February 20, 2024 at 11:30AM
The alleged source code for the third version of the Knight ransomware, previously known as Cyclops, is being sold to a single buyer on a hacker forum by a representative of the operation. The sale includes the source code of the panel and the locker, written in Glong C++. Version 3.0 includes faster encryption and other improvements.
KELA, a cyber-intelligence firm, has uncovered details about the sale of the source code for the Knight 3.0 ransomware on hacker forums. The ransomware, initially launched as a re-brand of the Cyclops operation, targeted Windows, macOS, and Linux/ESXi systems.
The advertisement for the sale of the source code was posted by someone using the alias Cyclops, who is known as a representative of the Knight ransomware gang. The source code includes the panel and the locker, all written in Glong C++. Version 3.0 of the ransomware was released with improvements such as faster encryption and support for more recent versions of the ESXi hypervisor.
The seller did not specify a price, but emphasized that the source code would only be sold to a single buyer, preserving its value as a private tool. Potential buyers are instructed to reach out using contact addresses for Jabber and TOX messaging services.
KELA's dark web monitoring tools found no recent activity from Knight's representatives and noted that the ransomware operation's victim extortion portal is currently offline. This, coupled with the lack of forum activity since December 2023 and the claim of breaching 50 organizations since July 2023, raises the possibility that the group may be looking to close shop and sell its assets.
In summary, the Knight ransomware operation appears to be inactive, and the group may be seeking to sell its assets, including the source code for its ransomware.