iscover
Share this article on:
Powered by
MOMENTUM
MEDIA
The source code for a major ransomware group is allegedly for sale after a threat actor began advertising it online.
As discovered by cyber threat intelligence group KELA and first reported by Bleeping Computer, a threat actor by the name of “salfetka” posted online announcing the sale of source code belonging to the INC ransomware gang, a group responsible for a number of high-profile cyber attacks, such as on the US-Saudi Arabian Business Council, Australian builder The Village Building Co, and NHS Scotland, having recently published data.
The threat actor said that they have both Windows and Linux/ESXi versions in their post on the Exploit and XSSS hacking forums.
Potential buyers are limited to three purchases, which are priced at $300,000.
While the claims of the data being legitimate are currently unverified, there are a number of indicators that hint that the listings are real.
First, KELA said the technical details in salfetka’s post are consistent with previous analysis of INC Ransom samples, including the use of AES-128 in CTR and Curve25519 Donna.
Additionally, salfetka first appeared on the hacking forums in March and, from the beginning shared interest in buying network access for $7,000, offering initial access brokers a cut of the money he makes from ransomware attacks. He also includes both INC’s old and new dark web ransom page URLs in his signature, indicating he is connected to the group.
However, INC has not made any announcement about selling its source code, and salfetka could have curated this activity as a disguise.
The sale of the source code does come at an opportune time for INC, though, as it announced at the beginning of the month that it would be moving to a new leak site.
As seen by Bleeping Computer, KELA said this could indicate a shift in leadership or a split in the group, particularly as the two sites have some overlap, but the new site lists a dozen new victims.
“The discrepancies between the two sites may suggest that an operation may have experienced a leadership change or splitting into different groups,” said KELA.
“However, the fact that ‘salfetka’ has referenced both sites as his alleged projects suggests the actor is not related to just one part of the operation.”
“In this case, it is possible that the new blog was created in an attempt to gain more profits from the sale.”
Additionally, the new site seems to be a replacement, with INC saying the old site will be shut down in two to three months.
It is also worth noting that the design language of INC’s new site resembles that of another ransomware gang, Hunters International, which could indicate collaboration or that INC’s new malware uses Hunters International’s source code, adding fuel to the argument that INC would be looking to sell its old code.
Regardless, if the source code listed by salfetka is legitimate, it could encourage smaller threat actors to launch higher-profile attacks or provide an entry point for new threat actors.
Be the first to hear the latest developments in the cyber industry.
