PROBABLYPWNED
Threat Intelligence | May 2, 2026 | 4 min read

Coast Guard Warns Maritime Sector of INC Ransom Attacks

US Coast Guard Cyber Command issued an alert warning that INC Ransom is actively targeting maritime and logistics networks with double-extortion ransomware.

Alex Kowalski

The US Coast Guard Cyber Command issued a cybersecurity alert on May 1 warning that INC Ransom is actively targeting maritime transportation networks. The ransomware group is using spear-phishing, vulnerability exploitation, and purchased credentials to compromise ports, shipping companies, and logistics providers.

INC Ransom's Maritime Campaign

Coast Guard Cyber Command (CGCYBER) stated that INC Ransom "has demonstrated the capability to target the Maritime Transportation System using sophisticated and well-documented tactics, techniques, and procedures." The group operates a double-extortion model: encrypting victim networks while simultaneously threatening to publish stolen data unless ransoms are paid.

Active since mid-2023, INC Ransom has historically targeted healthcare, education, and government sectors across the US and Europe. The pivot to maritime and logistics represents an expansion into critical infrastructure that handles global trade.

For organizations unfamiliar with this threat model, our ransomware guide explains how double-extortion attacks create pressure from both operational disruption and data exposure.

Living Off the Land

The alert emphasizes INC Ransom's use of "living off the land" techniques—abusing native system tools and legitimate remote access utilities to blend malicious activity with normal network behavior. After gaining initial access, the attackers:

  • Move laterally using built-in Windows administration tools
  • Deploy legitimate remote management software for persistent access
  • Use native encryption utilities to avoid deploying custom ransomware payloads until the final stage

This approach makes detection difficult because the malicious activity looks like normal IT operations until encryption begins.

Initial Access Vectors

According to CGCYBER and prior CISA reporting, INC Ransom gains initial access through:

  1. Spear-phishing emails with malicious attachments or links
  2. Vulnerability exploitation—including CVE-2023-3519 affecting Citrix NetScaler
  3. Purchased credentials from initial access brokers on dark web marketplaces

The group has been observed buying compromised VPN and RDP credentials rather than conducting intrusions from scratch, suggesting a mature affiliate operation with dedicated access procurement.

Why Maritime Matters

Major global hub ports—including Rotterdam, Los Angeles, and Busan—have already experienced ransomware incidents that encrypted Terminal Operating Systems and halted container operations. The economic impact extends far beyond the immediate victim: a major port shutdown cascades through supply chains worldwide.

Maritime networks present attractive targets because:

  • Operational technology integration: Ships and port facilities increasingly connect OT systems to IT networks for efficiency
  • Pressure to pay: Disrupted shipping operations cost millions per day, incentivizing rapid ransom payments
  • Legacy systems: Many maritime OT environments run outdated software that can't be easily patched

Recent Forescout research found 3.4 million RDP and VNC servers exposed to the internet, with manufacturing, transportation, and utilities significantly affected. Maritime organizations relying on remote access for distributed operations should audit their exposure.

Recommended Mitigations

CGCYBER recommends maritime organizations:

  1. Implement network segmentation between IT and OT environments
  2. Require MFA for all remote access, including VPN and remote desktop connections
  3. Patch internet-facing systems promptly, particularly VPN concentrators and remote access gateways
  4. Monitor for anomalous use of legitimate administration tools like PowerShell, PsExec, and RMM software
  5. Maintain offline backups that cannot be accessed from production networks

The alert also urges organizations to report suspicious activity immediately to IT/security personnel and to CGCYBER through established reporting channels.
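The "living off the land" pattern described above and mitigation 4 both come down to the same question: how do you tell abusive use of PowerShell, PsExec and RMM software from routine IT work? The script below is an added example, not code from the Coast Guard alert or from any product. It runs three simple rules over constructed Windows event records shaped like Security 4688 (process creation) and System 7045 (service installed); the RMM watchlist and the per-host approved-agent inventory are assumptions chosen for illustration, not a statement about INC Ransom's toolset.

```python
"""Flag anomalous use of legitimate admin tooling in Windows event data."""
from typing import Iterable, Optional

# Assumed per-host inventory of RMM agents that are *supposed* to be there.
APPROVED_RMM = {"ITADMIN-WS01": {"screenconnect.client.exe"}}
# Assumed watchlist of RMM binaries; presence on a host outside the inventory is the signal.
RMM_BINARIES = {"anydesk.exe", "screenconnect.client.exe", "atera.agent.exe", "teamviewer.exe"}
# Command-line fragments that rarely appear in scheduled admin scripts.
PS_SUSPICIOUS = ("-enc", "-encodedcommand", "-w hidden", "-windowstyle hidden", "downloadstring")

# Constructed sample events (not real telemetry): one benign admin job, one encoded
# PowerShell launch, one PsExec service install, one unexpected RMM agent, one approved agent.
SAMPLE_EVENTS = [
    {"id": 4688, "host": "TOS-APP01", "user": "svc_backup",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\scripts\nightly-backup.ps1"},
    {"id": 4688, "host": "TOS-APP01", "user": "svc_backup",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4A"},
    {"id": 7045, "host": "GATE-DC01", "user": "SYSTEM",
     "service": "PSEXESVC", "image": r"%SystemRoot%\PSEXESVC.exe"},
    {"id": 4688, "host": "CRANE-HMI02", "user": "jsmith",
     "image": r"C:\Users\jsmith\AppData\Local\AnyDesk.exe", "cmdline": "AnyDesk.exe"},
    {"id": 4688, "host": "ITADMIN-WS01", "user": "itadmin",
     "image": r"C:\Program Files\ScreenConnect Client\ScreenConnect.Client.exe", "cmdline": ""},
]

def basename(path: str) -> str:
    """Lower-cased file name from a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(ev: dict) -> Optional[str]:
    """Return a finding label for one event, or None if it looks like normal operations."""
    if ev["id"] == 7045:
        # PsExec installs a service named PSEXESVC on the remote host.
        if ev.get("service", "").upper().startswith("PSEXESVC") or basename(ev.get("image", "")) == "psexesvc.exe":
            return "psexec-service-install"
        return None
    if ev["id"] != 4688:
        return None
    exe, cmd = basename(ev["image"]), ev.get("cmdline", "").lower()
    if exe in ("powershell.exe", "pwsh.exe") and any(t in cmd for t in PS_SUSPICIOUS):
        return "suspicious-powershell"
    if exe in RMM_BINARIES and exe not in APPROVED_RMM.get(ev["host"], set()):
        return "unapproved-rmm"
    return None

def hunt(events: Iterable[dict]) -> list:
    """Return (host, user, finding) for every event that matches a rule."""
    return [(ev["host"], ev["user"], f) for ev in events if (f := classify(ev))]

if __name__ == "__main__":
    for host, user, finding in hunt(SAMPLE_EVENTS):
        print(f"{host:<14} {user:<12} {finding}")
```

The approved-agent inventory is what turns "RMM software seen" into a usable alert; without it every helpdesk session fires.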

Industry Context

INC Ransom ranked among the five most active ransomware groups in Q1 2026, alongside Qilin, Akira, The Gentlemen, and DragonForce. The group's expansion into maritime follows a broader trend of ransomware operators targeting sectors with high operational pressure and limited tolerance for downtime.

The SystemBC C2 infrastructure recently exposed by researchers revealed operational links between multiple ransomware-as-a-service groups, suggesting these operations share access brokers and deployment infrastructure even when operating under different brands.

For maritime security teams, the Coast Guard advisory should trigger immediate network assessments. INC Ransom's documented capabilities and active targeting make this more than a theoretical concern.
