cyber daily logo

Breaking news and updates daily. Subscribe to our Newsletter

Breaking news and updates daily. Subscribe to our Newsletter X facebook linkedin Instagram Instagram

INC Ransom source code allegedly for sale as gang looks to transform

The source code for a major ransomware group is allegedly for sale after a threat actor began advertising it online.

user icon Daniel Croft
Wed, 15 May 2024
INC Ransom source code allegedly for sale as gang looks to transform
expand image

As discovered by cyber threat intelligence group KELA and first reported by Bleeping Computer, a threat actor by the name of “salfetka” posted online announcing the sale of source code belonging to the INC ransomware gang, a group responsible for a number of high-profile cyber attacks, such as on the US-Saudi Arabian Business Council, Australian builder The Village Building Co, and NHS Scotland, having recently published data.

The threat actor said that they have both Windows and Linux/ESXi versions in their post on the Exploit and XSSS hacking forums.

Potential buyers are limited to three purchases, which are priced at $300,000.


While the claims of the data being legitimate are currently unverified, there are a number of indicators that hint that the listings are real.

First, KELA said the technical details in salfetka’s post are consistent with previous analysis of INC Ransom samples, including the use of AES-128 in CTR and Curve25519 Donna.

Additionally, salfetka first appeared on the hacking forums in March and, from the beginning shared interest in buying network access for $7,000, offering initial access brokers a cut of the money he makes from ransomware attacks. He also includes both INC’s old and new dark web ransom page URLs in his signature, indicating he is connected to the group.

However, INC has not made any announcement about selling its source code, and salfetka could have curated this activity as a disguise.

The sale of the source code does come at an opportune time for INC, though, as it announced at the beginning of the month that it would be moving to a new leak site.

As seen by Bleeping Computer, KELA said this could indicate a shift in leadership or a split in the group, particularly as the two sites have some overlap, but the new site lists a dozen new victims.

“The discrepancies between the two sites may suggest that an operation may have experienced a leadership change or splitting into different groups,” said KELA.

“However, the fact that ‘salfetka’ has referenced both sites as his alleged projects suggests the actor is not related to just one part of the operation.”

“In this case, it is possible that the new blog was created in an attempt to gain more profits from the sale.”

Additionally, the new site seems to be a replacement, with INC saying the old site will be shut down in two to three months.

It is also worth noting that the design language of INC’s new site resembles that of another ransomware gang, Hunters International, which could indicate collaboration or that INC’s new malware uses Hunters International’s source code, adding fuel to the argument that INC would be looking to sell its old code.

Regardless, if the source code listed by salfetka is legitimate, it could encourage smaller threat actors to launch higher-profile attacks or provide an entry point for new threat actors.

Daniel Croft

Daniel Croft

Born in the heart of Western Sydney, Daniel Croft is a passionate journalist with an understanding for and experience writing in the technology space. Having studied at Macquarie University, he joined Momentum Media in 2022, writing across a number of publications including Australian Aviation, Cyber Security Connect and Defence Connect. Outside of writing, Daniel has a keen interest in music, and spends his time playing in bands around Sydney.

cd intro podcast

Introducing Cyber Daily, the new name for Cyber Security Connect

Click here to learn all about it
cyber daily subscribe
Be the first to hear the latest developments in the cyber industry.