INC Ransom Torches Australian Healthcare: Five Eyes Speak Up

I haven’t even had time to close the tab from writing about the TriZetto breach dumping 3.4 million patient records — that one genuinely made me sit back and stare at the wall for a minute — and here we are again. Same sector. Same ransomware-as-a-service playbook. Different corner of the planet. Today, March 12, 2026, a joint advisory from the Australian Cyber Security Centre (ACSC), New Zealand’s NCSC, and CERT Tonga dropped, officially flagging the INC Ransom group for ransomware and double-extortion campaigns specifically targeting Australian healthcare and professional services organizations. Eleven confirmed victims. July 2024 through December 2025. Eighteen months.

The advisory is live today. The attacks ran for a year and a half before the official public warning. Marinate on that. Eighteen months of INC Ransom affiliates carving through Australian healthcare organizations, stealing medical records, encrypting systems, and nobody issued a joint advisory until this morning. The horses are long gone. The barn is ash. But we are now formally informing everyone that there may have been a fire.

What the Advisory Actually Says

Per the joint ACSC, NCSC New Zealand, and CERT Tonga advisory published March 12, 2026, and covered in detail by Cyber News Centre, the INC Ransom group — also tracked as Tarnished Scorpion and GOLD IONIC by threat intelligence vendors — has been operating a mature Ransomware-as-a-Service (RaaS) platform with an active focus on the Asia-Pacific region since early 2025. Their affiliates have confirmed compromises of at least 11 Australian organizations between July 2024 and December 2025, with healthcare and professional services as the primary target verticals.

INC Ransom runs a classic RaaS model. Core group builds and maintains the ransomware platform, the infrastructure, the negotiation portals, the leak site. Affiliate criminals pay for access, deploy campaigns against their chosen targets, and split ransom proceeds with the core group. The barrier to entry is lower than a direct criminal operation. The geographic reach is broader because any affiliate anywhere can target anyone with the platform. What this means practically: there is no single INC Ransom operator. There are potentially dozens of affiliates running campaigns with this toolset simultaneously, and the countries they’re operating from may be entirely different from each other and from the core group.

The initial access methods listed in the advisory are three that should make every security team uncomfortable because they’re all preventable: spear-phishing, exploitation of unpatched internet-facing systems, and purchase of valid credentials from initial access brokers. Once inside, affiliates escalate privileges, move laterally to find the domain controllers and backup infrastructure, exfiltrate data — specifically including medical records — and then deploy the ransomware payload. Double extortion: pay or the data goes on their leak site for anyone to download.

The specific tools called out in the advisory are rclone and 7-Zip. These are not exotic malware. They are legitimate, widely installed utilities: rclone is a standard cloud sync and backup tool, and 7-Zip is a free compression utility present on a great many Windows machines. INC Ransom affiliates use them for data exfiltration precisely because they blend into normal operational activity. Your monitoring sees rclone syncing data to a cloud destination and assumes it is a scheduled backup job. It is not a scheduled backup job. It is 200 gigabytes of medical records heading to an attacker-controlled rclone remote at 2 am.

The advisory also notes that INC Ransom attacks have extended beyond Australia to health networks in Tonga and New Zealand, demonstrating deliberate regional targeting rather than opportunistic victim selection. They’re going after Pacific-region healthcare systematically.

Why Healthcare Keeps Getting Hammered

If you work outside healthcare and you’re reading this thinking “not my sector, not my problem,” let me explain the dynamics precisely so you understand why this pattern isn’t going away.

Healthcare organizations get targeted because the operational pressure asymmetry is severe. When a logistics company gets hit with ransomware, they can absorb days of disruption while they restore from backups. It’s expensive, but nobody gets hurt waiting for medical treatment they can’t receive because the hospital’s systems are encrypted. When a hospital gets hit, elective procedures are cancelled, emergency patients are diverted to other facilities, medication records are inaccessible, lab results can’t be retrieved, and clinical staff work blind in a degraded paper environment that most healthcare organizations haven’t seriously operated in for over a decade. The pressure to pay — fast, without negotiating — is enormous. INC Ransom affiliates chose healthcare because they understand this pressure. It is not an accident.

The data theft component makes healthcare breaches qualitatively worse than financial data breaches. Medical records contain: full names, dates of birth, government identifiers (Medicare numbers in Australia; Medicaid identifiers and Social Security numbers in US records), diagnoses, treatment histories, prescription records, insurance information, and clinical notes. This data does not expire the way credit card data does. A diagnosis from 2019 is still a lever for coercion in 2036. Stolen medical records enable medical identity theft (fraudulent insurance claims submitted using real identities and real policy numbers), synthetic identity fraud built on real clinical data, and extremely targeted social engineering against individuals who have sensitive diagnoses they would prefer not to be publicly associated with.

As I’ve documented in my research on how dark web extortion economics have industrialized cybercrime, the shift from opportunistic attacks to structured criminal enterprises with RaaS platforms, affiliate programmes, and specialized criminal roles is the direct cause of the healthcare targeting we’re seeing. The INC Ransom RaaS model is exactly that industrialization at scale. And for the TriZetto breach I wrote about yesterday, and for what INC Ransom is doing in Australia, the structural driver is the same: concentrated platforms holding sensitive data from multiple dependent organizations are high-value targets. Hit the platform once, hit everything that depends on it.

The advisory took 18 months to arrive after the first confirmed compromise. Part of that is legitimate operational security reasoning — you don’t want to warn the attacker that you’ve identified their campaign before you have enough to act on it. But the downstream effect is that healthcare organizations that could have had specific INC Ransom TTP guidance, IOCs, and detection signatures eighteen months ago didn’t have them. Some of them got hit in the meantime. The advisory is genuinely useful. It’s just also late.

What Went Wrong — The Three Entry Points You Can Shut

Let me describe the INC Ransom affiliate attack chain in terms of where defenders had windows to stop it.

Spear-phishing initial access: Works because email filtering isn’t reliably blocking sophisticated malicious attachments and links, because users in healthcare — clinical staff operating under workload pressure — aren’t reliably trained to recognize targeted phishing attempts that reference familiar internal systems, and because multi-factor authentication isn’t consistently deployed on every system that a phished credential could be used to access. Healthcare organizations often have a mix of legacy applications that don’t support modern MFA methods sitting alongside newer systems that do. The attacker finds the legacy gap and walks in.

Unpatched internet-facing systems: Healthcare has a genuine patch management problem that “just patch everything” doesn’t solve. Clinical systems frequently can’t be taken offline for maintenance during operating hours without disrupting patient care. Some clinical applications run on platforms that are technically end-of-life but haven’t been replaced because the replacement cost and migration complexity are prohibitive. Vendor support agreements sometimes restrict what OS-level patches can be applied without voiding support for the clinical application running on top. These are real operational constraints. They create real vulnerability windows. And INC Ransom affiliates scan for them because they know they exist in this sector.

Purchased credentials from access brokers: This one is the most invisible to traditional monitoring because it doesn’t look like an attack. Someone already compromised the account — possibly via a credential stuffing attack against a personal email address where the user reused their work password, possibly through a previous phishing incident that wasn’t detected, possibly through an entirely separate breach. The initial access broker packaged the credentials and sold them on a criminal forum. The INC Ransom affiliate bought them. The first login with those credentials looks legitimate because it uses the real username and the real password. The anomaly is behavioral: the login comes at an unusual time, from an unusual IP or network, with an unusual user agent, and if you don’t have the behavioral analytics to catch that, it’s invisible until the rclone job starts running at 2 am.
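Catching that first login is a baselining problem rather than a signature problem. As an added example (not the advisory's guidance and not the post's own code), here is a small per-user baseline in Python: it learns each account's usual source network, client and hour band from prior successful logins, then flags a later login that deviates on two or more of those axes at once, which is the shape a bought credential's first use usually takes, and escalates any account with no successful-login history at all. The events, user names and addresses are constructed for the example (RFC 5737 documentation ranges), and the two-deviation threshold is an assumption to tune against your own false-positive rate.

```python
"""Behavioral triage for first use of a purchased credential.

Added example, not from the advisory or the post. Builds a per-user baseline
(source /24 network, user agent, hour-of-day band) from prior successful
logins, then flags later logins that deviate on two or more of those axes,
or that belong to a user with no successful-login history at all.
Events are constructed; IPs are from RFC 5737 documentation ranges.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime

EDGE = "Mozilla/5.0 (Windows NT 10.0) Edge/130"

# Constructed baseline: (timestamp, user, source_ip, user_agent) of successful logins.
BASELINE_EVENTS = [
    (datetime(2025, 11, 3, 8, 12), "jsmith", "203.0.113.10", EDGE),
    (datetime(2025, 11, 3, 12, 40), "jsmith", "203.0.113.11", EDGE),
    (datetime(2025, 11, 4, 17, 5), "jsmith", "203.0.113.12", EDGE),
    (datetime(2025, 11, 4, 9, 30), "akumar", "203.0.113.40", "Mozilla/5.0 (iPhone) Safari/17"),
]

# Constructed logins to triage against that baseline.
NEW_EVENTS = [
    (datetime(2025, 12, 2, 9, 0), "jsmith", "203.0.113.55", EDGE),      # same office, same client
    (datetime(2025, 12, 2, 19, 10), "jsmith", "203.0.113.20", EDGE),    # late, otherwise normal
    (datetime(2025, 12, 3, 2, 13), "jsmith", "198.51.100.77", "python-requests/2.32"),
    (datetime(2025, 12, 3, 10, 0), "svc-backup", "203.0.113.9", "rclone/v1.68"),
]


def source_network(ip: str) -> str:
    """Coarsen to /24 (IPv4) or /64 (IPv6) so DHCP churn inside one site is not an anomaly."""
    prefix = 24 if ipaddress.ip_address(ip).version == 4 else 64
    return str(ipaddress.ip_interface(f"{ip}/{prefix}").network)


def build_baseline(events):
    """Per-user sets of seen networks, user agents and login hours."""
    baseline = defaultdict(lambda: {"networks": set(), "agents": set(), "hours": set()})
    for ts, user, ip, agent in events:
        b = baseline[user]
        b["networks"].add(source_network(ip))
        b["agents"].add(agent)
        b["hours"].add(ts.hour)
    return dict(baseline)


def score_login(baseline, ts, user, ip, agent):
    """Reasons this login deviates from the user's baseline; None if the user has no baseline."""
    b = baseline.get(user)
    if b is None:
        return None
    reasons = []
    net = source_network(ip)
    if net not in b["networks"]:
        reasons.append(f"new source network {net}")
    if agent not in b["agents"]:
        reasons.append(f"new user agent {agent!r}")
    lo, hi = min(b["hours"]), max(b["hours"])
    if not lo <= ts.hour <= hi:
        reasons.append(f"login at {ts:%H:%M} outside observed {lo:02d}:00-{hi:02d}:59 band")
    return reasons


def triage(baseline, events, min_reasons=2):
    """Logins worth a session revocation, credential reset and login audit.

    One deviation on its own (a new phone, a late night) is everyday noise;
    a new network plus a new client, typically off-hours, is the shape of an
    initial access broker's buyer logging in for the first time. A user with
    no successful-login history is escalated unconditionally.
    """
    alerts = []
    for ts, user, ip, agent in events:
        reasons = score_login(baseline, ts, user, ip, agent)
        if reasons is None:
            reasons = ["no successful-login baseline for user"]
        elif len(reasons) < min_reasons:
            continue
        alerts.append({"ts": ts.isoformat(), "user": user, "ip": ip, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in triage(build_baseline(BASELINE_EVENTS), NEW_EVENTS):
        print(alert)
```

Of the four constructed logins, only the 02:13 request from a new network with a scripted client and the never-seen service account are escalated; the late-evening login from the usual office range is a single deviation and stays below the threshold. In production the baseline window should be several weeks of successful logins per user, and the network axis is better keyed on ASN or geolocation than on /24 once users roam.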

The Fixer’s Advice — Specific Defenses Right Now

This is addressed to every Australian healthcare and professional services organization reading this advisory. Here is what you do, in priority order.

1. Check your external attack surface immediately. INC Ransom affiliates exploit unpatched internet-facing systems for initial access. Pull your complete external exposure right now — every IP, every hostname, every port and service visible from the internet. This is not a quarterly scan task. It is a today task. Cross-reference every internet-facing service against the CISA KEV catalog and against known high-exploitation categories: VPN appliances, remote desktop services (RDP on port 3389 should not be directly internet-facing under any circumstances), internet-facing management consoles. Close everything that doesn’t need to be external. Patch everything that does, on an emergency timeline given active exploitation.

2. Deploy credential exposure monitoring. If credentials are being purchased from initial access brokers, your organizational email addresses and passwords have appeared in breach data somewhere. Services like Have I Been Pwned’s domain search, SpyCloud, or equivalent credential monitoring platforms alert you when your org’s addresses appear in criminal datasets. This control is not expensive. It is frequently the earliest warning signal you get that an account may already be compromised. Act on every alert — not with a password reset notification, but with a session revocation, credential change, and login audit to determine whether the credential has already been used.

3. Harden your backup infrastructure first. INC Ransom affiliates deliberately identify and disable or encrypt backup systems before deploying the ransomware payload because they know organizations with intact, offline, tested backups can recover without paying. Your backup architecture needs: network segmentation from production environments (backups should live in a segment that cannot be reached from a compromised workstation or domain-joined server without additional access that is separately controlled), immutable backup storage where backup data cannot be modified or deleted by domain credentials, and — this one is non-negotiable — a tested recovery procedure that someone has actually walked through end-to-end, recently, and documented the time it takes. “We have backups” is not a ransomware defense. “We have tested, segmented, immutable backups with a documented recovery procedure that takes 18 hours and requires no domain credentials to initiate” is.

4. Set behavioral detection rules for rclone and 7-Zip in data-rich contexts. These tools are legitimate. The advisory called them out specifically. You need detection rules that flag: rclone running on file servers or clinical workstations, rclone syncing to external cloud destinations not in your authorized list, 7-Zip creating multi-part archives of large directory trees outside business hours, unusually large data volumes being written to removable media or cloud storage. Your EDR should be able to generate these alerts. If it can’t, this is a capability gap in your detection engineering that needs to be fixed before someone else’s rclone job starts in your environment.

5. Implement MFA everywhere — and I mean everywhere. Email. VPN. Remote desktop access. Clinical application portals. Active Directory. Every authentication point that remote work or external access touches needs MFA that does not rely solely on SMS (SIM-swap resistant MFA — hardware keys or authenticator app). The authenticated INC Ransom initial access vectors — phished credentials, purchased credentials — become significantly less useful if the attacker also needs the second factor. This does not replace fixing the other things. It raises the bar on the credential purchase vector significantly.

6. Feed the advisory IOCs into your SIEM tonight. The joint advisory contains specific indicators of compromise: IP addresses, domain names, file hashes, and behavioral signatures associated with INC Ransom affiliate campaigns. If you have a SIEM or threat intelligence platform, feed them in immediately. If you don’t, do a manual log search for the IP indicators going back six months. If INC Ransom affiliates were inside your environment before the advisory dropped, the indicators may be in your historical logs. Finding that out tonight is better than not finding out at all.

7. Run a targeted tabletop exercise this month. The scenario: it’s 11 pm Thursday. Your SOC analyst sees an alert — rclone running on a file server with elevated data transfer to an external destination. No other alerts. The on-call analyst has never seen this before. What happens? Who do they call? What do they escalate to? What’s the containment decision process? Most healthcare security teams have never walked through a scenario where the attacker is already inside and the initial indicator is subtle. Walking through it once reveals every gap in your detection, escalation, and response workflow while it’s still a drill.
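For item 4, and for the rclone-at-2-am scenario described earlier, here is an added example of what those detection rules look like as code. It is not the advisory's signatures and not the post's own code; it runs over constructed EDR-style process-creation events (what Sysmon Event ID 1 or any EDR process telemetry gives you), and the field names, host roles and the single allowlisted rclone remote are assumptions to replace with your own inventory. The rclone parser distinguishes an `rclone` remote (`name:path`) from a Windows drive path (`D:\path`), which is the mistake a naive regex makes. Volume thresholds (the "200 GB to cloud storage" case) belong on network or proxy telemetry and are out of scope here.

```python
"""Detection rules for rclone and 7-Zip used as exfiltration tooling.

Added example, not the advisory's signatures or the post's code. Runs a few
rules over constructed EDR-style process-creation events. Field names, host
roles and the single sanctioned rclone remote are assumptions for this
example; adapt them to your own telemetry and allowlists.
"""
import ntpath
import re
import shlex
from datetime import datetime

ALLOWED_REMOTES = {"backup-offsite"}          # assumed: the only sanctioned rclone remote
SENSITIVE_ROLES = {"file-server", "clinical-ws", "domain-controller"}
EXFIL_VERBS = {"copy", "sync", "move", "copyto", "moveto", "rcat"}
SEVENZIP = {"7z.exe", "7za.exe", "7zg.exe", "7zr.exe"}
# rclone "remote:path" (including on-the-fly ":backend:path"), but not a Windows "D:\path".
REMOTE_RE = re.compile(r"^:?([A-Za-z0-9_.-]+):(?![\\/])")

# Constructed events: what an EDR or Sysmon Event ID 1 would hand you.
SAMPLE_EVENTS = [
    {"ts": datetime(2025, 11, 10, 1, 0), "host": "BK01", "role": "backup-server", "user": "CORP\\svc-backup",
     "image": "C:\\Program Files\\rclone\\rclone.exe",
     "cmdline": "rclone sync D:\\Staging backup-offsite:bk01-daily --bwlimit 10M"},
    {"ts": datetime(2025, 11, 12, 2, 14), "host": "FS01", "role": "file-server", "user": "CORP\\jsmith",
     "image": "C:\\Users\\Public\\rclone.exe",
     "cmdline": "rclone copy D:\\Shares\\Clinical mega1:dump --transfers 32 --config C:\\Users\\Public\\r.conf"},
    {"ts": datetime(2025, 11, 12, 23, 50), "host": "WS-RAD03", "role": "clinical-ws", "user": "CORP\\jsmith",
     "image": "C:\\Program Files\\7-Zip\\7z.exe",
     "cmdline": "7z.exe a -v500m -pQw3rty -mhe=on C:\\Users\\Public\\out.7z \\\\FS01\\Radiology"},
    {"ts": datetime(2025, 11, 13, 10, 5), "host": "WS-HR12", "role": "user-ws", "user": "CORP\\bob",
     "image": "C:\\Program Files\\7-Zip\\7z.exe",
     "cmdline": "7z.exe a report.zip C:\\Users\\bob\\Documents\\Q3"},
]


def off_hours(ts):
    return ts.hour < 7 or ts.hour >= 19     # assumed business hours 07:00-18:59


def rclone_remotes(args):
    """Remote names referenced on an rclone command line."""
    names = []
    for tok in args:
        m = REMOTE_RE.match(tok.strip('"'))
        if m:
            names.append(m.group(1))
    return names


def assess(event):
    """Reasons this process event looks like staging or exfiltration; empty if benign."""
    exe = ntpath.basename(event["image"]).lower()
    argv = shlex.split(event["cmdline"], posix=False)   # posix=False keeps Windows backslashes
    verb = argv[1].lower() if len(argv) > 1 else ""
    reasons = []
    if exe in {"rclone.exe", "rclone"}:
        if event["role"] in SENSITIVE_ROLES:
            reasons.append(f"rclone running on {event['role']} {event['host']}")
        if verb in EXFIL_VERBS:
            for remote in rclone_remotes(argv[2:]):
                if remote not in ALLOWED_REMOTES:
                    reasons.append(f"transfer to unapproved remote {remote!r}")
    elif exe in SEVENZIP and verb == "a":
        switches = [t for t in argv[2:] if t.startswith("-")]
        if any(s.startswith("-v") for s in switches):
            reasons.append("multi-volume 7-Zip archive")
        if any(s.startswith("-p") for s in switches):
            reasons.append("password-protected 7-Zip archive")
    if reasons and off_hours(event["ts"]):
        reasons.append("outside business hours")
    return reasons


def scan(events):
    """Alerts for every event with at least one reason."""
    alerts = []
    for ev in events:
        reasons = assess(ev)
        if reasons:
            alerts.append({"ts": ev["ts"].isoformat(), "host": ev["host"], "user": ev["user"],
                           "exe": ntpath.basename(ev["image"]), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

The sanctioned backup job on BK01 produces no alert because it runs on a backup host to the allowlisted remote; the rclone copy from the file server to `mega1:dump` at 02:14 and the password-protected multi-volume archive of a radiology share at 23:50 each trip three rules. Note the `--config` pointing at a user-writable path in the second event: an rclone binary and config dropped under `C:\Users\Public` is a further signal worth its own rule once you have file-creation telemetry.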

The joint advisory is publicly available on the ACSC website. Get your security team reading it today. The indicators are actionable. The TTPs are specific. And the 11 Australian organizations that are already confirmed victims had the same systems, the same vulnerabilities, and the same credential exposure risks as the organizations that haven’t been hit yet.
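For item 6, the manual six-month log search, here is an added example of the sweep (not part of the advisory or the post). The indicators in it are constructed placeholders (RFC 5737 addresses, `.invalid` domains, a repeated-byte hash), not the advisory's real IOCs; drop the advisory's list in their place. The one practical detail it handles is that advisories publish indicators defanged (`hxxp://`, `[.]`, `[:]`), and a grep for the defanged string finds nothing, so the indicators are normalized back to their wire form first. Hash type is inferred from length and a domain indicator also matches hosts beneath it.

```python
"""Retrospective IOC sweep over historical log lines.

Added example. The indicators and log lines are constructed placeholders
(RFC 5737 addresses, .invalid domains, a repeated-byte hash) standing in for
the advisory's real IOCs. Indicators are accepted in the defanged forms
advisories use (hxxp://, [.], [:]) and normalized before matching, and a
domain indicator also matches hosts beneath it.
"""
import re
from urllib.parse import urlparse

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")
HEX_RE = re.compile(r"\b[0-9a-f]{64}\b|\b[0-9a-f]{40}\b|\b[0-9a-f]{32}\b")
HASH_NAMES = {32: "md5", 40: "sha1", 64: "sha256"}

# Constructed placeholder indicators, written the way an advisory would defang them.
RAW_IOCS = [
    "198[.]51[.]100[.]77",
    "transfer-c2[.]invalid",
    "hxxp://203[.]0[.]113[.]200/stage",
    "DEADBEEF" * 8,
]

# Constructed log lines (proxy, DNS, EDR, firewall) in the order they would be read.
LOG_LINES = [
    "2025-10-14T02:11:07Z FS01 proxy CONNECT 198.51.100.77:443 user=svc-backup",
    "2025-10-14T02:15:22Z FS01 dns query files.transfer-c2.invalid type=A",
    "2025-10-15T09:00:00Z WS-HR12 proxy GET https://www.example.com/ user=bob",
    "2025-10-16T03:40:11Z WS-RAD03 edr sha256=" + "deadbeef" * 8 + " file=C:\\Users\\Public\\r.exe",
    "2025-10-17T01:05:49Z FW01 fw allow src=10.20.30.40 dst=203.0.113.200:80 proto=tcp",
]


def refang(ioc):
    """Turn a defanged indicator back into the form that appears on the wire."""
    s = ioc.strip().lower()
    for defanged, real in (("[.]", "."), ("(.)", "."), ("[:]", ":"), ("[://]", "://")):
        s = s.replace(defanged, real)
    return re.sub(r"^hxxp(s?)://", r"http\1://", s)


def classify(ioc):
    """(type, value) for an indicator: ip, domain or md5/sha1/sha256. URLs reduce to their host."""
    value = refang(ioc)
    if value.startswith(("http://", "https://")):
        value = urlparse(value).hostname or ""
    if IPV4_RE.fullmatch(value):
        return "ip", value
    if HEX_RE.fullmatch(value):
        return HASH_NAMES[len(value)], value
    return "domain", value


def index_iocs(raw_iocs):
    """Group normalized indicators by type for fast lookup."""
    index = {}
    for ioc in raw_iocs:
        kind, value = classify(ioc)
        index.setdefault(kind, set()).add(value)
    return index


def sweep(lines, raw_iocs):
    """Every (line number, indicator type, matched value) across the log lines."""
    index = index_iocs(raw_iocs)
    domains = index.get("domain", set())
    hits = []
    for n, raw in enumerate(lines, start=1):
        line = raw.lower()
        for ip in IPV4_RE.findall(line):
            if ip in index.get("ip", set()):
                hits.append((n, "ip", ip))
        for host in HOST_RE.findall(line):
            if any(host == d or host.endswith("." + d) for d in domains):
                hits.append((n, "domain", host))
        for h in HEX_RE.findall(line):
            kind = HASH_NAMES[len(h)]
            if h in index.get(kind, set()):
                hits.append((n, kind, h))
    return hits


if __name__ == "__main__":
    for hit in sweep(LOG_LINES, RAW_IOCS):
        print(hit)
```

Run it with `sweep(open(path).read().splitlines(), advisory_iocs)` per archived log file; a hit on proxy or firewall logs from months before the advisory is exactly the "were they already inside" answer item 6 is after, and it should go straight into an incident, not a ticket queue.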

The gap between “we haven’t been hit” and “we’re next” is not a technical gap. It’s a detection and hardening gap. Close it before the affiliate who already bought your credentials on a criminal forum decides it’s time to log in.
