious activity harder to distinguish from standard administrative tasks, allowing them to remain undetected while moving laterally through a network.

In a notable move toward accountability and deterrence, regional authorities have begun the process of public attribution. The identification of Roman Khubov, known by the alias “blackod,” as a key figure behind the attack on Tonga’s Ministry of Health represents a shift in strategy for Oceanic law enforcement. By naming and shaming individuals associated with the INC group, authorities aim to break the anonymity that typically protects cybercriminals. Ultimately, the consensus among experts remains that while the threat landscape evolves, foundational mitigations—such as multi-factor authentication, rigorous patching, and strict traffic monitoring—remain the most effective defense against this escalating regional menace.

In retrospect, the systematic targeting of the South Pacific’s medical infrastructure provided a blueprint for how modern extortionists exploit regional disparities in digital defense. Law enforcement agencies eventually dismantled several affiliate cells by tracing cryptocurrency payments and correlating server logs from various island nations. Healthcare providers subsequently sought to implement zero-trust architectures and established regional data-sharing agreements to ensure that a breach in one jurisdiction would trigger immediate lockdowns in neighboring countries. The incident necessitated a total overhaul of how decentralized clinics managed their digital footprints, prioritizing offline backups and air-gapped recovery systems as a standard protocol for national health security. Further investigation into the group’s financial networks offered deeper insight into the hidden economies fueling such targeted regional campaigns.
