$300K: source code of the INC Ransom encryptor is for sale

Father

How will the transition of the program to other dimensions affect the overall cybersecurity landscape?

A cybercriminal using the nickname "salfetka" announced the sale of the source code of the INC Ransom ransomware program. This program was launched in August 2023 and has been operating under the RaaS model ever since. Previously, INC Ransom attacked a division of Xerox Business Solutions in the United States, Yamaha Motor in the Philippines, and the National Health Service of Scotland.

Simultaneously with the announcement of the sale, security researchers began to observe some changes in the work of the group responsible for distributing the malware. This may indicate disagreements among its participants or plans to move to a new stage, which includes the use of a new encryptor.


The hacker "salfetka" put versions of the INC Ransom program for Windows and Linux/ESXi up for sale on the Exploit and XSS forums for $300,000. According to KELA experts, the technical details specified in the ad, such as the use of AES-128 in CTR mode and Curve25519 Donna, coincide with public analyses of INC Ransom samples.

According to KELA, salfetka has been actively corresponding on hacker forums only since March 2024. Previously, this user wanted to buy access to a target network for up to $7,000 and offered initial access brokers a share of the revenue from ransomware attacks.

However, cyber experts believe that the sale may turn out to be a scam. The salfetka hacker could have carefully prepared his account to create the appearance of legitimacy of the offer. Moreover, the official resources of INC Ransom have not yet made any public statements about the sale of the source code.

The only thing that works in favor of the hacker is the fact that he plans to sell the code through an intermediary (a guarantor), which can reduce the risks for a potential buyer.

In early May, the INC Ransom group announced a move to a new website and shared its address on the Tor network, saying that the old site will be closed in two to three months. No further information, even indirectly related to the sale of the source code, was received from the group.

The new design of the ransomware page visually resembles Hunters International, which may indicate a connection with another RaaS group. Using the source code of another operation can make the work of law enforcement agencies and researchers more difficult.

Meanwhile, privately selling the source code of ransomware programs for which there are no available decryptors can also create new problems for organizations around the world. These programs are bought by motivated hackers who want to improve their tools with more reliable and proven malicious code. This is especially true for the Linux / ESXi version, which is generally much more complex and expensive to develop.
 